Description
We encountered a SIGABRT (Assertion Failure) in wasm-opt. The crash occurs within wasm::HeapType::getArray when parsing a malformed WebAssembly binary containing GC instructions.
The assertion isArray() fails, indicating that the IRBuilder is attempting to process an array.get instruction, but the type of the reference operand is not an array type. The builder attempts to access array-specific properties without verifying the type kind first.
Environment
- OS: Linux x86_64
- Compiler: Clang
- Tools: gdb
Vulnerability Details
- Target: wasm-opt
- Crash Type: Assertion Failure (SIGABRT)
- Location: src/wasm/wasm-type.cpp:915
- Function: wasm::Array wasm::HeapType::getArray() const
- Assertion: Assertion isArray() failed
- Root Cause Analysis: The stack trace shows WasmBinaryReader::readInst -> IRBuilder::makeArrayGet -> HeapType::getArray. The binary reader encounters an array.get opcode. It calls makeArrayGet, which internally calls type.getArray() to check the array's element type or signedness. However, the type passed to the builder is not an array, causing the assertion to fire.
Reproduce
gdb --args ./wasm-opt ./repro -o /dev/null
r
bt
Download Link: repro
Stack Trace (GDB)
wasm-opt: /src/binaryen/src/wasm/wasm-type.cpp:915: Array wasm::HeapType::getArray() const: Assertion `isArray()' failed.
Program received signal SIGABRT, Aborted.
0x00007f0a866d3b2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007f0a866d3b2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f0a8667a27e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f0a8665d8ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f0a8665d81b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007f0a86670517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x00007f0a89b8eb81 in wasm::HeapType::getArray (this=<optimized out>) at /src/binaryen/src/wasm/wasm-type.cpp:915
#6 0x00007f0a89a5dd8a in wasm::IRBuilder::makeArrayGet (this=0x7f0a84b0c110, type=..., signed_=<optimized out>, order=<optimized out>)
at /src/binaryen/src/wasm/wasm-ir-builder.cpp:2266
#7 0x00007f0a89975aee in wasm::WasmBinaryReader::readInst (this=0x7f0a84b0c0a0) at /src/binaryen/src/wasm/wasm-binary.cpp:4627
#8 0x00007f0a8993baf7 in wasm::WasmBinaryReader::readFunctions (this=0x7f0a84b0c0a0) at /src/binaryen/src/wasm/wasm-binary.cpp:3128
#9 0x00007f0a89926c30 in wasm::WasmBinaryReader::read (this=0x7f0a84b0c0a0) at /src/binaryen/src/wasm/wasm-binary.cpp:2077
#10 0x00007f0a899dd63d in wasm::ModuleReader::readBinaryData (this=<optimized out>, input=..., wasm=..., sourceMapFilename="")
at /src/binaryen/src/wasm/wasm-io.cpp:67
#11 0x00007f0a899dddc8 in wasm::ModuleReader::readBinary (this=<optimized out>, filename=..., wasm=..., sourceMapFilename=...)
at /src/binaryen/src/wasm/wasm-io.cpp:78
#12 0x00007f0a899df68e in wasm::ModuleReader::read (this=<optimized out>, filename=..., wasm=..., sourceMapFilename=...)
at /src/binaryen/src/wasm/wasm-io.cpp:101
#13 0x0000562c2949168d in main (argc=<optimized out>, argv=<optimized out>) at /src/binaryen/src/tools/wasm-opt.cpp:319
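
The root cause described in this report is an accessor with an asserted precondition being reached while parsing untrusted bytes. The following is an added example, not code from the report or from Binaryen and not the upstream fix: a simplified model in which `toy::HeapType`, `toy::makeArrayGet` and `toy::Result` are hypothetical stand-ins, showing the type kind being checked first so that malformed input becomes a parse error.

```cpp
// Simplified model, NOT Binaryen's code: every name in namespace toy is hypothetical.
#include <cassert>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

namespace toy {
enum class Kind { Func, Struct, Array };
struct Array { bool packed; };  // packed elements (i8/i16) use array.get_s/_u

struct HeapType {
  Kind kind;
  Array array;
  bool isArray() const { return kind == Kind::Array; }
  // Accessor with an asserted precondition, like the one in the backtrace.
  Array getArray() const { assert(isArray()); return array; }
};

struct Result { bool ok; std::string error; };

// Builds an array.get from an untrusted type index. The index and the type
// kind are validated before the asserting accessor is reached, so malformed
// input yields a parse error instead of SIGABRT.
Result makeArrayGet(const std::vector<HeapType>& types, std::size_t index,
                    bool signed_) {
  if (index >= types.size())
    return {false, "array.get: type index out of range"};
  const HeapType& type = types[index];
  if (!type.isArray())
    return {false, "array.get: type is not an array"};
  Array arr = type.getArray();  // safe: kind checked above
  if (signed_ && !arr.packed)
    return {false, "array.get_s: element type is not packed"};
  return {true, ""};
}
} // namespace toy

int main() {
  // Constructed type section: index 0 is a struct, index 1 a packed array.
  std::vector<toy::HeapType> types = {{toy::Kind::Struct, {false}},
                                      {toy::Kind::Array, {true}}};
  toy::Result bad = toy::makeArrayGet(types, 0, false);
  toy::Result good = toy::makeArrayGet(types, 1, true);
  std::cout << "index 0: " << (bad.ok ? "ok" : bad.error) << "\n"
            << "index 1: " << (good.ok ? "ok" : good.error) << "\n";
  return 0;
}
```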