WebAssembly
[Bug] Assertion failed is_name() in wabt::Var::name()
Description
We encountered a SIGABRT (Assertion Failure) in wasm-decompile. The crash occurs within wabt::Var::name() when decompiling a malformed WebAssembly binary.
The assertion is_name() fails, indicating that the decompiler attempts to access the string name of a wabt::Var object that actually holds a numeric index (or is undefined), not a name string. This happens inside DecompileExpr, likely when processing an instruction that references a function, global, or type by index, but the code path improperly assumes it has a name.
Environment
- OS: Linux x86_64
- Complier: Clang
- Tools: gdb
Vulnerability Details
- Target: wasm-decompile
- Crash Type: Assertion Failure (SIGABRT)
- Location:include/wabt/ir.h:82
- Function: const std::string& wabt::Var::name() const
- Assertion: Assertion is_name() failed
- Root Cause Analysis: The stack trace shows Decompile -> DecompileExpr -> Var::name. The DecompileExpr function is traversing the AST. At some point, it encounters a node and attempts to retrieve the name of the referenced entity using .name(). However, the Var object associated with that instruction is index-based , not name-based. The decompiler should check is_name() before calling name(), or use a safer accessor that handles both indices and names.
Reproduce
gdb --args ./wasm-decompile ./repro
r
bt
Download Link: repro
Stack Trace (GDB)
wasm-decompile: /src/wabt/include/wabt/ir.h:82: const std::string &wabt::Var::name() const: Assertion `is_name()' failed.
Program received signal SIGABRT, Aborted.
0x00007f07c54fcb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007f07c54fcb2c in pthread_kill () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f07c54a327e in raise () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f07c54868ff in abort () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007f07c548681b in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00007f07c5499517 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5 0x00005601b368553e in wabt::Var::name[abi:cxx11]() const (
this=<optimized out>) at /src/wabt/include/wabt/ir.h:82
#6 0x00005601b368553e in wabt::Decompiler::DecompileExpr (
this=<optimized out>, n=..., parent=<optimized out>)
#7 0x00005601b367cc5e in wabt::Decompiler::DecompileExpr (
this=<optimized out>, n=..., parent=<optimized out>)
at /src/wabt/src/decompiler.cc:357
#8 0x00005601b367cc5e in wabt::Decompiler::DecompileExpr (
this=<optimized out>, n=..., parent=<optimized out>)
at /src/wabt/src/decompiler.cc:357
#9 0x00005601b3671ad6 in wabt::Decompiler::Decompile[abi:cxx11]() (
this=<optimized out>) at /src/wabt/src/decompiler.cc:832
#10 0x00005601b366c1f5 in wabt::Decompile[abi:cxx11](wabt::Module const&, wabt::DecompileOptions const&) (module=..., options=...)
at /src/wabt/src/decompiler.cc:861
#11 0x00005601b35bb47e in ProgramMain (argc=<optimized out>,
argv=<optimized out>) at /src/wabt/src/tools/wasm-decompile.cc:103
#12 0x00007f07c54881ca in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#13 0x00007f07c548828b in __libc_start_main ()
from /lib/x86_64-linux-gnu/libc.so.6
#14 0x00005601b34d6645 in _start ()
wasm-decompile doesn't currently have a maintainer, or anyone who works on it. If you would like to send PR please do.
