GitHub (Dec 20 2019 at 22:21): GitHub (Dec 20 2019 at 22:21):pventuzelo opened Issue #1306:
Issue description
During fuzzing of lightbeam, i found this crash that seems to be related to cranelift.
$ cargo +nightly fuzz run compile assert_failed_cranelift_entity.wasm Running: assert_failed_cranelift_entity.wasm thread '<unnamed>' panicked at 'assertion failed: x < ::cranelift_entity::__core::u32::MAX', /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/translation_utils.rs:18:1Note: crash will not happen if you are calling
wasmtimebinary but only usingcompileAPI.
Also, the crash happen using both fuzzing strategy (i.e. cranelift or ligthbeam)Reproduction
Download assert_failed_cranelift_entity.zip
Run the fuzzer:
$ cargo +nightly fuzz run compile assert_failed_cranelift_entity.wasm Running: assert_failed_cranelift_entity.wasm thread '<unnamed>' panicked at 'assertion failed: x < ::cranelift_entity::__core::u32::MAX', /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/translation_utils.rs:18:1wasmtime commit: 086ff63e6b38efcb9a69379fb4e3f6ea3a622a9c
Crash details
Running: assert_failed_cranelift_entity.wasm thread '<unnamed>' panicked at 'assertion failed: x < ::cranelift_entity::__core::u32::MAX', /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/translation_utils.rs:18:1 stack backtrace: 0: backtrace::backtrace::libunwind::trace at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/libunwind.rs:88 1: backtrace::backtrace::trace_unsynchronized at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/mod.rs:66 2: std::sys_common::backtrace::_print_fmt at src/libstd/sys_common/backtrace.rs:77 3: <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt at src/libstd/sys_common/backtrace.rs:61 4: core::fmt::write at src/libcore/fmt/mod.rs:1030 5: std::io::Write::write_fmt at src/libstd/io/mod.rs:1412 6: std::sys_common::backtrace::_print at src/libstd/sys_common/backtrace.rs:65 7: std::sys_common::backtrace::print at src/libstd/sys_common/backtrace.rs:50 8: std::panicking::default_hook::{{closure}} at src/libstd/panicking.rs:188 9: std::panicking::default_hook at src/libstd/panicking.rs:205 10: <alloc::boxed::Box<F> as core::ops::function::Fn<A>>::call at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/liballoc/boxed.rs:956 11: libfuzzer_sys::initialize::{{closure}} at /XXX/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/0c45075/src/lib.rs:50 12: std::panicking::rust_panic_with_hook at src/libstd/panicking.rs:468 13: std::panicking::begin_panic at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panicking.rs:400 14: cranelift_wasm::translation_utils::FuncIndex::from_u32 at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/<::cranelift_entity::entity_impl macros>:20 15: cranelift_wasm::sections_translator::parse_function_name_subsection at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/sections_translator.rs:419 16: core::ops::function::FnOnce::call_once at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libcore/ops/function.rs:227 17: core::option::Option<T>::and_then at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libcore/option.rs:657 18: cranelift_wasm::sections_translator::parse_name_section at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/sections_translator.rs:395 19: cranelift_wasm::module_translator::translate_module at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/module_translator.rs:83 20: wasmtime_environ::module_environ::ModuleEnvironment::translate at crates/environ/src/module_environ.rs:83 21: wasmtime_jit::instantiate::RawCompiledModule::new at crates/jit/src/instantiate.rs:68 22: wasmtime_jit::instantiate::CompiledModule::new at crates/jit/src/instantiate.rs:159 23: wasmtime_fuzzing::oracles::compile at crates/fuzzing/src/oracles.rs:84 24: rust_fuzzer_test_input at fuzz/fuzz_targets/compile.rs:8 25: libfuzzer_sys::test_input_wrap::{{closure}} at /XXX/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/0c45075/src/lib.rs:27 26: std::panicking::try::do_call at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panicking.rs:287 27: __rust_maybe_catch_panic at src/libpanic_unwind/lib.rs:79 28: std::panicking::try at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panicking.rs:265 29: std::panic::catch_unwind at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panic.rs:396 30: LLVMFuzzerTestOneInput at /XXX/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/0c45075/src/lib.rs:25 31: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm at libfuzzer/FuzzerLoop.cpp:553 32: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm at libfuzzer/FuzzerDriver.cpp:292 33: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE 34: main at libfuzzer/FuzzerMain.cpp:19 35: __libc_start_main 36: _start
GitHub (Dec 20 2019 at 22:39):fitzgen commented on Issue #1306:
reduced test case:
min-issue-1306.zip
GitHub (Dec 20 2019 at 22:40):fitzgen edited a comment on Issue #1306:
reduced test case:
min-issue-1306.zip
GitHub (Dec 20 2019 at 22:41):fitzgen labeled Issue #1306:
Issue description
During fuzzing of lightbeam, i found this crash that seems to be related to cranelift.
