
DRC free_list panic with addition overflow #13067


Description

@alexcrichton

Given this (unminimized) fuzz-generated input:

;; Reproducer attached to wasmtime issue #13067 (unminimized fuzz input).
;; Run as: wasmtime -Wgc,exceptions,unknown-imports-default --invoke main testcase0.wat
;; Observed result (dev profile, so Rust's overflow checks are enabled):
;;   panic "attempt to add with overflow" at
;;   crates/wasmtime/src/runtime/vm/gc/enabled/free_list.rs:62
;; NOTE(review): which allocation in this module reaches the overflowing add is not
;; shown in the report — confirm with RUST_BACKTRACE=1 before minimizing.
(module
  (rec
    (type (;0;) (sub (struct (field (mut f32)) (field (mut i16)) (field f32) (field (mut v128)) (field (mut i8)) (field (mut i16)) (field (mut i8)) (field (mut f64)))))
    (type (;1;) (array i8))
    (type (;2;) (struct (field (mut i16)) (field i8) (field (mut i16)) (field (mut f32)) (field (mut i8)) (field f64) (field i16) (field (mut i8)) (field (mut i16)) (field (mut i16)) (field (mut i16)) (field anyref) (field (mut i16)) (field i8) (field i8) (field (mut v128)) (field (mut i8)) (field (mut i8)) (field i16) (field (mut i8))))
    (type (;3;) (struct (field i8) (field i8) (field i8) (field (mut i8)) (field (mut i8)) (field v128) (field i16) (field (mut i8)) (field (mut i8)) (field i8) (field i8) (field (mut f32)) (field i8) (field i8) (field i16) (field (mut i8)) (field (mut f32)) (field (mut i64)) (field f64) (field (mut i8))))
    (type (;4;) (func (param f32 f32) (result v128)))
    (type (;5;) (sub (func (param f32))))
    (type (;6;) (sub (struct (field i64) (field (mut i8)) (field (mut i16)) (field (mut f64)) (field (mut f64)) (field i16) (field f32) (field f32) (field f32) (field (mut i16)) (field (mut f32)) (field (mut f64)) (field i8) (field (mut i8)) (field (mut f64)) (field f64) (field i16))))
    (type (;7;) (func (param i32 nullfuncref f64 f64 v128 f64 i32 f64) (result f64)))
    (type (;8;) (func (param i32) (result anyref f64)))
    (type (;9;) (sub (array (mut i16))))
    (type (;10;) (sub (array (mut i16))))
    (type (;11;) (array i8))
    (type (;12;) (array (mut i8)))
    (type (;13;) (sub (array (mut i8))))
    (type (;14;) (sub (func (param f32 i64 f32 f64 f32 f32 v128 f64) (result i64 i64 exnref v128 f64 i32 f32 v128 i32 f64 i64))))
    (type (;15;) (array i8))
    (type (;16;) (sub (array i8)))
    (type (;17;) (sub (array (mut i8))))
    (type (;18;) (sub (func (result v128 f64 f64 i32 f32 f32 f64))))
    (type (;19;) (sub (func (result f64))))
    (type (;20;) (struct (field (mut i16)) (field i8) (field (mut i8)) (field (mut i64)) (field i8) (field i16) (field i64) (field (mut i8)) (field i16) (field (mut f32)) (field (mut i64)) (field (mut f64)) (field f32)))
    (type (;21;) (sub 19 (func (result f64))))
    (type (;22;) (sub 17 (array (mut i8))))
    (type (;23;) (array (mut i8)))
    (type (;24;) (array (mut i8)))
    (type (;25;) (func (param i64 f64 i32 i64 i64 v128 i64) (result f64)))
    (type (;26;) (func (result f32 f64)))
    (type (;27;) (array i64))
    (type (;28;) (array i16))
    (type (;29;) (sub (array (mut i8))))
    (type (;30;) (func (param i32 structref)))
    (type (;31;) (func (param externref i64 f64) (result exnref exnref exnref f64)))
    (type (;32;) (func))
    (type (;33;) (func (param f64)))
    (type (;34;) (sub (array (mut i8))))
    (type (;35;) (sub (array i8)))
