Wasmtime GitHub notifications bot (Jul 11 2024 at 18:08): Wasmtime GitHub notifications bot (Jul 11 2024 at 18:08):afonso360 opened PR #8941 from afonso360:fuzzgen-stack-maps to bytecodealliance:main:
:wave: Hey,
This PR adds the new variable stack map apis (added in #8937) to cranelift fuzzgen.
I've tried to fuzz this for a bit, but it seems to generate invalid functions that don't pass the validator. I don't know enough about how stackmaps work to debug this. (cc @fitzgen)
I also don't know if this feature is ready for fuzzing yet, so if it isn't let me know!
Here's one of the fuzz bugs:
<details>
<summary>Panic</summary>thread '<unnamed>' panicked at fuzz/fuzz_targets/cranelift-fuzzgen.rs:402:14: called `Result::unwrap()` on an `Err` value: Compilation error: Verifier errors Caused by: 0: Verifier errors 1: - inst10 (stack_store.f32 v24, ss1): uses value v24 from non-dominating inst6</details>
<details>
<summary>base64</summary>/34Vbf91NDQzW23Ny8vLNMvFNDQ3ycvKLjg4ODg4ODAwMHIwMTUxbTMwMDL/Gv8jygI0ODh4MDAwcjAxNTFtMzAwMv8CNDQ0eHg0NDQjygD///8+Pl0+Pj4+PgEBAQEBAQH3AQ==</details>
<details>
<summary>CLIF</summary>test interpret test run set probestack_size_log2=11 set probestack_strategy=inline set enable_safepoints=true set enable_llvm_abi_extensions=true set preserve_frame_pointers=true set machine_code_cfg_info=true set enable_probestack=true set enable_jump_tables=false set enable_heap_access_spectre_mitigation=false set enable_incremental_compilation_cache_checks=true target x86_64 has_sse3 has_ssse3 has_sse41 has_sse42 has_avx has_avx2 has_fma has_popcnt has_bmi1 has_bmi2 has_lzcnt function u1:0(i64x2, i16 uext, f32, f64x2, i32x4, i32x4, f32x4, i16x8, i8 sext, i32x4, i8x16, i32 uext, i128, i64 sext) -> i32x4, i32x4, i64x2, i32x4, i64x2, i16 uext, f32, f64x2, i32x4, i32x4, f32x4, i16x8 fast { ss0 = explicit_slot 2, align = 2 ss1 = explicit_slot 4, align = 4 ss2 = explicit_slot 16, align = 16 sig0 = (f32) -> f32 system_v sig1 = (f64) -> f64 system_v sig2 = (f32) -> f32 system_v sig3 = (f64) -> f64 system_v sig4 = (f32) -> f32 system_v sig5 = (f64) -> f64 system_v fn0 = %CeilF32 sig0 fn1 = %CeilF64 sig1 fn2 = %FloorF32 sig2 fn3 = %FloorF64 sig3 fn4 = %TruncF32 sig4 fn5 = %TruncF64 sig5 block0(v0: i64x2, v1: i16, v2: f32, v3: f64x2, v4: i32x4, v5: i32x4, v6: f32x4, v7: i16x8, v8: i8, v9: i32x4, v10: i8x16, v11: i32, v12: i128, v13: i64): v22 -> v0 v23 -> v1 v25 -> v3 v26 -> v6 v27 -> v7 v15 = iconst.i16 257 v16 = iconst.i8 0 v17 = iconst.i16 0 v18 = iconst.i32 0 v19 = iconst.i64 0 v20 = uextend.i128 v19 ; v19 = 0 stack_store v23, ss0 stack_store v24, ss1 stack_store v22, ss2 v21 = call fn0(v2), stack_map=[i16 @ ss0+0, f32 @ ss1+0, i64x2 @ ss2+0] v24 -> v21 brif v8, block1(v4), block1(v4) block1(v14: i32x4): return v14, v14, v22, v14, v22, v23, v24, v25, v14, v14, v26, v27 } ; Note: the results in the below test cases are simply a placeholder and probably will be wrong ; run: u1:0(0x00000000000000000000000000000000, 0, 0.0, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0, 0, 0) == [0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0, 0.0, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000]</details>
Wasmtime GitHub notifications bot (Jul 11 2024 at 18:11):fitzgen commented on PR #8941:
Thanks Afonso!!
I'll take a look a little later today.
Wasmtime GitHub notifications bot (Jul 12 2024 at 16:50):fitzgen commented on PR #8941:
I have a fix, PR incoming.
