Panic in `table.init`

Question

Panic in `table.init`

ShinWonho opened this issue 2 months ago · comments

Test Case

;; table-init.wat
(module
  (table 0 0 externref)
  (func (export "table-init")
    (i32.const 0)
    (i32.const 0)
    (i32.const 0)
    (table.init 0 0)
  )
  (elem declare externref)
)

Steps to Reproduce

wasmtime --invoke table-init table-init.wat

Expected Results

terminate normally

Actual Results

thread 'main' panicked at crates/runtime/src/table.rs:539:9:
assertion `left == right` failed
  left: Extern
 right: Func
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
zsh: abort      wasmtime --invoke table-init table-init.wat

Versions and Environment

Wasmtime version or commit: 19.0.0

Operating system: macOS Ventura 13.6.6

Architecture: x86_64

Alex Crichton · Answer 1 · Tue Apr 02 2024 22:53:29 GMT+0800 (China Standard Time)

Thanks for the report! Do you perhaps have more detail on how this was discovered? For example is this a reduced module? Or perhaps a fuzz-generated test case?

Also as per our documentation this is a security issue so we'll be issuing a CVE and a 19.0.1 release for this. If you discover more issues like this we'd be grateful if you'd contact us privately so we can coordinate this, thanks!

ShinWonho · Answer 2 · Wed Apr 03 2024 10:57:07 GMT+0800 (China Standard Time)

We are in progress of implementing a wasm fuzzer based on SpecTec. Currently, it generates short wasm programs by a simple syntax-driven approach. We performed differential testing with the latest wasmtime and previous versions, and luckily found the bug. We reduced the buggy program manually as the generated program was simple.

Alex Crichton · Answer 3 · Wed Apr 03 2024 22:46:33 GMT+0800 (China Standard Time)

Nice! If y'all need any help with fuzzing or such we're happy to talk as well. And thank you for fuzzing, we very much appreciate it!