Stream: cranelift

Topic: fuzz target - cranelift-fuzzgen


Moritz Waser (Mar 16 2023 at 15:39):

Hi @Chris Fallin and hello everyone.
I'm working on my bachelor thesis together with @Remo Senekowitsch and @Falk Zwimpfer.

While digging into the code base of cranelift, I executed the fuzz target cranelift-fuzzgen on our new branch (named poc) (in a fork).
And it quickly returned me an error.
The crash file: crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
base64 encoded content: BwAAAAAAAAAAAACeugAHADAAuEB1dXV1df///xm6//8AAP//ego=

First, I thought there was an error with my setup.
When I ran it on the main branch, RUST_BACKTRACE=1 cargo fuzz run --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7 printed this:

➜  wasmtime git:(052115589) > RUST_BACKTRACE=1 cargo fuzz run --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
    Finished release [optimized] target(s) in 0.65s
    Finished release [optimized] target(s) in 0.47s
     Running `target/x86_64-apple-darwin/release/cranelift-fuzzgen '-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/' fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7`
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 149780969
INFO: Loaded 1 modules   (1658484 inline 8-bit counters): 1658484 [0x10c0c12c8, 0x10c25613c),
INFO: Loaded 1 PC tables (1658484 PCs): 1658484 [0x10c256140,0x10dba4880),
target/x86_64-apple-darwin/release/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
Executed fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7 in 2 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***

Digging further I found out that the fuzz_target!(|testcase: TestCase| { ... } in cranelift-fuzzgen.rs was actually never called on the main branch.
It turns out that the Arbitrary impl for TestCase returns an Err result.

So the only relevant difference to our poc branch was the version of the arbitrary crate.
main branch uses "1.0.0"
poc branch uses "1.2.3"

Updating the version in cranelift/fuzzgen/Cargo.toml finally allowed me to reproduce this on the main branch. Here's the output:

➜  wasmtime git:(052115589) ✗ RUST_BACKTRACE=1 cargo fuzz run --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
    Finished release [optimized] target(s) in 0.72s
    Finished release [optimized] target(s) in 0.47s
     Running `target/x86_64-apple-darwin/release/cranelift-fuzzgen '-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/' fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7`
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 824376443
INFO: Loaded 1 modules   (1658758 inline 8-bit counters): 1658758 [0x10e03c848, 0x10e1d17ce),
INFO: Loaded 1 PC tables (1658758 PCs): 1658758 [0x10e1d17d0,0x10fb21030),
target/x86_64-apple-darwin/release/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
thread '<unnamed>' panicked at 'called `Result::unwrap()` on an `Err` value: TryFromIntError(())', cranelift/jit/src/compiled_blob.rs:51:80
stack backtrace:
   0: rust_begin_unwind
             at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/std/src/panicking.rs:579:5
   1: core::panicking::panic_fmt
             at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/core/src/panicking.rs:64:14
   2: core::result::unwrap_failed
             at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/core/src/result.rs:1750:5
   3: cranelift_jit::compiled_blob::CompiledBlob::perform_relocations
   4: cranelift_jit::backend::JITModule::finalize_definitions
   5: cranelift_filetests::function_runner::TestFileCompiler::compile
   6: cranelift_fuzzgen::_::run
   7: _rust_fuzzer_test_input
   8: std::panicking::try::do_call
   9: ___rust_try
  10: _LLVMFuzzerTestOneInput
  11: __ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
  12: __ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
  13: __ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
  14: _main
  15: <unknown>
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
==69068== ERROR: libFuzzer: deadly signal

... shortened because of the limit

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit status: 77

Jamey Sharp (Mar 16 2023 at 15:41):

Could you also paste the output of cargo fuzz fmt with the same arguments as cargo fuzz run?

Moritz Waser (Mar 16 2023 at 15:42):

Sure, here's the output:

cargo fuzz fmt --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7

Output of `std::fmt::Debug`:

;; Fuzzgen test case

test interpret
test run
set opt_level=speed
set regalloc_checker=true
set enable_alias_analysis=false
set use_egraphs=false
set enable_simd=true
set enable_llvm_abi_extensions=true
set unwind_info=false
set machine_code_cfg_info=true
set enable_jump_tables=false
set enable_heap_access_spectre_mitigation=false
set enable_table_access_spectre_mitigation=false
target x86_64
function u1:0(f64, i8 uext, i16 sext, f32, f32, f32, f32) system_v {
    sig0 = (f32) -> f32 system_v
    sig1 = (f64) -> f64 system_v
    sig2 = (f32) -> f32 system_v
    sig3 = (f64) -> f64 system_v
    sig4 = (f32) -> f32 system_v
    sig5 = (f64) -> f64 system_v
    fn0 = colocated %CeilF32 sig0
    fn1 = colocated %CeilF64 sig1
    fn2 = colocated %FloorF32 sig2
    fn3 = %FloorF64 sig3
    fn4 = colocated %TruncF32 sig4
    fn5 = colocated %TruncF64 sig5

block0(v0: f64, v1: i8, v2: i16, v3: f32, v4: f32, v5: f32, v6: f32):
    v7 = iconst.i8 0
    v8 = iconst.i16 0
    v9 = iconst.i32 0
    v10 = iconst.i64 0
    v11 = uextend.i128 v10  ; v10 = 0
    v12 = call fn4(v3)
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    return
}

