workaround: prevent usage of anyref in struct fields and array elements

Author: lum1n0us

core/iwasm/interpreter/wasm_loader.c

@@ -1920,6 +1920,11 @@ resolve_struct_type(const uint8 **p_buf, const uint8 *buf_end,
         if (need_ref_type_map)
             ref_type_map_count++;
 
+        if (wasm_is_reftype_anyref(ref_type.ref_type)) {
+            LOG_ERROR("Not support using anyref in struct fields");
+            return false;
+        }
+
         if (wasm_is_type_reftype(ref_type.ref_type))
             ref_field_count++;
 
@@ -2039,6 +2044,11 @@ resolve_array_type(const uint8 **p_buf, const uint8 *buf_end,
         return false;
     }
 
+    if (wasm_is_reftype_anyref(ref_type.ref_type)) {
+        LOG_ERROR("Not support using anyref in array element type");
+        return false;
+    }
+
     CHECK_BUF(p, p_end, 1);
     mutable = read_uint8(p);
     if (!check_mutability(mutable, error_buf, error_buf_size)) {

tests/unit/gc/CMakeLists.txt

@@ -11,6 +11,7 @@ set (WAMR_BUILD_GC 1)
 set (WAMR_BUILD_INTERP 1)
 set (WAMR_BUILD_AOT 0)
 set (WAMR_BUILD_APP_FRAMEWORK 0)
+set (WAMR_BUILD_SANITIZER "asan")
 
 include (../unit_common.cmake)
 

tests/unit/gc/gc_test.cc

@@ -53,14 +53,16 @@ class WasmGCTest : public testing::Test
   public:
     bool load_wasm_file(const char *wasm_file)
     {
-        const char *file;
+        char *file;
         unsigned char *wasm_file_buf;
         uint32 wasm_file_size;
 
         file = strdup((CWD + "/" + wasm_file).c_str());
 
         wasm_file_buf =
             (unsigned char *)bh_read_file_to_buffer(file, &wasm_file_size);
+        free(file);
+
         if (!wasm_file_buf)
             return false;
 
@@ -100,3 +102,10 @@ TEST_F(WasmGCTest, Test_app1)
     ASSERT_TRUE(load_wasm_file("func1.wasm"));
     ASSERT_TRUE(load_wasm_file("func2.wasm"));
 }
+
+TEST_F(WasmGCTest, Test_nested_struct)
+{
+    //FIXME: Revert the change when anyref support is added
+    ASSERT_FALSE(load_wasm_file("nested_struct_field_any.wasm"));
+    ASSERT_FALSE(load_wasm_file("nested_array_elem_any.wasm"));
+}

tests/unit/gc/wasm-apps/nested_array_elem_any.wasm

@@ -0,0 +1,63 @@
+(module
+  (type $array_type (array (mut anyref)))
+
+  (global $g_array
+    (mut (ref $array_type))
+    (array.new_fixed $array_type 2
+      (ref.i31 (i32.const 10))
+      (array.new_fixed $array_type 2
+        (ref.i31 (i32.const 20))
+        (array.new_default $array_type (i32.const 2))
+      )
+    )
+  )
+
+  ;; assert_return(invoke "get_elem0"), 10)
+  (func (export "get_elem0") (result i32)
+    (i31.get_s (ref.cast i31ref (array.get $array_type (global.get $g_array) (i32.const 0))))
+  )
+
+  ;; assert_return(invoke "get_elem1"), array.new_fixed $array_type ...)
+  (func (export "get_elem1") (result anyref)
+    (array.get $array_type (global.get $g_array) (i32.const 1))
+  )
+
+  ;; assert_return(invoke "get_elem1_elem0"), 20)
+  (func (export "get_elem1_elem0") (result i32)
+    (i31.get_s (ref.cast i31ref
+      (array.get $array_type
+        (ref.cast (ref $array_type)
+          (array.get $array_type (global.get $g_array) (i32.const 1))
+        )
+        (i32.const 0)
+      )
+    ))
+  )
+
+  ;; assert_return(invoke "get_elem1_elem1"), array.new_default $array_type ...)
+  (func (export "get_elem1_elem1") (result anyref)
+    (array.get $array_type
+      (ref.cast (ref $array_type)
+        (array.get $array_type (global.get $g_array) (i32.const 1))
+      )
+      (i32.const 1)
+    )
+  )
+
+  ;; assert_return(invoke "get_elem1_elem1_elem0"), 0)
+  (func (export "get_elem1_elem1_elem0") (result i32)
+    (i31.get_s (ref.cast i31ref
+      (array.get $array_type
+        (ref.cast (ref $array_type)
+          (array.get $array_type
+            (ref.cast (ref $array_type)
+              (array.get $array_type (global.get $g_array) (i32.const 1))
+            )
+            (i32.const 1)
+          )
+        )
+        (i32.const 0)
+      )
+    ))
+  )
+)

tests/unit/gc/wasm-apps/nested_array_elem_any.wat

@@ -0,0 +1,55 @@
+(module
+  (type $struct_type (struct (field (mut i32)) (field (mut anyref))))
+
+  (global $g_struct
+    (mut (ref $struct_type))
+    (struct.new $struct_type
+      (i32.const 10)
+      (struct.new $struct_type
+        (i32.const 20)
+        (struct.new_default $struct_type)
+      )
+    )
+  )
+
+  ;; assert_return(invoke "get_field1"), 10)
+  (func (export "get_field1") (result i32)
+    (struct.get $struct_type 0 (global.get $g_struct))
+  )
+
+  ;; assert_return(invoke "get_field1"), struct.new $struct_type ...)
+  (func (export "get_field2") (result anyref)
+    (struct.get $struct_type 1 (global.get $g_struct))
+  )
+
+  ;; assert_return(invoke "get_field2_field1"), 20)
+  (func (export "get_field2_field1") (result i32)
+    (struct.get $struct_type 0
+      (ref.cast structref
+        (struct.get $struct_type 1 (global.get $g_struct))
+      )
+    )
+  )
+
+  ;; assert_return(invoke "get_field2_field2"), struct.new_default $struct_type ...)
+  (func (export "get_field2_field2") (result anyref)
+    (struct.get $struct_type 1
+      (ref.cast structref
+        (struct.get $struct_type 1 (global.get $g_struct))
+      )
+    )
+  )
+
+  ;; assert_return(invoke "get_field2_field2_field1"), 0)
+  (func (export "get_field2_field2_field1") (result i32)
+    (struct.get $struct_type 0
+      (ref.cast structref
+        (struct.get $struct_type 1
+          (ref.cast structref
+            (struct.get $struct_type 1 (global.get $g_struct))
+          )
+        )
+      )
+    )
+  )
+)