Skip to main content

synth_core/
wasm_stack_check.rs

1//! Pre-flight wasm value-stack underflow detector.
2//!
3//! Real wasm input is validated by the decoder (wasmparser). This module is
4//! a safety net for *direct callers* of the lowering pipeline that feed in
5//! raw `Vec<WasmOp>` without going through the validator — most notably the
6//! fuzz harnesses, which intentionally generate malformed sequences to
7//! prove the contract that lowering returns `Err`, not panics.
8//!
9//! The check is best-effort and, above all, *sound* — it never rejects valid
10//! wasm. Stack effects that depend on data we don't have here (block-result
11//! arities, callee signatures) are handled conservatively:
12//!
13//! * `Call` and unmodeled ops (SIMD, etc.) bail out with `Ok(())` — their
14//!   effect is signature/type dependent.
15//! * The stack-polymorphic terminators `unreachable`/`return`/`br`/`br_table`
16//!   also bail with `Ok(())`: everything after them (up to the enclosing
17//!   `end`) is unreachable and, per the wasm spec, type-checks against an
18//!   infinite-depth polymorphic stack, so depth-only reasoning would produce
19//!   *false* underflows there (issue #329).
20//! * `Block`/`Loop`/`If`/`Else`/`End` are modeled as stack-neutral. In
21//!   reachable code the depth counter can then only ever *over*-count (it
22//!   never pops the `if` condition and never resets at `else`/`end`), so it
23//!   cannot invent an underflow — it just catches fewer of them past a block.
24//!
25//! The net effect: the check reliably rejects the control-flow-free underflow
26//! shapes (the fuzz-harness bug class below) and never false-rejects a
27//! `wasm-tools`-valid module.
28//!
29//! The bug this was written for ([PR #113 fuzz harness wasm_ops_lower_or_error,
30//! input `[I32DivS]` with empty initial stack]) sits squarely inside the
31//! modeled subset, which is the common case.
32//!
33//! ## Scope
34//!
35//! The validator does *not* enforce wasm type checking — it only tracks
36//! stack *depth*. So `i32.const ; i64.add` will pass even though it's
37//! type-invalid. Type errors fall to the lowering pipeline, which now
38//! raises them as `Err` (per PR #117 — the same audit pass).
39//!
40//! ## Why not just call wasmparser?
41//!
42//! Two reasons:
43//! * The lowering pipeline accepts `Vec<WasmOp>` (its own enum), not raw
44//!   wasm bytes. Threading wasmparser back would require a re-encoder.
45//! * The harnesses *want* to feed malformed input. We want a cheap local
46//!   check that returns Err rather than panics, not full re-validation.
47//!
48//! See PR #117 for the original fuzz crash that motivated this module.
49//!
50//! Note: `Select` is modeled as `pop 3, push 1` — wasm's `select` consumes
51//! two values and a condition. `MemoryGrow` pops a page count and pushes
52//! the previous size (or -1). `MemorySize` is a pure push.
53
54use crate::Error;
55use crate::wasm_op::WasmOp;
56
57/// Pre-flight check: returns `Err(Error::validation(...))` if any modeled
58/// op would underflow the wasm value stack. If the sequence contains
59/// control-flow ops we don't model, returns `Ok(())` (bails conservatively).
60pub fn check_no_underflow(wasm_ops: &[WasmOp]) -> crate::Result<()> {
61    let mut depth: i64 = 0;
62    for (idx, op) in wasm_ops.iter().enumerate() {
63        match stack_effect_or_bail(op) {
64            StackEffect::Modeled { pops, pushes } => {
65                if depth < pops as i64 {
66                    return Err(Error::validation(format!(
67                        "wasm value-stack underflow at op {idx} ({op:?}): \
68                         would pop {pops} from depth {depth}"
69                    )));
70                }
71                depth -= pops as i64;
72                depth += pushes as i64;
73            }
74            StackEffect::Bail => return Ok(()),
75        }
76    }
77    Ok(())
78}
79
80/// #587: a conservative UPPER BOUND on the wasm value-stack depth this op
81/// sequence can reach. Used by the ARM backend's `pool-grow` exhaustion-
82/// recovery rung to size the i64 spill-slot pool: the number of values
83/// *simultaneously* spilled by the direct selector can never exceed the
84/// number of values simultaneously live on the operand stack, so a pool of
85/// `max_depth_bound` slots (plus the resolver/result-parking transients the
86/// caller adds) cannot exhaust through the deepest-value spill loop.