; Note: the results in the below test cases are simply a placeholder and probably will be wrong

; run: u1:0(0.0, 0, 0, 0.0, 0.0, 0.0, 0.0)

Jamey Sharp (Mar 16 2023 at 15:45):

Interesting. I'm not immediately sure what's going on there. It's also worth trying cargo fuzz tmin to see if it can produce a smaller input that still fails.

Afonso Bordado (Mar 16 2023 at 15:47):

I think this might be the Page Allocator issues that we have in cranelift-jit:
https://github.com/bytecodealliance/wasmtime/issues/4000

Hey, I'm seeing crashes during finalize_definitions calls related to x86_64 call relocations: thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: TryFromIntError...

ghostway (Mar 16 2023 at 15:48):

Digging further I found out that the fuzz_target!(|testcase: TestCase| { ... } in cranelift-fuzzgen.rs was actually never called on the main branch.

Can you explain? Looking at the code myself, it seemed like fuzz_target! is exporting a function calling the block you pass it.

Afonso Bordado (Mar 16 2023 at 15:48):

Somewhat long shot, but does this reproduce with --feature=selinux-fix? I think that changes some behaviour wrt our allocator

Moritz Waser (Mar 16 2023 at 15:48):

➜  wasmtime git:(052115589) ✗ RUST_BACKTRACE=1 cargo fuzz tmin --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
    Finished release [optimized] target(s) in 0.50s
    Finished release [optimized] target(s) in 0.48s
     Running `target/x86_64-apple-darwin/release/cranelift-fuzzgen '-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/' -minimize_crash=1 -runs=255 fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7`
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1527089668
INFO: Loaded 1 modules   (1658758 inline 8-bit counters): 1658758 [0x10c601848, 0x10c7967ce),
INFO: Loaded 1 PC tables (1658758 PCs): 1658758 [0x10c7967d0,0x10e0e6030),
CRASH_MIN: minimizing crash input: 'fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7' (38 bytes)
CRASH_MIN: executing: target/x86_64-apple-darwin/release/cranelift-fuzzgen -artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/ -runs=255 fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7 2>&1
CRASH_MIN: 'fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7' (38 bytes) caused a crash. Will try to minimize it further
CRASH_MIN: executing: target/x86_64-apple-darwin/release/cranelift-fuzzgen -artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/ -runs=255 fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7 -minimize_crash_internal_step=1 -exact_artifact_path=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/minimized-from-7ea007a1e42a044d3b2276afdc93befcdac5fca7 2>&1
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1527432807
INFO: Loaded 1 modules   (1658758 inline 8-bit counters): 1658758 [0x10a500848, 0x10a6957ce),
INFO: Loaded 1 PC tables (1658758 PCs): 1658758 [0x10a6957d0,0x10bfe5030),
Assertion failed: (Inputs->size() == 1), function MinimizeCrashInputInternalStep, file FuzzerDriver.cpp, line 491.
==69520== ERROR: libFuzzer: deadly signal

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
*********************************
No such directory: /Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/minimized-from-7ea007a1e42a044d3b2276afdc93befcdac5fca7; exiting

────────────────────────────────────────────────────────────────────────────────

Error: Test case minimization failed.

Usually this isn't a hard error, and just means that libfuzzer
doesn't know how to minimize the test case any further while
still reproducing the original crash.

See the logs above for details.

Caused by:
    Command `"cargo" "run" "--manifest-path" "/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/Cargo.toml" "--target" "x86_64-apple-darwin" "--release" "--no-default-features" "--bin" "cranelift-fuzzgen" "--" "-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/" "-minimize_crash=1" "-runs=255" "fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7"` exited with exit status: 1

Jamey Sharp (Mar 16 2023 at 15:49):

@ghostway I can explain that: changing the version of arbitrary changed the way that the fuzz input was interpreted, and caused us to reject it as an invalid format. So we couldn't construct the structured TestCase from it, and the actual fuzz target function didn't get called.

Jamey Sharp (Mar 16 2023 at 15:51):

@Moritz Waser, based on the "No such directory" error message, I'm guessing that libFuzzer isn't correctly handling the space in the directory named "Semester 8".

ghostway (Mar 16 2023 at 15:51):

Interesting, so you mean he compiled it after and used a dump that was created before? Or am I just misunderstanding?

Jamey Sharp (Mar 16 2023 at 15:52):

Yeah, that's right: they were trying to check whether the failure occurred on main or if it was just introduced by their changes.