$ cargo +nightly fuzz run compile assert_failed_cranelift_entity.wasm Running: assert_failed_cranelift_entity.wasm thread '<unnamed>' panicked at 'assertion failed: x < ::cranelift_entity::__core::u32::MAX', /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/translation_utils.rs:18:1Note: crash will not happen if you are calling
wasmtimebinary but only usingcompileAPI.
Also, the crash happen using both fuzzing strategy (i.e. cranelift or ligthbeam)Reproduction
Download assert_failed_cranelift_entity.zip
Run the fuzzer:
$ cargo +nightly fuzz run compile assert_failed_cranelift_entity.wasm Running: assert_failed_cranelift_entity.wasm thread '<unnamed>' panicked at 'assertion failed: x < ::cranelift_entity::__core::u32::MAX', /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/translation_utils.rs:18:1wasmtime commit: 086ff63e6b38efcb9a69379fb4e3f6ea3a622a9c
Crash details
Running: assert_failed_cranelift_entity.wasm thread '<unnamed>' panicked at 'assertion failed: x < ::cranelift_entity::__core::u32::MAX', /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/translation_utils.rs:18:1 stack backtrace: 0: backtrace::backtrace::libunwind::trace at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/libunwind.rs:88 1: backtrace::backtrace::trace_unsynchronized at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/mod.rs:66 2: std::sys_common::backtrace::_print_fmt at src/libstd/sys_common/backtrace.rs:77 3: <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt at src/libstd/sys_common/backtrace.rs:61 4: core::fmt::write at src/libcore/fmt/mod.rs:1030 5: std::io::Write::write_fmt at src/libstd/io/mod.rs:1412 6: std::sys_common::backtrace::_print at src/libstd/sys_common/backtrace.rs:65 7: std::sys_common::backtrace::print at src/libstd/sys_common/backtrace.rs:50 8: std::panicking::default_hook::{{closure}} at src/libstd/panicking.rs:188 9: std::panicking::default_hook at src/libstd/panicking.rs:205 10: <alloc::boxed::Box<F> as core::ops::function::Fn<A>>::call at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/liballoc/boxed.rs:956 11: libfuzzer_sys::initialize::{{closure}} at /XXX/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/0c45075/src/lib.rs:50 12: std::panicking::rust_panic_with_hook at src/libstd/panicking.rs:468 13: std::panicking::begin_panic at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panicking.rs:400 14: cranelift_wasm::translation_utils::FuncIndex::from_u32 at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/<::cranelift_entity::entity_impl macros>:20 15: cranelift_wasm::sections_translator::parse_function_name_subsection at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/sections_translator.rs:419 16: core::ops::function::FnOnce::call_once at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libcore/ops/function.rs:227 17: core::option::Option<T>::and_then at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libcore/option.rs:657 18: cranelift_wasm::sections_translator::parse_name_section at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/sections_translator.rs:395 19: cranelift_wasm::module_translator::translate_module at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/module_translator.rs:83 20: wasmtime_environ::module_environ::ModuleEnvironment::translate at crates/environ/src/module_environ.rs:83 21: wasmtime_jit::instantiate::RawCompiledModule::new at crates/jit/src/instantiate.rs:68 22: wasmtime_jit::instantiate::CompiledModule::new at crates/jit/src/instantiate.rs:159 23: wasmtime_fuzzing::oracles::compile at crates/fuzzing/src/oracles.rs:84 24: rust_fuzzer_test_input at fuzz/fuzz_targets/compile.rs:8 25: libfuzzer_sys::test_input_wrap::{{closure}} at /XXX/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/0c45075/src/lib.rs:27 26: std::panicking::try::do_call at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panicking.rs:287 27: __rust_maybe_catch_panic at src/libpanic_unwind/lib.rs:79 28: std::panicking::try at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panicking.rs:265 29: std::panic::catch_unwind at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panic.rs:396 30: LLVMFuzzerTestOneInput at /XXX/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/0c45075/src/lib.rs:25 31: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm at libfuzzer/FuzzerLoop.cpp:553 32: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm at libfuzzer/FuzzerDriver.cpp:292 33: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE 34: main at libfuzzer/FuzzerMain.cpp:19 35: __libc_start_main 36: _start
GitHub (Dec 21 2019 at 21:37):abrown closed Issue #1306:
Issue description
During fuzzing of lightbeam, i found this crash that seems to be related to cranelift.
