Skip to content

improve logic of heap_type validation when ref.null #4372

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

improve logic of heap_type validation when ref.null #4372

wants to merge 9 commits into from
+25 −8

Conversation

Septa2112
Copy link
Contributor

PR #4300 introduced the rationale for validating heap_type.

This patch moves the validation before the computation of type1 to prevent potential overflow.

@Septa2112
Follow-up to PR bytecodealliance#4300: prevent potential overflow
fd5cfe4 
PR bytecodealliance#4300 introduced the rationale for validating heap_type.
This patch moves the validation before the computation of
type1 to prevent potential overflow.
@Septa2112 Septa2112 mentioned this pull request Jun 19, 2025
Open
@Septa2112
Copy link
Contributor Author

Further improved the heap type check logic:

  1. Moved the heap type validation ahead of the if (!is_byte_a_type...) check. Depending on whether heap_type >= 0, different methods are used to get type1.

  2. The type_index check is now performed only when heap_type >= 0, to ensure that type1 is correctly retrieved in this case.

  3. Why not checking type_index when heap_type < 0? Because in the current WAMR implementation, if wasm_is_valid_heap_type(heap_type) is true, then the condition if (!is_byte_a_type(type1) || wasm_is_type_multi_byte_type(type1)) will always be false.

lum1n0us
lum1n0us reviewed Jun 19, 2025
View reviewed changes
lum1n0us
lum1n0us reviewed Jun 24, 2025
View reviewed changes
@Septa2112 Septa2112 changed the title Prevent potential overflow improve logic of heap_type validation when ref.null Jun 25, 2025
lum1n0us
lum1n0us reviewed Jun 27, 2025
View reviewed changes
core/iwasm/interpreter/wasm_loader.c
}
}
else {
if (!wasm_is_valid_heap_type(heap_type)) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Guess heap_type should be type1.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Likewise, considering the same code context in function wasm_loader_prepare_bytecode when WASM_OP_REF_NULL , it might be better to keep the check for int32 heap_type here.

core/iwasm/interpreter/wasm_loader.c
const uint8 *p_copy = p;
int32 heap_type;
read_leb_int32(p_copy, p_end, heap_type);
#endif
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If following the spec, s33 should be a type index. might rename it as type_index better.

Copy link
Contributor Author

@Septa2112 Septa2112 Jun 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it might not be appropriate to rename heap_type to type_idx here:

  1. type_idx has already been defined as a uint32 at the beginning of this function.
  2. Based on the surrounding lines of code in function wasm_loader_prepare_bytecode when WASM_OP_REF_NULL, I think it's clearer and more consistent to keep the name heap_type.

    wasm-micro-runtime/core/iwasm/interpreter/wasm_loader.c

    Lines 13154 to 13169 in 18d4227

    pb_read_leb_int32(p, p_end, heap_type);
    if (heap_type >= 0) {
    if (!check_type_index(module, module->type_count, heap_type,
    error_buf, error_buf_size)) {
    goto fail;
    }
    wasm_set_refheaptype_typeidx(&wasm_ref_type.ref_ht_typeidx,
    true, heap_type);
    ref_type = wasm_ref_type.ref_type;
    }
    else {
    if (!wasm_is_valid_heap_type(heap_type)) {
    set_error_buf(error_buf, error_buf_size,
    "unknown type");
    goto fail;
    }

core/iwasm/interpreter/wasm_loader.c
CHECK_BUF(p, p_end, 1);
type1 = read_uint8(p);

#if WASM_ENABLE_GC == 0
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

like above, in L839, rename type1 to heap_type or abs_heaptype.

core/iwasm/interpreter/wasm_loader.c
goto fail;
}
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

after wasm_is_valid_heap_type(), not sure we still need is_byte_a_type() and wasm_is_type_multi_byte_type().

core/iwasm/interpreter/wasm_loader.c
const uint8 *p_copy = p;
int32 heap_type;
read_leb_int32(p_copy, p_end, heap_type);
#endif
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another thing, L872 will read it again. Seems we can remove either one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lum1n0us lum1n0us lum1n0us left review comments

@loganek loganek Awaiting requested review from loganek loganek is a code owner

@no1wudi no1wudi Awaiting requested review from no1wudi no1wudi is a code owner

@TianlongLiang TianlongLiang Awaiting requested review from TianlongLiang TianlongLiang is a code owner

@wenyongh wenyongh Awaiting requested review from wenyongh wenyongh is a code owner

@xujuntwt95329 xujuntwt95329 Awaiting requested review from xujuntwt95329 xujuntwt95329 is a code owner

@yamt yamt Awaiting requested review from yamt yamt is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Septa2112 @lum1n0us