Closed
Labels: bug (Incorrect behavior in the current implementation that needs fixing)
Description
I found a reachable assertion (CWE-617) during fuzzing of wasmtime with the Cranelift backend and almost all features enabled in the config (specifically `config.debug_info(true)`). The bug seems to be related to the generation of DWARF debugging information.
Maybe related to #1489
@yurydelendik
Crash
```
./target/debug/debug_wasmtime_all_cranelift assert_wasmtime_debug_simulated_dwarf.wasm
Start debugging of wasmtime_all_cranelift
file_to_process: "assert_wasmtime_debug_simulated_dwarf.wasm"
thread 'main' panicked at 'assertion failed: !bytes.contains(&0)', <::std::macros::panic macros>:2:4
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.
```
What are the steps to reproduce the issue?
Download the crashing file:
assert_wasmtime_debug_simulated_dwarf.zip
Test code:
```rust
use std::env;
use std::fs;
use wasmtime::{Config, Engine, Module, Store, Strategy};

// read the whole file into memory
fn read_contents_from_path(path: &str) -> std::io::Result<Vec<u8>> {
    fs::read(path)
}

fn main() {
    // path of the module to compile is the first command-line argument
    let args: Vec<String> = env::args().collect();
    // read data from provided file
    let data = read_contents_from_path(&args[1]).expect("cannot read file content");
    let mut config = Config::new();
    match config.strategy(Strategy::Cranelift) {
        Ok(o) => o,
        _ => return,
    };
    config
        .debug_info(true)
        .wasm_threads(true)
        .wasm_reference_types(true)
        .wasm_simd(true)
        .wasm_bulk_memory(true)
        .wasm_multi_value(true);
    let store = Store::new(&Engine::new(&config));
    // compiling the module is what triggers the assertion in wasmtime-debug
    let _module = Module::from_binary(&store, &data);
}
```
Which Wasmtime version / commit hash / branch are you using?
crates version: wasmtime = "0.15"
BACKTRACE
```
RUST_BACKTRACE=1 ./target/debug/debug_wasmtime_all_cranelift assert_wasmtime_debug_simulated_dwarf.wasm
file_to_process: "assert_wasmtime_debug_simulated_dwarf.wasm"
thread 'main' panicked at 'assertion failed: !bytes.contains(&0)', <::std::macros::panic macros>:2:4
stack backtrace:
   0: backtrace::backtrace::libunwind::trace
             at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/libunwind.rs:88
[...]
  11: std::panicking::begin_panic
             at /rustc/85976442558bf2d09cec3aa49c9c9ba86fb15c1f/src/libstd/panicking.rs:390
  12: gimli::write::str::StringTable::add
             at /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-debug-0.15.0/<::std::macros::panic macros>:2
==> 13: wasmtime_debug::transform::simulate::generate_simulated_dwarf
==>          at /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-debug-0.15.0/src/transform/simulate.rs:293
==> 14: wasmtime_debug::transform::transform_dwarf
==>          at /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-debug-0.15.0/src/transform/mod.rs:107
==> 15: wasmtime_debug::emit_debugsections_image
==>          at /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-debug-0.15.0/src/lib.rs:82
  16: wasmtime_jit::compiler::Compiler::compile
             at /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-jit-0.15.0/src/compiler.rs:215
  17: wasmtime_jit::instantiate::RawCompiledModule::new
             at /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-jit-0.15.0/src/instantiate.rs:83
  18: wasmtime_jit::instantiate::CompiledModule::new
             at /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-jit-0.15.0/src/instantiate.rs:154
  19: wasmtime::module::Module::compile
             at /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-0.15.0/src/module.rs:366
  20: wasmtime::module::Module::from_binary_unchecked
             at /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-0.15.0/src/module.rs:335
  21: wasmtime::module::Module::from_binary
             at /home/scop/.cargo/registry/src/github.com-1ecc6299db9ec823/wasmtime-0.15.0/src/module.rs:304
[...]
  32: main
  33: __libc_start_main
  34: _start
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
```
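As an added example (not wasmtime, gimli or the reporter's code), the Rust below models the boundary the backtrace points at: function names supplied by an untrusted module flowing into a NUL-terminated `.debug_str`-style string table. The names `StringTable`, `try_add`, `add_lossy` and `build_debug_str` are assumptions made for the illustration. It shows two alternatives to an `assert!(!bytes.contains(&0))` in the writer: a strict policy that turns the bad name into an error the embedder can report, and a lossy policy that keeps the prefix up to the first NUL, so a malformed module produces a compile error or a truncated name instead of aborting the process.

```rust
// Added example, not wasmtime or gimli code: a minimal .debug_str-style
// string table that handles module-supplied names containing a NUL byte
// without asserting. All names below are constructed for the illustration.
use std::collections::HashMap;

/// Error returned when a name cannot be stored as a NUL-terminated string.
#[derive(Debug, PartialEq, Eq)]
pub enum StringError {
    /// The name contains a 0x00 byte at the given index.
    EmbeddedNul { position: usize },
}

/// Deduplicating table of NUL-terminated strings, keyed by content.
#[derive(Default)]
pub struct StringTable {
    offsets: HashMap<Vec<u8>, usize>,
    bytes: Vec<u8>,
}

impl StringTable {
    pub fn new() -> Self {
        Self::default()
    }

    /// Strict policy: refuse any name with an embedded NUL and report where
    /// the NUL sits, so the caller can say which name was rejected.
    pub fn try_add(&mut self, name: &[u8]) -> Result<usize, StringError> {
        if let Some(position) = name.iter().position(|&b| b == 0) {
            return Err(StringError::EmbeddedNul { position });
        }
        Ok(self.insert_clean(name))
    }

    /// Lossy policy: keep only the prefix before the first NUL, which is all
    /// a C-string consumer of .debug_str would ever read anyway.
    pub fn add_lossy(&mut self, name: &[u8]) -> usize {
        let end = name.iter().position(|&b| b == 0).unwrap_or(name.len());
        self.insert_clean(&name[..end])
    }

    /// Shared insertion for names already known to be NUL-free; returns the
    /// byte offset of the string (existing offset if it was already stored).
    fn insert_clean(&mut self, name: &[u8]) -> usize {
        if let Some(&offset) = self.offsets.get(name) {
            return offset;
        }
        let offset = self.bytes.len();
        self.bytes.extend_from_slice(name);
        self.bytes.push(0);
        self.offsets.insert(name.to_vec(), offset);
        offset
    }

    pub fn as_bytes(&self) -> &[u8] {
        &self.bytes
    }
}

/// Models the step in which a DWARF generator turns every function name the
/// module declares into a string-table entry. With the strict policy the
/// first bad name stops generation with an error carrying the function index
/// and the NUL position instead of reaching an assertion.
pub fn build_debug_str(function_names: &[&[u8]]) -> Result<StringTable, (usize, StringError)> {
    let mut table = StringTable::new();
    for (index, name) in function_names.iter().enumerate() {
        table.try_add(name).map_err(|e| (index, e))?;
    }
    Ok(table)
}

fn main() {
    // Constructed sample: two ordinary names plus one fuzzer-style name
    // with an embedded NUL, as a hostile module could declare.
    let names: [&[u8]; 3] = [b"main", b"add", b"wasm\0func"];
    match build_debug_str(&names) {
        Ok(table) => println!("ok, {} bytes of .debug_str", table.as_bytes().len()),
        Err((index, err)) => println!("rejected function {}: {:?}", index, err),
    }
}
```

Which policy to pick is a design choice for the embedder: the strict one surfaces the malformed module to whoever loads it, which is the right default when debug info is generated from untrusted input; the lossy one is acceptable where the names are purely cosmetic, since the truncated form is what a NUL-terminated reader would have seen regardless.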