$ cargo +nightly fuzz run compile assert_failed_cranelift_entity.wasm Running: assert_failed_cranelift_entity.wasm thread '<unnamed>' panicked at 'assertion failed: x < ::cranelift_entity::__core::u32::MAX', /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/translation_utils.rs:18:1Note: crash will not happen if you are calling
wasmtimebinary but only usingcompileAPI.
Also, the crash happen using both fuzzing strategy (i.e. cranelift or ligthbeam)Reproduction
Download assert_failed_cranelift_entity.zip
Run the fuzzer:
$ cargo +nightly fuzz run compile assert_failed_cranelift_entity.wasm Running: assert_failed_cranelift_entity.wasm thread '<unnamed>' panicked at 'assertion failed: x < ::cranelift_entity::__core::u32::MAX', /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/translation_utils.rs:18:1wasmtime commit: 086ff63e6b38efcb9a69379fb4e3f6ea3a622a9c
Crash details
Running: assert_failed_cranelift_entity.wasm thread '<unnamed>' panicked at 'assertion failed: x < ::cranelift_entity::__core::u32::MAX', /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/translation_utils.rs:18:1 stack backtrace: 0: backtrace::backtrace::libunwind::trace at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/libunwind.rs:88 1: backtrace::backtrace::trace_unsynchronized at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/mod.rs:66 2: std::sys_common::backtrace::_print_fmt at src/libstd/sys_common/backtrace.rs:77 3: <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt at src/libstd/sys_common/backtrace.rs:61 4: core::fmt::write at src/libcore/fmt/mod.rs:1030 5: std::io::Write::write_fmt at src/libstd/io/mod.rs:1412 6: std::sys_common::backtrace::_print at src/libstd/sys_common/backtrace.rs:65 7: std::sys_common::backtrace::print at src/libstd/sys_common/backtrace.rs:50 8: std::panicking::default_hook::{{closure}} at src/libstd/panicking.rs:188 9: std::panicking::default_hook at src/libstd/panicking.rs:205 10: <alloc::boxed::Box<F> as core::ops::function::Fn<A>>::call at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/liballoc/boxed.rs:956 11: libfuzzer_sys::initialize::{{closure}} at /XXX/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/0c45075/src/lib.rs:50 12: std::panicking::rust_panic_with_hook at src/libstd/panicking.rs:468 13: std::panicking::begin_panic at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panicking.rs:400 14: cranelift_wasm::translation_utils::FuncIndex::from_u32 at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/<::cranelift_entity::entity_impl macros>:20 15: cranelift_wasm::sections_translator::parse_function_name_subsection at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/sections_translator.rs:419 16: core::ops::function::FnOnce::call_once at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libcore/ops/function.rs:227 17: core::option::Option<T>::and_then at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libcore/option.rs:657 18: cranelift_wasm::sections_translator::parse_name_section at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/sections_translator.rs:395 19: cranelift_wasm::module_translator::translate_module at /XXX/.cargo/registry/src/github.com-1ecc6299db9ec823/cranelift-wasm-0.50.0/src/module_translator.rs:83 20: wasmtime_environ::module_environ::ModuleEnvironment::translate at crates/environ/src/module_environ.rs:83 21: wasmtime_jit::instantiate::RawCompiledModule::new at crates/jit/src/instantiate.rs:68 22: wasmtime_jit::instantiate::CompiledModule::new at crates/jit/src/instantiate.rs:159 23: wasmtime_fuzzing::oracles::compile at crates/fuzzing/src/oracles.rs:84 24: rust_fuzzer_test_input at fuzz/fuzz_targets/compile.rs:8 25: libfuzzer_sys::test_input_wrap::{{closure}} at /XXX/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/0c45075/src/lib.rs:27 26: std::panicking::try::do_call at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panicking.rs:287 27: __rust_maybe_catch_panic at src/libpanic_unwind/lib.rs:79 28: std::panicking::try at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panicking.rs:265 29: std::panic::catch_unwind at /rustc/4f03f4a989d1c8346c19dfb417a77c09b34408b8/src/libstd/panic.rs:396 30: LLVMFuzzerTestOneInput at /XXX/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/0c45075/src/lib.rs:25 31: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm at libfuzzer/FuzzerLoop.cpp:553 32: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm at libfuzzer/FuzzerDriver.cpp:292 33: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE 34: main at libfuzzer/FuzzerMain.cpp:19 35: __libc_start_main 36: _start
Last updated: Nov 22 2024 at 17:03 UTC