    (type (;36;) (sub 0 (struct (field (mut f32)) (field (mut i16)) (field f32) (field (mut v128)) (field (mut i8)) (field (mut i16)) (field (mut i8)) (field (mut f64)))))
    (type (;37;) (sub (array i16)))
    (type (;38;) (struct (field i32) (field i8) (field i8) (field i8) (field i8) (field i8) (field (mut i16)) (field (mut i16)) (field (mut i16)) (field (mut i16)) (field (mut (ref null 34))) (field (mut i8))))
    (type (;39;) (func (param f64 i64)))
    (type (;40;) (sub (func (param f32 i32 v128 f64 f64))))
    (type (;41;) (sub (struct (field i8) (field anyref) (field (mut i16)) (field i8) (field i8) (field (mut v128)) (field (mut i8)) (field (mut i16)) (field (mut i8)))))
    (type (;42;) (array (mut i16)))
    (type (;43;) (sub (array i8)))
    (type (;44;) (sub (array (mut i8))))
    (type (;45;) (func (param f64 i32) (result v128 i64 i32)))
    (type (;46;) (sub (struct (field i16) (field (mut i16)) (field (mut i16)) (field i8) (field i8) (field (mut i8)) (field i8) (field (mut i8)) (field (mut i8)) (field (mut i8)))))
    (type (;47;) (array (mut i8)))
    (type (;48;) (sub (struct (field f64) (field (mut i8)))))
    (type (;49;) (array (mut i8)))
    (type (;50;) (array i8))
    (type (;51;) (sub (struct (field f32) (field (mut i8)))))
    (type (;52;) (array (mut i8)))
    (type (;53;) (sub (array (mut i8))))
    (type (;54;) (array (mut i8)))
    (type (;55;) (array (mut i8)))
    (type (;56;) (array (mut i31ref)))
    (type (;57;) (struct (field i16) (field (mut i16)) (field (mut f32)) (field (mut i8)) (field (mut i8)) (field i8) (field (mut i8)) (field (mut i8))))
    (type (;58;) (array i16))
    (type (;59;) (sub 14 (func (param f32 i64 f32 f64 f32 f32 v128 f64) (result i64 i64 exnref v128 f64 i32 f32 v128 i32 f64 i64))))
    (type (;60;) (sub (func (param f32 funcref i64 f32))))
    (type (;61;) (sub (func (result v128 f64 f32 f64 f64 f64))))
    (type (;62;) (struct (field (mut i16)) (field i8) (field (mut i16)) (field (mut nullexternref)) (field (mut i16)) (field (mut i16)) (field (mut f32)) (field (mut i8)) (field f64) (field i16) (field (mut i8)) (field (mut i16)) (field (mut i16)) (field (mut i16)) (field (mut (ref null 53))) (field (mut i16)) (field (mut i8)) (field (mut i8)) (field anyref) (field (mut i8))))
    (type (;63;) (func (param f64) (result f32 i32)))
    (type (;64;) (sub 0 (struct (field (mut f32)) (field (mut i16)) (field f32) (field (mut v128)) (field (mut i8)) (field (mut i16)) (field (mut i8)) (field (mut f64)))))
    (type (;65;) (sub final 9 (array (mut i16))))
    (type (;66;) (sub (func (result v128 f64 f64 i32 f32 f32 f64))))
    (type (;67;) (sub (func (param i64))))
    (type (;68;) (func (param i32 v128 f64 f32 f64 f64 f64) (result f64 anyref f32 i64 f32 f64 f32 f32 v128 f64)))
    (type (;69;) (struct (field (mut i8)) (field (mut i64)) (field (mut v128)) (field (mut i8))))
  )
  ;; Imports with fuzzer-generated module/field names; presumably satisfied by the
  ;; -Wunknown-imports-default flag in the repro command (not verified here).
  (import "URWKT\u{9}\u{2}}\u{0}\u{0}\u{0}\u{0}\u{c}\u{0}\u{0}{'" "" (table (;0;) 21 213 (ref null 39)))
  (import "KT\u{9}\u{2}) WKT\u{9}\u{2}" "" (table (;1;) 1 10187 (ref null 17)))
  (import "8,'name':'CDCC" "" (global (;0;) (mut f64)))
  (import "z +proj=mbtfpp z +proj=;ieVEsmvnvert" "" (tag (;0;) (type 67) (param i64)))
  (import "_0=0\u{b}" "" (tag (;1;) (type 5) (param f32)))
  ;; Scratch globals; func 2 xors intermediate results into them.
