[wasm] System.Linq.Expressions.Tests - memory access out of bounds #81558

Closed
radical opened this issue Feb 2, 2023 · 5 comments · Fixed by #81620
Comments

@radical
Member

radical commented Feb 2, 2023

Build, and log:

[FAIL] System.Linq.Expressions.Tests.MemberAccessTests.CheckMemberAccessClassInstanceFieldAssignNullReferenceTest(useInterpreter: True)
System.ArrayTypeMismatchException : Attempted to access an element as a type incompatible with the array.
   at System.Collections.Generic.List`1[[System.Linq.Expressions.Interpreter.Instruction, System.Linq.Expressions, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a]].AddWithResize(Instruction item)
   at System.Linq.Expressions.Interpreter.InstructionList.Emit(Instruction instruction)
   at System.Linq.Expressions.Interpreter.InstructionList.EmitLoad(Object value, Type type)
   at System.Linq.Expressions.Interpreter.LightCompiler.CompileConstantExpression(Expression expr)
   at System.Linq.Expressions.Interpreter.LightCompiler.CompileNoLabelPush(Expression expr)
   at System.Linq.Expressions.Interpreter.LightCompiler.Compile(Expression expr)
   at System.Linq.Expressions.Interpreter.LightCompiler.CompileAddress(Expression node, Int32 index)
   at System.Linq.Expressions.Interpreter.LightCompiler.EmitThisForMethodCall(Expression node)
   at System.Linq.Expressions.Interpreter.LightCompiler.CompileMemberAssignment(BinaryExpression node, Boolean asVoid)
   at System.Linq.Expressions.Interpreter.LightCompiler.CompileAssignBinaryExpression(Expression expr, Boolean asVoid)
   at System.Linq.Expressions.Interpreter.LightCompiler.CompileNoLabelPush(Expression expr)
   at System.Linq.Expressions.Interpreter.LightCompiler.Compile(Expression expr)
   at System.Linq.Expressions.Interpreter.LightCompiler.CompileTop(LambdaExpression node)
   at System.Linq.Expressions.Expression`1[[System.Func`1[[System.Int32, System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]], System.Private.CoreLib, Version=8.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].Compile(Boolean preferInterpretation)
   at System.Linq.Expressions.Tests.MemberAccessTests.CheckMemberAccessClassInstanceFieldAssignNullReferenceTest(Boolean useInterpreter)
   at System.Reflection.MethodInvoker.InterpretedInvoke(Object obj, IntPtr* args)
   at System.Reflection.MethodInvoker.Invoke(Object obj, IntPtr* args, BindingFlags invokeAttr)
RuntimeError: memory access out of bounds
    at get_target_imethod (get_target_imethod (http://127.0.0.1:37795/dotnet.wasm:wasm-function[377]:0x1e0e9))
    at get_virtual_method_fast (get_virtual_method_fast (http://127.0.0.1:37795/dotnet.wasm:wasm-function[248]:0x1a916))
    at mono_interp_exec_method (mono_interp_exec_method (http://127.0.0.1:37795/dotnet.wasm:wasm-function[244]:0xf213))
    at interp_runtime_invoke (interp_runtime_invoke (http://127.0.0.1:37795/dotnet.wasm:wasm-function[286]:0x1bb78))
    at mono_jit_runtime_invoke (mono_jit_runtime_invoke (http://127.0.0.1:37795/dotnet.wasm:wasm-function[8325]:0x1b280b))
    at do_runtime_invoke (do_runtime_invoke (http://127.0.0.1:37795/dotnet.wasm:wasm-function[2154]:0x8ec69))
    at mono_runtime_invoke_checked (mono_runtime_invoke_checked (http://127.0.0.1:37795/dotnet.wasm:wasm-function[2152]:0x8ebdf))
    at ves_icall_InternalInvoke_raw (ves_icall_InternalInvoke_raw (http://127.0.0.1:37795/dotnet.wasm:wasm-function[1495]:0x71231))
    at do_icall (do_icall (http://127.0.0.1:37795/dotnet.wasm:wasm-function[378]:0x1e208))
    at do_icall_wrapper (do_icall_wrapper (http://127.0.0.1:37795/dotnet.wasm:wasm-function[254]:0x1ac3e))

RuntimeError: memory access out of bounds
    at get_target_imethod (get_target_imethod (http://127.0.0.1:37795/dotnet.wasm:wasm-function[377]:0x1e0e9))
    at get_virtual_method_fast (get_virtual_method_fast (http://127.0.0.1:37795/dotnet.wasm:wasm-function[248]:0x1a916))
    at mono_interp_exec_method (mono_interp_exec_method (http://127.0.0.1:37795/dotnet.wasm:wasm-function[244]:0xf213))
    at interp_runtime_invoke (interp_runtime_invoke (http://127.0.0.1:37795/dotnet.wasm:wasm-function[286]:0x1bb78))
    at mono_jit_runtime_invoke (mono_jit_runtime_invoke (http://127.0.0.1:37795/dotnet.wasm:wasm-function[8325]:0x1b280b))
    at do_runtime_invoke (do_runtime_invoke (http://127.0.0.1:37795/dotnet.wasm:wasm-function[2154]:0x8ec69))
    at mono_runtime_invoke_checked (mono_runtime_invoke_checked (http://127.0.0.1:37795/dotnet.wasm:wasm-function[2152]:0x8ebdf))
    at ves_icall_InternalInvoke_raw (ves_icall_InternalInvoke_raw (http://127.0.0.1:37795/dotnet.wasm:wasm-function[1495]:0x71231))
    at do_icall (do_icall (http://127.0.0.1:37795/dotnet.wasm:wasm-function[378]:0x1e208))
    at do_icall_wrapper (do_icall_wrapper (http://127.0.0.1:37795/dotnet.wasm:wasm-function[254]:0x1ac3e))

RuntimeError: memory access out of bounds
    at get_target_imethod (get_target_imethod (http://127.0.0.1:37795/dotnet.wasm:wasm-function[377]:0x1e0e9))
    at get_virtual_method_fast (get_virtual_method_fast (http://127.0.0.1:37795/dotnet.wasm:wasm-function[248]:0x1a916))
    at mono_interp_exec_method (mono_interp_exec_method (http://127.0.0.1:37795/dotnet.wasm:wasm-function[244]:0xf213))
    at interp_runtime_invoke (interp_runtime_invoke (http://127.0.0.1:37795/dotnet.wasm:wasm-function[286]:0x1bb78))
    at mono_jit_runtime_invoke (mono_jit_runtime_invoke (http://127.0.0.1:37795/dotnet.wasm:wasm-function[8325]:0x1b280b))
    at do_runtime_invoke (do_runtime_invoke (http://127.0.0.1:37795/dotnet.wasm:wasm-function[2154]:0x8ec69))
    at mono_runtime_invoke_checked (mono_runtime_invoke_checked (http://127.0.0.1:37795/dotnet.wasm:wasm-function[2152]:0x8ebdf))
    at ves_icall_InternalInvoke_raw (ves_icall_InternalInvoke_raw (http://127.0.0.1:37795/dotnet.wasm:wasm-function[1495]:0x71231))
    at do_icall (do_icall (http://127.0.0.1:37795/dotnet.wasm:wasm-function[378]:0x1e208))
    at do_icall_wrapper (do_icall_wrapper (http://127.0.0.1:37795/dotnet.wasm:wasm-function[254]:0x1ac3e))

This did pass on an automatic retry. And wasn't hit on the next rolling build.
Changes since the previous working build - 9e05d33...3c47b2c

ghost added the "untriaged" label (New issue has not been triaged by the area owner) Feb 2, 2023
@ghost

ghost commented Feb 2, 2023

Tagging subscribers to 'arch-wasm': @lewing
See info in area-owners.md if you want to be subscribed.

Author: radical
Assignees: -
Labels:

arch-wasm, area-Codegen-Interpreter-mono, area-VM-meta-mono

Milestone: -

@radical
Member Author

radical commented Feb 2, 2023

cc @vargaz

@radical
Member Author

radical commented Feb 2, 2023

cc @BrzVlad @kg

@kg
Member

kg commented Feb 3, 2023

The interp access out of bounds stuff looks like heap corruption, so the ArrayTypeMismatch earlier on is probably the important thing to be looking at. It doesn't seem like you could reach get_target_imethod without having a valid vtable (pulled out of a valid object you're doing a call on), I think, and get_target_imethod walks a linked list so if the heap got trashed it's a natural spot for crashes to happen.

I'm not sure how S.L.E would end up corrupting the heap though, unless there's unsafe code in it? It's interesting that according to the log a bunch of tests all failed in the same spot before we finally crashed. Looking at the source for the tests, they're compiling fresh expression trees for every iteration, so they should have their own unique lists of instructions etc.
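
The triage order reasoned through in the comment above (the earliest managed exception is the lead, the repeated wasm traps are downstream symptoms of one crash site), as an added example that is not part of the original thread or of the dotnet/runtime code. The function name `triage` is hypothetical, and the sample log is constructed by abridging the log posted in this issue.

```python
import re
from collections import Counter

# Constructed sample: abridged from the log in this issue (most frames dropped).
SAMPLE_LOG = """\
[FAIL] System.Linq.Expressions.Tests.MemberAccessTests.CheckMemberAccessClassInstanceFieldAssignNullReferenceTest(useInterpreter: True)
System.ArrayTypeMismatchException : Attempted to access an element as a type incompatible with the array.
   at System.Linq.Expressions.Interpreter.InstructionList.Emit(Instruction instruction)
RuntimeError: memory access out of bounds
    at get_target_imethod (get_target_imethod (http://127.0.0.1:37795/dotnet.wasm:wasm-function[377]:0x1e0e9))
    at get_virtual_method_fast (get_virtual_method_fast (http://127.0.0.1:37795/dotnet.wasm:wasm-function[248]:0x1a916))

RuntimeError: memory access out of bounds
    at get_target_imethod (get_target_imethod (http://127.0.0.1:37795/dotnet.wasm:wasm-function[377]:0x1e0e9))
    at get_virtual_method_fast (get_virtual_method_fast (http://127.0.0.1:37795/dotnet.wasm:wasm-function[248]:0x1a916))
"""

FAIL_RE = re.compile(r"^\[FAIL\] (\S+?)\(")
MANAGED_RE = re.compile(r"^(System\.[\w.]+Exception) : (.*)$")
TRAP_RE = re.compile(r"^RuntimeError: (.+)$")
WASM_FRAME_RE = re.compile(r"^\s+at (\w+) \(.*wasm-function\[\d+\]:(0x[0-9a-f]+)\)\)$")

def triage(log):
    """Return (first managed failure, Counter of distinct wasm trap stacks)."""
    first_managed = None   # (test name, exception type) of the earliest anomaly
    current_test = None
    traps = Counter()      # trap stack signature -> number of occurrences
    stack = None           # frames of the trap being read, or None
    for line in log.splitlines() + [""]:   # trailing "" flushes the last stack
        frame = WASM_FRAME_RE.match(line)
        if stack is not None and frame:
            stack.append((frame.group(1), frame.group(2)))
            continue
        if stack is not None:              # trap stack ended: record its signature
            traps[tuple(stack)] += 1
            stack = None
        if m := FAIL_RE.match(line):
            current_test = m.group(1)
        elif (m := MANAGED_RE.match(line)) and first_managed is None:
            first_managed = (current_test, m.group(1))
        elif TRAP_RE.match(line):
            stack = []
    return first_managed, traps
```

One distinct trap signature seen several times, preceded by a managed type-safety exception, is the pattern the comment reads as heap corruption surfacing at a pointer-chasing site rather than a bug in that site.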

@kg
Member

kg commented Feb 3, 2023

I was able to reproduce this by using the same random seed (683046707) but not without locking the seed. Looking into whether it's jiterp.

ghost added the "in-pr" label (There is an active PR which will close this issue when it is merged) Feb 3, 2023
kg closed this as completed in #81620 Feb 4, 2023
ghost removed the "in-pr" label (There is an active PR which will close this issue when it is merged) Feb 4, 2023
kg added a commit that referenced this issue Feb 4, 2023
* Refactor jiterpreter field op implementation into separate static and nonstatic field implementations
* Add more diagnostic infrastructure
* fixes issue #81558 (dictionary.findvalue bug)
ghost removed the "untriaged" label (New issue has not been triaged by the area owner) Feb 4, 2023
ghost locked as resolved and limited conversation to collaborators Mar 6, 2023