wasm_runtime_detect_native_stack_overflow works incorrectly under ASAN

[vchigrin]

wasm_runtime_detect_native_stack_overflow function compares address of local variable with stack boundary here

wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c

Line 7898 in a6a9f1f

if ((uint8 *)&boundary < boundary) {

But under ASAN local variables placed on "Fake stack" https://github.com/google/sanitizers/wiki/AddressSanitizerUseAfterReturn#algorithm , so this comparison often produces wrong results, reporting "native stack overflow".

I have no minimal reproducible example for WAMR itself, but here is how that API works under Linux:
Test file

#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>

int main(int argc, char* argv[]) {
  int dummy;
  pthread_t self;
  pthread_attr_t attr;
  size_t stack_size;
  void* addr;

  self = pthread_self();
  if (pthread_getattr_np(self, &attr) != 0) {
    printf("Failed get attr\n");
    return 1;
  }
  pthread_attr_getstack(&attr, &addr, &stack_size);
  printf("Stack %p size %zX; Current frame %p\n", addr, stack_size, &dummy);
  pthread_attr_destroy(&attr);
  return 0;
}

Normal run

clang-18 test.c && ./a.out
Stack 0x7ffcc529e000 size 7FF000; Current frame 0x7ffcc5a9ce4c

You see, 0x7ffcc529e000 is less then 0x7ffcc5a9ce4c, so everything works as expected.

ASAN run

clang-18 -fsanitize=address test.c && ./a.out
Stack 0x7fff01009000 size 7FE000; Current frame 0x7fa947d00020

0x7fff01009000 is bigger then 0x7fa947d00020, so check based on this assumption may wrongly decide that "stack already overflown"

Your environment

• Linux

I suggest disabling all logic in wasm_runtime_detect_native_stack_overflow if condition #if __has_feature(address_sanitizer) is true.

If this is OK, I can provide patch.

[TianlongLiang]

That's strange, we do have ASAN CI enabled and don't see any issue yet. Would you mind trying this sample: native-stack-overflow to see whether it will error?

PS: I think if we do need to modify the code, we should use __SANITIZE_ADDRESS__ to disable the logic; __has_feature(address_sanitizer) is only for clang if I remember correctly.

[vchigrin]

Tested native-stack-overflow on my machine on commit a6a9f1f45d9f7ebf044ceac71bcf7a9ea2f90f23.
Without sanitizers it does not work

./run.sh
====== Interpreter test1
 stack size   | fail?  | leak?  | exception
---------------------------------------------------------------------------
unhandled SIGSEGV, si_addr: (nil)
Aborted (core dumped)

With ASAN it produces following output:

./run.sh
====== Interpreter test1
 stack size   | fail?  | leak?  | exception
---------------------------------------------------------------------------
    0 -    16 | failed |     ok | Exception: native stack overflow
   16 - 24576 | failed |     ok | Exception: invalid exec env

====== Interpreter WAMR_DISABLE_HW_BOUND_CHECK=1 test1
 stack size   | fail?  | leak?  | exception
---------------------------------------------------------------------------
    0 - 24576 | failed |     ok | Exception: native stack overflow

====== AOT test1
 stack size   | fail?  | leak?  | exception
---------------------------------------------------------------------------
    0 -    16 | failed |     ok | Exception: native stack overflow
   16 - 24576 | failed |     ok | Exception: invalid exec env

====== AOT w/ signature test1
 stack size   | fail?  | leak?  | exception
---------------------------------------------------------------------------
    0 -    16 | failed |     ok | Exception: native stack overflow
   16 - 24576 | failed |     ok | Exception: invalid exec env

====== AOT WAMR_DISABLE_HW_BOUND_CHECK=1 test1
 stack size   | fail?  | leak?  | exception
---------------------------------------------------------------------------
    0 - 24576 | failed |     ok | Exception: native stack overflow

