Stream: git-wasmtime

Topic: wasmtime / PR #3299 Cranelift CLIF Fuzzer add jump tables...


Wasmtime GitHub notifications bot (Sep 03 2021 at 18:43):

afonso360 opened PR #3299 from fuzzer-brtable to main:

Hey!

A small addition to #3094. This is the last planned branch instruction for the CLIF fuzzer (since it looks like brif/brff are going to be removed), and means that we have completed the branch / jump part of the fuzzer :tada:

This change independently found #3100 which was fixed in #3282.

Wasmtime GitHub notifications bot (Sep 03 2021 at 18:49):

afonso360 edited PR #3299 from fuzzer-brtable to main:

Hey!

A small addition to #3094. This is the last planned branch instruction for the CLIF fuzzer (since it looks like brif/brff are going to be removed), and means that we have completed the branch / jump part of the fuzzer :tada:

This change independently found #3100 which was fixed in #3282.

Wasmtime GitHub notifications bot (Sep 03 2021 at 19:06):

cfallin submitted PR review.

Wasmtime GitHub notifications bot (Sep 03 2021 at 19:06):

cfallin created PR review comment:

The "empty blockparams" condition is of course necessary, but how do we guard against cases where no blocks fit this requirement, and we end up doing a choose() on an empty list (which will panic)? Possibly I'm just missing this invariant elsewhere -- if so, could you add a comment describing why it'll always succeed, and maybe an assert!(target_blocks.len() > 0) or somesuch?

Wasmtime GitHub notifications bot (Sep 03 2021 at 19:17):

afonso360 created PR review comment:

This already happens all the time, i.e. we are never guaranteed to generate variables of any type, so any instruction that requests a value of a type that doesn't exist ends up doing a choose on an empty block.

https://github.com/bytecodealliance/wasmtime/blob/3db8043a0284dd40e2859f8df3e05e730a706624/cranelift/fuzzgen/src/function_generator.rs#L194-L198

What ends up happening here is that choose returns an error; we bubble the error up and into cargo-fuzz, which marks this input as invalid and starts another round of fuzzing.

Wasmtime GitHub notifications bot (Sep 03 2021 at 19:17):

afonso360 submitted PR review.

Wasmtime GitHub notifications bot (Sep 03 2021 at 19:19):

afonso360 edited PR review comment.

Wasmtime GitHub notifications bot (Sep 03 2021 at 19:21):

cfallin submitted PR review.

Wasmtime GitHub notifications bot (Sep 03 2021 at 19:21):

cfallin created PR review comment:

Ah, great, the key bit is that the failure bubbles up; I couldn't recall if choose() just panics in this case instead. All good then -- I'll go ahead and merge, thanks!

Wasmtime GitHub notifications bot (Sep 03 2021 at 19:21):

afonso360 edited PR review comment.

Wasmtime GitHub notifications bot (Sep 03 2021 at 19:43):

cfallin merged PR #3299.


Last updated: Dec 23 2024 at 12:05 UTC