Check fuel on GC-related branching instructions (bytecodealliance#11426)

alexcrichton · bongjunj · commit 5884400305d6 · 2025-10-20T08:05:02.000Z
Previously GC instructions didn't check for fuel meaning that an
infinite loop with a GC-related branch instruction would never
terminate.
diff --git a/crates/cranelift/src/func_environ.rs b/crates/cranelift/src/func_environ.rs
@@ -419,6 +419,10 @@ impl<'module_environment> FuncEnvironment<'module_environment> {
             | Operator::Br { .. }
             | Operator::BrIf { .. }
             | Operator::BrTable { .. }
+            | Operator::BrOnNull { .. }
+            | Operator::BrOnNonNull { .. }
+            | Operator::BrOnCast { .. }
+            | Operator::BrOnCastFail { .. }
 
             // Exiting a scope means that we need to update the fuel
             // consumption because there are multiple ways to exit a scope and
diff --git a/tests/all/fuel.rs b/tests/all/fuel.rs
@@ -57,7 +57,7 @@ fn fuel_consumed(config: &Config, wasm: &[u8]) -> Result<u64> {
     Ok(u64::MAX - store.get_fuel()?)
 }
 
-#[wasmtime_test]
+#[wasmtime_test(wasm_features(gc, function_references))]
 #[cfg_attr(miri, ignore)]
 fn iloop(config: &mut Config) -> Result<()> {
     config.consume_fuel(true);
@@ -113,6 +113,64 @@ fn iloop(config: &mut Config) -> Result<()> {
             )
         "#,
     )?;
+    iloop_aborts(
+        &config,
+        r#"
+            (module
+                (start 0)
+                (func loop ref.null func br_on_null 0 drop end)
+            )
+        "#,
+    )?;
+    iloop_aborts(
+        &config,
+        r#"
+            (module
+                (start 0)
+                (func
+                    ref.func 0
+                    loop (param (ref func))
+                        br_on_non_null 0
+                        unreachable
+                    end
+                )
+                (elem declare func 0)
+            )
+        "#,
+    )?;
+    iloop_aborts(
+        &config,
+        r#"
+            (module
+                (start 0)
+                (func
+                    i32.const 0
+                    ref.i31
+                    loop (param (ref i31))
+                        br_on_cast 0 anyref (ref i31)
+                        unreachable
+                    end
+                )
+                (elem declare func 0)
+            )
+        "#,
+    )?;
+    iloop_aborts(
+        &config,
+        r#"
+            (module
+                (start 0)
+                (func
+                    ref.null any
+                    loop (param anyref)
+                        br_on_cast_fail 0 anyref (ref i31)
+                        unreachable
+                    end
+                )
+                (elem declare func 0)
+            )
+        "#,
+    )?;
 
     fn iloop_aborts(config: &Config, wat: &str) -> Result<()> {
         let engine = Engine::new(&config)?;
