WasmFX: Turboshaft Suspend tag returns/params mismatch
In Turboshaft's WasmFX Suspend lowering, the code mistakenly unpacks the tag's returns using the tag's parameter layout and count.

```cpp
// src/wasm/turboshaft-graph-interface.cc:3968
// Unpack tag returns.
IterateWasmFXArgBuffer(sig->parameters(), [&](size_t index, int offset) {
  DCHECK_EQ(returns[index].type, sig->GetParam(index));
  returns[index].op = this->Asm().LoadOffHeap(
      arg_buffer, offset, MemoryRepresentationFor(sig->GetParam(index)));
});
```

- It iterates over `sig->parameters()` instead of `sig->returns()`
- It uses `sig->GetParam(index)` instead of `sig->GetReturn(index)`
- It writes into `returns[index]` using the parameter index/count
Because tags are a full FunctionSig (params and returns can differ):
- `tag_sig->parameter_count() < tag_sig->return_count()`: ASan SEGV because some returns are never materialized; use of an uninitialized/stale `returns[i].op` -> invalid `OpIndex` -> ASan SEGV. Turboshaft's Suspend lowering materializes only `parameter_count` return values, leaving `returns[i].op` for the remaining returns uninitialized. A subsequent consumer such as `i32.add` treats this garbage `OpIndex` as a valid input node, giving a SEGV in `Graph::Add`/`IncrementInputUses` under ASan.
- `tag_sig->parameter_count() > tag_sig->return_count()`: out-of-bounds write that overwrites `returns[return_count .. param_count-1]`. We validated this under GDB, with `watch returns[1].op` (params=[i32,i32], returns=[i32]): `Hardware watchpoint 2: returns[1].op` triggered, and `bt` shows the write originates from the "Unpack tag returns" lambda at `src/wasm/turboshaft-graph-interface.cc:3971`, with `index=1`:

```
...
operator()(unsigned long, int) const ( ... index=1, offset=4) at ../../src/wasm/turboshaft-graph-interface.cc:3971
...
```

(see oob.watchpoint.log)
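To make the two failure modes concrete, here is an added model of the unpack loop (not V8's code): `ValueType`, `FunctionSig` and `IterateWasmFXArgBuffer` are simplified stand-ins, and the "corrected" mode that walks `sig.returns` is the natural fix assumed here, not the actual patch.

```cpp
#include <cstddef>
#include <functional>
#include <vector>

// Stand-ins for V8's ValueType / FunctionSig (assumed, simplified shapes).
enum class ValueType { kI32, kI64 };
int SizeOf(ValueType t) { return t == ValueType::kI32 ? 4 : 8; }

struct FunctionSig {
  std::vector<ValueType> params;   // tag parameters
  std::vector<ValueType> returns;  // tag returns (count may differ from params)
  size_t parameter_count() const { return params.size(); }
  size_t return_count() const { return returns.size(); }
};

// Mirrors IterateWasmFXArgBuffer: visits each type with its index and byte offset.
void IterateWasmFXArgBuffer(const std::vector<ValueType>& types,
                            const std::function<void(size_t, int)>& fn) {
  int offset = 0;
  for (size_t i = 0; i < types.size(); ++i) {
    fn(i, offset);
    offset += SizeOf(types[i]);
  }
}

struct UnpackResult {
  size_t slots_written;  // how many returns[i] slots the loop touched
  bool out_of_bounds;    // loop reached an index >= return_count (OOB write)
  bool uninitialized;    // some returns[i] were never written (stale op)
};

// Models the "Unpack tag returns" loop. With use_param_layout=true it walks
// sig.params (the bug described above); with false it walks sig.returns
// (the natural correction, assumed here, not V8's actual patch).
UnpackResult UnpackReturns(const FunctionSig& sig, bool use_param_layout) {
  const std::vector<ValueType>& layout = use_param_layout ? sig.params : sig.returns;
  std::vector<bool> written(sig.return_count(), false);
  UnpackResult r{0, false, false};
  IterateWasmFXArgBuffer(layout, [&](size_t index, int /*offset*/) {
    if (index >= written.size()) {  // the real code would write returns[index] here
      r.out_of_bounds = true;
      return;
    }
    written[index] = true;
    ++r.slots_written;
  });
  for (bool w : written) if (!w) r.uninitialized = true;  // stale returns[i].op
  return r;
}
```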

Disclosure Timeline
- Jan 5, 2026 12:40 AM: Reported to Chromium
- Jan 6, 2026 01:38 AM: Assigned (p1)
- Jan 7, 2026 09:27 AM: Accepted
- Jan 7, 2026 12:05 PM: Marked as fixed.
- Jan 14, 2026 02:51 PM: Bug requires --experimental-wasm-wasmfx, which is an experimental flag: regular bug with no security impact.