Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Wasm][AOT] register_methods_in_jinfo memory access out of bounds #50202

Closed
jeromelaban opened this issue Mar 24, 2021 · 2 comments · Fixed by #50217
Closed

[Wasm][AOT] register_methods_in_jinfo memory access out of bounds #50202

jeromelaban opened this issue Mar 24, 2021 · 2 comments · Fixed by #50217
Labels
arch-wasm WebAssembly architecture area-System.Net.Http
Milestone
6.0.0

Comments

@jeromelaban
Copy link
Contributor

jeromelaban commented Mar 24, 2021
edited
Loading

Description

Repro: https://github.com/jeromelaban/Wasm.Samples/tree/master/Bug50202/Bug50202
Faulty dotnet.wasm file: dotnet.wasm.zip

For an unknown reason, the following error happens:

dotnet.js:6766 Unhandled exception in _finalize_startup RuntimeError: memory access out of bounds
    at register_methods_in_jinfo (<anonymous>:wasm-function[7879]:0x14f441)
    at load_aot_module (<anonymous>:wasm-function[5004]:0xbf7de)
    at mono_assembly_invoke_load_hook_internal (<anonymous>:wasm-function[3116]:0x750e0)
    at mono_assembly_request_load_from (<anonymous>:wasm-function[3108]:0x748ad)
    at search_bundle_for_assembly (<anonymous>:wasm-function[4234]:0xa3ec5)
    at netcore_load_reference (<anonymous>:wasm-function[8007]:0x1545f1)
    at mono_assembly_request_byname (<anonymous>:wasm-function[1372]:0x29900)
    at load_image (<anonymous>:wasm-function[1113]:0x237a5)
    at load_aot_module (<anonymous>:wasm-function[5004]:0xbf86d)
    at mono_assembly_invoke_load_hook_internal (<anonymous>:wasm-function[3116]:0x750e0)

This is the location of the error:

runtime/src/mono/mono/mini/aot-runtime.c

Line 1856 in dc5c909

if (mono_bitset_test_fast (registered, start_method)) {

Which is caused by invalid addresses provided by this:

runtime/src/mono/mono/mini/aot-runtime.c

Line 2175 in dc5c909

addr = get_method (i);

Like so:

load_aot_module: System.Net.Http addr=6271 i=944
dotnet.js:1498 load_aot_module: System.Net.Http addr=6272 i=945
dotnet.js:1498 load_aot_module: System.Net.Http addr=6273 i=946
dotnet.js:1498 load_aot_module: System.Net.Http addr=6274 i=947
dotnet.js:1498 load_aot_module: System.Net.Http addr=6275 i=948
dotnet.js:1498 load_aot_module: System.Net.Http addr=6276 i=953
dotnet.js:1498 load_aot_module: System.Net.Http addr=948 i=954
dotnet.js:1498 load_aot_module: System.Net.Http addr=-2130634233 i=955
dotnet.js:1498 load_aot_module: System.Net.Http addr=84 i=956
dotnet.js:1498 load_aot_module: System.Net.Http addr=654377216 i=958
dotnet.js:1498 load_aot_module: System.Net.Http addr=37290241 i=959

Configuration

2f6c5d6

Regression?

Maybe?

Other information
@dotnet-issue-labeler dotnet-issue-labeler bot added area-System.Net.Http untriaged New issue has not been triaged by the area owner labels Mar 24, 2021
@ghost
Copy link

ghost commented Mar 24, 2021

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

Issue Details

Description

Repro is coming.

For an unknown reason, the following error happens:

dotnet.js:6766 Unhandled exception in _finalize_startup RuntimeError: memory access out of bounds
    at register_methods_in_jinfo (<anonymous>:wasm-function[7879]:0x14f441)
    at load_aot_module (<anonymous>:wasm-function[5004]:0xbf7de)
    at mono_assembly_invoke_load_hook_internal (<anonymous>:wasm-function[3116]:0x750e0)
    at mono_assembly_request_load_from (<anonymous>:wasm-function[3108]:0x748ad)
    at search_bundle_for_assembly (<anonymous>:wasm-function[4234]:0xa3ec5)
    at netcore_load_reference (<anonymous>:wasm-function[8007]:0x1545f1)
    at mono_assembly_request_byname (<anonymous>:wasm-function[1372]:0x29900)
    at load_image (<anonymous>:wasm-function[1113]:0x237a5)
    at load_aot_module (<anonymous>:wasm-function[5004]:0xbf86d)
    at mono_assembly_invoke_load_hook_internal (<anonymous>:wasm-function[3116]:0x750e0)

This is the location of the error:

runtime/src/mono/mono/mini/aot-runtime.c

Line 1856 in dc5c909

if (mono_bitset_test_fast (registered, start_method)) {

Which is caused by invalid addresses provided by this:

runtime/src/mono/mono/mini/aot-runtime.c

Line 2175 in dc5c909

addr = get_method (i);

Like so:

load_aot_module: System.Net.Http addr=6271 i=944
dotnet.js:1498 load_aot_module: System.Net.Http addr=6272 i=945
dotnet.js:1498 load_aot_module: System.Net.Http addr=6273 i=946
dotnet.js:1498 load_aot_module: System.Net.Http addr=6274 i=947
dotnet.js:1498 load_aot_module: System.Net.Http addr=6275 i=948
dotnet.js:1498 load_aot_module: System.Net.Http addr=6276 i=953
dotnet.js:1498 load_aot_module: System.Net.Http addr=948 i=954
dotnet.js:1498 load_aot_module: System.Net.Http addr=-2130634233 i=955
dotnet.js:1498 load_aot_module: System.Net.Http addr=84 i=956
dotnet.js:1498 load_aot_module: System.Net.Http addr=654377216 i=958
dotnet.js:1498 load_aot_module: System.Net.Http addr=37290241 i=959

Configuration

2f6c5d6

Regression?

