
[Bug] Assertion failed isStruct() in wasm::HeapType::getStruct during makeStructGet

Open oneafter opened this issue 2 months ago • 0 comments

Description

We encountered a SIGABRT (Assertion Failure) in wasm-dis. The crash occurs within wasm::HeapType::getStruct when disassembling a malformed WebAssembly binary.

The assertion isStruct() fails, indicating that the parser encountered a struct.get instruction where the type of the reference being accessed is not a struct type, but the code proceeds to treat it as a struct.

Environment

  • OS: Linux x86_64
  • Compiler: Clang
  • Tools: gdb

Vulnerability Details

  • Target: wasm-dis
  • Crash Type: Assertion Failure (SIGABRT)
  • Location: src/wasm/wasm-type.cpp:910
  • Function: const Struct& wasm::HeapType::getStruct() const
  • Assertion: Assertion isStruct() failed
  • Root Cause Analysis: The stack trace shows WasmBinaryReader::readInst -> IRBuilder::makeStructGet -> HeapType::getStruct. The readInst function parses a struct.get instruction. makeStructGet attempts to retrieve the structure definition of the operand's type via getStruct(). However, the binary supplies a type that is not a struct, causing the isStruct() check to fail. The reader should validate that the type is actually a struct before attempting to access its field information.
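As an added illustration of the validation the root-cause analysis calls for (a self-contained toy model, not binaryen's code; every type and function name here is hypothetical), the snippet below contrasts an accessor whose only precondition check is an assert with a builder that rejects a non-struct operand type, and an out-of-range field index, by returning an error instead of aborting:

```cpp
#include <cassert>
#include <cstddef>
#include <string>
#include <variant>
#include <vector>

// Hypothetical heap-type kinds; only Struct carries a struct definition.
enum class Kind { Struct, Array, Func, Basic };

struct Field { std::string name; };
struct Struct { std::vector<Field> fields; };

struct HeapType {
  Kind kind;
  Struct structDef;  // meaningful only when kind == Kind::Struct
  bool isStruct() const { return kind == Kind::Struct; }
  // Mirrors the failing accessor: the precondition is enforced only by an
  // assert, so a malformed binary turns into a SIGABRT.
  const Struct& getStruct() const { assert(isStruct()); return structDef; }
};

struct StructGet { std::size_t field; };
using Result = std::variant<StructGet, std::string>;  // value or error text

// Unchecked shape: trusts the operand type and aborts on untrusted input.
Result makeStructGetUnchecked(const HeapType& type, std::size_t field) {
  (void)type.getStruct();  // assertion failure when type is not a struct
  return StructGet{field};
}

// Hardened shape: validate before dereferencing, report a parse error.
Result makeStructGetChecked(const HeapType& type, std::size_t field) {
  if (!type.isStruct()) {
    return std::string("struct.get: operand heap type is not a struct");
  }
  const Struct& s = type.getStruct();
  if (field >= s.fields.size()) {
    return std::string("struct.get: field index out of bounds");
  }
  return StructGet{field};
}

bool isError(const Result& r) { return std::holds_alternative<std::string>(r); }
std::string errorOf(const Result& r) { return std::get<std::string>(r); }
```

The checked variant is the behaviour a reader or disassembler should expose on malformed input: a diagnostic to the caller rather than process termination.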

Reproduce

gdb --args ./wasm-dis ./repro
r
bt

Download Link: repro

Stack Trace (GDB)

wasm-dis: /src/binaryen/src/wasm/wasm-type.cpp:910: const Struct &wasm::HeapType::getStruct() const: Assertion `isStruct()' failed.

Program received signal SIGABRT, Aborted.
0x00007f4b2e3bcb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007f4b2e3bcb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f4b2e36327e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f4b2e3468ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007f4b2e34681b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007f4b2e359517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007f4b318779eb in wasm::HeapType::getStruct (this=<optimized out>) at /src/binaryen/src/wasm/wasm-type.cpp:910
#6  0x00007f4b3173ad46 in wasm::IRBuilder::makeStructGet (this=<optimized out>, type=..., field=<optimized out>, 
    signed_=<optimized out>, order=<optimized out>) at /src/binaryen/src/wasm/wasm-ir-builder.cpp:2162
#7  0x00007f4b3165e98c in wasm::WasmBinaryReader::readInst (this=0x7f4b2c80c0a0)
    at /src/binaryen/src/wasm/wasm-binary.cpp:4596
#8  0x00007f4b31624af7 in wasm::WasmBinaryReader::readFunctions (this=0x7f4b2c80c0a0)
    at /src/binaryen/src/wasm/wasm-binary.cpp:3128
#9  0x00007f4b3160fc30 in wasm::WasmBinaryReader::read (this=0x7f4b2c80c0a0) at /src/binaryen/src/wasm/wasm-binary.cpp:2077
#10 0x00007f4b316c663d in wasm::ModuleReader::readBinaryData (this=<optimized out>, input=..., wasm=..., sourceMapFilename="")
    at /src/binaryen/src/wasm/wasm-io.cpp:67
#11 0x00007f4b316c6dc8 in wasm::ModuleReader::readBinary (this=<optimized out>, filename=..., wasm=..., sourceMapFilename=...)
    at /src/binaryen/src/wasm/wasm-io.cpp:78
#12 0x0000555882657c34 in main (argc=<optimized out>, argv=<optimized out>) at /src/binaryen/src/tools/wasm-dis.cpp:76

oneafter · Dec 05 '25 01:12