Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[embedded wasmer llvm] subtraction overflow panic in State::peek1_extra #1057

Closed
pventuzelo opened this issue Dec 11, 2019 · 1 comment
Closed

[embedded wasmer llvm] subtraction overflow panic in State::peek1_extra #1057

pventuzelo opened this issue Dec 11, 2019 · 1 comment
Labels
bug Something isn't working 🏆 fuzzer-trophy Bugs found automatically by fuzzers.

Comments

@pventuzelo
Copy link
Contributor

Describe the bug

This bug happen when you are calling wasmer::compile_with from another rust binary compiled in debug mode. This issue is similar to this one: #1005

$  ./target/debug/compile_debug panic_substract_overflow_peek1_extra.wasm
thread 'main' panicked at 'attempt to subtract with overflow', /XXX/wasmer/lib/llvm-backend/src/state.rs:331:18
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

Issue come from line 331 of lib/llvm-backend/src/state.rs:

wasmer/lib/llvm-backend/src/state.rs

Lines 329 to 337 in ca03402

pub fn peek1_extra(&self) -> Result<(BasicValueEnum<'ctx>, ExtraInfo), BinaryReaderError> {
self.stack
.get(self.stack.len() - 1)
.ok_or(BinaryReaderError {
message: "invalid value stack",
offset: -1isize as usize,
})
.map(|v| *v)
}

This issue is not happening with wasmer binary since an error will be through:

$ ./target/release/wasmer run --backend llvm panic_substract_overflow_peek1_extra.wasm
Error: Can't compile module: InternalError { msg: "Codegen(\"CodegenError { message: \\\"BinaryReaderError { message: \\\\\\\"invalid value stack\\\\\\\", offset: 18446744073709551615 }\\\" }\")" }

Status of my environment

echo "`wasmer -V` | `rustc -V` | `uname -m`"
wasmer 0.11.0 | rustc 1.38.0-nightly (2d1a551e1 2019-08-08) | x86_64

version: ca03402

Steps to reproduce

Download
panic_substract_overflow_peek1_extra.zip

Testing source code:

use std::env;
use std::fs::{File};
use std::io;
use std::io::Read;
use std::path::PathBuf;


extern crate wasmer_llvm_backend;
extern crate wasmer_runtime_core;
extern crate wasmer_runtime;

use wasmer_runtime::{
    compile_with,
};
use wasmer_runtime_core::backend::Compiler;

/// Read the contents of a file
fn read_contents(path: &PathBuf) -> Result<Vec<u8>, io::Error> {
    let mut buffer: Vec<u8> = Vec::new();
    let mut file = File::open(path)?;
    file.read_to_end(&mut buffer)?;
    // We force to close the file
    drop(file);
    Ok(buffer)
}

fn get_llvm_compiler() -> impl Compiler {
    use wasmer_llvm_backend::LLVMCompiler;
    LLVMCompiler::new()
}

fn main() {
    println!("Start compile_debug");
	let args: Vec<String> = env::args().collect();

	// first argument is wasm file path
	let wasm_path = std::path::PathBuf::from(&args[1]);
    println!("File path: {:?}", wasm_path);

	let wasm_binary: Vec<u8> = read_contents(&wasm_path).unwrap();
    //println!("wasm_binary: {:?}", wasm_binary);

    // CALL THE API HERE
    let _res = compile_with(&wasm_binary[..], &get_llvm_compiler());
    // CALL THE API HERE

    println!("OK");
}

Run with:

$ RUSTFLAGS=-g cargo build
$ ./target/debug/compile_debug panic_substract_overflow_peek1_extra.wasm

Expected behavior

Substration overflow should be checked using checked_sub()

