Asan sanitizer throws stack-underflow error #5260

Open
grishasobol opened this issue Nov 18, 2024 · 1 comment
Comments

@grishasobol (Contributor)

Hi wasmer team!!

Describe the bug

Caught the problem when running wasmer on Rust through the ASan sanitizer:

cargo test output

```
running 1 test
=================================================================
==2857==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x000105e83bc0 at pc 0x000103c30318 bp 0x000105e83a50 sp 0x000105e83200
WRITE of size 48 at 0x000105e83bc0 thread T1
    #0 0x103c30314 in __asan_memcpy+0x420 (librustc-nightly_rt.asan.dylib:arm64+0x4c314)

Address 0x000105e83bc0 is a wild pointer inside of access range of size 0x000000000030.
SUMMARY: AddressSanitizer: stack-buffer-underflow (librustc-nightly_rt.asan.dylib:arm64+0x4c314) in __asan_memcpy+0x420
Shadow bytes around the buggy address:
  0x000105e83900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000105e83980: f1 f1 f1 f1 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3
  0x000105e83a00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x000105e83a80: 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x000105e83b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000105e83b80: 00 00 00 00 00 00 00 00[f1]f1 f1 f1 00 00 00 00
  0x000105e83c00: 00 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x000105e83c80: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 f3 f3
  0x000105e83d00: f3 f3 f3 f3 f8 f8 f2 f2 f2 f2 00 00 00 00 00 f2
  0x000105e83d80: f2 f2 f2 f2 00 00 00 00 f1 f1 f1 f1 f8 f8 f8 f8
  0x000105e83e00: f8 f8 f2 f2 f2 f2 00 00 00 00 00 00 f2 f2 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T1 created by T0 here:
    #0 0x103c2ad88 in pthread_create+0x58 (librustc-nightly_rt.asan.dylib:arm64+0x46d88)
    #1 0x101bf68c4 in std::sys::pal::unix::thread::Thread::new::h12e6ce2921b08305+0xc8 (wasmer_fail-80df422d0123702d:arm64+0x10175a8c4)
    #2 0x101bc7a80 in test::run_test::hc93c06cf7c970a54+0xaa0 (wasmer_fail-80df422d0123702d:arm64+0x10172ba80)
    #3 0x101baf6c8 in test::console::run_tests_console::h368a56c574d5cbc8+0x11dc (wasmer_fail-80df422d0123702d:arm64+0x1017136c8)
    #4 0x101bc4f60 in test::test_main::hf6ac6aab472272ca+0x1ec (wasmer_fail-80df422d0123702d:arm64+0x101728f60)
    #5 0x101bc5b04 in test::test_main_static::h16ca74eaa6b88285+0x54 (wasmer_fail-80df422d0123702d:arm64+0x101729b04)
    #6 0x1004b97b0 in wasmer_fail::main::h5d6fa1596e8ae7f9 lib.rs:1
    #7 0x1004a3578 in core::ops::function::FnOnce::call_once::hca11f13f36c3b746 function.rs:250
    #8 0x1004adfcc in std::sys::backtrace::__rust_begin_short_backtrace::h8ceea1e0b9f546a8 backtrace.rs:155
    #9 0x1004ab23c in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h852f84421ecb4d76 rt.rs:159
    #10 0x101be9768 in std::rt::lang_start_internal::hb0f920d1b02fc260+0x27c (wasmer_fail-80df422d0123702d:arm64+0x10174d768)
    #11 0x1004ab074 in std::rt::lang_start::h050279d6769f6ad7 rt.rs:158
    #12 0x1004b97dc in main+0x20 (wasmer_fail-80df422d0123702d:arm64+0x10001d7dc)
    #13 0x19edcb150 ()
    #14 0x904ffffffffffffc ()

==2857==ABORTING
error: test failed, to rerun pass --lib

Caused by:
  process didn't exit successfully: wasmer-fail/target/aarch64-apple-darwin/debug/deps/wasmer_fail-80df422d0123702d (signal: 6, SIGABRT: process abort signal)
```

Steps to reproduce

  1. Clone the repo with the test (https://github.com/grishasobol/wasmer-fail):
     `git clone git@github.com:grishasobol/wasmer-fail.git`
  2. Run the test using the sanitizer (use your target); you would get output like the above:
     `RUSTFLAGS=-Zsanitizer=address cargo test --target aarch64-apple-darwin`

Environment

```
% rustc --version
rustc 1.81.0-nightly (6868c831a 2024-06-30)
% uname -a
23.6.0 Darwin Kernel Version 23.6.0
% cat Cargo.toml
[package]
name = "wasmer-fail"
version = "0.0.1"
edition = "2021"

[dependencies]
wasmer = { version = "5", default-features = false, features = ["singlepass", "wat"] }
```

Thoughts

Maybe the problem is connected with how user panics are handled in wasmer using corosensei, which includes complex manipulations of the stack.
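Reading the shadow-byte dump is the quickest way to see why ASan labels this access an underflow. The following Python is an added example, not code from the issue or from wasmer: it parses the rows around the `=>` marker copied from the report above and classifies each 8-byte granule the 48-byte write touches, using the bracketed byte to pin the shadow mapping so that no platform-specific shadow offset has to be assumed. Function names are my own.

```python
import re

# Shadow-byte legend from the ASan report above (one shadow byte = 8 app bytes).
LEGEND = {0x00: "addressable", 0xfa: "heap left redzone", 0xfd: "freed heap region",
          0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone",
          0xf5: "stack after return", 0xf8: "stack use after scope", 0xf9: "global redzone",
          0xf6: "global init order", 0xf7: "poisoned by user", 0xfc: "container overflow",
          0xac: "array cookie", 0xbb: "intra object redzone", 0xfe: "ASan internal",
          0xca: "left alloca redzone", 0xcb: "right alloca redzone"}
ROW_RE = re.compile(r"^\s*(?:=>)?\s*0x([0-9a-fA-F]+):\s*(.*)$")
BYTE_RE = re.compile(r"\[?[0-9a-fA-F]{2}\]?")  # ASan prints the bad byte as 00[f1]f1

# Rows copied from the report in this issue: the "=>" row and its neighbours.
SHADOW_DUMP = """\
  0x000105e83b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000105e83b80: 00 00 00 00 00 00 00 00[f1]f1 f1 f1 00 00 00 00
  0x000105e83c00: 00 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
"""
ADDR, SIZE = 0x000105e83bc0, 48  # "WRITE of size 48 at 0x000105e83bc0"

def parse_shadow_dump(text):
    """Return ({shadow_addr: byte}, shadow address of the bracketed byte)."""
    shadow, marked = {}, None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(BYTE_RE.findall(m.group(2))):
                marked = base + i if tok.startswith("[") else marked
                shadow[base + i] = int(tok.strip("[]"), 16)
    return shadow, marked

def meaning(byte):
    if 1 <= byte <= 7:  # only the first `byte` bytes of the granule are valid
        return f"partially addressable ({byte} bytes)"
    return LEGEND.get(byte, f"unknown 0x{byte:02x}")

def classify_access(dump, addr, size):
    """Classify every 8-byte granule touched by an access of `size` bytes at `addr`;
    the bracketed byte pins the shadow mapping without the platform's shadow offset."""
    shadow, marked = parse_shadow_dump(dump)
    if marked is None:
        raise ValueError("dump has no [..] marker")
    first, last = addr >> 3, (addr + size - 1) >> 3
    return [meaning(shadow[marked - first + g]) for g in range(first, last + 1)]

def is_underflow(classes):
    """ASan calls it an underflow when the access starts in a *left* redzone."""
    return classes[0].endswith("left redzone")
```

For this report the first four granules come back as stack left redzone and the last two as addressable: the 48-byte memcpy starts in the redzone just below a stack frame's first variable, which is exactly what the stack-buffer-underflow summary means.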

@ark0f

ark0f commented Nov 20, 2024

Note: AddressSanitizer aborts since Wasmer 2.3.0 (corosensei introduced) and doesn't abort on Wasmer 2.2.1 with the latest toolchain.

@xdoardo xdoardo self-assigned this Nov 21, 2024