Fix a possible panic with null-containing element segments (#4455)

This commit fixes an issue with the initialization of element segments
when one of the elements in the element segment is `ref.null func`.
Previously the contents of a table were accidentally initialized with
the raw value of the `*mut VMCallerCheckedAnyfunc` which bypassed the
"this is initialized" encoding of function table entries that Wasmtime
uses for lazy table initialization. The fix here was to ensure that the
encoded form is used.

The impact of this issue is that a module could panic at runtime when
accessing a table element that was initialized with an element segment
containing a `ref.null func` entry. This only happens with imported
tables in a WebAssembly module where the table itself was defined on the
host. If the table was defined in another wasm module or in the local
wasm module this bug would not occur. Additionally this bug requires
enabling the reference types proposal for WebAssembly (which is enabled
by default) due to the usage of encodings for null funcrefs in element
segments.
Alex Crichton
2022-07-15 15:14:53 -05:00
committed by GitHub
parent eca0a73453
commit 33312c5380
2 changed files with 28 additions and 1 deletions


@@ -280,7 +280,9 @@ impl Table {
}; };
for (item, slot) in items.zip(elements) { for (item, slot) in items.zip(elements) {
*slot = item as usize; unsafe {
*slot = TableElement::FuncRef(item).into_table_value();
}
} }
Ok(()) Ok(())
} }
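Review bot: The new `unsafe` block around `*slot = TableElement::FuncRef(item).into_table_value();` carries no `// SAFETY:` comment, so a reader cannot tell which invariant makes the call sound at this site. From the commit description `item` appears to be a raw `*mut VMCallerCheckedAnyfunc` that is legitimately null for `ref.null func` entries, so the comment should state what the caller guarantees about that pointer rather than leaving it implicit, e.g. `// SAFETY: \`item\` is either null or a pointer to an anyfunc owned by this instance; into_table_value only encodes it (confirm its documented contract).` The requirement `into_table_value` actually imposes is not visible in this hunk, so the wording above is a placeholder to be checked against its definition. The enclosing method in `impl Table` begins before the hunk.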


@@ -1,3 +1,4 @@
use anyhow::Result;
use wasmtime::*; use wasmtime::*;
#[test] #[test]
@@ -50,3 +51,27 @@ fn copy_wrong() {
"tables do not have the same element type" "tables do not have the same element type"
); );
} }
#[test]
fn null_elem_segment_works_with_imported_table() -> Result<()> {
let mut store = Store::<()>::default();
let ty = TableType::new(ValType::FuncRef, 1, None);
let table = Table::new(&mut store, ty, Val::FuncRef(None))?;
let module = Module::new(
store.engine(),
r#"
(module
(import "" "" (table (;0;) 1 funcref))
(func
i32.const 0
table.get 0
drop
)
(start 0)
(elem (;0;) (i32.const 0) funcref (ref.null func))
)
"#,
)?;
Instance::new(&mut store, &module, &[table.into()])?;
Ok(())
}
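Review bot: The new test `null_elem_segment_works_with_imported_table` only checks that instantiation and the `table.get` in the start function do not panic; it never reads back what the element segment wrote into the host-defined table, so a regression that stores a wrong but non-panicking encoding for the null entry would still pass. After the `Instance::new(&mut store, &module, &[table.into()])?;` line, pin the value as well: `assert!(matches!(table.get(&mut store, 0), Some(Val::FuncRef(None))));`. The `use anyhow::Result;` hunk in the same file is a trivial import addition needed by the new test's return type.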