SEGV wasm3/source/./m3_exec.h:555:35 in op_CallIndirect #380

Closed
wysyrg opened this issue Aug 29, 2022 · 1 comment

wysyrg commented Aug 29, 2022

git commit 7890a2097569fde845881e0b352d813573e371f9

Gdb info

Program received signal SIGSEGV, Segmentation fault.
0x0000000000535f51 in op_CallIndirect (_pc=0x62d000000498, _sp=0x631000000800, _mem=0x631000014800, _r0=1, _fp0=2.2957472741033478e-41) at /home/chuwei/tools/wasm3/source/./m3_exec.h:555
555	    u32 tableIndex              = slot (u32);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x63100003b188 ◂— 0x0
 RBX  0x7fffffffcc80 —▸ 0x514ac0 (metering_usegas) ◂— push   rbp
 RCX  0xc6200007631 ◂— 0x0
 RDX  0x63100003b188 ◂— 0x0
 RDI  0x62d000000490 ◂— 0xea62
 RSI  0xc5a00000000 ◂— 0x0
 R8   0x535e60 (op_CallIndirect) ◂— push   rbp
 R9   0x1
 R10  0x0
 R11  0x4
 R12  0x41c6d0 (_start) ◂— xor    ebp, ebp
 R13  0x7fffffffdc10 ◂— 0x2
 R14  0x10007fff79d4 ◂— 0xf8f8f8f8f8f8f8f8
 R15  0x0
 RBP  0x7fffffffc530 —▸ 0x7fffffffc5b0 —▸ 0x7fffffffc600 —▸ 0x7fffffffc650 —▸ 0x7fffffffc6a0 ◂— ...
 RSP  0x7fffffffc400 —▸ 0x62d00000040c —▸ 0x100000ffd ◂— 0x0
 RIP  0x535f51 (op_CallIndirect+241) ◂— mov    ecx, dword ptr [rax]
─────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────────────────
   0x535f07 <op_CallIndirect+167>    cmp    sil, 0
   0x535f0b <op_CallIndirect+171>    mov    qword ptr [rbp - 0x98], rdx
   0x535f12 <op_CallIndirect+178>    mov    byte ptr [rbp - 0x99], sil
   0x535f19 <op_CallIndirect+185>    je     op_CallIndirect+234                      <op_CallIndirect+234>
    ↓
   0x535f4a <op_CallIndirect+234>    mov    rax, qword ptr [rbp - 0x98]
 ► 0x535f51 <op_CallIndirect+241>    mov    ecx, dword ptr [rax]
   0x535f53 <op_CallIndirect+243>    mov    dword ptr [rbp - 0x34], ecx
   0x535f56 <op_CallIndirect+246>    mov    rdx, qword ptr [rbp - 0x10]
   0x535f5a <op_CallIndirect+250>    mov    rsi, rdx
   0x535f5d <op_CallIndirect+253>    add    rsi, 8
   0x535f61 <op_CallIndirect+257>    mov    qword ptr [rbp - 0x10], rsi
─────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]──────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/chuwei/tools/wasm3/source/m3_exec.h
   550 }
   551 
   552 
   553 d_m3Op  (CallIndirect)
   554 {
 ► 555     u32 tableIndex              = slot (u32);
   556     IM3Module module            = immediate (IM3Module);
   557     IM3FuncType type            = immediate (IM3FuncType);
   558     i32 stackOffset             = immediate (i32);
   559     IM3Memory memory            = m3MemInfo (_mem);
   560 
─────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffffc400 —▸ 0x62d00000040c —▸ 0x100000ffd ◂— 0x0
01:0008│ 0x7fffffffc408 ◂— 0x7fff0000001b
02:0010│ 0x7fffffffc410 —▸ 0x62d000000408 —▸ 0xffd0000001c ◂— 0x0
03:0018│ 0x7fffffffc418 —▸ 0x62d000000400 ◂— 0x0
04:0020│ 0x7fffffffc420 —▸ 0x7fffffffc4b0 —▸ 0x631000000800 ◂— 0xc00000000000
05:0028│ 0x7fffffffc428 —▸ 0x58b466 (EnsureCodePageNumLines+134) ◂— cmp    eax, dword ptr [rbp - 0xc]
06:0030│ 0x7fffffffc430 —▸ 0x62d000000408 —▸ 0xffd0000001c ◂— 0x0
07:0038│ 0x7fffffffc438 —▸ 0x626000000360 ◂— 0x4000700060000
───────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0         0x535f51 op_CallIndirect+241
   f 1         0x579efa op_SetSlot_i32+314
   f 2         0x56175a op_f32_Negate_r+154
   f 3         0x56175a op_f32_Negate_r+154
   f 4         0x56175a op_f32_Negate_r+154
   f 5         0x56175a op_f32_Negate_r+154
   f 6         0x56175a op_f32_Negate_r+154
   f 7         0x5618ad op_f32_Negate_s+333
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Asan info

AddressSanitizer:DEADLYSIGNAL
=================================================================
==10355==ERROR: AddressSanitizer: SEGV on unknown address 0x63100003b188 (pc 0x000000535f51 bp 0x7ffe3d8772d0 sp 0x7ffe3d8771a0 T0)
==10355==The signal is caused by a READ memory access.
    #0 0x535f50 in op_CallIndirect /home/chuwei/tools/wasm3/source/./m3_exec.h:555:35
    #1 0x579ef9 in op_SetSlot_i32 /home/chuwei/tools/wasm3/source/./m3_exec.h:941:1
    #2 0x561759 in op_f32_Negate_r /home/chuwei/tools/wasm3/source/./m3_exec.h:277:1
    #3 0x561759 in op_f32_Negate_r /home/chuwei/tools/wasm3/source/./m3_exec.h:277:1
    #4 0x561759 in op_f32_Negate_r /home/chuwei/tools/wasm3/source/./m3_exec.h:277:1
    #5 0x561759 in op_f32_Negate_r /home/chuwei/tools/wasm3/source/./m3_exec.h:277:1
    #6 0x561759 in op_f32_Negate_r /home/chuwei/tools/wasm3/source/./m3_exec.h:277:1
    #7 0x5618ac in op_f32_Negate_s /home/chuwei/tools/wasm3/source/./m3_exec.h:277:1
    #8 0x54dbf2 in op_MemGrow /home/chuwei/tools/wasm3/source/./m3_exec.h:704:5
    #9 0x54ed80 in op_i32_EqualToZero_s /home/chuwei/tools/wasm3/source/./m3_exec.h:282:1
    #10 0x5741a5 in op_Entry /home/chuwei/tools/wasm3/source/./m3_exec.h:808:21
    #11 0x5933da in RunCode /home/chuwei/tools/wasm3/source/./m3_exec_defs.h:58:5
    #12 0x59a9ba in m3_CallArgv /home/chuwei/tools/wasm3/source/m3_env.c:953:25
    #13 0x515fe1 in repl_call /home/chuwei/tools/wasm3/platforms/app/main.c:274:18
    #14 0x518cc8 in main /home/chuwei/tools/wasm3/platforms/app/main.c:634:26
    #15 0x7f6fe6325c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #16 0x41c6f9 in _start (/home/chuwei/tools/wasm3/build/wasm3+0x41c6f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/chuwei/tools/wasm3/source/./m3_exec.h:555:35 in op_CallIndirect
==10355==ABORTING

Credit

wysyrg, hushs1gnal

op_CallIndirect.zip
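The gdb and ASan dumps above describe the same read fault from two angles: ASan gives the faulting address and the access kind, gdb gives the interpreter's own registers (`_pc`, `_sp`, `_mem`) at the crash site. The script below is an editor's triage example, added here; it is not part of the report and not wasm3 code. It parses both dumps, checks that they agree on the crash site, and relates the faulting address to the operand stack and linear-memory pointers. The sample text is copied from the two dumps above (labelled as constructed input in the code); the only assumption beyond the page is the 8-byte slot width, which follows from wasm3 declaring its stack as an array of `u64` (`slot(u32)` in the faulting line reads `*(u32 *)(_sp + immediate)`), so re-check that constant on another revision.

```python
import re

# Constructed sample input: the ASan header and a subset of its frames, plus the
# gdb frame line, copied from the report above. In practice paste the dumps in as-is.
ASAN_REPORT = """\
==10355==ERROR: AddressSanitizer: SEGV on unknown address 0x63100003b188 (pc 0x000000535f51 bp 0x7ffe3d8772d0 sp 0x7ffe3d8771a0 T0)
==10355==The signal is caused by a READ memory access.
    #0 0x535f50 in op_CallIndirect /home/chuwei/tools/wasm3/source/./m3_exec.h:555:35
    #1 0x579ef9 in op_SetSlot_i32 /home/chuwei/tools/wasm3/source/./m3_exec.h:941:1
    #8 0x54dbf2 in op_MemGrow /home/chuwei/tools/wasm3/source/./m3_exec.h:704:5
    #10 0x5741a5 in op_Entry /home/chuwei/tools/wasm3/source/./m3_exec.h:808:21
    #11 0x5933da in RunCode /home/chuwei/tools/wasm3/source/./m3_exec_defs.h:58:5
    #12 0x59a9ba in m3_CallArgv /home/chuwei/tools/wasm3/source/m3_env.c:953:25
"""

GDB_FRAME = (
    "0x0000000000535f51 in op_CallIndirect (_pc=0x62d000000498, _sp=0x631000000800, "
    "_mem=0x631000014800, _r0=1, _fp0=2.2957472741033478e-41) "
    "at /home/chuwei/tools/wasm3/source/./m3_exec.h:555"
)

# Assumption: wasm3's operand stack is an array of 8-byte slots (m3stack_t is u64 *),
# so a slot() read lands at _sp + 8 * immediate. Re-check on other revisions.
SLOT_BYTES = 8


def parse_asan(report: str) -> dict:
    """Pull the faulting address, host pc, access kind and frames out of an ASan SEGV report."""
    head = re.search(r"SEGV on unknown address 0x([0-9a-f]+) \(pc 0x([0-9a-f]+)", report)
    if head is None:
        raise ValueError("not an ASan SEGV report")
    access = re.search(r"caused by a (READ|WRITE) memory access", report)
    frames = [
        {"n": int(n), "pc": int(pc, 16), "func": func, "loc": loc}
        for n, pc, func, loc in re.findall(r"#(\d+) 0x([0-9a-f]+) in (\S+) (\S+)", report)
    ]
    return {
        "addr": int(head.group(1), 16),
        "pc": int(head.group(2), 16),
        "access": access.group(1) if access else "UNKNOWN",
        "frames": frames,
    }


def parse_gdb_frame(line: str) -> dict:
    """Read the host pc and the interpreter's _pc/_sp/_mem arguments from a gdb frame line."""
    site = re.match(r"0x([0-9a-f]+) in (\w+)", line)
    if site is None:
        raise ValueError("not a gdb frame line")
    regs = {k: int(v, 16) for k, v in re.findall(r"(_pc|_sp|_mem)=0x([0-9a-f]+)", line)}
    regs["host_pc"] = int(site.group(1), 16)
    regs["func"] = site.group(2)
    return regs


def triage(report: str, gdb_line: str) -> dict:
    """Relate the faulting address to the interpreter's stack and linear-memory pointers."""
    asan = parse_asan(report)
    regs = parse_gdb_frame(gdb_line)
    top = asan["frames"][0]
    off_sp = asan["addr"] - regs["_sp"]
    off_mem = asan["addr"] - regs["_mem"]
    return {
        "access": asan["access"],
        "faulting_function": top["func"],
        "location": top["loc"],
        # Both tools must name the same crash site before the register values are trusted.
        "same_crash_site": asan["pc"] == regs["host_pc"] and top["func"] == regs["func"],
        "offset_from_sp": off_sp,
        # Slot index the faulting read corresponds to, if the offset is slot-aligned.
        "slot_index": off_sp // SLOT_BYTES if off_sp % SLOT_BYTES == 0 else None,
        "offset_from_mem": off_mem,
        "beyond_mem": asan["addr"] >= regs["_mem"],
        # Interpreter opcode handlers on the path, innermost first.
        "op_frames": [f["func"] for f in asan["frames"] if f["func"].startswith("op_")],
    }


if __name__ == "__main__":
    for key, value in triage(ASAN_REPORT, GDB_FRAME).items():
        if isinstance(value, int) and not isinstance(value, bool):
            print(f"{key:20} {value:#x}")
        else:
            print(f"{key:20} {value}")
```

For this report the script puts the faulting read at `_sp + 0x3a988`, i.e. slot index 30001, and 0x26988 bytes past `_mem`, so the read is nowhere near the operand stack and not a linear-memory access at all. Since the faulting statement is `slot (u32)`, the offset is a compile-time immediate baked into the opcode stream, which points the investigation at how the (fuzzer-generated) module was compiled rather than at runtime memory bounds checks; confirming that requires the attached `op_CallIndirect.zip`, which is not reproduced on this page.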

vshymanskyy (Member) commented:

@wysyrg Sorry, I will be closing any fuzzer reports, as this is covered by #344
