Preserve try_call[_indirect] stack maps during lowering (#12934)

fitzgen · web-flow · commit 763622c304a5 · 2026-04-01T23:08:47.000Z
* Preserve `try_call[_indirect]` stack maps during lowering Branch instructions are skipped in the main lowering loop, which means the stack map forwarding code is never reached for them. The branch lowering path didn't forward stack maps either. This was fine because branch instructions couldn't previously ever be safepoints. However, with the introduction of `try_call` and `try_call_indirect`, we now have instructions that are both safepoints and branches. This caused GC references live across `try_call[_indirect]` instructions to not be traced during garbage collection, leading to use-after-free within the GC heap sandbox when the collector swept those untraced-but-still-live objects. The fix adds stack map forwarding after branch lowering, mirroring the existing logic for non-branch instructions. Fixes #11753. * update disas test
diff --git a/cranelift/codegen/src/machinst/lower.rs b/cranelift/codegen/src/machinst/lower.rs
@@ -1151,8 +1151,27 @@ impl<'func, I: VCodeInst> Lower<'func, I> {
             // End branch.
             if let Some(bb) = lb.orig_block() {
                 if let Some(branch) = self.collect_branch_and_targets(bindex, bb, &mut targets) {
+                    let branch_start = self.vcode.vcode.num_insts();
                     self.lower_clif_branch(backend, bindex, bb, branch, &targets)?;
                     self.finish_ir_inst(self.srcloc(branch));
+
+                    // Branch instructions like try_call can also be safepoints
+                    // that need stack maps. Forward the stack map from the CLIF
+                    // branch to the VCode safepoint, just like we do for
+                    // non-branch instructions in `lower_clif_block`.
+                    if let Some(entries) = self.f.dfg.user_stack_map_entries(branch) {
+                        let branch_end = self.vcode.vcode.num_insts();
+                        for i in branch_start..branch_end {
+                            let iix = InsnIndex::new(i);
+                            if self.vcode.vcode[iix].is_safepoint() {
+                                self.vcode.add_user_stack_map(
+                                    BackwardsInsnIndex::new(iix.index()),
+                                    entries,
+                                );
+                                break;
+                            }
+                        }
+                    }
                 }
             } else {
                 // If no orig block, this must be a pure edge block;
diff --git a/crates/wast/src/wast.rs b/crates/wast/src/wast.rs
@@ -236,6 +236,17 @@ impl WastContext {
         Ok(())
     }
 
+    /// Register the "wasmtime" module, which provides utilities that our misc
+    /// tests use.
+    pub fn register_wasmtime(&mut self) -> Result<()> {
+        self.core_linker
+            .func_wrap("wasmtime", "gc", |mut caller: Caller<_>| {
+                caller.gc(None)?;
+                Ok(())
+            })?;
+        Ok(())
+    }
+
     /// Perform the action portion of a command.
     fn perform_action(&mut self, action: &Action<'_>) -> Result<Outcome> {
         // Need to simultaneously borrow `self.async_runtime` and a `&mut
diff --git a/tests/disas/gc/issue-11753.wat b/tests/disas/gc/issue-11753.wat
@@ -0,0 +1,79 @@
+;;! target = "x86_64"
+;;! flags = "-W gc,exceptions"
+;;! test = "compile"
+;;! objdump = "--stack-maps=true"
+
+(module
+  (type $s (struct (field (mut i32))))
+
+  (import "" "gc" (func $gc))
+
+  (func (export "run") (result i32)
+    (struct.new $s (i32.const 42))
+
+    block $b
+      try_table (catch_all $b)
+        ;; This should have both exception handlers and stack maps in the
+        ;; disassembly below.
