From ee13160c10162b2f816e25093aa2d50146b47f19 Mon Sep 17 00:00:00 2001
From: Yuta Saito
Date: Sat, 26 Oct 2024 10:07:59 +0000
Subject: [PATCH] Translator: Fix stack depth check in checkBeforePop
---
 .../crash-2e61aac9dea72d2efe93489c1276ec1b69fb2992 | Bin 0 -> 70 bytes
 Sources/WasmKit/Translator.swift | 10 +++++-----
 2 files changed, 5 insertions(+), 5 deletions(-)
 create mode 100644 FuzzTesting/FailCases/FuzzTranslator/crash-2e61aac9dea72d2efe93489c1276ec1b69fb2992
diff --git a/FuzzTesting/FailCases/FuzzTranslator/crash-2e61aac9dea72d2efe93489c1276ec1b69fb2992 b/FuzzTesting/FailCases/FuzzTranslator/crash-2e61aac9dea72d2efe93489c1276ec1b69fb2992
new file mode 100644
index 0000000000000000000000000000000000000000..0230e496f9c21128e23de43971340ac91e4a5f06
GIT binary patch literal 70 zcmZQbEY4+QU|?Y6VoG3ONMK;Dsjp|^1d1>*G8~-4$PA>|*cj^>9T~W}BpJnl!j2tR QuPmyCkje~vK&9N=0G1^UfdBvi literal 0 HcmV?d00001
diff --git a/Sources/WasmKit/Translator.swift b/Sources/WasmKit/Translator.swift
index 9d78dfda..3a7135a3 100644
--- a/Sources/WasmKit/Translator.swift
+++ b/Sources/WasmKit/Translator.swift
@@ -900,8 +900,8 @@ struct InstructionTranslator: InstructionVisitor {
 ///
 /// - Parameter typeHint: A type expected to be popped. Only used for diagnostic purpose.
 /// - Returns: `true` if check succeed. `false` if the pop operation is going to be performed in unreachable code path.
- private func checkBeforePop(typeHint: ValueType?, controlFrame: ControlStack.ControlFrame) throws -> Bool {
- if _slowPath(valueStack.height <= controlFrame.stackHeight) {
+ private func checkBeforePop(typeHint: ValueType?, depth: Int = 0, controlFrame: ControlStack.ControlFrame) throws -> Bool {
+ if _slowPath(valueStack.height - depth <= controlFrame.stackHeight) {
 if controlFrame.reachable {
 let message: String
 if let typeHint {
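Review bot: The doc comment directly above `checkBeforePop(typeHint:depth:controlFrame:)` still documents only `typeHint`, so the new `depth` parameter and the meaning of `valueStack.height - depth` are left unexplained; add `/// - Parameter depth: Distance from the top of the value stack of the entry about to be popped (0 = top). The check fails when that entry lies below the base of the current control frame.` next to the existing `- Parameter typeHint:` line. The forwarding overload `checkBeforePop(typeHint:depth:)` in the next hunk gains the same defaulted parameter and has no doc comment at all, so the same note belongs there. It would also help to say in that comment that a `depth` larger than `valueStack.height` is presumably harmless only because the subtraction goes negative and therefore takes the same error path, which is not obvious from the expression. checkBeforePop's body continues outside the hunk.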
@@ -916,9 +916,9 @@ struct InstructionTranslator: InstructionVisitor {
 }
 return true
 }
- private func checkBeforePop(typeHint: ValueType?) throws -> Bool {
+ private func checkBeforePop(typeHint: ValueType?, depth: Int = 0) throws -> Bool {
 let controlFrame = try controlStack.currentFrame()
- return try self.checkBeforePop(typeHint: typeHint, controlFrame: controlFrame)
+ return try self.checkBeforePop(typeHint: typeHint, depth: depth, controlFrame: controlFrame)
 }
 private mutating func ensureOnVReg(_ source: ValueSource) -> VReg {
 // TODO: Copy to stack if source is on preg
@@ -994,7 +994,7 @@ struct InstructionTranslator: InstructionVisitor {
 private func checkStackTop(_ valueTypes: [ValueType]) throws {
 for (stackDepth, type) in valueTypes.reversed().enumerated() {
- guard try checkBeforePop(typeHint: type) else { return }
+ guard try checkBeforePop(typeHint: type, depth: stackDepth) else { return }
 let actual = valueStack.peekType(depth: stackDepth)
 switch actual {
 case .some(let actualType):
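Review bot: The only regression coverage for the `depth: stackDepth` argument in `checkStackTop` is the binary fuzz reproducer added under `FuzzTesting/FailCases/FuzzTranslator/`, which records the crash but not the intended behaviour; a readable unit test that hands the translator a block whose operand stack holds fewer values than its result types and asserts that a validation error is thrown, rather than a trap or an out-of-range `valueStack.peekType(depth:)`, would pin this fix in the normal test suite. Before this change the loop checked only the top of the stack and then peeked at every `stackDepth`, which is presumably what the fuzzer hit; a comment above the loop such as `// Every depth is re-checked against the frame base before peeking; a single top-of-stack check is not enough.` would record why the per-iteration check is needed. checkStackTop's body continues outside the hunk.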