87///
88/// Over-approximation rules (never under-counts in reachable code):
89/// * Modeled ops apply their exact pops/pushes; a would-be underflow clamps
90///   to 0 (malformed input is someone else's Err, not a panic here).
91/// * Unmodeled/`Bail` ops (`call`, terminators, SIMD, …) are treated as net
92///   `+1` — every wasm op pushes at most one value net, so this only ever
93///   over-counts (a call pops its args; a terminator pushes nothing).
94/// * `Block`/`Loop`/`If`/`Else`/`End` are stack-neutral in the effects table,
95///   which over-counts (`if` really pops its condition) — same direction.
96pub fn max_depth_bound(wasm_ops: &[WasmOp]) -> u32 {
97    let mut depth: i64 = 0;
98    let mut max: i64 = 0;
99    for op in wasm_ops {
100        match stack_effect_or_bail(op) {
101            StackEffect::Modeled { pops, pushes } => {
102                depth = (depth - pops as i64).max(0) + pushes as i64;
103            }
104            StackEffect::Bail => depth += 1,
105        }
106        max = max.max(depth);
107    }
108    u32::try_from(max).unwrap_or(u32::MAX)
109}
110
111enum StackEffect {
112    Modeled { pops: u32, pushes: u32 },
113    Bail,
114}
115
116fn modeled(pops: u32, pushes: u32) -> StackEffect {
117    StackEffect::Modeled { pops, pushes }
118}
119
120#[allow(clippy::too_many_lines)]
121fn stack_effect_or_bail(op: &WasmOp) -> StackEffect {
122    use WasmOp::*;
123    match op {
124        // ---- pushes (constants, reads) -----------------------------------
125        I32Const(_) | I64Const(_) | F32Const(_) | F64Const(_) | V128Const(_) | LocalGet(_)
126        | GlobalGet(_) | MemorySize(_) => modeled(0, 1),
127
128        // ---- i32 binary (pop 2, push 1) ----------------------------------
129        I32Add | I32Sub | I32Mul | I32DivS | I32DivU | I32RemS | I32RemU | I32And | I32Or
130        | I32Xor | I32Shl | I32ShrS | I32ShrU | I32Rotl | I32Rotr | I32Eq | I32Ne | I32LtS
131        | I32LtU | I32LeS | I32LeU | I32GtS | I32GtU | I32GeS | I32GeU => modeled(2, 1),
132
133        // ---- i32 unary (pop 1, push 1) -----------------------------------
134        I32Clz | I32Ctz | I32Popcnt | I32Eqz | I32Extend8S | I32Extend16S | I32WrapI64 => {
135            modeled(1, 1)
136        }
137
138        // ---- i64 binary (pop 2, push 1) ----------------------------------
139        I64Add | I64Sub | I64Mul | I64DivS | I64DivU | I64RemS | I64RemU | I64And | I64Or
140        | I64Xor | I64Shl | I64ShrS | I64ShrU | I64Rotl | I64Rotr | I64Eq | I64Ne | I64LtS
141        | I64LtU | I64LeS | I64LeU | I64GtS | I64GtU | I64GeS | I64GeU => modeled(2, 1),
142
143        // ---- i64 unary (pop 1, push 1) -----------------------------------
144        I64Clz | I64Ctz | I64Popcnt | I64Eqz | I64Extend8S | I64Extend16S | I64Extend32S
145        | I64ExtendI32S | I64ExtendI32U => modeled(1, 1),
146
147        // ---- f32 binary --------------------------------------------------
148        F32Add | F32Sub | F32Mul | F32Div | F32Eq | F32Ne | F32Lt | F32Le | F32Gt | F32Ge
149        | F32Min | F32Max | F32Copysign => modeled(2, 1),
150
151        // ---- f32 unary ---------------------------------------------------
152        F32Abs | F32Neg | F32Ceil | F32Floor | F32Trunc | F32Nearest | F32Sqrt => modeled(1, 1),
153
154        // ---- f64 binary --------------------------------------------------
155        F64Add | F64Sub | F64Mul | F64Div | F64Eq | F64Ne | F64Lt | F64Le | F64Gt | F64Ge
156        | F64Min | F64Max | F64Copysign => modeled(2, 1),
157
158        // ---- f64 unary ---------------------------------------------------
159        F64Abs | F64Neg | F64Ceil | F64Floor | F64Trunc | F64Nearest | F64Sqrt => modeled(1, 1),
160
161        // ---- f32 ↔ f64 / int conversions (pop 1, push 1) -----------------
162        F32ConvertI32S | F32ConvertI32U | F32ConvertI64S | F32ConvertI64U | F32DemoteF64