  (global (;1;) (mut i64) i64.const 0)
  (global (;2;) (mut v128) v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000)
  (global (;3;) (mut i64) i64.const 0)
  (global (;4;) (mut i32) i32.const 0)
  (global (;5;) (mut i32) i32.const 0)
  (export "ECCC" (global 0))
  ;; Entry point invoked by `--invoke main` in the repro command.
  (export "main" (func 2))
  (func (;0;) (type 32))
  (func (;1;) (type 61) (result v128 f64 f32 f64 f64 f64)
    v128.const i32x4 0xde100000 0x690c370c 0x2f0c6e47 0x30303030
    f64.const 0x1.030303030303p-236 (;=0.000000000000000000000000000000000000000000000000000000000000000000000009162216479754085;)
    f32.const 0x1.fffff8p-128 (;=0.00000000000000000000000000000000000000587747;)
    f64.const -nan:0x7ffffffffffff (;=NaN;)
    f64.const 0x1.f73686935770dp+736 (;=710540255337142200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000;)
    f64.const 0x1.p-1027 (;=0.0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006953355807835;)
  )
  ;; "main" (exported above). Performs GC allocations (struct.new_default,
  ;; array.new, array.new_default, array.new_fixed) inside nested try_table/loop
  ;; blocks and calls itself recursively (call 2) inside the innermost try_table.
  (func (;2;) (type 61) (result v128 f64 f32 f64 f64 f64)
    (local f64 i64 f32)
    i32.const 1048575
    try_table (result v128) ;; label = @1
      i64.const 34359738367
      table.size 0
      struct.new_default 36
      ref.null 53
      block (type 19) (result f64) ;; label = @2
        block (type 61) (result v128 f64 f32 f64 f64 f64) ;; label = @3
          local.get 0
          global.get 0
          f64.add
          i64.trunc_sat_f64_s
          table.size 0
          array.new 27
          local.get 1
          v128.const i32x4 0x276e7275 0x4f43273a 0x5245764e 0x4e4f4953
          loop (type 61) (result v128 f64 f32 f64 f64 f64) ;; label = @4
            table.size 0
            f64.const -nan:0xfffffffffffc0 (;=NaN;)
            i64.reinterpret_f64
            data.drop 0
            i32.wrap_i64
            i32.ne
            f32.convert_i32_u
            ref.null 1
            i64.const -232906745435090
            i32.const -8193
            i32.extend16_s
            i32.extend16_s
            i32.extend16_s
            i32.extend16_s
            i32.extend16_s
            array.new_fixed 35 0
            i32.const -32
            array.new_default 1
            global.get 0
            i64.trunc_sat_f64_s
            array.new_fixed 27 0
            extern.convert_any
            any.convert_extern
            loop (type 19) (result f64) ;; label = @5
              ;; Clamp local 2 to a finite value in [-2^31, 2^31) before i32.trunc_f32_s
              ;; (fuzzer-inserted guard against a trap).
