[lightbeam] add overflow in debug mode (backend:load:1934 & backend:load:1957) #815

Closed
pventuzelo opened this issue Jan 14, 2020 · 2 comments
Labels
lightbeam Issues related to the Lightbeam compiler

Comments

@pventuzelo

Issue description

An addition with overflow makes Lightbeam panic when compiled in debug mode.

Note: This issue is similar to #738. I suspect there are other overflows like these in the code.

Overflowed values are then provided to dynasm, meaning that in release mode, Lightbeam will generate assembly code that will try to access invalid memory addresses (like 0x0, kernel addresses, etc.), leading to different errors/panics.

$ ./target/debug/debug_lightbeam load_add_overflow_lightbeam.wasm 
thread 'main' panicked at 'attempt to add with overflow', XXX/wasmtime/crates/lightbeam/src/backend.rs:1934:106
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

This issue is related to the macro load! when dealing with the i32.load16_s opcode:

Ok(imm) => {
    dynasm!(ctx.asm
        ; $rq_instr $reg_ty(dst.rq().unwrap()), $ty [Rq(mem_ptr_reg.rq().unwrap()) + offset + imm]
    );

Reproduction

Download:
load_add_overflow_lightbeam.zip

or wasm2wat load_add_overflow_lightbeam.wasm :

(module
  (type (;0;) (func))
  (func (;0;) (type 0)
    i32.const 2
    i32.const 1
    i32.load16_s offset=2147483647 align=1
    unreachable)
  (memory (;0;) 1)
  (export "_start" (func 0))
)

Testing program (needs to be compiled in debug mode, i.e. RUSTFLAGS=-g cargo build):

use std::env;
use std::fs::File;
use std::io::{self, Read};
use std::path::PathBuf;

use wasmtime_fuzzing::oracles;
use wasmtime_jit::CompilationStrategy;

/// Read the contents of a file
fn read_contents(path: &PathBuf) -> Result<Vec<u8>, io::Error> {
    let mut buffer: Vec<u8> = Vec::new();
    let mut file = File::open(path)?;
    file.read_to_end(&mut buffer)?;
    drop(file);
    Ok(buffer)
}

fn main() {
    // First argument: path to the wasm module to compile
    let args: Vec<String> = env::args().collect();
    let wasm_path = PathBuf::from(&args[1]);
    let wasm_binary: Vec<u8> = read_contents(&wasm_path).unwrap();

    // Compile with Lightbeam; in a debug build the overflow panic is raised here
    let _res_compile = oracles::compile(&wasm_binary[..], CompilationStrategy::Lightbeam);
}

wasmtime commit: 420dcd7

@alexcrichton alexcrichton added the lightbeam Issues related to the Lightbeam compiler label Jan 14, 2020
@pventuzelo pventuzelo changed the title [lightbeam] panic during add overflow in backend:load macro (compiled in debug) [lightbeam] add overflow in debug mode (backend:load:1934) Jan 17, 2020
@pventuzelo

Another addition overflow is in this part of the load macro:

(GPR::Rq(r), Ok(imm)) => {
    dynasm!(ctx.asm
        ; $rq_instr $reg_ty(r), $ty [Rq(mem_ptr_reg.rq().unwrap()) + offset + imm]
    );
    Ok(())

Crash:

$ debug_diff_compile panic_add_overflow_1957.wasm 
thread 'main' panicked at 'attempt to add with overflow', wasmtime/crates/lightbeam/src/backend.rs:1957:90
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

Reproduction:

(module
  (type (;0;) (func))
  (func (;0;) (type 0)
    i32.const 2
    i32.const 1
    i64.load32_u offset=2147483647 align=1
    unreachable)
  (memory (;0;) 1)
  (export "_start" (func 0))
)

@pventuzelo pventuzelo changed the title [lightbeam] add overflow in debug mode (backend:load:1934) [lightbeam] add overflow in debug mode (backend:load:1934 & backend:load:1957) Jan 17, 2020
@alexcrichton

Lightbeam was removed in #3390 as explained in RFC 14, so I'm going to close this.
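
The `offset + imm` overflow reported in this thread, reduced to a stand-alone sketch; this is an added example, not Lightbeam's code and not a fix the project shipped. It assumes both operands are `i32` (consistent with the "attempt to add with overflow" panic and the signed 32-bit displacement of an x86-64 memory operand); `static_offset = 16` and the names `Disp`, `release_mode_disp` and `checked_disp` are hypothetical.

```rust
/// How a backend could encode `static_offset + memarg_offset` in a memory operand.
#[derive(Debug, PartialEq)]
enum Disp {
    /// The sum fits the signed 32-bit displacement field.
    Folded(i32),
    /// The sum does not fit; it has to be computed in a register with 64-bit arithmetic.
    Wide(i64),
}

/// What an unchecked `offset + imm` yields in a release build, where overflow
/// checks are off and the addition wraps instead of panicking.
fn release_mode_disp(static_offset: i32, imm: i32) -> i32 {
    static_offset.wrapping_add(imm)
}

/// Checked variant: widen both operands first, then decide whether the result
/// can still be folded into the displacement. It neither panics nor wraps.
fn checked_disp(static_offset: i32, memarg_offset: u32) -> Disp {
    let wide = i64::from(static_offset) + i64::from(memarg_offset);
    if wide >= i64::from(i32::MIN) && wide <= i64::from(i32::MAX) {
        Disp::Folded(wide as i32)
    } else {
        Disp::Wide(wide)
    }
}

fn main() {
    let static_offset = 16; // hypothetical base offset added by the backend
    let memarg_offset = 2_147_483_647u32; // `offset=2147483647` from the reproducers

    // Release-build behaviour: the displacement silently becomes negative.
    println!("wrapped: {}", release_mode_disp(static_offset, memarg_offset as i32));
    // Checked behaviour: the backend learns the sum cannot be folded.
    println!("checked: {:?}", checked_disp(static_offset, memarg_offset));
    // A small offset still folds as before.
    println!("small:   {:?}", checked_disp(static_offset, 8));
}
```
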
