wabt
[Bug] Assertion failed exp_stack.size() >= nargs in wabt::AST::InsertNode
Description
We encountered a SIGABRT (Assertion Failure) in wasm-decompile. The crash occurs within wabt::AST::InsertNode when attempting to decompile a malformed WebAssembly binary.
The assertion exp_stack.size() >= nargs fails, indicating that the decompiler attempts to construct an AST node that consumes more operands than are currently available on the internal expression stack. This suggests a stack underflow condition during the AST construction phase.
Environment
- OS: Linux x86_64
- Compiler: Clang
- Tools: gdb
Vulnerability Details
- Target: wasm-decompile
- Crash Type: Assertion Failure (SIGABRT)
- Location: include/wabt/decompiler-ast.h:98
- Function: Node& wabt::AST::InsertNode(NodeType, ExprType, const Expr*, Index)
- Assertion: Assertion exp_stack.size() >= nargs failed
- Root Cause Analysis: The stack trace shows ProgramMain -> Decompile -> AST::Construct -> AST::InsertNode. During the decompilation process, AST::Construct iterates through the instructions to build the tree. It calls InsertNode to add a new operation. The assertion checks if the virtual stack has enough elements to serve as arguments for the new node. The failure implies the binary contains an instruction sequence that causes the decompiler's internal stack tracking to desynchronize or underflow.
Reproduce
gdb --args ./wasm-decompile ./repro
r
bt
Download Link: repro
Stack Trace (GDB)
wasm-decompile: /src/wabt/include/wabt/decompiler-ast.h:98: Node &wabt::AST::InsertNode(NodeType, ExprType, const Expr *, Index): Assertion `exp_stack.size() >= nargs' failed.
Program received signal SIGABRT, Aborted.
0x00007f626a25db2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007f626a25db2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f626a20427e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f626a1e78ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f626a1e781b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007f626a1fa517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x0000562f7eea0958 in wabt::AST::InsertNode (this=0x7f6268a01460, ntype=<optimized out>, etype=<optimized out>,
e=<optimized out>, nargs=<optimized out>) at /src/wabt/include/wabt/decompiler-ast.h:98
#6 0x0000562f7ee9008f in wabt::AST::Construct (this=0x7f6268a01460, es=..., nresults=<optimized out>,
nparams=<optimized out>, is_function_body=<optimized out>) at /src/wabt/include/wabt/decompiler-ast.h:253
#7 0x0000562f7ee86eba in wabt::Decompiler::Decompile[abi:cxx11]() (this=<optimized out>)
at /src/wabt/src/decompiler.cc:802
#8 0x0000562f7ee831f5 in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) (module=...,
options=...) at /src/wabt/src/decompiler.cc:861
#9 0x0000562f7edd247e in ProgramMain (argc=<optimized out>, argv=<optimized out>)
at /src/wabt/src/tools/wasm-decompile.cc:103
#10 0x00007f626a1e91ca in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#11 0x00007f626a1e928b in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#12 0x0000562f7eced645 in _start ()
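The root-cause description above (a node is inserted that consumes more operands than the expression stack holds) can be reproduced in miniature. The following is an added illustration, not wabt's code: a hypothetical stack-based AST builder (`Op`, `Result`, `buildAst` are all made-up names) that walks a constructed instruction sequence, pops `nargs` operands per node, and reports an underflow as a malformed-input error instead of asserting, which is the behaviour a decompiler handling untrusted binaries would want.

```cpp
// Added example, not part of wabt: a minimal model of how a stack-based
// decompiler tracks operands while building an AST, and how an unbalanced
// instruction sequence underflows that stack. All names are hypothetical.
#include <cstddef>
#include <string>
#include <vector>

// Operator with a fixed operand count (hypothetical instruction set).
struct Op {
    std::string name;
    std::size_t nargs;    // operands consumed from the expression stack
    std::size_t nresults; // values pushed back (0 or 1 here)
};

struct Result {
    bool ok;
    std::string error;
    std::size_t final_depth; // expression-stack depth after the last op
    std::string top;         // textual AST of the top-of-stack value, if any
};

// Walk the ops in order, mirroring the "iterate instructions, insert node"
// loop described in the report. Every op must find nargs values already on
// the stack; otherwise the input is unbalanced and we stop with an error.
inline Result buildAst(const std::vector<Op>& ops, std::size_t nparams) {
    std::vector<std::string> exp_stack;  // stand-in for the decompiler's exp_stack
    for (std::size_t i = 0; i < nparams; ++i)
        exp_stack.push_back("param" + std::to_string(i));

    for (std::size_t pc = 0; pc < ops.size(); ++pc) {
        const Op& op = ops[pc];
        if (exp_stack.size() < op.nargs) {
            // This is the condition the assertion in the report checks;
            // a validator should surface it as an error, not abort.
            return {false,
                    "op " + std::to_string(pc) + " (" + op.name + ") needs " +
                        std::to_string(op.nargs) + " operand(s) but stack holds " +
                        std::to_string(exp_stack.size()),
                    exp_stack.size(), exp_stack.empty() ? "" : exp_stack.back()};
        }
        // The top nargs stack entries become the children of the new node,
        // in push order (the last pushed value is the rightmost operand).
        std::size_t first = exp_stack.size() - op.nargs;
        std::string node = op.name + "(";
        for (std::size_t k = first; k < exp_stack.size(); ++k) {
            if (k > first) node += ", ";
            node += exp_stack[k];
        }
        node += ")";
        exp_stack.erase(exp_stack.begin() + static_cast<std::ptrdiff_t>(first),
                        exp_stack.end());
        for (std::size_t k = 0; k < op.nresults; ++k)
            exp_stack.push_back(node);
    }
    return {true, "", exp_stack.size(), exp_stack.empty() ? "" : exp_stack.back()};
}

// Constructed inputs: a balanced sequence and an unbalanced one.
inline Result balancedExample() {
    // i32.const; i32.const; i32.add  -> exactly one value left on the stack
    return buildAst({{"i32.const", 0, 1}, {"i32.const", 0, 1}, {"i32.add", 2, 1}}, 0);
}

inline Result underflowExample() {
    // i32.const; i32.add -> i32.add needs two operands, only one is present
    return buildAst({{"i32.const", 0, 1}, {"i32.add", 2, 1}}, 0);
}
```

The design point is that `exp_stack.size() < op.nargs` is a property of the input, not an internal invariant, so it belongs in an error path that the tool can report (and a fuzzer can classify as a rejected input) rather than behind an `assert` that aborts the process.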
wasm-decompile doesn't currently have a maintainer, or anyone who works on it. If you would like to send a PR, please do.