              f32.const 0x1.88924p+55 (;=55249497000000000;)
              local.tee 2
              local.get 2
              f32.ne
              local.get 2
              f32.const inf (;=inf;)
              f32.eq
              local.get 2
              f32.const -inf (;=-inf;)
              f32.eq
              i32.or
              i32.or
              if ;; label = @6
                f32.const 0x0p+0 (;=0;)
                local.set 2
              end
              local.get 2
              f32.const -0x1.fffffep+30 (;=-2147483500;)
              f32.lt
              if ;; label = @6
                f32.const -0x1.fffffep+30 (;=-2147483500;)
                local.set 2
              end
              local.get 2
              f32.const 0x1.fffffep+30 (;=2147483500;)
              f32.gt
              if ;; label = @6
                f32.const 0x1.fffffep+30 (;=2147483500;)
                local.set 2
              end
              local.get 2
              i32.trunc_f32_s
              data.drop 0
              i32.const 1882139692
              i32.popcnt
              i32.ge_u
              struct.new_default 0
              try_table (type 26) (result f32 f64) (catch_all 1 (;@4;)) (catch_all 1 (;@4;)) (catch_all 1 (;@4;)) (catch_all 1 (;@4;)) (catch_all 0 (;@5;)) (catch_all 1 (;@4;)) ;; label = @6
                ref.null noextern
                i64.const -536870913
                i64.extend32_s
                global.get 0
                global.get 0
                global.get 0
                f64.sqrt
                f32.const 0x1.fffffep+127 (;=340282350000000000000000000000000000000;)
                i32.const 524287
                data.drop 0
                f32.convert_i32_s
                try_table (type 32) (catch_all 2 (;@4;)) (catch_all 1 (;@5;)) (catch_all 2 (;@4;)) (catch_all 2 (;@4;)) (catch_all 2 (;@4;)) ;; label = @7
                  try_table (type 19) (result f64) (catch_all 0 (;@7;)) (catch_all 3 (;@4;)) (catch_all 3 (;@4;)) (catch_all 0 (;@7;)) (catch_all 0 (;@7;)) (catch_all 0 (;@7;)) (catch_all 0 (;@7;)) ;; label = @8
                    nop
                    i32.const 170197050
                    local.get 1
                    f32.convert_i64_u
                    i64.const -262144
                    data.drop 0
                    i64.const 7423338952740843308
                    call 0
                    call 0
                    br 1 (;@7;)
                    ;; Everything below the br up to the matching end is unreachable.
                    data.drop 0
                    i64.le_s
                    f32.convert_i32_u
                    f32.gt
                    data.drop 0
                    i32.add
                    local.get 1
                    i64.ctz
                    array.new_fixed 27 0
                    data.drop 0
                    local.get 1
                    try_table (result v128) (catch_all 1 (;@7;)) (catch_all 1 (;@7;)) (catch_all 1 (;@7;)) ;; label = @9
                      call 0
                      call 2
                      nop
                      drop
                      i64.reinterpret_f64
                      global.get 1
                      i64.xor
                      global.set 1
                      drop
                      drop
                      i64.reinterpret_f64
                      global.get 1
                      i64.xor
                      global.set 1
                    end
                    global.get 2
                    v128.xor
                    global.set 2
                    global.get 3
                    i64.xor
                    global.set 3
                    drop
                    global.get 3
                    i64.xor
                    global.set 3
                    drop
                    f64.const -nan:0xfffbfffffffff (;=NaN;)
                  end
                  i64.reinterpret_f64
                  global.get 1
                  i64.xor
                  global.set 1
                end
                i32.reinterpret_f32
                global.get 4
                i32.xor
                global.set 4
                i32.reinterpret_f32
                global.get 4
                i32.xor
                global.set 4
                i64.reinterpret_f64
                global.get 1
                i64.xor
                global.set 1
                i64.reinterpret_f64
                global.get 1
                i64.xor
                global.set 1
                i64.reinterpret_f64
                global.get 1
                i64.xor
                global.set 1
                global.get 3
                i64.xor
                global.set 3
                drop
                f32.const 0x1.a896aep-109 (;=0.0000000000000000000000000000000025553996;)
                f64.const 0x1.72c38277b0a97p+739 (;=4188167564342942600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000;)
              end
              i64.reinterpret_f64
              global.get 1
              i64.xor
              global.set 1
              i32.reinterpret_f32
              global.get 4