====== AOT w/ signature WAMR_DISABLE_HW_BOUND_CHECK=1 test1
 stack size   | fail?  | leak?  | exception
---------------------------------------------------------------------------
    0 - 24576 | failed |     ok | Exception: native stack overflow

I checked what happens under GDB for first test case - and seems it fails on the very first stack check. Here is stack:

(gdb) bt
#0  0x0000555555574688 in wasm_set_exception_local (exception=0x5555555fe9c0 "native stack overflow", module_inst=0x516000000080)
    at /home/vchigrin/projects/wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:3076
#1  wasm_set_exception (module_inst=0x516000000080, exception=exception@entry=0x5555555fe9c0 "native stack overflow")
    at /home/vchigrin/projects/wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:3099
#2  0x0000555555574a3d in wasm_runtime_set_exception (module_inst_comm=<optimized out>,
    exception=exception@entry=0x5555555fe9c0 "native stack overflow")
    at /home/vchigrin/projects/wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:3192
#3  0x000055555557a0e7 in wasm_runtime_detect_native_stack_overflow (exec_env=exec_env@entry=0x524000002100)
    at /home/vchigrin/projects/wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:7899
#4  0x000055555557a80f in call_wasm_with_hw_bound_check (module_inst=module_inst@entry=0x516000000080,
    exec_env=exec_env@entry=0x524000002100, function=function@entry=0x513000000130, argc=argc@entry=2,
    argv=argv@entry=0x7ffff5700030) at /home/vchigrin/projects/wasm-micro-runtime/core/iwasm/interpreter/wasm_runtime.c:3609
#5  0x000055555557bd39 in wasm_call_function (exec_env=exec_env@entry=0x524000002100, function=function@entry=0x513000000130,
    argc=argc@entry=2, argv=argv@entry=0x7ffff5700030)
    at /home/vchigrin/projects/wasm-micro-runtime/core/iwasm/interpreter/wasm_runtime.c:3689
#6  0x00005555555745f1 in wasm_runtime_call_wasm (exec_env=exec_env@entry=0x524000002100, function=0x513000000130,
    argc=argc@entry=2, argv=argv@entry=0x7ffff5700030)
    at /home/vchigrin/projects/wasm-micro-runtime/core/iwasm/common/wasm_runtime_common.c:2666
#7  0x00005555555702cf in main (argc=<optimized out>, argv=<optimized out>)
    at /home/vchigrin/projects/wasm-micro-runtime/samples/native-stack-overflow/src/main.c:161

[lum1n0us]

Several observations:

• The native-stack-overflow samples work well with and without -DWAMR_BUILD_SANITIZER=asan on my local Ubuntu 22.04 LTS environment.
• AddressSanitizerUseAfterReturn is off by default. The "fake stack" should not be involved unless another configuration enables it.
• Both GCC and Clang have some kind of ignore list feature, IIUC For example, see https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#index-finstrument-functions-exclude-function-list. It might be better to try them first.

[yamt]

Tested native-stack-overflow on my machine on commit a6a9f1f45d9f7ebf044ceac71bcf7a9ea2f90f23. Without sanitizers it does not work

./run.sh
====== Interpreter test1
 stack size   | fail?  | leak?  | exception
---------------------------------------------------------------------------
unhandled SIGSEGV, si_addr: (nil)
Aborted (core dumped)

can you file a separate bug with a bit more details about this?
i couldn't reproduce it. (macOS, x86-64, clang)

[vchigrin]

AddressSanitizerUseAfterReturn is off by default. The "fake stack" should not be involved unless another configuration enables it.

Seems, documentation is out-of-date. See for example
google/sanitizers#1735

Both GCC and Clang have some kind of ignore list feature, IIUC For example,

Tried -finstrument-functions-exclude-function-list= with GCC 14.3.0, it did not affect this place - test variable still located on the fake stack. I found __attribute__((no_sanitize_address)), which can disable ASAN on per-function basis, and rewrote my patch using this attribute.