luxinyi0105 opened issue #6940:
Test Case

The given test case is simply a mutated wasm file, which was obtained by compiling a C program generated with Csmith using the Emscripten Compiler (Emcc). The original C program is c_file.c, the compilation result with Emscripten is wasm_file.wasm, and its wat format is wat_file.wat. We mutated the wat file to change its `i32.sub` in line 11762 to `i32.mul`. The result after mutation is mutated_file.wat, and its wasm format is mutated_file.wasm.

Expected Results

```
$ wasmtime mutated_file.wasm
```

Output nothing.

Actual Results

```
$ wasmedge mutated_file.wasm
Error: failed to run main module `mutated_file.wasm`

Caused by:
    0: failed to invoke command default
    1: error while executing at wasm backtrace:
           0: 0x75ba - <unknown>!<wasm function 41>
           1: 0x7bd0 - <unknown>!<wasm function 58>
           2: 0x870c - <unknown>!<wasm function 61>
           3: 0x7e70 - <unknown>!<wasm function 60>
           4: 0x7d09 - <unknown>!<wasm function 59>
           5: 0x8b39 - <unknown>!<wasm function 68>
           6: 0x7544 - <unknown>!<wasm function 40>
           7: 0x56a7 - <unknown>!<wasm function 12>
           8: 0x3f65 - <unknown>!<wasm function 7>
           9: 0x72d9 - <unknown>!<wasm function 34>
          10: 0x7253 - <unknown>!<wasm function 33>
    2: Pointer out of bounds: Region { start: 78792, len: 1914709016 }
```

Versions and Environment

Wasmtime version or commit: wasmtime-cli 13.0.0
Operating system: Ubuntu 22.04.1
Architecture: x86_64

Extra Info

I tried to use some other wasm runtimes, such as wasmer, wasmedge and wasmi, to execute the same test case; they terminate normally and do not output anything (do not trigger errors).

Maybe there is something wrong with the "exception handling module", or other tools do not follow certain specifications or perform certain condition checks. Due to a lack of knowledge of WebAssembly, the details still need you to confirm. Thanks a lot!
luxinyi0105 added the bug label to Issue #6940.
bjorn3 commented on issue #6940:
That error seems to be emitted when calling a wasi function with an out-of-bounds pointer. Given that the memory is only 256 bytes big (`(memory (;0;) 256 256)`), address 78792 is out of bounds. I believe several other wasi implementations return ERRNO_FAULT when handed an out-of-bounds pointer, while Wasmtime emits a wasm trap and thus aborts execution.
alexcrichton commented on issue #6940:
Oh note that the 256 there is 256 wasm pages, which is a memory that's 16777216 bytes large. Nevertheless @bjorn3 is still correct because the length of the pointer, 1914709016, is out of bounds, so Wasmtime is the spec-compliant runtime here.
alexcrichton closed issue #6940:
luxinyi0105 edited issue #6940:

Actual Results

```
$ wasmtime mutated_file.wasm
Error: failed to run main module `mutated_file.wasm`

Caused by:
    0: failed to invoke command default
    1: error while executing at wasm backtrace:
           0: 0x75ba - <unknown>!<wasm function 41>
           1: 0x7bd0 - <unknown>!<wasm function 58>
           2: 0x870c - <unknown>!<wasm function 61>
           3: 0x7e70 - <unknown>!<wasm function 60>
           4: 0x7d09 - <unknown>!<wasm function 59>
           5: 0x8b39 - <unknown>!<wasm function 68>
           6: 0x7544 - <unknown>!<wasm function 40>
           7: 0x56a7 - <unknown>!<wasm function 12>
           8: 0x3f65 - <unknown>!<wasm function 7>
           9: 0x72d9 - <unknown>!<wasm function 34>
          10: 0x7253 - <unknown>!<wasm function 33>
    2: Pointer out of bounds: Region { start: 78792, len: 1914709016 }
```
Robbepop commented on issue #6940:
@alexcrichton I just triaged the issue for Wasmi and found that Wasmtime no longer traps here but instead happily returns the checksum: https://github.com/wasmi-labs/wasmi/issues/757#issuecomment-2395612799
Robbepop edited a comment on issue #6940:

```
% wasmtime --version
wasmtime 25.0.1
```
alexcrichton commented on issue #6940:
In https://github.com/wasmi-labs/wasmi/issues/757 where did you get 06-mutated.wat from? The *.zip files in this issue and the wasmi issue are different, and mutated_file.wasm is different, so it may be expected that one passes and one doesn't. I can reproduce the file from https://github.com/wasmi-labs/wasmi/issues/757 succeeding, but the one attached to this issue still fails with the same error.
Robbepop commented on issue #6940:
Hi @alexcrichton , sorry about the confusion with the Wasm file names. Yesterday I did a triage of many Wasmi issues and thus I renamed the Wasm files from the issues (which were often named the same).
Indeed the Wasm blobs in both issues are different. I probably got confused by the initial Wasmi issue post: https://github.com/wasmi-labs/wasmi/issues/757#issue-1887832399

> According to the issue I submitted in wasmtime: https://github.com/bytecodealliance/wasmtime/issues/6940, the length of the pointer, 952683808, is out of bounds. Wasmtime emits a wasm trap when handed an out-of-bounds pointer, while other runtime tools maybe return ERRNO_FAULT.

Maybe the link to the Wasmtime issue is wrong there. But this link led me to re-reporting the issue here.
alexcrichton commented on issue #6940:
No worries! I wanted to try to dig in further to see what's going on. Do you still have a module on-hand that's exhibiting different behavior in two runtimes?
Robbepop commented on issue #6940:
Well, the only Wasm blob I currently know where Wasmi and Wasmtime diverge is the one I was reporting above: mutated_file.wasm or mutated_file.wat in this Zip file.

Wasmi

```
% wasmi_cli mutated_file.wasm
Error: failed during execution of _start: Pointer out of bounds: Region { start: 816071770, len: 952683808 }
```

Wasmtime

```
% wasmtime mutated_file.wasm
checksum = 72658C22
```
Robbepop edited a comment on issue #6940:
Well, the only Wasm blob I currently know where Wasmi and Wasmtime diverge is the one I was reporting above: mutated_file.wasm or mutated_file.wat in this Zip file. And I just re-checked (because it was very late yesterday) and it indeed diverges in both.

Wasmi v0.38.0

```
% wasmi_cli mutated_file.wasm
Error: failed during execution of _start: Pointer out of bounds: Region { start: 816071770, len: 952683808 }
```

Wasmtime v25.0.1

```
% wasmtime mutated_file.wasm
checksum = 72658C22
```
alexcrichton commented on issue #6940:
Digging in to this it looks like the issue is that beforehand `fd_write` was given 2 entries in its ciovec array. The mutation gives it instead 3 entries. Wasmtime however only looks at the first non-empty entry and doesn't validate the others. Given the under-specification of `fd_write` and wasip1 functions in general I think this is probably fine, but that may explain the difference here.
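To make the divergence discussed in this thread concrete, here is an added example (not code from Wasmtime, Wasmi or the issue's attachments) that models the guest-pointer validation a wasip1 `fd_write` host call has to do on the ciovec array, under the two policies the comments contrast: validate every entry before writing anything, versus write only the first non-empty entry and never look at the rest (the behaviour alexcrichton describes). The 256-page memory and the bad region (start 78792, len 1914709016) are the values from the thread; the ciovec array address, the `hello` payload and the `Fault` type are constructed for the example.

```rust
// Added example, not Wasmtime's or Wasmi's code: a model of wasip1 `fd_write`
// guest-pointer validation with two policies. Memory size (256 pages) and the
// out-of-bounds region (78792, 1914709016) come from the issue; the iovec
// addresses and the "hello" payload are constructed.

const PAGE_SIZE: usize = 65536; // wasm page size

#[derive(Debug, PartialEq)]
pub enum Fault {
    PointerOutOfBounds { start: u64, len: u64 },
}

/// Guest linear memory as a flat byte vector.
pub struct Memory {
    bytes: Vec<u8>,
}

impl Memory {
    pub fn new(pages: usize) -> Memory {
        Memory { bytes: vec![0; pages * PAGE_SIZE] }
    }

    /// Bounds check done in u64 so that `start + len` cannot wrap in u32.
    pub fn check_region(&self, start: u64, len: u64) -> Result<(), Fault> {
        if start + len > self.bytes.len() as u64 {
            return Err(Fault::PointerOutOfBounds { start, len });
        }
        Ok(())
    }

    fn slice(&self, start: u32, len: u32) -> Result<&[u8], Fault> {
        self.check_region(start as u64, len as u64)?;
        Ok(&self.bytes[start as usize..start as usize + len as usize])
    }

    /// Host-side helper used only to set up the guest memory for the demo.
    pub fn write(&mut self, addr: u32, data: &[u8]) {
        let a = addr as usize;
        self.bytes[a..a + data.len()].copy_from_slice(data);
    }

    /// Store one 8-byte ciovec { buf: u32, buf_len: u32 } in little-endian.
    pub fn write_ciovec(&mut self, addr: u32, buf: u32, buf_len: u32) {
        self.write(addr, &buf.to_le_bytes());
        self.write(addr + 4, &buf_len.to_le_bytes());
    }

    fn read_u32(&self, addr: u64) -> Result<u32, Fault> {
        self.check_region(addr, 4)?;
        let a = addr as usize;
        let mut b = [0u8; 4];
        b.copy_from_slice(&self.bytes[a..a + 4]);
        Ok(u32::from_le_bytes(b))
    }

    /// Read the ciovec array itself; every entry slot is bounds-checked.
    pub fn read_ciovecs(&self, iovs: u32, iovs_len: u32) -> Result<Vec<(u32, u32)>, Fault> {
        let mut out = Vec::with_capacity(iovs_len as usize);
        for i in 0..iovs_len as u64 {
            let entry = iovs as u64 + i * 8;
            out.push((self.read_u32(entry)?, self.read_u32(entry + 4)?));
        }
        Ok(out)
    }
}

#[derive(Clone, Copy)]
pub enum Policy {
    /// Validate every buffer before writing anything (fails closed).
    ValidateAll,
    /// Write only the first non-empty buffer; later entries are never checked.
    FirstNonEmptyOnly,
}

/// Emulates the guest-pointer handling of wasip1 `fd_write`; bytes go to
/// `sink` instead of a real file descriptor. Returns the number of bytes written.
pub fn fd_write(mem: &Memory, iovs: u32, iovs_len: u32, policy: Policy, sink: &mut Vec<u8>) -> Result<u32, Fault> {
    let entries = mem.read_ciovecs(iovs, iovs_len)?;
    match policy {
        Policy::ValidateAll => {
            for &(buf, len) in &entries {
                mem.check_region(buf as u64, len as u64)?;
            }
            let mut written = 0u32;
            for &(buf, len) in &entries {
                sink.extend_from_slice(mem.slice(buf, len)?);
                written += len;
            }
            Ok(written)
        }
        Policy::FirstNonEmptyOnly => match entries.iter().find(|&&(_, len)| len > 0) {
            None => Ok(0),
            Some(&(buf, len)) => {
                sink.extend_from_slice(mem.slice(buf, len)?);
                Ok(len)
            }
        },
    }
}

/// Constructed guest state resembling the mutated call: a 256-page memory and a
/// 3-entry ciovec array whose last entry is the out-of-bounds region from the thread.
pub fn mutated_call() -> (Memory, u32, u32) {
    const IOVS: u32 = 0x100; // constructed address of the ciovec array
    let mut mem = Memory::new(256);
    mem.write(0x1000, b"hello");
    mem.write_ciovec(IOVS, 0x1000, 5);
    mem.write_ciovec(IOVS + 8, 0, 0);
    mem.write_ciovec(IOVS + 16, 78792, 1914709016);
    (mem, IOVS, 3)
}

/// Run the constructed call under one policy; returns the result and what reached the sink.
pub fn run(policy: Policy) -> (Result<u32, Fault>, Vec<u8>) {
    let (mem, iovs, n) = mutated_call();
    let mut sink = Vec::new();
    let r = fd_write(&mem, iovs, n, policy, &mut sink);
    (r, sink)
}

fn main() {
    println!("validate all:        {:?}", run(Policy::ValidateAll));
    println!("first non-empty only: {:?}", run(Policy::FirstNonEmptyOnly));
}
```

Under `ValidateAll` the call fails with the same region the trap in this issue reports and nothing is written; under `FirstNonEmptyOnly` the bad third entry is never inspected, `hello` is written and the call returns 5, which is the shape of the divergence between the two runtimes' outputs above. Whether a host reports the fault as a trap or as an errno value (bjorn3's ERRNO_FAULT remark) is a separate choice layered on top of this check.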
Robbepop commented on issue #6940:
> Digging in to this it looks like the issue is that beforehand `fd_write` was given 2 entries in its ciovec array. The mutation gives it instead 3 entries. Wasmtime however only looks at the first non-empty entry and doesn't validate the others. Given the under-specification of `fd_write` and wasip1 functions in general I think this is probably fine, but that may explain the difference here.

Ah okay, very good to know. Thanks a lot for the clarification here!
Last updated: Jan 24 2025 at 00:11 UTC