              i32.xor
              global.set 4
              drop
              global.get 5
              i32.xor
              global.set 5
              f64.const 0x1.cbd4343444327p+252 (;=12999158086085096000000000000000000000000000000000000000000000000000000000000;)
            end
            i64.reinterpret_f64
            global.get 1
            i64.xor
            global.set 1
            drop
            global.get 3
            i64.xor
            global.set 3
            drop
            drop
            global.get 5
            i32.xor
            global.set 5
            global.get 3
            i64.xor
            global.set 3
            drop
            i32.reinterpret_f32
            global.get 4
            i32.xor
            global.set 4
            v128.const i32x4 0x70706674 0x2b207a20 0x6a6f7270 0x65693b3d
            f64.const 0x1.0202f766d7345p-509 (;=0.0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006013557289221415;)
            f32.const 0x1.41904p-49 (;=0.0000000000000022312948;)
            f64.const 0x1.55f4e4f47594cp+261 (;=4949483911663249600000000000000000000000000000000000000000000000000000000000000;)
            f64.const 0x1.ffffffp-1050 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000165780916;)
            f64.const 0x1.f3e0000000ep+775 (;=388032490694566600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000;)
          end
          i64.reinterpret_f64
          global.get 1
          i64.xor
          global.set 1
          i64.reinterpret_f64
          global.get 1
          i64.xor
          global.set 1
          i64.reinterpret_f64
          global.get 1
          i64.xor
          global.set 1
          i32.reinterpret_f32
          global.get 4
          i32.xor
          global.set 4
          i64.reinterpret_f64
          global.get 1
          i64.xor
          global.set 1
          global.get 2
          v128.xor
          global.set 2
          global.get 2
          v128.xor
          global.set 2
          global.get 3
          i64.xor
          global.set 3
          drop
          v128.const i32x4 0x1fffffff 0x00000000 0xffe00000 0xffffffff
          f64.const 0x1.ffffcp-1056 (;=0.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000259032;)
          f32.const 0x1.fffffep-120 (;=0.0000000000000000000000000000000000015046327;)
          f64.const -0x1.fffffffffffffp+992 (;=-83711609936427125000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000;)
          f64.const 0x1.265747265706fp+840 (;=8429601596626490000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000;)
          f64.const 0x1.ffep-1063 (;=0.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002023;)
        end
        i64.reinterpret_f64
        global.get 1
        i64.xor
        global.set 1
        i64.reinterpret_f64
        global.get 1
        i64.xor
        global.set 1
        i64.reinterpret_f64
        global.get 1
        i64.xor
        global.set 1
        i32.reinterpret_f32
        global.get 4
        i32.xor
        global.set 4
        i64.reinterpret_f64
        global.get 1
        i64.xor
        global.set 1
        global.get 2
        v128.xor
        global.set 2
        f64.const 0x1.4692a6f65672dp+855 (;=306468905418232370000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000;)
      end
      i64.reinterpret_f64
      global.get 1
      i64.xor
      global.set 1
      drop
      drop
      global.get 5
      i32.xor
      global.set 5
      global.get 3
      i64.xor
      global.set 3
      v128.const i32x4 0xffffffff 0xff7fffff 0x00000000 0x00800000
    end
    global.get 2
    v128.xor
    global.set 2
    global.get 5
    i32.xor
    global.set 5
    v128.const i32x4 0x80000000 0x00000000 0x00000000 0xf0000000
    f64.const 0x1.p-1058 (;=0.00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000032379;)
    f32.const 0x0p+0 (;=0;)
    f64.const 0x0p+0 (;=0;)
    f64.const 0x0p+0 (;=0;)
    f64.const 0x0p+0 (;=0;)
  )
  ;; Unused stubs (not reachable from "main"); they only return zero values.
  (func (;3;) (type 4) (param f32 f32) (result v128)
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
  )
  (func (;4;) (type 68) (param i32 v128 f64 f32 f64 f64 f64) (result f64 anyref f32 i64 f32 f64 f32 f32 v128 f64)
    f64.const 0x0p+0 (;=0;)
    ref.null any
    f32.const 0x0p+0 (;=0;)
    i64.const 0
    f32.const 0x0p+0 (;=0;)
    f64.const 0x0p+0 (;=0;)
    f32.const 0x0p+0 (;=0;)
    f32.const 0x0p+0 (;=0;)
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    f64.const 0x0p+0 (;=0;)
  )
  (data (;0;) "u")
)

running it with the flags below (a `dev` profile build, so Rust's debug overflow checks are enabled) fails with:

$ cargo run -- -Wgc,exceptions,unknown-imports-default --invoke main testcase0.wat
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.10s
     Running `target/debug/wasmtime -Wgc,exceptions,unknown-imports-default --invoke main testcase0.wat`

thread 'main' (119716) panicked at crates/wasmtime/src/runtime/vm/gc/enabled/free_list.rs:62:10:
attempt to add with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