163        | F32ReinterpretI32 | I32ReinterpretF32 | I32TruncF32S | I32TruncF32U | F64ConvertI32S
164        | F64ConvertI32U | F64ConvertI64S | F64ConvertI64U | F64PromoteF32 | F64ReinterpretI64
165        | I64ReinterpretF64 | I64TruncF64S | I64TruncF64U | I32TruncF64S | I32TruncF64U => {
166            modeled(1, 1)
167        }
168
169        // ---- pop-only ----------------------------------------------------
170        LocalSet(_) | GlobalSet(_) | Drop => modeled(1, 0),
171
172        // ---- pop-modify-push (peek-write) --------------------------------
173        LocalTee(_) => modeled(1, 1),
174
175        // ---- memory ------------------------------------------------------
176        // load: pops address, pushes value
177        I32Load { .. }
178        | I32Load8S { .. }
179        | I32Load8U { .. }
180        | I32Load16S { .. }
181        | I32Load16U { .. }
182        | I64Load { .. }
183        | I64Load8S { .. }
184        | I64Load8U { .. }
185        | I64Load16S { .. }
186        | I64Load16U { .. }
187        | I64Load32S { .. }
188        | I64Load32U { .. }
189        | F32Load { .. }
190        | F64Load { .. } => modeled(1, 1),
191        // store: pops value, pops address
192        I32Store { .. }
193        | I32Store8 { .. }
194        | I32Store16 { .. }
195        | I64Store { .. }
196        | I64Store8 { .. }
197        | I64Store16 { .. }
198        | I64Store32 { .. }
199        | F32Store { .. }
200        | F64Store { .. } => modeled(2, 0),
201        // memory.grow: pops page count, pushes previous size or -1
202        MemoryGrow(_) => modeled(1, 1),
203
204        // ---- bulk memory (#374) -----------------------------------------
205        // memory.copy(dst, src, len) and memory.fill(dst, val, len) each pop
206        // three i32 operands and push nothing.
207        MemoryCopy | MemoryFill => modeled(3, 0),
208
209        // ---- select / nop -----------------------------------------------
210        // select: pops two values and a condition (i32), pushes one value
211        Select => modeled(3, 1),
212        Nop => modeled(0, 0),
213
214        // ---- stack-polymorphic terminators (#329) ------------------------
215        // `unreachable`, `return`, `br`, and `br_table` unconditionally
216        // transfer control, so every op *after* one of them (up to the
217        // enclosing `end`) is unreachable and, per the wasm spec, type-checks
218        // against an infinite-depth *polymorphic* stack. A
219        // `drop`/`select`/`local.set`/binary op in that dead region is
220        // perfectly valid wasm even at depth 0 — but our finite depth counter
221        // keeps decrementing and reports a *false* underflow (issue #329).
222        //
223        // (Note: falcon's original `func_30`/`func_39` underflows were a
224        // *different* root cause — the old #369 silent float-op decoder drop,
225        // which dropped pushes and starved the abstract stack; that was fixed
226        // by #369's loud-skip. This arm closes the remaining, latent
227        // dead-code-after-terminator false-positive in the same model.)
228        //
229        // Note the model can only ever *over*-count in reachable code (it
230        // never pops the `if` condition, never resets at `else`/`end`), so a
231        // false underflow is impossible there. Dead code after a polymorphic
232        // terminator is the sole false-reject class — and without block-result
233        // arities we cannot tell where reachable code resumes after the
234        // matching `end`. So we BAIL to `Ok(())` at the terminator: this keeps
235        // the check SOUND (it can only miss a genuine underflow, never invent
236        // one) and matches the module's documented "accept when unsure" intent.
