fast-interp: reject br/br_if/br_table to loop entry from inside try-region

matthargett · matthargett · commit 231862aa6455 · 2026-05-18T22:14:07.000-07:00
When a br skips over a try-region's END, the runtime br doesn't pop
eh-stack entries. For a one-shot br to a block / function-end /
catch, the leaked entry is absorbed by the static
`exception_handler_count * EH_ENTRY_CELLS` reservation and dies at
frame teardown — a load-time `LOG_WARNING` surfaces the shape for
embedders.

If the br target is a LOOP entry, however, every iteration's TRY
push adds one more entry to the eh-stack. After more iterations
than the function's `exception_handler_count`, the next TRY push
writes past the static reservation. `bh_assert(eh_count &lt; count)`
catches this in debug builds, but is a no-op without `BH_DEBUG` —
release builds silently corrupt whatever sat past the reservation
in the frame allocation.

This commit changes that pathological shape from "log a warning
and accept" to "fail load with an explicit error". The check sits
next to the existing `count_try_blocks_crossed &gt; 0` warning at all
three branch sites (BR, BR_IF, BR_TABLE) and only fires when
`frame_csp_tmp-&gt;label_type == LABEL_TYPE_LOOP`. The error message
is identical at each site modulo opcode name:

  "br[_if|_table] to loop entry from inside try-region not
   supported in fast interpreter (would leak eh-stack entries
   per iteration)"

Emitting a synthetic eh-stack pop at the br site would be the
other fix and would let valid modules with this shape run, but it
complicates the rewritten IR's br-info layout (the br dispatch
currently emits a single uint32 depth; a pop-count immediate
would need a per-target lookup) and the shape is rare in
practice. Rejecting at load is the conservative, App-Store-safe
choice — embedders see a deterministic error rather than silent
memory corruption.

Test added in the external integration suite: the previously-
ignored `br_out_of_try_inside_loop` became
`br_out_of_try_inside_loop_rejected`, which asserts the loader
fails with the expected error string.

Codex P1 review feedback on both PRs ("Reject branches that leak
EH entries" / "Reject branches that leak EH stack entries").
diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
@@ -13433,20 +13433,37 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
                     goto fail;
 
 #if WASM_ENABLE_EXCE_HANDLING != 0 && WASM_ENABLE_FAST_INTERP != 0
-                /* Warn (pass 1 only — once per br site) when a br
-                 * skips over a try-region's END. The runtime br
-                 * doesn't pop eh-stack entries, so each leaked entry
-                 * relies on the static
-                 * `exception_handler_count * EH_ENTRY_CELLS` cell
-                 * reservation per frame to absorb it. Pathological
-                 * shape: `loop { try { br_to_loop_top } catch }`
-                 * leaks one entry per iteration and eventually writes
-                 * past that reservation. See `count_try_blocks_
-                 * crossed` for the full mechanism. */
-                if (loader_ctx->p_code_compiled == NULL) {
+                /* When a br skips over a try-region's END, the
+                 * runtime br doesn't pop eh-stack entries. For a
+                 * one-shot br to a block / function-end / catch,
+                 * the leaked entry is absorbed by the static
+                 * `exception_handler_count * EH_ENTRY_CELLS`
+                 * reservation and dies at frame teardown — log
+                 * a warning so the shape shows up in load-time
+                 * diagnostics, but accept the module.
+                 *
+                 * If the br target is a LOOP entry, however,
+                 * every iteration's TRY push adds one more entry
+                 * to the eh-stack and eventually overwrites past
+                 * the static reservation (silently in release
+                 * builds since `bh_assert` is a no-op without
+                 * `BH_DEBUG`). Reject those modules at load time
+                 * — emitting cleanup at the br site would be the
+                 * other fix, but it complicates the hot dispatch
+                 * loop and the shape is rare in practice. */
+                {
                     uint32 leaked = count_try_blocks_crossed(
                         loader_ctx->frame_csp - 1, frame_csp_tmp);
-                    if (leaked > 0) {
+                    if (leaked > 0
+                        && frame_csp_tmp->label_type == LABEL_TYPE_LOOP) {
+                        set_error_buf(error_buf, error_buf_size,
+                                      "br to loop entry from inside "
+                                      "try-region not supported in fast "
+                                      "interpreter (would leak eh-stack "
+                                      "entries per iteration)");
+                        goto fail;
+                    }
+                    if (leaked > 0 && loader_ctx->p_code_compiled == NULL) {
                         LOG_WARNING("wasm fast-interp: br at func[%u] crosses "
                                     "%u try-region(s); each leaks one "
                                     "eh-stack entry until frame teardown",
@@ -13470,10 +13487,19 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
                     goto fail;
 
 #if WASM_ENABLE_EXCE_HANDLING != 0 && WASM_ENABLE_FAST_INTERP != 0
-                if (loader_ctx->p_code_compiled == NULL) {
+                {
                     uint32 leaked = count_try_blocks_crossed(
                         loader_ctx->frame_csp - 1, frame_csp_tmp);
-                    if (leaked > 0) {
+                    if (leaked > 0
+                        && frame_csp_tmp->label_type == LABEL_TYPE_LOOP) {
+                        set_error_buf(error_buf, error_buf_size,
+                                      "br_if to loop entry from inside "
+                                      "try-region not supported in fast "
+                                      "interpreter (would leak eh-stack "
+                                      "entries per iteration)");
+                        goto fail;
+                    }
+                    if (leaked > 0 && loader_ctx->p_code_compiled == NULL) {
                         LOG_WARNING(
                             "wasm fast-interp: br_if at func[%u] crosses "
                             "%u try-region(s); each leaks one "
@@ -13550,10 +13576,19 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
                     }
 
 #if WASM_ENABLE_EXCE_HANDLING != 0 && WASM_ENABLE_FAST_INTERP != 0
-                    if (loader_ctx->p_code_compiled == NULL) {
+                    {
                         uint32 leaked = count_try_blocks_crossed(
                             loader_ctx->frame_csp - 1, frame_csp_tmp);
-                        if (leaked > 0) {
+                        if (leaked > 0
+                            && frame_csp_tmp->label_type == LABEL_TYPE_LOOP) {
+                            set_error_buf(error_buf, error_buf_size,
+                                          "br_table to loop entry from inside "
+                                          "try-region not supported in fast "
+                                          "interpreter (would leak eh-stack "
+                                          "entries per iteration)");
+                            goto fail;
+                        }
+                        if (leaked > 0 && loader_ctx->p_code_compiled == NULL) {
                             LOG_WARNING(
                                 "wasm fast-interp: br_table[%u] at "
                                 "func[%u] crosses %u try-region(s); each "
