Invalid emitted binary for unreachable code

[kripken]

Testing the new fuzzer's emitted binaries in wasm VMs, I see something odd. This module

(module
  (memory $0 1 1)
  (export "func_0" (func $func_0))
  (func $func_0 (result f32)
    (block $label$2 f32
      (i32.trunc_u/f64
        (unreachable)
      )
    )
  )
)

won't load in sm or v8,

v8: CompileError: WebAssembly.Module(): Compiling WASM function #0: failed:: type error in merge[0] (expected f32, got i32) @+5

sm: CompileError: at offset 70: type mismatch: expression has type i32 but expected f32

It does work in wabt,

$ ./wasmdump -d a.wasm
a.wasm:	file format wasm 0x00000d

Code Disassembly:

00003c func[0]:
 000042: 02 7d                      | block f32
 000044: 00                         |   unreachable
 000045: ab                         |   i32.trunc_u/f64
 000046: 0b                         | end

(I manually changed the version to 0xd since that's what wabt required), and it works in binaryen. Who is wrong here?

It seems like it should be valid, the unreachable sets us into the mode where it's ok to pop anything, so the i32.trunc is ok and the block popping an f32 should be ok? Is this a case of undefined behavior in wasm type checking?

[binji]

Ah, I see the problem. wasmdump is the old name, the new name is wasm-objdump. wast2wasm won't even generate file since it isn't using the new block signature syntax:

test.wast:5:21: error: syntax error, unexpected VALUE_TYPE, expecting )
    (block $label$2 f32
                    ^^^

Fixing that produces the following error:

test.wast:6:8: error: type mismatch in block, expected f32 but got i32.
      (i32.trunc_u/f64
       ^^^^^^^^^^^^^^^

This error is correct; unreachable makes the stack polymorphic, so i32.trunc_u/f64 pops an f64 and pushes an i32. But then block wants an f32, so it is invalid.

We can generate the invalid wasm file with wast2wasm --no-check, then try to read it using wasm-objdump. This works, since wasm-objdump doesn't validate:

000028 func[0]:
 00002a: 02 7d                      | block f32
 00002c: 00                         |   unreachable
 00002d: ab                         |   i32.trunc_u/f64
 00002e: 0b                         | end
 00002f: 0b                         | end

wasm2wast does validate, and produces the same error as above:

test.wasm:000002e: error: type mismatch in block, expected f32 but got i32.

[kripken]

I see, thanks. Ok, then we are indeed emitting bad code in cases of unreachable code like this.

[kripken]

Will be fixed by #1117.