Asan sanitizer throws stack-underflow error #5260

Open
grishasobol opened this issue Nov 18, 2024 · 1 comment
@grishasobol (Contributor)

Hi wasmer team!!

Describe the bug

Caught the problem when running wasmer on Rust through the ASan sanitizer:

cargo test output:

```text
running 1 test
=================================================================
==2857==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x000105e83bc0 at pc 0x000103c30318 bp 0x000105e83a50 sp 0x000105e83200
WRITE of size 48 at 0x000105e83bc0 thread T1
    #0 0x103c30314 in __asan_memcpy+0x420 (librustc-nightly_rt.asan.dylib:arm64+0x4c314)

Address 0x000105e83bc0 is a wild pointer inside of access range of size 0x000000000030.
SUMMARY: AddressSanitizer: stack-buffer-underflow (librustc-nightly_rt.asan.dylib:arm64+0x4c314) in __asan_memcpy+0x420
Shadow bytes around the buggy address:
  0x000105e83900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000105e83980: f1 f1 f1 f1 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3
  0x000105e83a00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x000105e83a80: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x000105e83b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000105e83b80: 00 00 00 00 00 00 00 00[f1]f1 f1 f1 00 00 00 00
  0x000105e83c00: 00 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x000105e83c80: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 f3 f3
  0x000105e83d00: f3 f3 f3 f3 f8 f8 f2 f2 f2 f2 00 00 00 00 00 f2
  0x000105e83d80: f2 f2 f2 f2 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
  0x000105e83e00: f8 f8 f2 f2 f2 f2 00 00 00 00 00 00 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T1 created by T0 here:
    #0 0x103c2ad88 in pthread_create+0x58 (librustc-nightly_rt.asan.dylib:arm64+0x46d88)
    #1 0x101bf68c4 in std::sys::pal::unix::thread::Thread::new::h12e6ce2921b08305+0xc8 (wasmer_fail-80df422d0123702d:arm64+0x10175a8c4)
    #2 0x101bc7a80 in test::run_test::hc93c06cf7c970a54+0xaa0 (wasmer_fail-80df422d0123702d:arm64+0x10172ba80)
    #3 0x101baf6c8 in test::console::run_tests_console::h368a56c574d5cbc8+0x11dc (wasmer_fail-80df422d0123702d:arm64+0x1017136c8)
    #4 0x101bc4f60 in test::test_main::hf6ac6aab472272ca+0x1ec (wasmer_fail-80df422d0123702d:arm64+0x101728f60)
    #5 0x101bc5b04 in test::test_main_static::h16ca74eaa6b88285+0x54 (wasmer_fail-80df422d0123702d:arm64+0x101729b04)
    #6 0x1004b97b0 in wasmer_fail::main::h5d6fa1596e8ae7f9 lib.rs:1
    #7 0x1004a3578 in core::ops::function::FnOnce::call_once::hca11f13f36c3b746 function.rs:250
    #8 0x1004adfcc in std::sys::backtrace::__rust_begin_short_backtrace::h8ceea1e0b9f546a8 backtrace.rs:155
    #9 0x1004ab23c in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h852f84421ecb4d76 rt.rs:159
    #10 0x101be9768 in std::rt::lang_start_internal::hb0f920d1b02fc260+0x27c (wasmer_fail-80df422d0123702d:arm64+0x10174d768)
    #11 0x1004ab074 in std::rt::lang_start::h050279d6769f6ad7 rt.rs:158
    #12 0x1004b97dc in main+0x20 (wasmer_fail-80df422d0123702d:arm64+0x10001d7dc)
    #13 0x19edcb150 ()
    #14 0x904ffffffffffffc ()

==2857==ABORTING
error: test failed, to rerun pass --lib

Caused by:
  process didn't exit successfully: wasmer-fail/target/aarch64-apple-darwin/debug/deps/wasmer_fail-80df422d0123702d (signal: 6, SIGABRT: process abort signal)
```

Steps to reproduce

  1. Clone the repo with the test (https://github.com/grishasobol/wasmer-fail):
     `git clone git@github.com:grishasobol/wasmer-fail.git`
  2. Run the test using the sanitizer (use your target); you will get output like the above:
     `RUSTFLAGS=-Zsanitizer=address cargo test --target aarch64-apple-darwin`

Environment

```text
% rustc --version
rustc 1.81.0-nightly (6868c831a 2024-06-30)
% uname -a
23.6.0 Darwin Kernel Version 23.6.0
% cat Cargo.toml
```

```toml
[package]
name = "wasmer-fail"
version = "0.0.1"
edition = "2021"

[dependencies]
wasmer = { version = "5", default-features = false, features = ["singlepass", "wat"] }
```

Thoughts

Maybe the problem is connected with how user panics are handled in wasmer using corosensei, which includes complex manipulations with stack.
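To triage a report like the one above, the following added script (not part of the issue or of wasmer) parses the ASan header and shadow rows, checks that the bracketed shadow byte on the `=>` row covers the faulting address, and labels each 8-byte granule of the 48-byte write with the legend entry for its shadow byte; the `REPORT` excerpt is constructed from the output quoted above.

```python
import re
# Constructed excerpt of the AddressSanitizer report quoted in the issue: the error header,
# the access line and three shadow rows around the marked (=>) row.
REPORT = """\
==2857==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x000105e83bc0 at pc 0x000103c30318 bp 0x000105e83a50 sp 0x000105e83200
WRITE of size 48 at 0x000105e83bc0 thread T1
Shadow bytes around the buggy address:
0x000105e83b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000105e83b80: 00 00 00 00 00 00 00 00[f1]f1 f1 f1 00 00 00 00
0x000105e83c00: 00 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
"""

GRANULARITY = 8  # one shadow byte describes 8 application bytes
LEGEND = {0x00: "addressable", 0xf1: "stack left redzone", 0xf2: "stack mid redzone",
          0xf3: "stack right redzone", 0xf5: "stack after return",
          0xf8: "stack use after scope", 0xfa: "heap left redzone", 0xfd: "freed heap region"}

def parse_report(text):
    hdr = re.search(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)", text)
    acc = re.search(r"(READ|WRITE) of size (\d+) at 0x([0-9a-f]+) thread (T\d+)", text)
    if not (hdr and acc):
        raise ValueError("not an ASan access report")
    # Flatten shadow rows into {application address: shadow byte}; remember the bracketed byte.
    shadow, marked = {}, None
    for m in re.finditer(r"^(?:=>|[ \t]*)0x([0-9a-f]+):(.*)$", text, re.M):
        base = int(m.group(1), 16)
        for i, tok in enumerate(re.findall(r"\[?[0-9a-f]{2}\]?", m.group(2))):
            shadow[base + i * GRANULARITY] = int(tok.strip("[]"), 16)
            if tok.startswith("["):
                marked = base + i * GRANULARITY
    return {"kind": hdr.group(1), "address": int(hdr.group(2), 16), "op": acc.group(1),
            "size": int(acc.group(2)), "thread": acc.group(4), "shadow": shadow, "marked": marked}

def classify_access(rep):
    # Label every 8-byte granule the access touches with the legend entry for its shadow byte.
    start, size, shadow = rep["address"], rep["size"], rep["shadow"]
    granules = []
    for a in range(start - start % GRANULARITY, start + size, GRANULARITY):
        b = shadow.get(a)
        granules.append(LEGEND.get(b, "not dumped" if b is None else f"0x{b:02x}"))
    return granules

def summarize(text):
    rep = parse_report(text)
    granules = classify_access(rep)
    redzone = sum(g.endswith("redzone") for g in granules) * GRANULARITY
    return {"kind": rep["kind"], "op": rep["op"], "thread": rep["thread"],
            "marked_matches_fault": rep["marked"] == rep["address"], "granules": granules,
            "bytes_in_redzone": redzone, "bytes_addressable": rep["size"] - redzone}
```

For this report the write starts on a stack left redzone (`f1`) and runs 32 bytes into it before reaching addressable memory, which is why ASan reports it as an underflow rather than an overflow.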

@ark0f

ark0f commented Nov 20, 2024

Note: AddressSanitizer aborts since Wasmer 2.3.0 (corosensei introduced) and doesn't abort on Wasmer 2.2.1 with the latest toolchain.

@xdoardo xdoardo self-assigned this Nov 21, 2024