Skip to content

Report a host limit for memories too large for the shell to allocate#8898

Merged
kripken merged 2 commits into
WebAssembly:mainfrom
JPL11:interp-mem64-overflow
Jul 13, 2026
Merged

Report a host limit for memories too large for the shell to allocate#8898
kripken merged 2 commits into
WebAssembly:mainfrom
JPL11:interp-mem64-overflow

Conversation

@JPL11

@JPL11 JPL11 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Fixes the fuzzer finding from #8882 (comment): a maximal memory64 (2^48 pages, exactly 2^64 bytes) hit shellMemory.resize(memory->initial << memory->pageSizeLog2) in the shell interface, where the byte size wrapped to 0. Instantiation then "succeeded" with an empty buffer, and every memory access spuriously trapped as out of bounds, including the memory.init of active segments during startup. When an optimization legitimately removes such an access (MemoryPacking dropping a provably in-bounds zero segment), the spurious trap disappears and the fuzzer sees a behavior change.

The fix reports a host limit at instantiation when the byte size is unrepresentable or the allocation fails, like a real VM whose instantiation fails. This slots into existing machinery: growMemory already applies a size limit, and the fuzz-exec harness already catches HostLimitException during instance creation and excludes such runs from comparison, precisely because optimizations can change whether a host limit is reached.

With this, the reproducer prints [host limit memory too large] both before and after --memory-packing, so there is no differential. Added as a lit test under test/lit/exec/.

This is the same overflow pattern in the third of the three sites @MaxGraey pointed at on #8882 (the pass itself, module-splitting.cpp, and shell-interface.h); module-splitting is now the only one left, and I can pick that up along with the shared Memory helper discussed there if you would like.

The fuzzer found (in WebAssembly#8882) that a maximal memory64 (2^48 pages, exactly
2^64 bytes) instantiated in the shell interface with the byte size
wrapped to 0: instantiation "succeeded" with an empty buffer and then
every memory access spuriously trapped as out of bounds, including the
memory.init of active segments. Optimizations that legitimately remove
such accesses (like MemoryPacking dropping a provably in-bounds zero
segment) then changed observable behavior, tripping the fuzzer.

Instead, report a host limit during instantiation when the byte size is
unrepresentable or the allocation fails, like a real VM whose
instantiation fails. The fuzzer already ignores host limits reached
during instance creation, and growMemory already applies a size limit,
so this brings init in line with existing policy.
@JPL11 JPL11 requested a review from a team as a code owner July 13, 2026 21:26
@JPL11 JPL11 requested review from aheejin and Copilot and removed request for a team July 13, 2026 21:26

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@kripken kripken left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, looks good with one minor comment.

Comment thread test/lit/exec/memory64-max-size.wast Outdated
@@ -0,0 +1,16 @@
;; NOTE: Assertions have been generated by update_lit_checks.py --output=fuzz-exec and should not be edited.

;; RUN: wasm-opt %s -all --fuzz-exec -q -o /dev/null 2>&1 | filecheck %s

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
;; RUN: wasm-opt %s -all --fuzz-exec -q -o /dev/null 2>&1 | filecheck %s
;; RUN: wasm-opt %s -all --fuzz-exec-before -q -o /dev/null 2>&1 | filecheck %s

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will execute it once, not twice (fuzz-exec runs one before opts, once after, but there are no opts here).

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, thanks. The checks regenerate to a single [host limit memory too large] line, which is also a nicer statement of what the test is about.

Comment thread src/shell-interface.h
Comment on lines +97 to +102
uint64_t bytes = uint64_t(memory->initial) << memory->pageSizeLog2;
if ((bytes >> memory->pageSizeLog2) != uint64_t(memory->initial)) {
// The byte size is not even representable; we certainly cannot
// allocate it, just like a real VM could not.
hostLimit("memory too large");
}

This comment was marked as resolved.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That works for validated modules: as we established on #8882, under the validator's bound the only value the shift can wrap to is exactly 0. The round trip form additionally stays correct for modules that skipped validation (--no-validation), where an out of range initial can wrap to a nonzero value that !bytes would silently accept as a real size. Since both compile to the same couple of instructions I kept the self contained one, but happy to switch if @kripken prefers the shorter form.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can assume that modules being executed are valid. The only place a module might be invalid is during parsing, basically. But I think the current code is clearer as it stands, as it is self-contained - the short form would need a longer comment, in my opinion.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, the validation limit might change if the spec changes, in theory...

@kripken kripken merged commit 99f6fc6 into WebAssembly:main Jul 13, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants