PKU-ASAL / SeeWasm

A native symbolic execution engine for WebAssembly

I found a memory explosion in the middle of symbolic execution. #84

Closed abc767234318 closed 1 year ago

abc767234318 commented 1 year ago

Describe the bug
I have a wasm program that has a large number of call_indirect instructions. I found a memory explosion in the middle of symbolic execution.

To Reproduce
binaryadd_call.zip

Steps to reproduce the behavior:

python launcher.py -f binaryadd.wasm  -s  --sym_args 1 1

Expected behavior
Symbolic execution produces normal output.

Additional context
There is no output and my computer is getting very clunky.

HNYuuu commented 1 year ago

It seems like there is a loop from call_indirect to the function itself, which leads to a limitless recursion and OOM.
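
The failure mode described in the comment above, as an added illustration that is not SeeWasm code: a constructed toy module whose only table entry points back at the calling function, explored by a worklist that forks on every table entry for a symbolic index. Without a bound on call depth the work list never empties; `max_call_depth` and `max_states` here are assumed names for the two budgets a practitioner would add.

```python
"""Bounded worklist exploration of a self-referencing call_indirect.

Added example, not SeeWasm code. The module below is constructed by hand:
func 0 performs call_indirect with a symbolic table index, func 1 just
returns, and table[0] refers back to func 0, so one branch recurses forever.
"""
from collections import deque

# Constructed toy module: instruction lists per function index.
TABLE = [0, 1]
FUNCS = {
    0: [("call_indirect",), ("return",)],
    1: [("return",)],
}


class RecursionBudgetExceeded(Exception):
    """Raised when the explorer visits more states than it is allowed to."""


def explore(funcs, table, entry=0, max_call_depth=4, max_states=10_000):
    """Breadth-first exploration of (func, pc, return_stack) states.

    A call_indirect with a symbolic index forks one successor per table
    entry.  Paths whose call depth would exceed max_call_depth are pruned
    instead of being followed, and max_states caps the total work so a
    mis-set depth bound still cannot exhaust memory.

    Returns (final_states, pruned): paths that returned from the entry
    function, and paths cut off by the depth bound.
    """
    work = deque([(entry, 0, ())])  # return_stack is a tuple of (func, pc)
    finals = pruned = visited = 0
    while work:
        visited += 1
        if visited > max_states:
            raise RecursionBudgetExceeded(
                f"more than {max_states} states; recursion through the table?")
        func, pc, ret = work.popleft()
        op = funcs[func][pc][0]
        if op == "call_indirect":
            if len(ret) >= max_call_depth:
                pruned += 1          # would recurse past the bound: drop it
                continue
            for target in table:     # symbolic index: every entry is feasible
                work.append((target, 0, ret + ((func, pc + 1),)))
        elif op == "return":
            if not ret:
                finals += 1          # back out of the entry function
            else:
                caller, caller_pc = ret[-1]
                work.append((caller, caller_pc, ret[:-1]))
    return finals, pruned


def runs_out_of_states(funcs, table, max_states):
    """True if exploration with an effectively unbounded depth trips max_states."""
    try:
        explore(funcs, table, max_call_depth=10**6, max_states=max_states)
    except RecursionBudgetExceeded:
        return True
    return False


if __name__ == "__main__":
    print(explore(FUNCS, TABLE, max_call_depth=4))   # (4, 1)
    print(runs_out_of_states(FUNCS, TABLE, 50))      # True
```

With a depth bound of 4 the recursive branch is pruned exactly once and the four non-recursive branches each complete; with the depth bound lifted the state cap is what stops the run. Which bound to prefer depends on what the analysis must preserve, but having at least one of them is what turns an OOM into a diagnosable message.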

HNYuuu commented 1 year ago

I have fixed the call_indirect issue; however, another issue appears. I think it's a data structure problem in graph.py, please give it a check @zzhzz

How to reproduce the issue (make sure you are in fix-84-call-indirect branch):

python3.8 launcher.py -f ~/Wasm-samples/c_samples.nosync/wasi/binaryadd_obfuscated.wasm -s --sym_args 1 1 -v info
Start to analyze: 2022-11-29 19:51:52
Running...
Traceback (most recent call last):
  File "launcher.py", line 133, in <module>
    main()
  File "launcher.py", line 121, in main
    graph.traverse()
  File "/home/ningyu/Wasm-SE/seewasm/arch/wasm/graph.py", line 392, in traverse
    self.final_states[entry_func] = self.traverse_one(entry_func)
  File "/home/ningyu/Wasm-SE/seewasm/arch/wasm/graph.py", line 423, in traverse_one
    final_states = cls.algo_interval(entry_bb, state, blks)
  File "/home/ningyu/Wasm-SE/seewasm/arch/wasm/graph.py", line 485, in algo_interval
    final_states = cls.visit_interval([state], entry, heads, "return")
  File "/home/ningyu/Wasm-SE/seewasm/arch/wasm/graph.py", line 633, in visit_interval
    halt_flag, emul_states = consumer(item)
  File "/home/ningyu/Wasm-SE/seewasm/arch/wasm/graph.py", line 623, in consumer
    que.put((new_score,
  File "/usr/lib/python3.8/queue.py", line 149, in put
    self._put(item)
  File "/usr/lib/python3.8/queue.py", line 233, in _put
    heappush(self.queue, item)
TypeError: '<' not supported between instances of 'dict' and 'dict'
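
The TypeError in the traceback above comes from a well-known heapq pitfall: `queue.PriorityQueue` is a thin wrapper over `heapq`, and a heap entry shaped like `(score, state)` compares the `state` payloads whenever two scores tie, which fails for dicts. The following is an added example, not SeeWasm code and not the fix in 55b9ee0: it reproduces the failure with a constructed dict-shaped state and shows the standard remedy, a monotonic sequence number between the score and the payload. `StateQueue`, `make_state` and `push_naive` are names chosen for this illustration.

```python
"""Priority queue of emulator states keyed on score only.

Added example, not SeeWasm code.  Demonstrates why (score, state) tuples
raise TypeError on a score tie and how a sequence number prevents it.
"""
import heapq
import itertools


def make_state(pc, depth):
    """Constructed stand-in for an emulator state; dicts are unorderable."""
    return {"pc": pc, "depth": depth}


def push_naive(heap, score, state):
    """The failing pattern: on equal scores heapq compares the dicts."""
    heapq.heappush(heap, (score, state))


class StateQueue:
    """Min-heap on score; ties broken by insertion order, never by payload."""

    def __init__(self):
        self._heap = []
        self._seq = itertools.count()   # strictly increasing tie-breaker

    def put(self, score, state):
        heapq.heappush(self._heap, (score, next(self._seq), state))

    def get(self):
        score, _, state = heapq.heappop(self._heap)
        return score, state

    def __len__(self):
        return len(self._heap)


def naive_fails_on_tie():
    """True if pushing two equal-score dict states raises TypeError."""
    heap = []
    push_naive(heap, 1.0, make_state(0, 0))
    try:
        push_naive(heap, 1.0, make_state(4, 1))
    except TypeError:
        return True
    return False


def drain_in_order():
    """Pop every state from a StateQueue; returns the pcs in pop order."""
    q = StateQueue()
    q.put(2.0, make_state(8, 2))
    q.put(1.0, make_state(0, 0))
    q.put(1.0, make_state(4, 1))    # same score as the previous entry
    return [q.get()[1]["pc"] for _ in range(len(q))]


if __name__ == "__main__":
    print(naive_fails_on_tie())   # True
    print(drain_in_order())       # [0, 4, 8]
```

The sequence number also makes the ordering deterministic: equal-score states come out in the order they were queued, which matters when comparing runs of a path-prioritising explorer.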

zzhzz commented 1 year ago

The TypeError has been fixed in 55b9ee0. However, another issue appears:

Traceback (most recent call last):
  File "launcher.py", line 133, in <module>
    main()
  File "launcher.py", line 121, in main
    graph.traverse()
  File "/home/zzhzz/Wasm-SE/seewasm/arch/wasm/graph.py", line 392, in traverse
    self.final_states[entry_func] = self.traverse_one(entry_func)
  File "/home/zzhzz/Wasm-SE/seewasm/arch/wasm/graph.py", line 423, in traverse_one
    final_states = cls.algo_interval(entry_bb, state, blks)
  File "/home/zzhzz/Wasm-SE/seewasm/arch/wasm/graph.py", line 485, in algo_interval
    final_states = cls.visit_interval([state], entry, heads, "return")
  File "/home/zzhzz/Wasm-SE/seewasm/arch/wasm/graph.py", line 641, in visit_interval
    halt_flag, emul_states = consumer(item)
  File "/home/zzhzz/Wasm-SE/seewasm/arch/wasm/graph.py", line 577, in consumer
    emul_states = cls.wasmVM.emulate_basic_block(
  File "/home/zzhzz/Wasm-SE/seewasm/arch/wasm/emulator.py", line 341, in emulate_basic_block
    next_states.extend(self.emulate_one_instruction(
  File "/home/zzhzz/Wasm-SE/seewasm/arch/wasm/emulator.py", line 379, in emulate_one_instruction
    ret_states = instr_obj.emulate(state)
  File "/home/zzhzz/Wasm-SE/seewasm/arch/wasm/instructions/ParametricInstructions.py", line 15, in emulate
    state.symbolic_stack.pop()
IndexError: pop from empty list

Seems like the simulation of call_indirect still has some errors.

HNYuuu commented 1 year ago

Fixed in #85, closed.