Actual behavior

RUST_BACKTRACE=1 ./target/debug/compile_debug panic_substract_overflow_peek1_extra.wasm
Start compile_debug
File path: "panic_substract_overflow_peek1_extra.wasm"
thread 'main' panicked at 'attempt to subtract with overflow', XXX/wasmer/lib/llvm-backend/src/state.rs:331:18
stack backtrace:
   0: backtrace::backtrace::libunwind::trace
             at /cargo/registry/src/github.looper.workers.dev-1ecc6299db9ec823/backtrace-0.3.34/src/backtrace/libunwind.rs:88
   1: backtrace::backtrace::trace_unsynchronized
             at /cargo/registry/src/github.looper.workers.dev-1ecc6299db9ec823/backtrace-0.3.34/src/backtrace/mod.rs:66
   2: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:47
   3: std::sys_common::backtrace::print
             at src/libstd/sys_common/backtrace.rs:36
   4: std::panicking::default_hook::{{closure}}
             at src/libstd/panicking.rs:200
   5: std::panicking::default_hook
             at src/libstd/panicking.rs:214
   6: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:477
   7: std::panicking::continue_panic_fmt
             at src/libstd/panicking.rs:384
   8: rust_begin_unwind
             at src/libstd/panicking.rs:311
   9: core::panicking::panic_fmt
             at src/libcore/panicking.rs:85
  10: core::panicking::panic
             at src/libcore/panicking.rs:49
  11: wasmer_llvm_backend::state::State::peek1_extra
             at XXX/wasmer/lib/llvm-backend/src/state.rs:331
  12: <wasmer_llvm_backend::code::LLVMFunctionCodeGenerator as wasmer_runtime_core::codegen::FunctionCodeGenerator<wasmer_llvm_backend::code::CodegenError>>::feed_event
             at XXX/wasmer/lib/llvm-backend/src/code.rs:1677
  13: wasmer_runtime_core::codegen::MiddlewareChain::run
             at XXX/wasmer/lib/runtime-core/src/codegen.rs:322
  14: wasmer_runtime_core::parse::read_module
             at XXX/wasmer/lib/runtime-core/src/parse.rs:277
  15: <wasmer_runtime_core::codegen::StreamingCompiler<MCG,FCG,RM,E,CGEN> as wasmer_runtime_core::backend::Compiler>::compile
             at XXX/wasmer/lib/runtime-core/src/codegen.rs:238
  16: wasmer_runtime_core::compile_with
             at XXX/wasmer/lib/runtime-core/src/lib.rs:115
  17: compile_debug::main
             at src/main.rs:44
  18: std::rt::lang_start::{{closure}}
             at /rustc/2d1a551e144335e0d60a637d12f410cf65849876/src/libstd/rt.rs:64
  19: std::rt::lang_start_internal::{{closure}}
             at src/libstd/rt.rs:49
  20: std::panicking::try::do_call
             at src/libstd/panicking.rs:296
  21: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:80
  22: std::panicking::try
             at src/libstd/panicking.rs:275
  23: std::panic::catch_unwind
             at src/libstd/panic.rs:394
  24: std::rt::lang_start_internal
             at src/libstd/rt.rs:48
  25: std::rt::lang_start
             at /rustc/2d1a551e144335e0d60a637d12f410cf65849876/src/libstd/rt.rs:64
  26: main
  27: __libc_start_main
  28: _start
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
@pventuzelo pventuzelo added bug Something isn't working 🏆 fuzzer-trophy Bugs found automatically by fuzzers. labels Dec 11, 2019
@pventuzelo pventuzelo mentioned this issue Dec 11, 2019
Merged
1 task
bors bot added a commit that referenced this issue Dec 12, 2019
@bors @pventuzelo @syrusakbary
Merge #1058
ba29483 
1058: Fix issue 1057 + improve llvm/state.rs code r=syrusakbary a=pventuzelo

# Description

This pull request is doing:
- Fix issue #1057 (subtraction overflow panic in State::peek1_extra) by using `checked_sub`
- replace other part of `state.rs` subject to potential substration overflow with `checked_sub`
- add more detail on the Errors messages in `state.rs`
- rename some variable for better understanding of the code.

# Review

- [x] Add a short description of the the change to the CHANGELOG.md file


Co-authored-by: Patrick Ventuzelo <[email protected]>
Co-authored-by: Syrus Akbary <[email protected]>
@syrusakbary
Copy link
Member

This issue is fixed with #1058, that is now merged in master.

Closing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working 🏆 fuzzer-trophy Bugs found automatically by fuzzers.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@syrusakbary @pventuzelo