Hi @Chris Fallin and hello everyone.
I'm working on my bachelor thesis together with @Remo Senekowitsch and @Falk Zwimpfer.
While digging into the code base of cranelift, I executed the fuzz target cranelift-fuzzgen on our new branch (named poc) in a fork, and it quickly returned an error.
The crash file: crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
base64 encoded content: BwAAAAAAAAAAAACeugAHADAAuEB1dXV1df///xm6//8AAP//ego=
First, I thought there was an error with my setup.
When I ran it on the main branch, RUST_BACKTRACE=1 cargo fuzz run --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7 printed this:
➜ wasmtime git:(052115589) > RUST_BACKTRACE=1 cargo fuzz run --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
Finished release [optimized] target(s) in 0.65s
Finished release [optimized] target(s) in 0.47s
Running `target/x86_64-apple-darwin/release/cranelift-fuzzgen '-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/' fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7`
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 149780969
INFO: Loaded 1 modules (1658484 inline 8-bit counters): 1658484 [0x10c0c12c8, 0x10c25613c),
INFO: Loaded 1 PC tables (1658484 PCs): 1658484 [0x10c256140,0x10dba4880),
target/x86_64-apple-darwin/release/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
Executed fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7 in 2 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***
Digging further, I found out that the fuzz_target!(|testcase: TestCase| { ... } in cranelift-fuzzgen.rs was actually never called on the main branch.
It turns out the Arbitrary impl for TestCase returns an Err result.
So the only relevant difference to our poc branch was the version of the arbitrary crate.
main branch uses "1.0.0"
poc branch uses "1.2.3"
Updating the version in cranelift/fuzzgen/Cargo.toml finally allowed me to reproduce this on the main branch. Here's the output:
➜ wasmtime git:(052115589) ✗ RUST_BACKTRACE=1 cargo fuzz run --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
Finished release [optimized] target(s) in 0.72s
Finished release [optimized] target(s) in 0.47s
Running `target/x86_64-apple-darwin/release/cranelift-fuzzgen '-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/' fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7`
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 824376443
INFO: Loaded 1 modules (1658758 inline 8-bit counters): 1658758 [0x10e03c848, 0x10e1d17ce),
INFO: Loaded 1 PC tables (1658758 PCs): 1658758 [0x10e1d17d0,0x10fb21030),
target/x86_64-apple-darwin/release/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
thread '<unnamed>' panicked at 'called `Result::unwrap()` on an `Err` value: TryFromIntError(())', cranelift/jit/src/compiled_blob.rs:51:80
stack backtrace:
0: rust_begin_unwind
at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/std/src/panicking.rs:579:5
1: core::panicking::panic_fmt
at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/core/src/panicking.rs:64:14
2: core::result::unwrap_failed
at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/core/src/result.rs:1750:5
3: cranelift_jit::compiled_blob::CompiledBlob::perform_relocations
4: cranelift_jit::backend::JITModule::finalize_definitions
5: cranelift_filetests::function_runner::TestFileCompiler::compile
6: cranelift_fuzzgen::_::run
7: _rust_fuzzer_test_input
8: std::panicking::try::do_call
9: ___rust_try
10: _LLVMFuzzerTestOneInput
11: __ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
12: __ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
13: __ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
14: _main
15: <unknown>
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
==69068== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
────────────────────────────────────────────────────────────────────────────────
Error: Fuzz target exited with exit status: 77
Could you also paste the output of cargo fuzz fmt with the same arguments as cargo fuzz run?
Sure, here's the output:
cargo fuzz fmt --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
Output of `std::fmt::Debug`:
;; Fuzzgen test case
test interpret
test run
set opt_level=speed
set regalloc_checker=true
set enable_alias_analysis=false
set use_egraphs=false
set enable_simd=true
set enable_llvm_abi_extensions=true
set unwind_info=false
set machine_code_cfg_info=true
set enable_jump_tables=false
set enable_heap_access_spectre_mitigation=false
set enable_table_access_spectre_mitigation=false
target x86_64
function u1:0(f64, i8 uext, i16 sext, f32, f32, f32, f32) system_v {
sig0 = (f32) -> f32 system_v
sig1 = (f64) -> f64 system_v
sig2 = (f32) -> f32 system_v
sig3 = (f64) -> f64 system_v
sig4 = (f32) -> f32 system_v
sig5 = (f64) -> f64 system_v
fn0 = colocated %CeilF32 sig0
fn1 = colocated %CeilF64 sig1
fn2 = colocated %FloorF32 sig2
fn3 = %FloorF64 sig3
fn4 = colocated %TruncF32 sig4
fn5 = colocated %TruncF64 sig5
block0(v0: f64, v1: i8, v2: i16, v3: f32, v4: f32, v5: f32, v6: f32):
v7 = iconst.i8 0
v8 = iconst.i16 0
v9 = iconst.i32 0
v10 = iconst.i64 0
v11 = uextend.i128 v10 ; v10 = 0
v12 = call fn4(v3)
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
return
}
; Note: the results in the below test cases are simply a placeholder and probably will be wrong
; run: u1:0(0.0, 0, 0, 0.0, 0.0, 0.0, 0.0)
Interesting. I'm not immediately sure what's going on there. It's also worth trying cargo fuzz tmin to see if it can produce a smaller input that still fails.