237        //
238        // This does NOT reintroduce the PR #117 fuzz crashes. Those were
239        // panics deep in `wasm_to_ir`/`ir_to_arm` on shapes like
240        // `[Unreachable, I32GeS]`; the panic sites were since converted to
241        // typed `Err` (issue #93 / PR #101 `get_arm_reg`, issue #121
242        // `slot_stack`, and the `Unreachable`/`Return` handlers in
243        // `wasm_to_ir`). The fuzz contract is *no panic* — `Ok` or `Err` both
244        // pass — and those downstream changes, not this pre-flight, guarantee
245        // it. See the `*_does_not_panic_*` regression tests in synth-synthesis.
246        Unreachable | Return | Br(_) | BrTable { .. } => StackEffect::Bail,
247        // BrIf pops the condition (i32) but does NOT terminate — the
248        // fall-through path keeps executing reachable code. After it the stack
249        // lost the condition, so a genuine depth-0 `br_if` still underflows
250        // (kept as a real-underflow anchor).
251        BrIf(_) => modeled(1, 0),
252        // Block / Loop / If / Else / End — control region delimiters. Their
253        // stack effect depends on block type, which we don't have. Treat as
254        // stack-neutral; if a real underflow lurks past one of these, we
255        // accept it (matches the pre-flight's "best-effort safety net" intent).
256        Block | Loop | If | Else | End => modeled(0, 0),
257        // Call — pops N args, pushes M results. Without the callee's
258        // signature we can't compute this. Yield to upstream validation.
259        Call(_) => StackEffect::Bail,
260
261        // ---- SIMD lane ops, etc. — bail ---------------------------------
262        // The selector doesn't fully support these yet; their stack effects
263        // are well-defined but we don't enumerate them here. Bail.
264        _ => StackEffect::Bail,
265    }
266}
267
268#[cfg(test)]
269mod tests {
270    use super::*;
271
272    #[test]
273    fn binary_op_at_empty_stack_is_underflow() {
274        // This is the exact crash input from PR #113's fuzz harness:
275        // FuzzInput { num_params: 1, ops: [I32DivS] }
276        let err = check_no_underflow(&[WasmOp::I32DivS]).unwrap_err();
277        assert!(matches!(err, Error::ValidationError(_)), "got: {err:?}");
278        let msg = format!("{err}");
279        assert!(msg.contains("underflow"));
280        assert!(msg.contains("I32DivS"));
281    }
282
283    #[test]
284    fn well_formed_add_passes() {
285        let ops = vec![WasmOp::I32Const(1), WasmOp::I32Const(2), WasmOp::I32Add];
286        assert!(check_no_underflow(&ops).is_ok());
287    }
288
289    #[test]
290    fn unary_op_at_empty_stack_is_underflow() {
291        let err = check_no_underflow(&[WasmOp::I32Eqz]).unwrap_err();
292        assert!(matches!(err, Error::ValidationError(_)));
293    }
294
295    #[test]
296    fn drop_at_empty_stack_is_underflow() {
297        let err = check_no_underflow(&[WasmOp::Drop]).unwrap_err();
298        assert!(matches!(err, Error::ValidationError(_)));
299    }
300
301    #[test]
302    fn bulk_memory_pops_three_374() {
303        // memory.copy / memory.fill pop 3, push 0: three pushed operands then the
304        // op must balance to depth 0.
305        for op in [WasmOp::MemoryCopy, WasmOp::MemoryFill] {
306            let ok = vec![
307                WasmOp::I32Const(0),
308                WasmOp::I32Const(0),
309                WasmOp::I32Const(0),
310                op.clone(),
311            ];
312            assert!(check_no_underflow(&ok).is_ok(), "{op:?} with 3 operands");
313            // only two operands -> underflow
314            let bad = vec![WasmOp::I32Const(0), WasmOp::I32Const(0), op.clone()];
315            assert!(
316                matches!(
317                    check_no_underflow(&bad).unwrap_err(),
318                    Error::ValidationError(_)
319                ),
320                "{op:?} with 2 operands must underflow"
321            );
322        }
323    }
324
325    #[test]
326    fn store_at_empty_stack_is_underflow() {
327        let err = check_no_underflow(&[WasmOp::I32Store {
328            offset: 0,
329            align: 2,
330        }])
331        .unwrap_err();
332        assert!(matches!(err, Error::ValidationError(_)));
333    }
334
335    #[test]
336    fn select_needs_three_operands() {
337        // select with only 2 operands underflows.
