[Bug] Assertion failed extraType == labelType in wasm::IRBuilder::fixExtraOutput #8096

@oneafter

Description

We encountered a SIGABRT (Assertion Failure) in wasm-dis. The crash occurs within wasm::IRBuilder::fixExtraOutput when disassembling a malformed WebAssembly binary.

The assertion extraType == labelType fails during the visitEnd phase. This indicates a type mismatch in the IR construction logic where the type flowing to a label does not match the label's expected type definition.

Environment

  • OS: Linux x86_64
  • Compiler: Clang
  • Tools: gdb

Vulnerability Details

  • Target: wasm-dis
  • Crash Type: Assertion Failure (SIGABRT)
  • Location: src/wasm/wasm-ir-builder.cpp:1169
  • Function: Expression* wasm::IRBuilder::fixExtraOutput(ScopeCtx&, Name, Expression*)
  • Assertion: Assertion extraType == labelType failed
  • Root Cause Analysis: The stack trace shows WasmBinaryReader::readInst -> IRBuilder::visitEnd -> fixExtraOutput. The visitEnd function is called when the parser reaches the end of a block/loop/if. The builder attempts to reconcile the types of branches targeting the current scope. The assertion failure suggests that a branch targeting this scope is carrying a value of a type that differs from what the scope label expects, and the IRBuilder fails to handle this inconsistency gracefully in Debug builds.

Reproduce

gdb --args ./wasm-dis ./repro
r
bt

Download Link: repro

Stack Trace (GDB)

wasm-dis: /src/binaryen/src/wasm/wasm-ir-builder.cpp:1169: Expression *wasm::IRBuilder::fixExtraOutput(ScopeCtx &, Name, Expression *): Assertion `extraType == labelType' failed.

Program received signal SIGABRT, Aborted.
0x00007f63a21b3b2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007f63a21b3b2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f63a215a27e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f63a213d8ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007f63a213d81b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007f63a2150517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007f63a54f0b75 in wasm::IRBuilder::fixExtraOutput (this=0x7f63a060c110, scope=..., label=..., curr=<optimized out>)
    at /src/binaryen/src/wasm/wasm-ir-builder.cpp:1169
#6  0x00007f63a54ed419 in wasm::IRBuilder::visitEnd()::$_0::operator()(wasm::Expression*) const (
    this=this@entry=0x7ffc93e32c38, curr=curr@entry=0x52d000000420) at /src/binaryen/src/wasm/wasm-ir-builder.cpp:1007
#7  0x00007f63a54ec102 in wasm::IRBuilder::visitEnd (this=0x7f63a060c110) at /src/binaryen/src/wasm/wasm-ir-builder.cpp:1068
#8  0x00007f63a545381b in wasm::WasmBinaryReader::readInst (this=0x7f63a060c0a0)
    at /src/binaryen/src/wasm/wasm-binary.cpp:3240
#9  0x00007f63a541baf7 in wasm::WasmBinaryReader::readFunctions (this=0x7f63a060c0a0)
    at /src/binaryen/src/wasm/wasm-binary.cpp:3128
#10 0x00007f63a5406c30 in wasm::WasmBinaryReader::read (this=0x7f63a060c0a0) at /src/binaryen/src/wasm/wasm-binary.cpp:2077
#11 0x00007f63a54bd63d in wasm::ModuleReader::readBinaryData (this=<optimized out>, input=..., wasm=..., sourceMapFilename="")
    at /src/binaryen/src/wasm/wasm-io.cpp:67
#12 0x00007f63a54bddc8 in wasm::ModuleReader::readBinary (this=<optimized out>, filename=..., wasm=..., sourceMapFilename=...)
    at /src/binaryen/src/wasm/wasm-io.cpp:78
#13 0x00005649ac8d6c34 in main (argc=<optimized out>, argv=<optimized out>) at /src/binaryen/src/tools/wasm-dis.cpp:76
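
For triaging reports like this one, an added example (not part of the original issue and not Binaryen code) that reduces a GDB backtrace to a crash bucket: the assertion text plus the top frames that carry source information, ignoring addresses and libc frames. The names `parse_frames` and `crash_bucket` are hypothetical, and the sample is a shortened copy of the trace above.

```python
import hashlib
import re

# Constructed sample: a shortened copy of the GDB output quoted in the report.
SAMPLE = """\
wasm-dis: /src/binaryen/src/wasm/wasm-ir-builder.cpp:1169: Expression *wasm::IRBuilder::fixExtraOutput(ScopeCtx &, Name, Expression *): Assertion `extraType == labelType' failed.
#0  0x00007f63a21b3b2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007f63a2150517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007f63a54f0b75 in wasm::IRBuilder::fixExtraOutput (this=0x7f63a060c110, scope=..., label=..., curr=<optimized out>)
    at /src/binaryen/src/wasm/wasm-ir-builder.cpp:1169
#6  0x00007f63a54ed419 in wasm::IRBuilder::visitEnd()::$_0::operator()(wasm::Expression*) const (
    this=this@entry=0x7ffc93e32c38, curr=curr@entry=0x52d000000420) at /src/binaryen/src/wasm/wasm-ir-builder.cpp:1007
#7  0x00007f63a54ec102 in wasm::IRBuilder::visitEnd (this=0x7f63a060c110) at /src/binaryen/src/wasm/wasm-ir-builder.cpp:1068
#8  0x00007f63a545381b in wasm::WasmBinaryReader::readInst (this=0x7f63a060c0a0)
    at /src/binaryen/src/wasm/wasm-binary.cpp:3240
"""

FRAME_START = re.compile(r"^#\d+\s")
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \(")
SOURCE = re.compile(r"\bat (\S+):(\d+)\s*$")
ASSERT = re.compile(r"Assertion `(.+?)' failed")

def parse_frames(text):
    """Join wrapped GDB lines into frames; return (index, function, file, line)."""
    joined = []
    for line in text.splitlines():
        if FRAME_START.match(line):
            joined.append(line.strip())
        elif joined and line.startswith(" "):
            joined[-1] += " " + line.strip()  # continuation of the previous frame
    frames = []
    for entry in joined:
        m, src = FRAME.match(entry), SOURCE.search(entry)
        if m:
            frames.append((int(m.group(1)), m.group(2),
                           src.group(1) if src else None,
                           int(src.group(2)) if src else None))
    return frames

def crash_bucket(text, depth=3):
    """Bucket key: assertion text plus the top `depth` frames that have source info."""
    found = ASSERT.search(text)
    assertion = found.group(1) if found else None
    top = [f[1] for f in parse_frames(text) if f[2]][:depth]  # skips libc frames
    digest = hashlib.sha256("|".join([assertion or ""] + top).encode()).hexdigest()[:16]
    return {"assertion": assertion, "frames": top, "bucket": digest}
```

Two crashing inputs that produce the same bucket most likely hit the same assertion site and can be filed as one issue.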