+        call $gc
+      end
+    end
+
+    struct.get $s 0
+  )
+)
+;; wasm[0]::function[1]:
+;;       pushq   %rbp
+;;       movq    %rsp, %rbp
+;;       movq    8(%rdi), %r10
+;;       movq    0x18(%r10), %r10
+;;       addq    $0x60, %r10
+;;       cmpq    %rsp, %r10
+;;       ja      0xbe
+;;   19: subq    $0x50, %rsp
+;;       movq    %rbx, 0x20(%rsp)
+;;       movq    %r12, 0x28(%rsp)
+;;       movq    %r13, 0x30(%rsp)
+;;       movq    %r14, 0x38(%rsp)
+;;       movq    %r15, 0x40(%rsp)
+;;       movq    %rdi, 8(%rsp)
+;;       movl    $0xb0000000, %esi
+;;       xorl    %edx, %edx
+;;       movl    $0x20, %ecx
+;;       movl    $8, %r8d
+;;       movq    8(%rsp), %rbx
+;;       movq    %rbx, %rdi
+;;       callq   0x215
+;;       movl    %eax, (%rsp)
+;;       movq    8(%rbx), %rcx
+;;       movq    0x20(%rcx), %rcx
+;;       movl    %eax, %eax
+;;       movl    $0x2a, 0x18(%rcx, %rax)
+;;       movq    %rcx, 0x10(%rsp)
+;;       movq    0x30(%rbx), %rax
+;;       movq    0x40(%rbx), %rdi
+;;       movq    %rbx, %rsi
+;;       movq    %rbx, 8(%rsp)
+;;       callq   *%rax
+;;       ├─╼ exception frame offset: SP = FP - 0x50
+;;       ╰─╼ exception handler: default handler, context at [SP+0x8], handler=0x86
+;;       movl    (%rsp), %eax
+;;       ╰─╼ stack_map: frame_size=80, frame_offsets=[0]
+;;       testl   %eax, %eax
+;;       je      0xc0
+;;   91: movl    %eax, %eax
+;;       movq    0x10(%rsp), %rcx
+;;       movl    0x18(%rcx, %rax), %eax
+;;       movq    0x20(%rsp), %rbx
+;;       movq    0x28(%rsp), %r12
+;;       movq    0x30(%rsp), %r13
+;;       movq    0x38(%rsp), %r14
+;;       movq    0x40(%rsp), %r15
+;;       addq    $0x50, %rsp
+;;       movq    %rbp, %rsp
+;;       popq    %rbp
+;;       retq
+;;   be: ud2
+;;       ╰─╼ trap: StackOverflow
+;;   c0: ud2
+;;       ╰─╼ trap: NullReference
diff --git a/tests/misc_testsuite/gc/issue-11753.wast b/tests/misc_testsuite/gc/issue-11753.wast
@@ -0,0 +1,28 @@
+;;! gc = true
+;;! exceptions = true
+
+(module
+  (type $s (struct (field (mut i32))))
+
+  (import "wasmtime" "gc" (func $gc))
+
+  (func $observe (param (ref null $s)) (result (ref null $s))
+    local.get 0
+  )
+
+  (func (export "run") (result i32)
+    (struct.new $s (i32.const 42))
+    call $observe
+
+    block $b
+      try_table (catch_all $b)
+        call $gc
+        (drop (struct.new $s (i32.const 0)))
+      end
+    end
+
+    struct.get $s 0
+  )
+)
+
+(assert_return (invoke "run") (i32.const 42))
diff --git a/tests/wast.rs b/tests/wast.rs
@@ -267,6 +267,13 @@ fn run_wast(test: &WastTest, config: WastConfig) -> wasmtime::Result<()> {
                 use_shared_memory: true,
                 suppress_prints: true,
             })?;
+            if test
+                .path
+                .to_str()
+                .is_some_and(|s| s.contains("misc_testsuite"))
+            {
+                wast_context.register_wasmtime()?;
+            }
             wast_context
                 .run_wast(test.path.to_str().unwrap(), test.contents.as_bytes())
                 .with_context(|| format!("failed to run spec test with {desc} engine"))