338        let ops = vec![WasmOp::I32Const(1), WasmOp::I32Const(2), WasmOp::Select];
339        let err = check_no_underflow(&ops).unwrap_err();
340        assert!(matches!(err, Error::ValidationError(_)));
341    }
342
343    #[test]
344    fn select_with_three_operands_passes() {
345        let ops = vec![
346            WasmOp::I32Const(1),
347            WasmOp::I32Const(2),
348            WasmOp::I32Const(0),
349            WasmOp::Select,
350        ];
351        assert!(check_no_underflow(&ops).is_ok());
352    }
353
354    #[test]
355    fn call_bails_conservatively() {
356        // Call(_) has a callee-signature-dependent stack effect we can't
357        // compute here, so we bail (accept). Upstream wasm validation
358        // catches real signature mismatches.
359        let ops = vec![WasmOp::Call(0), WasmOp::I32Add];
360        assert!(check_no_underflow(&ops).is_ok());
361    }
362
363    #[test]
364    fn return_then_binary_op_is_accepted_dead_code_329() {
365        // #329: after `return`, the rest of the block is unreachable and
366        // type-checks against a polymorphic (infinite-depth) stack in wasm, so
367        // `[Return, I64Eqz]` is VALID wasm — the pre-flight must not invent an
368        // underflow. (It previously did, modeling `Return` as stack-neutral.)
369        // The downstream `wasm_to_ir` panic-safety this used to stand in for is
370        // now guaranteed by the `slot_stack`/`get_arm_reg` Err conversions —
371        // see the synth-synthesis `*_does_not_panic_*` regression tests.
372        let ops = vec![WasmOp::Return, WasmOp::I64Eqz];
373        assert!(check_no_underflow(&ops).is_ok());
374    }
375
376    #[test]
377    fn br_then_binary_op_is_accepted_dead_code_329() {
378        // Mirror of the Return case for unconditional branch: code after `br`
379        // is unreachable/polymorphic, hence accepted.
380        let ops = vec![WasmOp::Br(0), WasmOp::I32Add];
381        assert!(check_no_underflow(&ops).is_ok());
382    }
383
384    #[test]
385    fn br_table_then_pop_is_accepted_dead_code_329() {
386        // br_table is also a stack-polymorphic terminator.
387        let ops = vec![
388            WasmOp::BrTable {
389                targets: vec![0],
390                default: 0,
391            },
392            WasmOp::Select,
393        ];
394        assert!(check_no_underflow(&ops).is_ok());
395    }
396
397    #[test]
398    fn br_if_pops_condition() {
399        // BrIf pops one (the i32 condition). At depth 0, the BrIf itself
400        // underflows.
401        let ops = vec![WasmOp::BrIf(0)];
402        let err = check_no_underflow(&ops).unwrap_err();
403        assert!(matches!(err, Error::ValidationError(_)));
404    }
405
406    #[test]
407    fn br_if_with_condition_then_op_is_ok() {
408        // BrIf pops 1 (the condition), then I32Const pushes 1, then
409        // I32Eqz pops 1 / pushes 1 — no underflow.
410        let ops = vec![
411            WasmOp::I32Const(1),
412            WasmOp::BrIf(0),
413            WasmOp::I32Const(0),
414            WasmOp::I32Eqz,
415        ];
416        assert!(check_no_underflow(&ops).is_ok());
417    }
418
419    #[test]
420    fn unreachable_then_binary_op_is_accepted_dead_code_329() {
421        // `[Unreachable, I32GeS]` is VALID wasm: after `unreachable` the stack
422        // is polymorphic, so i32.ge_s type-checks. The pre-flight must accept
423        // it (it previously reported a false underflow). The `wasm_to_ir`
424        // no-panic guarantee this used to proxy for now lives downstream.
