Stream: git-wasmtime

Topic: wasmtime / Issue #1601 [crash] assertion failed or unimpl...


view this post on Zulip Wasmtime GitHub notifications bot (Apr 25 2020 at 22:36):

pventuzelo labeled Issue #1601:

Description

Hey guys,

During fuzzing wasmtime with cranelift backend and almost all features enabled in the config, I trigger those bugs:

If you process the crashing wasm module using wasmtime = "0.15" crate, you will trigger a reachable assertion (CWE-617):

$ ./workspace/debug/target/debug/debug_wasmtime_all_cranelift assert_wasmtime_table_type_anyref.wasm
Start debugging of wasmtime_all_cranelift
file_to_process: "assert_wasmtime_table_type_anyref.wasm"
thread 'main' panicked at 'assertion failed: tt.element_type == wasmparser::Type::AnyFunc ||
    tt.element_type == wasmparser::Type::AnyRef', /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-0.15.0/src/module.rs:56:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

If you process the wasm module using wasmtime cli, you will trigger an unimplemented panic:

$ wasmtime --enable-all assert_wasmtime_table_type_anyref.wasm
thread 'main' panicked at 'not implemented: tables of types other than anyfunc (f32)', crates/runtime/src/table.rs:25:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Steps to reproduce the issue

Download the crashing file: assert_wasmtime_table_type_anyref.zip

Testing piece of code:

    use wasmtime::{Config, Engine, Module, Store, Strategy};

    // read data from provided file
    let data = read_contents_from_path(&args[1]).expect("cannot read file content");

    let mut config = Config::new();
    match config.strategy(Strategy::Cranelift) {
        Ok(o) => o,
        _ => return,
    };

    config
        .debug_info(true)
        .wasm_threads(true)
        .wasm_reference_types(true)
        .wasm_simd(true)
        .wasm_bulk_memory(true)
        .wasm_multi_value(true);

    let store = Store::new(&Engine::new(&config));
    let _module = Module::from_binary(&store, &data);
}

Which Wasmtime version / commit hash / branch are you using?

crate version: wasmtime = "0.15.0"
Wasmtime cli version: wasmtime 0.15.0

view this post on Zulip Wasmtime GitHub notifications bot (Apr 25 2020 at 22:36):

pventuzelo opened Issue #1601:

Description

Hey guys,

During fuzzing wasmtime with cranelift backend and almost all features enabled in the config, I trigger those bugs:

If you process the crashing wasm module using wasmtime = "0.15" crate, you will trigger a reachable assertion (CWE-617):

$ ./workspace/debug/target/debug/debug_wasmtime_all_cranelift assert_wasmtime_table_type_anyref.wasm
Start debugging of wasmtime_all_cranelift
file_to_process: "assert_wasmtime_table_type_anyref.wasm"
thread 'main' panicked at 'assertion failed: tt.element_type == wasmparser::Type::AnyFunc ||
    tt.element_type == wasmparser::Type::AnyRef', /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-0.15.0/src/module.rs:56:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

If you process the wasm module using wasmtime cli, you will trigger an unimplemented panic:

$ wasmtime --enable-all assert_wasmtime_table_type_anyref.wasm
thread 'main' panicked at 'not implemented: tables of types other than anyfunc (f32)', crates/runtime/src/table.rs:25:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Steps to reproduce the issue

Download the crashing file: assert_wasmtime_table_type_anyref.zip

Testing piece of code:

    use wasmtime::{Config, Engine, Module, Store, Strategy};

    // read data from provided file
    let data = read_contents_from_path(&args[1]).expect("cannot read file content");

    let mut config = Config::new();
    match config.strategy(Strategy::Cranelift) {
        Ok(o) => o,
        _ => return,
    };

    config
        .debug_info(true)
        .wasm_threads(true)
        .wasm_reference_types(true)
        .wasm_simd(true)
        .wasm_bulk_memory(true)
        .wasm_multi_value(true);

    let store = Store::new(&Engine::new(&config));
    let _module = Module::from_binary(&store, &data);
}

Which Wasmtime version / commit hash / branch are you using?

crate version: wasmtime = "0.15.0"
Wasmtime cli version: wasmtime 0.15.0

view this post on Zulip Wasmtime GitHub notifications bot (Apr 27 2020 at 14:45):

alexcrichton commented on Issue #1601:

Thanks for the report! There are known issues in the implementations of some wasm proposals right now, and for example reference types are known to not be fully implemented (same with SIMD and threads). Our own fuzzing has a whitelist of which wasm proposals that we fuzz against, and it's specifically not enabling all of them.

This is perhaps something that would be good to update the documentation for though to indicate that some wasm proposals exported from Config are not fully finished yet.

view this post on Zulip Wasmtime GitHub notifications bot (Apr 28 2020 at 14:41):

pventuzelo commented on Issue #1601:

Hi Alex,

Oh interesting, effectively I checked the documentation for the different Config fields and it would have been good to have this information highlighted there.

In a more generic way, i'm not a big fan of macros in Rust that can lead to panics so I always prefer to report them even if project is under development.

I let you decided when to close this issue ;)

view this post on Zulip Wasmtime GitHub notifications bot (Apr 29 2020 at 17:38):

abrown closed Issue #1601:

Description

Hey guys,

During fuzzing wasmtime with cranelift backend and almost all features enabled in the config, I trigger those bugs:

If you process the crashing wasm module using wasmtime = "0.15" crate, you will trigger a reachable assertion (CWE-617):

$ ./workspace/debug/target/debug/debug_wasmtime_all_cranelift assert_wasmtime_table_type_anyref.wasm
Start debugging of wasmtime_all_cranelift
file_to_process: "assert_wasmtime_table_type_anyref.wasm"
thread 'main' panicked at 'assertion failed: tt.element_type == wasmparser::Type::AnyFunc ||
    tt.element_type == wasmparser::Type::AnyRef', /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-0.15.0/src/module.rs:56:5
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

If you process the wasm module using wasmtime cli, you will trigger an unimplemented panic:

$ wasmtime --enable-all assert_wasmtime_table_type_anyref.wasm
thread 'main' panicked at 'not implemented: tables of types other than anyfunc (f32)', crates/runtime/src/table.rs:25:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Steps to reproduce the issue

Download the crashing file: assert_wasmtime_table_type_anyref.zip

Testing piece of code:

    use wasmtime::{Config, Engine, Module, Store, Strategy};

    // read data from provided file
    let data = read_contents_from_path(&args[1]).expect("cannot read file content");

    let mut config = Config::new();
    match config.strategy(Strategy::Cranelift) {
        Ok(o) => o,
        _ => return,
    };

    config
        .debug_info(true)
        .wasm_threads(true)
        .wasm_reference_types(true)
        .wasm_simd(true)
        .wasm_bulk_memory(true)
        .wasm_multi_value(true);

    let store = Store::new(&Engine::new(&config));
    let _module = Module::from_binary(&store, &data);
}

Which Wasmtime version / commit hash / branch are you using?

crate version: wasmtime = "0.15.0"
Wasmtime cli version: wasmtime 0.15.0


Last updated: Dec 23 2024 at 13:07 UTC