WasmEdge
bug: AOT compiler wrongly optimizes invalid loads
Summary
AOT compiler wrongly optimizes invalid loads. When loads with invalid offsets are in the execution path, the program should trap with "out of bound memory access". However, due to optimizations, this kind of trap does not occur.
(module
  (type (;0;) (func (result i32)))
  (func (;0;) (type 0) (result i32)
    i64.const 0xcafebabe
    i32.const 0xdeadbeef
    i64.load8_s
    i64.eq)
  (memory (;0;) 1)
  (export "mem" (memory 0))
  (export "main" (func 0)))
In this example, the trap should occur due to the invalid load of i32.const 0xdeadbeef and i64.load8_s. However, the trap does not occur when optimization is applied.
Current State
We can compare two optimization levels on the AOT compiler.
$ wasmedge/bin/wasmedgec --optimize 0 test.wasm test.so; wasmedge/bin/wasmedge test.so main
[2024-04-19 08:26:08.995] [info] compile start
[2024-04-19 08:26:08.996] [info] verify start
[2024-04-19 08:26:08.996] [info] optimize start
[2024-04-19 08:26:08.997] [info] codegen start
[2024-04-19 08:26:08.998] [info] output start
[2024-04-19 08:26:09.001] [info] compile done
[2024-04-19 08:26:09.017] [error] execution failed: out of bounds memory access, Code: 0x88
[2024-04-19 08:26:09.017] [error] When executing function name: "main"
$ wasmedge/bin/wasmedgec --optimize 1 test.wasm test.so; wasmedge/bin/wasmedge test.so main
[2024-04-19 08:26:13.799] [info] compile start
[2024-04-19 08:26:13.799] [info] verify start
[2024-04-19 08:26:13.799] [info] optimize start
[2024-04-19 08:26:13.802] [info] codegen start
[2024-04-19 08:26:13.804] [info] output start
[2024-04-19 08:26:13.808] [info] compile done
0
Expected State
The correct result comes from -O0. The program should trap.
Reproduction steps
- Download the release version of wasmedge
- Run wasmedgec to get AOT compiled .so, run the .so with wasmedge runtime
- Give optimization levels differently using --optimize option for wasmedgec
Components
CLI
WasmEdge Version or Commit you used
0.13.5
Operating system information
Ubuntu 22.04
Hardware Architecture
x86_64
Compiler flags and options
Using the release version of wasmedge 0.13.5 - see above
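As an added illustration (not code from the issue or from WasmEdge), this C model evaluates the issue's main the way the WebAssembly specification defines i64.load8_s: bounds check first, then the sign-extended byte. It also checks whether the comparison with 0xcafebabe can ever be true; the function names and the addr parameter are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define WASM_PAGE_SIZE 65536u /* bytes per linear-memory page */

/* Sign-extend one byte to i64, as i64.load8_s does with the loaded byte. */
static int64_t sext8(uint8_t b) { return b < 128 ? b : (int64_t)b - 256; }

/* i64.load8_s with the bounds check the spec requires. Returns false for the
 * "out of bounds memory access" trap, else stores the value in *out. */
static bool i64_load8_s(const uint8_t *mem, uint64_t mem_size,
                        uint32_t addr, uint32_t offset, int64_t *out) {
    uint64_t ea = (uint64_t)addr + offset; /* 64-bit sum: no 32-bit wrap */
    if (ea + 1 > mem_size)                 /* access width is one byte */
        return false;
    *out = sext8(mem[ea]);
    return true;
}

/* Reference evaluation of the issue's "main" over zeroed memory. addr is a
 * parameter (the issue hard-codes 0xdeadbeef) so the boundary can be probed.
 * Returns -1 on trap, else the i64.eq result (0 or 1). */
int run_main(uint32_t pages, uint32_t addr) {
    uint64_t size = (uint64_t)pages * WASM_PAGE_SIZE;
    uint8_t *mem = calloc(size ? size : 1, 1);
    int64_t loaded = 0;
    int result = -1;
    if (mem == NULL) abort();
    if (i64_load8_s(mem, size, addr, 0, &loaded))
        result = (loaded == INT64_C(0xcafebabe));
    free(mem);
    return result;
}

/* Can any sign-extended byte equal 0xcafebabe? If not, the comparison is
 * always 0 and the trap is the load's only observable effect. */
bool compare_can_be_true(void) {
    for (int b = 0; b < 256; b++)
        if (sext8((uint8_t)b) == INT64_C(0xcafebabe))
            return true;
    return false;
}

int main(void) {
    printf("%d %d\n", run_main(1, 0xdeadbeefu), compare_can_be_true());
    return 0;
}
```

Because the comparison is false for every byte value, a build that removes the load as dead code returns 0, the value printed by the --optimize 1 run above, where the reference semantics require a trap.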
I looked into this using wasmedge --dump to check the LLVM IR being generated for the -O0 and -O1 options. It seems that the replacement of the load instruction with a load volatile instruction at -O1 is what's causing the difference in memory access checks.
@hydai I checked the compiler.cpp file, it seems there are no wasmedge-specific optimizations happening here. How would we go about preventing this "optimization" from happening? Or is there a better approach for analyzing and preventing this behavior?
Hello, it seems that this issue has already been resolved because it correctly raised an error regardless of the optimization level (0, 1, 2, 3) on my environment as follows.
WasmEdge: version 0.14.1-rc.5-2-gcc41c247
OS: Ubuntu 22.04
Architecture: x86-64
root@c8cd019fe045:/workspaces/WasmEdge/build# cat test.wat
(module
(type (;0;) (func (result i32)))
(func (;0;) (type 0) (result i32)
i64.const 0xcafebabe
i32.const 0xdeadbeef
i64.load8_s
i64.eq)
(memory (;0;) 1)
(export "mem" (memory 0))
(export "main" (func 0)))root@c8cd019fe045:/workspaces/WasmEdge/build#
root@c8cd019fe045:/workspaces/WasmEdge/build# wat2wasm test.wat -o test.wasm
root@c8cd019fe045:/workspaces/WasmEdge/build# ./tools/wasmedge/wasmedge compile --optimize 0 test.wasm test.so; ./tools/wasmedge/wasmedge test.so main
[2024-09-18 10:55:56.105] [info] compile start
[2024-09-18 10:55:56.106] [info] verify start
[2024-09-18 10:55:56.106] [info] optimize start
[2024-09-18 10:55:56.107] [info] optimize done
[2024-09-18 10:55:56.107] [info] codegen start
[2024-09-18 10:55:56.108] [info] output start
[2024-09-18 10:55:56.110] [info] codegen done
[2024-09-18 10:55:56.127] [error] execution failed: out of bounds memory access, Code: 0x408
[2024-09-18 10:55:56.127] [error] When executing function name: "main"
root@c8cd019fe045:/workspaces/WasmEdge/build# ./tools/wasmedge/wasmedge compile --optimize 1 test.wasm test.so; ./tools/wasmedge/wasmedge test.so main
[2024-09-18 10:56:04.939] [info] compile start
[2024-09-18 10:56:04.940] [info] verify start
[2024-09-18 10:56:04.940] [info] optimize start
[2024-09-18 10:56:04.941] [info] optimize done
[2024-09-18 10:56:04.941] [info] codegen start
[2024-09-18 10:56:04.944] [info] output start
[2024-09-18 10:56:04.945] [info] codegen done
[2024-09-18 10:56:04.963] [error] execution failed: out of bounds memory access, Code: 0x408
[2024-09-18 10:56:04.964] [error] When executing function name: "main"
root@c8cd019fe045:/workspaces/WasmEdge/build#
Could someone (@candymate @suryyyansh) verify this again?
@yomaytk Getting the same output (generates errors as expected) on WasmEdge 0.14.1 (latest release)
OS: Ubuntu 24.04 Architecture: x86_64
@suryyyansh Thank you for the verification.
@hydai It seems this issue can be closed. Could you check it?
Sure, close as fixed, thanks all!