runtime crash: stack underflow when executing opcode switch

[linxuanm]

Hi! While writing spectests for Wizard we ran into a stack underflow crash with the reference interpreter switch5.wast:12.5-12.20: runtime crash: stack underflow (referring to the switch in $fn_1):

(module
  (type $f1 (func (result i32)))
  (type $c1 (cont $f1))
  (type $f2 (func (param (ref null $c1)) (result i32)))
  (type $c2 (cont $f2))
  (type $f3 (func (param (ref null $c2)) (result i32)))
  (type $c3 (cont $f3))
  (tag $e (result i32))

  (func $fn_1 (param (ref null $c2)) (result i32)
    (local.get 0)
    (switch $c2 $e)
    (i32.const 24)
  )
  (elem declare func $fn_1)

  (func $fn_2 (result i32)
    (cont.new $c3 (ref.func $fn_1))
    (switch $c3 $e)
    (drop)
    (i32.const -1)
  )
  (elem declare func $fn_2)

  (func (export "main") (result i32)
    (cont.new $c1 (ref.func $fn_2))
    (resume $c1 (on $e switch))
  )
)

(assert_return (invoke "main") (i32.const -1))

I don't think this is the intended behavior. Is this a problem in the reference interpreter? Thanks!

[dhil]

Thanks! The problem seems to be here

stack-switching/interpreter/exec/eval.ml

Line 1269 in 5010b4e

let cont' = Ref (ContRef (ref (Some (Int32.add (Lib.List32.length ts) 1l, ctxt'')))) in

The arity of the new continuation reference is mistakenly derived from the length of ts, which is codomain of the switch-tag. The arity of new continuation reference is known at the switch point as it can be read off the type annotation (though somewhat awkwardly).