Integer overflow in GraalWasm

[JFHwang]

Hello, my team was fuzzing GraalWasm for a course project and we noted a NegativeArraySizeException when the wasm file attempts to allocate more memory than are possible with a signed integer (32768 pages * 65536 bytes per page = 2147483648).

Here is an example .wat file to trigger this. Anything over 32767 pages works.

(module
(memory (;0;) 32768))

I was able to reproduce this error on a clone of the master branch, pulled yesterday.

• Commit ID: 647adc0
• JDK major version: 8
• OS: Ubuntu
• Architecture: AMD64

ERROR: java.lang.NegativeArraySizeException
org.graalvm.polyglot.PolyglotException: java.lang.NegativeArraySizeException
at com.oracle.svm.core.genscavenge.ThreadLocalAllocation.slowPathNewArray(ThreadLocalAllocation.java:181)
at org.graalvm.wasm.SymbolTable.lambda$allocateMemory$12(SymbolTable.java:861)
at org.graalvm.wasm.Linker.runLinkActions(Linker.java:139)
at org.graalvm.wasm.Linker.tryLinkOutsidePartialEvaluation(Linker.java:120)
at org.graalvm.wasm.Linker.tryLink(Linker.java:107)
at org.graalvm.wasm.WasmInstance.ensureLinked(WasmInstance.java:101)
at org.graalvm.wasm.WasmInstance.readMember(WasmInstance.java:112)
at org.graalvm.wasm.WasmInstanceGen$InteropLibraryExports$Cached.readMember(WasmInstanceGen.java:76)
at com.oracle.truffle.polyglot.PolyglotValue$InteropCodeCache$GetMemberNode.doCached(PolyglotValue.java:2845)
at com.oracle.truffle.polyglot.PolyglotValueFactory$InteropCodeCacheFactory$GetMemberNodeGen.executeAndSpecialize(PolyglotValueFactory.java:5443)
at com.oracle.truffle.polyglot.PolyglotValueFactory$InteropCodeCacheFactory$GetMemberNodeGen.executeImpl(PolyglotValueFactory.java:5391)
at com.oracle.truffle.polyglot.HostToGuestRootNode.execute(HostToGuestRootNode.java:134)
at org.graalvm.polyglot.Value.getMember(Value.java:747)
at org.graalvm.wasm.launcher.WasmLauncher.detectEntryPoint(WasmLauncher.java:175)
at org.graalvm.wasm.launcher.WasmLauncher.execute(WasmLauncher.java:151)
at org.graalvm.wasm.launcher.WasmLauncher.launch(WasmLauncher.java:141)
at org.graalvm.launcher.AbstractLanguageLauncher.launch(AbstractLanguageLauncher.java:124)
at org.graalvm.launcher.AbstractLanguageLauncher.launch(AbstractLanguageLauncher.java:71)
at org.graalvm.wasm.launcher.WasmLauncher.main(WasmLauncher.java:68)
Original Internal Error:
java.lang.NegativeArraySizeException
at com.oracle.svm.core.genscavenge.ThreadLocalAllocation.slowPathNewArray(ThreadLocalAllocation.java:181)
at org.graalvm.wasm.SymbolTable.lambda$allocateMemory$12(SymbolTable.java:861)
at org.graalvm.wasm.Linker.runLinkActions(Linker.java:139)
at org.graalvm.wasm.Linker.tryLinkOutsidePartialEvaluation(Linker.java:120)
at org.graalvm.wasm.Linker.tryLink(Linker.java:107)
at org.graalvm.wasm.WasmInstance.ensureLinked(WasmInstance.java:101)
at org.graalvm.wasm.WasmInstance.readMember(WasmInstance.java:112)
at org.graalvm.wasm.WasmInstanceGen$InteropLibraryExports$Cached.readMember(WasmInstanceGen.java:76)
at com.oracle.truffle.polyglot.PolyglotValue$InteropCodeCache$GetMemberNode.doCached(PolyglotValue.java:2845)
at com.oracle.truffle.polyglot.PolyglotValueFactory$InteropCodeCacheFactory$GetMemberNodeGen.executeAndSpecialize(PolyglotValueFactory.java:5443)
at com.oracle.truffle.polyglot.PolyglotValueFactory$InteropCodeCacheFactory$GetMemberNodeGen.executeImpl(PolyglotValueFactory.java:5391)
at com.oracle.truffle.polyglot.HostToGuestRootNode.execute(HostToGuestRootNode.java:134)
at org.graalvm.compiler.truffle.runtime.OptimizedCallTarget.executeRootNode(OptimizedCallTarget.java:613)
at org.graalvm.compiler.truffle.runtime.OptimizedCallTarget.profiledPERoot(OptimizedCallTarget.java:584)
at org.graalvm.compiler.truffle.runtime.OptimizedCallTarget.callBoundary(OptimizedCallTarget.java:534)
at com.oracle.svm.truffle.api.SubstrateOptimizedCallTarget.invokeCallBoundary(SubstrateOptimizedCallTarget.java:121)
at com.oracle.svm.truffle.api.SubstrateOptimizedCallTargetInstalledCode.doInvoke(SubstrateOptimizedCallTargetInstalledCode.java:164)
at com.oracle.svm.truffle.api.SubstrateOptimizedCallTarget.doInvoke(SubstrateOptimizedCallTarget.java:104)
at org.graalvm.compiler.truffle.runtime.GraalRuntimeSupport.callProfiled(GraalRuntimeSupport.java:143)
at com.oracle.truffle.polyglot.PolyglotValue$InteropValue.getMember(PolyglotValue.java:4429)
at org.graalvm.polyglot.Value.getMember(Value.java:747)
at org.graalvm.wasm.launcher.WasmLauncher.detectEntryPoint(WasmLauncher.java:175)
at org.graalvm.wasm.launcher.WasmLauncher.execute(WasmLauncher.java:151)
at org.graalvm.wasm.launcher.WasmLauncher.launch(WasmLauncher.java:141)
at org.graalvm.launcher.AbstractLanguageLauncher.launch(AbstractLanguageLauncher.java:124)
at org.graalvm.launcher.AbstractLanguageLauncher.launch(AbstractLanguageLauncher.java:71)
at org.graalvm.wasm.launcher.WasmLauncher.main(WasmLauncher.java:68)
Caused by: Attached Guest Language Frames (1)

Hopefully this is helpful.

[munishchouhan]

@JFHwang thanks for reporting the issue, we will check it out and get back to you

[flohuemer]

This should be fixed in 21.3