I think this might be the Page Allocator issues that we have in cranelift-jit:
https://github.com/bytecodealliance/wasmtime/issues/4000
Digging further I found out that the fuzz_target!(|testcase: TestCase| { ... } in cranelift-fuzzgen.rs was actually never called on the main branch.
Can you explain? Looking at the code myself, it seemed like fuzz_target! is exporting a function calling the block you pass it.
Somewhat long shot, but does this reproduce with --feature=selinux-fix? I think that changes some behaviour wrt our allocator.
➜ wasmtime git:(052115589) ✗ RUST_BACKTRACE=1 cargo fuzz tmin --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
Finished release [optimized] target(s) in 0.50s
Finished release [optimized] target(s) in 0.48s
Running `target/x86_64-apple-darwin/release/cranelift-fuzzgen '-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/' -minimize_crash=1 -runs=255 fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7`
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1527089668
INFO: Loaded 1 modules (1658758 inline 8-bit counters): 1658758 [0x10c601848, 0x10c7967ce),
INFO: Loaded 1 PC tables (1658758 PCs): 1658758 [0x10c7967d0,0x10e0e6030),
CRASH_MIN: minimizing crash input: 'fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7' (38 bytes)
CRASH_MIN: executing: target/x86_64-apple-darwin/release/cranelift-fuzzgen -artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/ -runs=255 fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7 2>&1
CRASH_MIN: 'fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7' (38 bytes) caused a crash. Will try to minimize it further
CRASH_MIN: executing: target/x86_64-apple-darwin/release/cranelift-fuzzgen -artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/ -runs=255 fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7 -minimize_crash_internal_step=1 -exact_artifact_path=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/minimized-from-7ea007a1e42a044d3b2276afdc93befcdac5fca7 2>&1
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1527432807
INFO: Loaded 1 modules (1658758 inline 8-bit counters): 1658758 [0x10a500848, 0x10a6957ce),
INFO: Loaded 1 PC tables (1658758 PCs): 1658758 [0x10a6957d0,0x10bfe5030),
Assertion failed: (Inputs->size() == 1), function MinimizeCrashInputInternalStep, file FuzzerDriver.cpp, line 491.
==69520== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
*********************************
No such directory: /Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/minimized-from-7ea007a1e42a044d3b2276afdc93befcdac5fca7; exiting
────────────────────────────────────────────────────────────────────────────────
Error: Test case minimization failed.
Usually this isn't a hard error, and just means that libfuzzer
doesn't know how to minimize the test case any further while
still reproducing the original crash.
See the logs above for details.
Caused by:
Command `"cargo" "run" "--manifest-path" "/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/Cargo.toml" "--target" "x86_64-apple-darwin" "--release" "--no-default-features" "--bin" "cranelift-fuzzgen" "--" "-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/" "-minimize_crash=1" "-runs=255" "fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7"` exited with exit status: 1
@ghostway I can explain that: changing the version of arbitrary changed the way that the fuzz input was interpreted, and caused us to reject it as an invalid format. So we couldn't construct the structured TestCase from it, and the actual fuzz target function didn't get called.
@Moritz Waser, based on the "No such directory" error message, I'm guessing that libFuzzer isn't correctly handling the space in the directory named "Semester 8"
Interesting, so you mean he compiled it after and used a dump that was created before? Or am I just misunderstanding?
Yeah, that's right: they were trying to check whether the failure occurred on main or if it was just introduced by their changes.
@Moritz Waser I'm curious about Afonso's question too: does building with --feature=selinux-fix make the error go away?
I'm trying to get the cargo fuzz tmin working ... I'll check it in a minute.
Jamey Sharp said:
Moritz Waser I'm curious about Afonso's question too: does building with --feature=selinux-fix make the error go away?
