Validate overflow in stack layout calculation

Author: kateinoigakukun

FuzzTesting/FailCases/FuzzExecute/crash-0e27f2ac7ea0e6aec7910b36d3113d3b32f97525

@@ -51,12 +51,12 @@ def run(args):
             crash_file = os.path.join(fail_dir, f"diff-{i}.wasm")
             shutil.copy(wasm_file, crash_file)
             print(f"Found crash in iteration {i};"
-                  " reproduce with {args.program} {crash_file}")
+                  f" reproduce with {args.program} {crash_file}")
         except subprocess.TimeoutExpired:
             timeout_file = os.path.join(fail_dir, f"timeout-{i}.wasm")
             shutil.copy(wasm_file, timeout_file)
             print(f"Timeout in iteration {i};"
-                  " reproduce with {args.program} {timeout_file})")
+                  f" reproduce with {args.program} {timeout_file})")
         except KeyboardInterrupt:
             print("Interrupted by user")
             break

FuzzTesting/differential.py

@@ -181,7 +181,7 @@ struct WasmFunctionEntity {
     @inline(never)
     mutating func compile(runtime: RuntimeRef, code: InternalUncompiledCode) throws -> InstructionSequence {
         let type = self.type
-        var translator = InstructionTranslator(
+        var translator = try InstructionTranslator(
             allocator: runtime.value.store.allocator.iseqAllocator,
             runtimeConfiguration: runtime.value.configuration,
             funcTypeInterner: runtime.value.funcTypeInterner,

Sources/WasmKit/Execution/Function.swift

@@ -140,7 +140,7 @@ public struct Instance {
             let (iseq, locals, _) = function.assumeCompiled()
 
             // Print slot space information
-            let stackLayout = StackLayout(
+            let stackLayout = try StackLayout(
                 type: runtime.funcTypeInterner.resolve(function.type),
                 numberOfLocals: locals,
                 codeSize: code.expression.count

Sources/WasmKit/Execution/Instances.swift

@@ -221,11 +221,15 @@ struct StackLayout {
         return VReg(numberOfLocals + constantSlotSize)
     }
 
-    init(type: FunctionType, numberOfLocals: Int, codeSize: Int) {
+    init(type: FunctionType, numberOfLocals: Int, codeSize: Int) throws {
         self.frameHeader = FrameHeaderLayout(type: type)
         self.numberOfLocals = numberOfLocals
         // The number of constant slots is determined by the code size
         self.constantSlotSize = max(codeSize / 20, 4)
+        let (maxSlots, overflow) = self.constantSlotSize.addingReportingOverflow(numberOfLocals)
+        guard !overflow, maxSlots < VReg.max else {
+            throw TranslationError("The number of constant slots overflows")
+        }
     }
 
     func localReg(_ index: LocalIndex) -> VReg {
@@ -805,14 +809,14 @@ struct InstructionTranslator<Context: TranslatorContext>: InstructionVisitor {
         functionIndex: FunctionIndex,
         codeSize: Int,
         intercepting: Bool
-    ) {
+    ) throws {
         self.allocator = allocator
         self.funcTypeInterner = funcTypeInterner
         self.type = type
         self.module = module
         self.iseqBuilder = ISeqBuilder(runtimeConfiguration: runtimeConfiguration)
         self.controlStack = ControlStack()
-        self.stackLayout = StackLayout(
+        self.stackLayout = try StackLayout(
             type: type,
             numberOfLocals: locals.count,
             codeSize: codeSize