Fix comparison of none and unreachable types#2514
Merged
aheejin merged 1 commit intoWebAssembly:masterfrom Dec 9, 2019
Merged
Conversation
aheejin
force-pushed
the
type_less_than
branch
from
a20bc07 to
1205889
Compare
Currently `none` and `unreachable` types are stored as the same empty
`{}` in src/wasm/wasm-type.cpp. This makes `Type::operator<` incorrectly
when given `none` and `unreachable`, because it expands both given types
and lexicographically compare them, when both of the expanded vector
will be empty.
This was found by the fuzzer. This line in `Modder::visitExpression`
tries to retrieve candidates of the same type. Because we can't really
compare these two types, if you give `unreachable` as the key,
candidates of `none` type can be returned. This generates incorrect code
that ends up failing in validation in a very weird way.
It was hard to generate a small testcase to trigger this part because it
was found by generating fuzzed code from a random data file. But I guess
this fix is pretty straightforward.
Fixes WebAssembly#2512.
aheejin
force-pushed
the
type_less_than
branch
from
f74355f to
ec752ac
Compare
tlively
approved these changes
Dec 9, 2019
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Currently
noneandunreachabletypes are stored as the same empty{}in src/wasm/wasm-type.cpp. This makesType::operator<incorrectlywhen given
noneandunreachable, because it expands both given typesand lexicographically compare them, when both of the expanded vector
will be empty.
This was found by the fuzzer. This line in
Modder::visitExpressiontries to retrieve candidates of the same type. Because we can't really
compare these two types, if you give
unreachableas the key,candidates of
nonetype can be returned. This generates incorrect codethat ends up failing in validation in a very weird way.
It was hard to generate a small testcase to trigger this part because it
was found by generating fuzzed code from a random data file. But I guess
this fix is pretty straightforward.
Fixes #2512.