## Summary
An assertion failure is triggered in `wasm::Type::getHeapType()` when parsing malformed WebAssembly input with `wasm-ctor-eval`.
The assertion `isRef()` fails when trying to get a heap type from a non-reference type.
## Affected Version
- Branch: main
- Commit: 3ef8d19 (2026-04-21 latest)
- Tool: wasm-ctor-eval
- Build type: Debug + AddressSanitizer
## Reproduction
```bash
mkdir build && cd build
cmake \
  -DCMAKE_C_COMPILER=/home/AFLplusplus/afl-clang-fast \
  -DCMAKE_CXX_COMPILER=/home/AFLplusplus/afl-clang-fast++ \
  -DCMAKE_C_FLAGS="-O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-error" \
  -DCMAKE_CXX_FLAGS="-std=c++20 -O0 -g -fno-omit-frame-pointer -fsanitize=address -Wno-bitwise-instead-of-logical -Wno-ambiguous-reversed-operator -Wno-error" \
  -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address -no-pie -pthread -ldl -lm" \
  -DCMAKE_BUILD_TYPE=Debug \
  -DBUILD_TESTS=OFF \
  -DBUILD_TOOLS=ON \
  -DENABLE_BYESAN=OFF \
  ..
make -j$(nproc)
./wasm-ctor-eval poc
```
## Error Log
```text
wasm-ctor-eval: /home/new-cases/binaryen/latestest-04.21/binaryen-main/src/wasm-type.h:407: wasm::HeapType wasm::Type::getHeapType() const: Assertion `isRef()' failed.
[1] 1774067 IOT instruction
```
## Root Cause
The method getHeapType() at wasm-type.h:407 expects the type to be a reference type (checked by isRef()),
but the input causes a non-reference type to reach this code path, triggering an assertion failure.
Call chain:
wasm-ctor-eval evaluation → Type::getHeapType() → Assertion isRef() failed
## PoC
poc