Maybe?

Other information

Author: jeromelaban
Assignees: -
Labels:

area-System.Net.Http, untriaged
Milestone: -

jeromelaban added a commit to jeromelaban/Wasm.Samples that referenced this issue Mar 24, 2021
@jeromelaban
repro for dotnet/runtime#50202
82f7b99
@jeromelaban jeromelaban mentioned this issue Mar 24, 2021
Closed
@marek-safar marek-safar added the arch-wasm WebAssembly architecture label Mar 24, 2021
@ghost
Copy link

ghost commented Mar 24, 2021

Tagging subscribers to 'arch-wasm': @lewing
See info in area-owners.md if you want to be subscribed.

Issue Details

Description

Repro: https://github.com/jeromelaban/Wasm.Samples/tree/master/Bug50202/Bug50202
Faulty dotnet.wasm file: dotnet.wasm.zip

For an unknown reason, the following error happens:

dotnet.js:6766 Unhandled exception in _finalize_startup RuntimeError: memory access out of bounds
    at register_methods_in_jinfo (<anonymous>:wasm-function[7879]:0x14f441)
    at load_aot_module (<anonymous>:wasm-function[5004]:0xbf7de)
    at mono_assembly_invoke_load_hook_internal (<anonymous>:wasm-function[3116]:0x750e0)
    at mono_assembly_request_load_from (<anonymous>:wasm-function[3108]:0x748ad)
    at search_bundle_for_assembly (<anonymous>:wasm-function[4234]:0xa3ec5)
    at netcore_load_reference (<anonymous>:wasm-function[8007]:0x1545f1)
    at mono_assembly_request_byname (<anonymous>:wasm-function[1372]:0x29900)
    at load_image (<anonymous>:wasm-function[1113]:0x237a5)
    at load_aot_module (<anonymous>:wasm-function[5004]:0xbf86d)
    at mono_assembly_invoke_load_hook_internal (<anonymous>:wasm-function[3116]:0x750e0)

This is the location of the error:

runtime/src/mono/mono/mini/aot-runtime.c

Line 1856 in dc5c909

if (mono_bitset_test_fast (registered, start_method)) {

Which is caused by invalid addresses provided by this:

runtime/src/mono/mono/mini/aot-runtime.c

Line 2175 in dc5c909

addr = get_method (i);

Like so:

load_aot_module: System.Net.Http addr=6271 i=944
dotnet.js:1498 load_aot_module: System.Net.Http addr=6272 i=945
dotnet.js:1498 load_aot_module: System.Net.Http addr=6273 i=946
dotnet.js:1498 load_aot_module: System.Net.Http addr=6274 i=947
dotnet.js:1498 load_aot_module: System.Net.Http addr=6275 i=948
dotnet.js:1498 load_aot_module: System.Net.Http addr=6276 i=953
dotnet.js:1498 load_aot_module: System.Net.Http addr=948 i=954
dotnet.js:1498 load_aot_module: System.Net.Http addr=-2130634233 i=955
dotnet.js:1498 load_aot_module: System.Net.Http addr=84 i=956
dotnet.js:1498 load_aot_module: System.Net.Http addr=654377216 i=958
dotnet.js:1498 load_aot_module: System.Net.Http addr=37290241 i=959

Configuration

2f6c5d6

Regression?

Maybe?

Other information

Author: jeromelaban
Assignees: -
Labels:

arch-wasm, area-System.Net.Http, untriaged
Milestone: -

@vargaz vargaz mentioned this issue Mar 24, 2021
Merged
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Mar 24, 2021
vargaz added a commit to vargaz/runtime that referenced this issue Mar 25, 2021
@vargaz
[mono][aot] Handle out of range indexes in the generated get_method (…
ddf23f9 
…) functions, they

can happen since mini-llvm.c and aot-compiler.c can compute different table sizes.

Fixes dotnet#50202.
vargaz added a commit that referenced this issue Apr 9, 2021
@vargaz
[mono][aot] Handle out of range indexes in the generated get_method (…
83b8058 
…) functions, they (#50217)

can happen since mini-llvm.c and aot-compiler.c can compute different table sizes.

Fixes #50202.
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Apr 9, 2021
@ghost ghost locked as resolved and limited conversation to collaborators May 9, 2021
@karelz karelz added this to the 6.0.0 milestone May 20, 2021
@karelz karelz removed the untriaged New issue has not been triaged by the area owner label Oct 20, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
arch-wasm WebAssembly architecture area-System.Net.Http
Projects
None yet
Milestone
6.0.0
3 participants
@marek-safar @karelz @jeromelaban