Double Free or Corruption Error on Valid WebAssembly Module Load #2586
Comments
Hi, thanks for reporting the issue! I fixed it with #2590, could you try again?

wenyongh added a commit that referenced this issue on Sep 26, 2023:
`wasm_loader_push_pop_frame_offset` may pop n operands by using `loader_ctx->stack_cell_num` to check whether the operand can be popped or not. While `loader_ctx->stack_cell_num` is updated in the later `wasm_loader_push_pop_frame_ref`, the check may fail if the stack is in polymorphic state and lead to `ctx->frame_offset` underflow. Fix issue #2577 and #2586.
Thank you very much! It appears to be fixed. Thanks for the prompt response!

victoryang00 pushed a commit to victoryang00/wamr-aot-gc-checkpoint-restore that referenced this issue on May 27, 2024:
`wasm_loader_push_pop_frame_offset` may pop n operands by using `loader_ctx->stack_cell_num` to check whether the operand can be popped or not. While `loader_ctx->stack_cell_num` is updated in the later `wasm_loader_push_pop_frame_ref`, the check may fail if the stack is in polymorphic state and lead to `ctx->frame_offset` underflow. Fix issue bytecodealliance#2577 and bytecodealliance#2586.
Describe the Bug
When executing a valid WebAssembly module using `iwasm`, the program terminates with a "double free or corruption" error, probably originating from the `wasm_loader_ctx_destroy` function in `wasm_loader.c`.

`iwasm --version`: iwasm 1.2.3
`uname -a`: Linux node0.wamr.randtest-pg0.utah.cloudlab.us 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Steps to reproduce:
1. crash.wat (Remove .txt extension) (`wat2wasm` from WABT can be used to convert `crash.wat` into `crash.wasm` using: `wat2wasm crash.wat -o crash.wasm`. I have also added `crash.wasm`, which obviates the need to use `wat2wasm`)
2. `iwasm crash.wasm`
3. `abort`

Files that cause the `abort`:
crash.wat.txt (Remove .txt extension when saving)
crash.wasm.txt (Remove .txt extension when saving)

Observed Behavior:

Expected behavior:
`iwasm` is supposed to run the module successfully. `wasmer` and `wasmtime` run the module successfully.

GDB Backtrace

Reduced code that caused the abort (`cat crash.wat`):

Additional information
A combination of AFL++ and Wasmlike, an Xsmith-based random program generator, produced the snippet of code that found the issue. Xsmith Project
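The fix commit referenced in this thread attributes the crash to operand-stack bookkeeping in the loader: the slot-offset pop decides whether an operand may be popped by consulting `stack_cell_num`, but that counter is only decremented afterwards by the type pop, so in a polymorphic stack (code after `unreachable` or `br`) the offset stack can be popped below its block base. The following is an added example written for this thread, not WAMR's code: a deliberately simplified model of that bookkeeping with one cell per operand, in which `loader_ctx_t`, `pop_offsets_buggy`, `pop_offsets_fixed`, `pop_refs` and `scenario` are constructed names. The buggy variant reports the would-be underflow instead of writing out of bounds; the fixed variant counts the operands actually available above the block base once and stops popping slots when they run out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a validator's operand stack (NOT WAMR's code).
 * Two records are kept per operand: its value type (frame_ref) and its
 * storage slot (frame_offset).  Only the type pop decrements the live
 * cell count, so a slot pop that consults stack_cell_num sees a stale
 * value for every operand after the first. */
typedef struct {
    uint32_t stack_cell_num;    /* live operands, updated by the type pop */
    uint32_t offset_top;        /* next free index into the slot stack */
    uint32_t block_base_cells;  /* stack_cell_num at enclosing block entry */
    uint32_t block_base_offset; /* offset_top at enclosing block entry */
    bool     is_polymorphic;    /* set after unreachable/br */
} loader_ctx_t;

static void ctx_init(loader_ctx_t *ctx, uint32_t base)
{
    ctx->stack_cell_num = base;
    ctx->offset_top = base;
    ctx->block_base_cells = base;
    ctx->block_base_offset = base;
    ctx->is_polymorphic = false;
}

static void push_operand(loader_ctx_t *ctx)
{
    ctx->stack_cell_num++;
    ctx->offset_top++;
}

/* Buggy ordering: each of the n slot pops looks at stack_cell_num, which
 * the later type pop has not yet decremented.  Returns false when
 * offset_top would drop below the block base; a real loader would
 * instead index before the start of its slot array at this point. */
static bool pop_offsets_buggy(loader_ctx_t *ctx, uint32_t n)
{
    for (uint32_t i = 0; i < n; i++) {
        if (ctx->stack_cell_num > ctx->block_base_cells) {
            if (ctx->offset_top == ctx->block_base_offset)
                return false;   /* would underflow */
            ctx->offset_top--;
        }
        /* else: polymorphic stack, nothing left to pop */
    }
    return true;
}

/* Fixed ordering: compute the operands available above the block base
 * once, and stop popping slots when they run out.  Running out is only
 * legal when the stack is polymorphic. */
static bool pop_offsets_fixed(loader_ctx_t *ctx, uint32_t n)
{
    uint32_t avail = ctx->stack_cell_num - ctx->block_base_cells;
    for (uint32_t i = 0; i < n; i++) {
        if (avail == 0)
            return ctx->is_polymorphic;
        if (ctx->offset_top == ctx->block_base_offset)
            return false;       /* never expected once avail is tracked */
        ctx->offset_top--;
        avail--;
    }
    return true;
}

/* The type pop: in a polymorphic stack it may pop fewer cells than asked,
 * which is exactly what lets the stale check above go wrong. */
static bool pop_refs(loader_ctx_t *ctx, uint32_t n)
{
    uint32_t avail = ctx->stack_cell_num - ctx->block_base_cells;
    if (avail < n && !ctx->is_polymorphic)
        return false;           /* genuine validation error */
    ctx->stack_cell_num -= (avail < n) ? avail : n;
    return true;
}

/* Scenario from the fix commit: a block holding one live operand, then an
 * instruction that consumes two (e.g. i32.add).  Returns true when both
 * pops succeed and the slot stack stayed within its block. */
static bool scenario(bool (*pop_offsets)(loader_ctx_t *, uint32_t),
                     bool polymorphic)
{
    loader_ctx_t ctx;
    ctx_init(&ctx, 4);              /* 4 cells belong to outer blocks */
    push_operand(&ctx);             /* one operand in this block */
    ctx.is_polymorphic = polymorphic;
    bool ok = pop_offsets(&ctx, 2);
    ok = pop_refs(&ctx, 2) && ok;
    return ok && ctx.offset_top >= ctx.block_base_offset;
}

int main(void)
{
    printf("buggy ordering, polymorphic stack: %s\n",
           scenario(pop_offsets_buggy, true) ? "in bounds" : "underflow");
    printf("fixed ordering, polymorphic stack: %s\n",
           scenario(pop_offsets_fixed, true) ? "in bounds" : "underflow");
    printf("fixed ordering, reachable stack:   %s\n",
           scenario(pop_offsets_fixed, false) ? "accepted" : "rejected");
    return 0;
}
```

The reachable-stack case is included so the fix can be checked for the opposite failure: with `is_polymorphic` false, an instruction asking for more operands than the block holds must still be rejected as a validation error rather than silently tolerated.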