Jamey Sharp (Mar 16 2023 at 15:54):

@Moritz Waser I'm curious about Afonso's question too: does building with --feature=selinux-fix make the error go away?

Moritz Waser (Mar 16 2023 at 15:55):

I'm trying to get the cargo fuzz tmin working ... I'll check it in a minute.

Remo Senekowitsch (Mar 16 2023 at 16:00):

Jamey Sharp said:

Moritz Waser I'm curious about Afonso's question too: does building with --feature=selinux-fix make the error go away?

Moritz is on macOS, in case --feature=selinux-fix doesn't apply to that.

Moritz Waser (Mar 16 2023 at 16:10):

--feature=selinux-fix is on the cranelift-jit crate, rather than on the fuzz target!?
I activated it by including it into default = ["selinux-fix"] in the cranelift-jit crate, please let me know if that's the way to go.

After making this change, the error still seems to be present:

➜  wasmtime git:(052115589) ✗ RUST_BACKTRACE=1 cargo fuzz run --no-default-features  cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
    Finished release [optimized] target(s) in 0.91s
    Finished release [optimized] target(s) in 0.55s
     Running `target/x86_64-apple-darwin/release/cranelift-fuzzgen '-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/' fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7`
cranelift-fuzzgen(72930,0x7ff844d088c0) malloc: nano zone abandoned due to inability to preallocate reserved vm space.
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3006862256
INFO: Loaded 1 modules   (1658758 inline 8-bit counters): 1658758 [0x10f783848, 0x10f9187ce),
INFO: Loaded 1 PC tables (1658758 PCs): 1658758 [0x10f9187d0,0x111268030),
target/x86_64-apple-darwin/release/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
thread '<unnamed>' panicked at 'called `Result::unwrap()` on an `Err` value: TryFromIntError(())', cranelift/jit/src/compiled_blob.rs:51:80
stack backtrace:
   0: rust_begin_unwind
             at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/std/src/panicking.rs:579:5
   1: core::panicking::panic_fmt
             at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/core/src/panicking.rs:64:14
   2: core::result::unwrap_failed
             at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/core/src/result.rs:1750:5
   3: cranelift_jit::compiled_blob::CompiledBlob::perform_relocations
   4: cranelift_jit::backend::JITModule::finalize_definitions
   5: cranelift_filetests::function_runner::TestFileCompiler::compile
   6: cranelift_fuzzgen::_::run
   7: _rust_fuzzer_test_input
   8: std::panicking::try::do_call
   9: ___rust_try
  10: _LLVMFuzzerTestOneInput
  11: __ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
  12: __ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
  13: __ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
  14: _main
  15: <unknown>
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
==72930== ERROR: libFuzzer: deadly signal

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit status: 77

Moritz Waser (Mar 16 2023 at 16:20):

About cargo fuzz tmin ...:
It seems to not be that easy to just create a symlink from /tmp/wasmtime to my wasmtime path that includes a space.

I therefore extracted the following command from the output of RUST_BACKTRACE=1 cargo fuzz tmin --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7 and added the necessary quotes myself.

➜  wasmtime git:(052115589) ✗ target/x86_64-apple-darwin/release/cranelift-fuzzgen "-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/" -runs=255 "fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7" -minimize_crash_internal_step=1 "-exact_artifact_path=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/minimized-from-7ea007a1e42a044d3b2276afdc93befcdac5fca7"
cranelift-fuzzgen(73599,0x7ff844d088c0) malloc: nano zone abandoned due to inability to preallocate reserved vm space.
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3368144992
INFO: Loaded 1 modules   (1658758 inline 8-bit counters): 1658758 [0x112dbf848, 0x112f547ce),
INFO: Loaded 1 PC tables (1658758 PCs): 1658758 [0x112f547d0,0x1148a4030),
INFO: Starting MinimizeCrashInputInternalStep: 38
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 38 bytes
INFO: Done MinimizeCrashInputInternalStep, no crashes found

Afonso Bordado (Mar 16 2023 at 16:26):

Would you be able to try the following test case via clif-util?

test run
target x86_64

function %a(f64, i8 uext, i16 sext, f32, f32, f32, f32) -> i8 system_v {
    sig4 = (f32) -> f32 system_v
    fn4 = colocated %TruncF32 sig4

block0(v0: f64, v1: i8, v2: i16, v3: f32, v4: f32, v5: f32, v6: f32):
    v7 = iconst.i8 0
    v12 = call fn4(v3)
    return v7
}

; run: %a(0.0, 0, 0, 0.0, 0.0, 0.0, 0.0) == 0

I think this runs essentially what the fuzzer is seeing, but outside the fuzzer. You can run this with: cd cranelift && cargo run test ./the-above.clif

fitzgen (he/him) (Mar 16 2023 at 16:35):

You could also try disabling ASan and see if that gets you any further:

cargo fuzz run --sanitizer=none ...

Last updated: Nov 22 2024 at 16:03 UTC