Moritz is on macOS, in case --feature=selinux-fix doesn't apply to that.
--feature=selinux-fix is on the cranelift-jit crate, rather than on the fuzz target!? I activated it by including it in default = ["selinux-fix"] in the cranelift-jit crate; please let me know if that's the way to go.
After making this change, the error still seems to be present:
➜ wasmtime git:(052115589) ✗ RUST_BACKTRACE=1 cargo fuzz run --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
Finished release [optimized] target(s) in 0.91s
Finished release [optimized] target(s) in 0.55s
Running `target/x86_64-apple-darwin/release/cranelift-fuzzgen '-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/' fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7`
cranelift-fuzzgen(72930,0x7ff844d088c0) malloc: nano zone abandoned due to inability to preallocate reserved vm space.
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3006862256
INFO: Loaded 1 modules (1658758 inline 8-bit counters): 1658758 [0x10f783848, 0x10f9187ce),
INFO: Loaded 1 PC tables (1658758 PCs): 1658758 [0x10f9187d0,0x111268030),
target/x86_64-apple-darwin/release/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7
thread '<unnamed>' panicked at 'called `Result::unwrap()` on an `Err` value: TryFromIntError(())', cranelift/jit/src/compiled_blob.rs:51:80
stack backtrace:
0: rust_begin_unwind
at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/std/src/panicking.rs:579:5
1: core::panicking::panic_fmt
at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/core/src/panicking.rs:64:14
2: core::result::unwrap_failed
at /rustc/f77bfb7336f21bfe6a5fb5f7358d4406e2597289/library/core/src/result.rs:1750:5
3: cranelift_jit::compiled_blob::CompiledBlob::perform_relocations
4: cranelift_jit::backend::JITModule::finalize_definitions
5: cranelift_filetests::function_runner::TestFileCompiler::compile
6: cranelift_fuzzgen::_::run
7: _rust_fuzzer_test_input
8: std::panicking::try::do_call
9: ___rust_try
10: _LLVMFuzzerTestOneInput
11: __ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
12: __ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
13: __ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
14: _main
15: <unknown>
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
==72930== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
────────────────────────────────────────────────────────────────────────────────
Error: Fuzz target exited with exit status: 77
About cargo fuzz tmin:
It seems not to be that easy to just create a symlink from /tmp/wasmtime to my wasmtime path that includes a space.
I therefore extracted the following command from the output of RUST_BACKTRACE=1 cargo fuzz tmin --no-default-features cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7 and added the necessary quotes myself.
➜ wasmtime git:(052115589) ✗ target/x86_64-apple-darwin/release/cranelift-fuzzgen "-artifact_prefix=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/" -runs=255 "fuzz/artifacts/cranelift-fuzzgen/crash-7ea007a1e42a044d3b2276afdc93befcdac5fca7" -minimize_crash_internal_step=1 "-exact_artifact_path=/Users/mo_priv/Desktop/Studium/Semester 8/BA/wasmtime/fuzz/artifacts/cranelift-fuzzgen/minimized-from-7ea007a1e42a044d3b2276afdc93befcdac5fca7"
cranelift-fuzzgen(73599,0x7ff844d088c0) malloc: nano zone abandoned due to inability to preallocate reserved vm space.
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3368144992
INFO: Loaded 1 modules (1658758 inline 8-bit counters): 1658758 [0x112dbf848, 0x112f547ce),
INFO: Loaded 1 PC tables (1658758 PCs): 1658758 [0x112f547d0,0x1148a4030),
INFO: Starting MinimizeCrashInputInternalStep: 38
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 38 bytes
INFO: Done MinimizeCrashInputInternalStep, no crashes found
Would you be able to try the following test case via clif-util?
test run
target x86_64
function %a(f64, i8 uext, i16 sext, f32, f32, f32, f32) -> i8 system_v {
sig4 = (f32) -> f32 system_v
fn4 = colocated %TruncF32 sig4
block0(v0: f64, v1: i8, v2: i16, v3: f32, v4: f32, v5: f32, v6: f32):
v7 = iconst.i8 0
v12 = call fn4(v3)
return v7
}
; run: %a(0.0, 0, 0, 0.0, 0.0, 0.0, 0.0) == 0
I think this runs essentially what the fuzzer is seeing, but outside the fuzzer. You can run this with: cd cranelift && cargo run test ./the-above.clif
You could also try disabling ASan and see if that gets you any further:
cargo fuzz run --sanitizer=none ...
Last updated: Nov 22 2024 at 16:03 UTC