Fix array.new_default validation for non-defaultable element types (#4853)

orange-dot · orange-dot · commit cb5fd0ffc689 · 2026-04-23T00:06:44.000+02:00
diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
@@ -307,6 +307,17 @@ is_packed_type(uint8 type)
 {
     return (type == PACKED_TYPE_I8 || type == PACKED_TYPE_I16) ? true : false;
 }
+
+static bool
+is_defaultable_array_elem_type(uint8 elem_type, WASMRefType *elem_ref_type)
+{
+    if (!wasm_is_type_multi_byte_type(elem_type)) {
+        return true;
+    }
+
+    bh_assert(elem_ref_type);
+    return elem_ref_type->ref_ht_common.nullable;
+}
 #endif
 
 static bool
@@ -1396,6 +1407,16 @@ load_init_expr(WASMModule *module, const uint8 **p_buf, const uint8 *buf_end,
                             WASMValue len_val;
                             uint32 len;
 
+                            if (!is_defaultable_array_elem_type(
+                                    array_type->elem_type,
+                                    array_type->elem_ref_type)) {
+                                set_error_buf(
+                                    error_buf, error_buf_size,
+                                    "array.new_default requires a defaultable "
+                                    "element type");
+                                goto fail;
+                            }
+
                             /* POP(i32) */
                             if (!pop_const_expr_stack(
                                     &const_expr_ctx, NULL, VALUE_TYPE_I32, NULL,
@@ -15020,6 +15041,16 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
                             else
                                 POP_REF(elem_type);
                         }
+                        else if (opcode1 == WASM_OP_ARRAY_NEW_DEFAULT) {
+                            if (!is_defaultable_array_elem_type(
+                                    elem_type, array_type->elem_ref_type)) {
+                                set_error_buf(
+                                    error_buf, error_buf_size,
+                                    "array.new_default requires a defaultable "
+                                    "element type");
+                                goto fail;
+                            }
+                        }
                         else if (opcode1 == WASM_OP_ARRAY_NEW_DATA) {
                             /* offset of data segment */
                             POP_I32();
diff --git a/tests/unit/gc/gc_test.cc b/tests/unit/gc/gc_test.cc
@@ -92,4 +92,9 @@ TEST_F(WasmGCTest, Test_nested_struct)
     //FIXME: Revert the change when anyref support is added
     ASSERT_FALSE(load_wasm_file("nested_struct_field_any.wasm"));
     ASSERT_FALSE(load_wasm_file("nested_array_elem_any.wasm"));
-}
+}
+
+TEST_F(WasmGCTest, Test_array_new_default_non_defaultable_elem)
+{
+    ASSERT_FALSE(load_wasm_file("array_new_default_non_defaultable_elem.wasm"));
+}
diff --git a/tests/unit/gc/wasm-apps/array_new_default_non_defaultable_elem.wasm b/tests/unit/gc/wasm-apps/array_new_default_non_defaultable_elem.wasm
diff --git a/tests/unit/gc/wasm-apps/array_new_default_non_defaultable_elem.wat b/tests/unit/gc/wasm-apps/array_new_default_non_defaultable_elem.wat
@@ -0,0 +1,8 @@
+(module
+  (type $elem (array i32))
+  (type $outer (array (ref $elem)))
+
+  (func (export "new_invalid_array")
+    (array.new_default $outer (i32.const 1))
+    drop)
+)
