This wasm program:
```wat
(module
  (import "host" "call" (func $f (param i32)))
  (memory 1)
  (func $test
    (i32.const 42)
    call $f
  )
  (export "test" (func $test))
)
```
Causes this panic:
```
index out of bounds: the len is 8320 but the index is 18446744073709551615
```
at `zkEngine_dev/src/wasm_snark/mcc/multiset_ops.rs:407:26`, with a host call that does nothing:
```rust
// Host import matching `(func (param i32))`: one i32 argument, no results, no side effects.
linker
    .func_wrap("host", "call", |_caller: Caller<()>, _i: u32| {})
    .unwrap();
```
The overflow seems to originate in the tracer here: https://github.com/ICME-Lab/zkEngine_dev/blob/6e8d49cb74df4356f36704d54dfe053db1397810/third-party/wasmi/crates/wasmi/src/engine/stack/mod.rs#L326C1-L332C1
I think the problem is most likely that the range in the loop should instead be `1..=len_outputs`.
For example, in this case the host call doesn't have any outputs, so `post_sp` is just 0. But because it has an input, `max_inout` is 1, introducing the underflow.
There is also, however, another one in the following `if` block (`zkEngine_dev/third-party/wasmi/crates/wasmi/src/engine/stack/mod.rs`, line 336 at 6e8d49c), and I'm not sure what that one is for or what the correct value in there should be.
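To make the arithmetic in the report concrete, here is a small stand-alone model of the stack-pointer bookkeeping it describes. This is an added example written for this issue, not zkEngine's or wasmi's own code: the names `post_sp`, `len_inputs`, `len_outputs` and `max_inout` follow the report, but the loop bodies (`post_sp - (i + 1)` over `0..max_inout`, versus `post_sp - offset` over `1..=len_outputs`) are assumptions about what the tracer computes. It also shows why the panic reports index 18446744073709551615: that is `0usize.wrapping_sub(1)`, i.e. `usize::MAX` on a 64-bit target, which then fails the bounds check instead of tripping a debug overflow check.

```rust
/// Hypothetical model of the tracer's stack-pointer bookkeeping (not zkEngine code).

#[derive(Debug, PartialEq, Eq)]
pub enum TraceError {
    /// `post_sp - offset` would go below zero.
    Underflow { post_sp: usize, offset: usize },
}

/// Stack height right after the host call returns, relative to the frame base:
/// the inputs have been popped and `len_outputs` results pushed.
pub fn post_sp(len_outputs: usize) -> usize {
    len_outputs
}

/// The loop as the report describes it: it runs over `0..max_inout` and
/// addresses each slot as `post_sp - (i + 1)`. With one input and zero outputs,
/// `max_inout == 1` while `post_sp == 0`, so the first iteration underflows.
/// `checked_sub` surfaces that as an error instead of wrapping.
pub fn trace_outputs_as_reported(
    len_inputs: usize,
    len_outputs: usize,
) -> Result<Vec<usize>, TraceError> {
    let max_inout = len_inputs.max(len_outputs);
    let sp = post_sp(len_outputs);
    (0..max_inout)
        .map(|i| {
            let offset = i + 1;
            sp.checked_sub(offset)
                .ok_or(TraceError::Underflow { post_sp: sp, offset })
        })
        .collect()
}

/// What a wrapping subtraction produces for the same operands: with
/// `sp == 0` and `offset == 1` this is `usize::MAX`, the index in the panic
/// message (18446744073709551615 on 64-bit targets).
pub fn wrapped_index(sp: usize, offset: usize) -> usize {
    sp.wrapping_sub(offset)
}

/// The range suggested in the report: iterate `1..=len_outputs`, so the loop
/// only touches slots that actually hold results and can never run past
/// `post_sp`, whatever the number of inputs.
pub fn trace_outputs_suggested(len_outputs: usize) -> Vec<usize> {
    let sp = post_sp(len_outputs);
    (1..=len_outputs).map(|offset| sp - offset).collect()
}

fn main() {
    // Constructed cases: (len_inputs, len_outputs). (1, 0) is the issue's host call.
    for (ins, outs) in [(1, 0), (0, 0), (0, 2), (2, 1), (1, 3)] {
        println!(
            "inputs={ins} outputs={outs}: reported={:?} suggested={:?}",
            trace_outputs_as_reported(ins, outs),
            trace_outputs_suggested(outs)
        );
    }
    println!("wrapped index for post_sp=0, offset=1: {}", wrapped_index(0, 1));
}
```

The `(2, 1)` case is worth noting: the reported loop also underflows whenever `len_inputs > len_outputs > 0`, not only when there are no outputs, because `max_inout` is driven by the input count while `post_sp` is driven by the output count.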