
[lightbeam] add overflow in debug mode (backend:store:2136 & backend:store:2159) #738

Closed
pventuzelo opened this issue Dec 18, 2019 · 2 comments
Labels
fuzz-bug Bugs found by a fuzzer lightbeam Issues related to the Lightbeam compiler

Comments

@pventuzelo (Contributor)

Issue description

An addition with overflow makes lightbeam panic when compiled in debug mode.

$ ./target/debug/debug_lightbeam store_add_overflow_lightbeam.wasm 
thread 'main' panicked at 'attempt to add with overflow', XXX/wasmtime/crates/lightbeam/src/backend.rs:2136:68
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

This issue is related to the macro store! when dealing with the i32.store8 opcode:

match runtime_offset {
    Ok(imm) => {
        // `offset + imm` is the i32 addition that overflows here
        dynasm!(ctx.asm
            ; mov [Rq(mem_ptr_reg.rq().unwrap()) + offset + imm], $int_reg_ty(src_reg.rq().unwrap())
        );
    }
    // remaining match arms not quoted in the report
}

Reproduction

Download:
store_add_overflow_lightbeam.zip

or wasm2wat store_add_overflow_lightbeam.wasm:

(module
  (type (;0;) (func))
  (func (;0;) (type 0)
    i32.const 2
    i32.const 1
    i32.store8 offset=2147483647)
  (memory (;0;) 1)
  (export "_start" (func 0)))

Testing program (needs to be compiled in debug mode, i.e. RUSTFLAGS=-g cargo build):

use std::env;
use std::fs::File;
use std::io;
use std::io::Read;
use std::path::PathBuf;

use wasmtime_fuzzing::oracles;
use wasmtime_jit::CompilationStrategy;
use lightbeam;

/// Read the contents of a file
fn read_contents(path: &PathBuf) -> Result<Vec<u8>, io::Error> {
    let mut buffer: Vec<u8> = Vec::new();
    let mut file = File::open(path)?;
    file.read_to_end(&mut buffer)?;
    drop(file);
    Ok(buffer)
}

fn main() {
    // Usage: debug_lightbeam <module.wasm>
    let args: Vec<String> = env::args().collect();
    if args.len() < 2 {
        eprintln!("usage: {} <module.wasm>", args[0]);
        std::process::exit(2);
    }
    let wasm_path = PathBuf::from(&args[1]);
    let wasm_binary: Vec<u8> = read_contents(&wasm_path).unwrap();

    // Run the module through the fuzzing oracles and the standalone Lightbeam
    // translator; in a debug build the overflow panic is raised from the
    // Lightbeam backend while compiling the store instruction.
    let _res_compile = oracles::compile(&wasm_binary[..], CompilationStrategy::Lightbeam);
    let _res_instantiate = oracles::instantiate(&wasm_binary[..], CompilationStrategy::Lightbeam);
    let _res_translate = lightbeam::translate(&wasm_binary[..]);
}

wasmtime commit: 31472fb

@pventuzelo pventuzelo changed the title [lightbeam] panic during add overflow in backend.rs (compiled in debug) [lightbeam] panic during add overflow in backend:store macro (compiled in debug) Dec 23, 2019
@pepyakin pepyakin added lightbeam Issues related to the Lightbeam compiler fuzz-bug Bugs found by a fuzzer labels Jan 6, 2020
@pventuzelo pventuzelo changed the title [lightbeam] panic during add overflow in backend:store macro (compiled in debug) [lightbeam] add overflow in debug mode (backend:store:2136) Jan 17, 2020
@pventuzelo (Contributor, Author)

Another addition overflow is in this part of the store macro:

(Ok(imm), GPR::Rq(r)) => {
    // same `offset + imm` i32 addition as at line 2136
    dynasm!(ctx.asm
        ; mov [Rq(mem_ptr_reg.rq().unwrap()) + offset + imm], $int_reg_ty(r)
    );
}

Crash:

$ debug_diff_compile panic_add_overflow_2159.wasm 
thread 'main' panicked at 'attempt to add with overflow', wasmtime/crates/lightbeam/src/backend.rs:2159:68
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

Reproduction:

(module
  (type (;0;) (func))
  (func (;0;) (type 0)
    i32.const 2
    i32.const 1
    i32.store offset=2147483647 align=1
    unreachable)
  (memory (;0;) 1)
  (export "_start" (func 0)))

@pventuzelo pventuzelo changed the title [lightbeam] add overflow in debug mode (backend:store:2136) [lightbeam] add overflow in debug mode (backend:store:2136 & backend:store:2159) Jan 17, 2020
arkpar pushed a commit to paritytech/wasmtime that referenced this issue Mar 4, 2020
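The two reports above describe the same defect: the static `offset` immediate of the store and the constant folded from the address operand are both narrowed to i32 and added with plain `+`, which panics under debug overflow checks and silently wraps in release. The following is an added illustration, not code from wasmtime or lightbeam, of why the fold must be checked. It relies only on two facts: WebAssembly defines the effective address as `i + offset` computed without wrapping (and traps when `ea + size` exceeds the memory length), and an x86-64 `[base + disp32]` displacement is a signed 32-bit value. The function names (`fold_narrow`, `fold_displacement`, `in_bounds`) are hypothetical, and the sample operands are the ones from the reproducer (address 1, offset 2147483647).

```rust
// Added example; not lightbeam's code. Models the `offset + imm` fold from the
// report and a checked replacement. Function names are hypothetical.

/// Largest value that fits a signed 32-bit x86-64 displacement.
const DISP32_MAX: u64 = i32::MAX as u64;

/// Shape of the expression in the report: both operands already narrowed to
/// i32 and added. With plain `+` this panics in a debug build ("attempt to add
/// with overflow") and wraps to a negative displacement in release; using
/// `checked_add` makes the overflow observable as `None` instead.
pub fn fold_narrow(offset: i32, imm: i32) -> Option<i32> {
    offset.checked_add(imm)
}

/// Checked fold: compute the WebAssembly effective address in 64 bits (two
/// u32 operands cannot overflow a u64), then accept it only if it can be
/// encoded as a disp32. `None` tells the caller to emit the addition at run
/// time, where the bounds check below catches out-of-range addresses.
pub fn fold_displacement(offset: u32, imm: u32) -> Option<i32> {
    let ea = u64::from(offset) + u64::from(imm);
    if ea <= DISP32_MAX {
        Some(ea as i32)
    } else {
        None
    }
}

/// Runtime bounds check for an access of `size` bytes at effective address
/// `ea` into a linear memory of `mem_len` bytes; WebAssembly traps when
/// `ea + size > mem_len`. The addition is checked so a huge `ea` cannot wrap
/// back into range.
pub fn in_bounds(ea: u64, size: u64, mem_len: u64) -> bool {
    ea.checked_add(size).map_or(false, |end| end <= mem_len)
}

fn main() {
    // Constructed from the reproducer: `i32.const 1` address, offset=2147483647.
    let (offset, imm) = (2_147_483_647u32, 1u32);
    println!("narrow i32 fold:  {:?}", fold_narrow(offset as i32, imm as i32));
    println!("checked fold:     {:?}", fold_displacement(offset, imm));
    let ea = u64::from(offset) + u64::from(imm);
    // One 64 KiB page, as in the module's `(memory (;0;) 1)`.
    println!("in bounds (1 page): {}", in_bounds(ea, 1, 65_536));
}
```

With the reproducer's operands `fold_narrow` returns `None` (this is exactly the addition that panicked) and `fold_displacement` also returns `None`, so a compiler using it would fall back to a runtime address computation; the runtime check then rejects the access, since 2147483648 lies far outside a one-page memory. Ordinary operands such as offset 16 and immediate 8 still fold to a displacement of 24.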
@alexcrichton (Member)

Lightbeam was removed in #3390 as explained in RFC 14, so I'm going to close this.