425        let ops = vec![WasmOp::Unreachable, WasmOp::I32GeS];
426        assert!(check_no_underflow(&ops).is_ok());
427    }
428
429    #[test]
430    fn unreachable_then_consts_then_binary_op_is_ok() {
431        // Also valid — and accepted whether or not the consts re-push (we bail
432        // at the `unreachable`).
433        let ops = vec![
434            WasmOp::Unreachable,
435            WasmOp::I32Const(1),
436            WasmOp::I32Const(2),
437            WasmOp::I32GeS,
438        ];
439        assert!(check_no_underflow(&ops).is_ok());
440    }
441
442    #[test]
443    fn unreachable_then_drop_is_accepted_329() {
444        // Minimal #329 repro shape: `(unreachable) (drop)` — wasm-tools valid,
445        // previously rejected with "would pop 1 from depth 0".
446        let ops = vec![WasmOp::Unreachable, WasmOp::Drop];
447        assert!(check_no_underflow(&ops).is_ok());
448    }
449
450    #[test]
451    fn return_then_select_is_accepted_329() {
452        // The #329 `func_39` Select shape: a select in dead code after a
453        // terminator. Previously "would pop 3 from depth N".
454        let ops = vec![WasmOp::I32Const(0), WasmOp::Return, WasmOp::Select];
455        assert!(check_no_underflow(&ops).is_ok());
456    }
457
458    #[test]
459    fn return_then_local_set_is_accepted_329() {
460        // The #329 `func_30` LocalSet shape: a local.set in dead code.
461        // Previously "would pop 1 from depth 0".
462        let ops = vec![WasmOp::Return, WasmOp::LocalSet(0)];
463        assert!(check_no_underflow(&ops).is_ok());
464    }
465
466    #[test]
467    fn reachable_select_with_block_result_operand_is_ok_329() {
468        // A reachable select whose operands include a block result stays
469        // accepted — the depth counter over-counts across the block markers,
470        // so it never false-rejects. (Sanity that we didn't over-loosen away
471        // from reachable control flow.)
472        let ops = vec![
473            WasmOp::Block,
474            WasmOp::I32Const(5),
475            WasmOp::End,
476            WasmOp::LocalGet(0),
477            WasmOp::LocalGet(1),
478            WasmOp::Select,
479        ];
480        assert!(check_no_underflow(&ops).is_ok());
481    }
482
483    #[test]
484    fn reachable_binary_op_underflow_still_caught_after_block() {
485        // Bounded-loosening anchor: a genuine underflow that does NOT sit in a
486        // dead region is still caught. `Block` is stack-neutral, then I32Add at
487        // depth 0 underflows.
488        let ops = vec![WasmOp::Block, WasmOp::I32Add];
489        let err = check_no_underflow(&ops).unwrap_err();
490        assert!(matches!(err, Error::ValidationError(_)));
491    }
492
493    #[test]
494    fn const_then_unary_then_binary() {
495        // const → eqz → const → const → add — last add needs 2, has 3.
496        let ops = vec![
497            WasmOp::I32Const(0),
498            WasmOp::I32Eqz,
499            WasmOp::I32Const(1),
500            WasmOp::I32Const(2),
501            WasmOp::I32Add,
502        ];
503        assert!(check_no_underflow(&ops).is_ok());
504    }
505
506    #[test]
507    fn empty_input_is_ok() {
508        assert!(check_no_underflow(&[]).is_ok());
509    }
510
511    #[test]
512    fn max_depth_bound_exact_on_modeled_ops() {
513        // #587: 3 consts (depth 3) folded to 1 — the bound is the peak, 3.
514        let ops = vec![
515            WasmOp::I32Const(1),
516            WasmOp::I32Const(2),
517            WasmOp::I32Const(3),
518            WasmOp::I32Add,
519            WasmOp::I32Add,
520        ];
521        assert_eq!(max_depth_bound(&ops), 3);
522        assert_eq!(max_depth_bound(&[]), 0);
523    }
524
525    #[test]
526    fn max_depth_bound_over_approximates_unmodeled_ops() {
527        // #587: `call` bails in the underflow checker; the bound treats it as
528        // net +1 (an over-approximation, never an under-count).
529        let ops = vec![WasmOp::I32Const(1), WasmOp::Call(0), WasmOp::I32Add];
530        assert!(max_depth_bound(&ops) >= 2);
531    }
532}