Wasmtime GitHub notifications bot (Jul 12 2024 at 16:58):fitzgen commented on PR #8941:
I have a fix, PR incoming.
Wasmtime GitHub notifications bot (Jul 12 2024 at 17:00):fitzgen commented on PR #8941:
I've been running
cranelift-fuzzgenwith this branch and my fix from that other PR for a little while and nothing else has turned up, so we can probably land this PR as soon as the other lands.
Wasmtime GitHub notifications bot (Jul 12 2024 at 17:02):fitzgen submitted PR review.
Wasmtime GitHub notifications bot (Jul 12 2024 at 17:02):fitzgen submitted PR review.
Wasmtime GitHub notifications bot (Jul 12 2024 at 17:02):fitzgen created PR review comment:
let uses_stack_map = ty.bytes() <= 16 && self.u.arbitrary()?;
Wasmtime GitHub notifications bot (Jul 12 2024 at 17:03):fitzgen submitted PR review.
Wasmtime GitHub notifications bot (Jul 12 2024 at 17:03):fitzgen created PR review comment:
Not sure if
cranelift-fuzzgenwill generate types larger than 16 bytes in the first place, but even if it doesn't, this is a good guard rail to have for future proofing.
Wasmtime GitHub notifications bot (Jul 13 2024 at 19:25):afonso360 submitted PR review.
Wasmtime GitHub notifications bot (Jul 13 2024 at 19:25):afonso360 created PR review comment:
Not currently, but probably good to add this in!
Wasmtime GitHub notifications bot (Jul 13 2024 at 21:02):afonso360 commented on PR #8941:
Running it locally seems to have run into another crash, this one quite a bit larger. It also doesn't seem to minimize well.
<details>
<summary>base64</summary>/0DfRUooLS0tNEsASwBLS0sxDUt1MUs6/w0KS7//AMgh/4hbAy76HwGo/wL/LHv/fv9/KwD2ODg4ODhVN0I4ODgBAAATODgxAADvFv9A30VKMS0tLS0wSwBJAEtLC7kAS0tLDUtLDQL/v/8AyCGI2FsDLvofAaj/Av9Me3p+/38AAPY0NDgyNjGcnJycnJxenAAAAAAAAAAQAAAAC7kAS0sAAIEAgAgAEx8fHx/X4ODgHwAfHx8fHx8fHx8fHx8lH4j//w0DA9HR0dHR0dHR0dHR0dHRwtHRODg4GDAwMHIwMRM7AP8oAP8fRT7IyE0BKP8Cfv9b/3p/AAAALAHqAPr//5wB9wD/3/v7+/v7+wD2ODg4AQAAA//83P8oRT7IyE0AOwAFABcAAAAA8N0S3QMyAABiYmJiY2JiOhEREf4f3t7f4v8OHQAAAAAAFDQ0GjRHMCol7QAMDv////////8R/8vINADSKzQ1M7HNz8g7GwUAAW3/Kho0NGxsMQcAAAD+/v4BAQF57+pF///v6kVFRUUAgICAgICAAA7PAACTMJNFRUWf</details>
<details>
<summary>Panic</summary>Running: fuzz/artifacts/cranelift-fuzzgen/crash-64fe78830d244b9bce1bd3fbfa0e14cceff1242c thread '<unnamed>' panicked at fuzz/fuzz_targets/cranelift-fuzzgen.rs:403:14: called `Result::unwrap()` on an `Err` value: Compilation error: Verifier errors Caused by: 0: Verifier errors 1: - inst263 (stack_store.i32 v178, ss6+4): uses value arg from non-dominating block3 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace ==14905== ERROR: libFuzzer: deadly signal NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash reports.</details>
<details>
<summary>Clif</summary>;; Run test case test interpret test run set opt_level=speed set bb_padding_log2_minus_one=10 set enable_safepoints=true set enable_llvm_abi_extensions=true set unwind_info=false set machine_code_cfg_info=true target x86_64 has_sse3 has_ssse3 has_sse41 has_sse42 has_avx has_avx2 has_fma has_popcnt has_bmi1 has_bmi2 has_lzcnt function u1:0(i8 sext, i8x16, i64 uext, i16 sext, i16x8, i32 sext, f32, f64, i16x8, i32x4, i16x8, i64x2, i128 sext, f64x2, i128, i128) tail { ss0 = explicit_slot 76, align = 512 ss1 = explicit_slot 59, align = 32 ss2 = explicit_slot 0, align = 2 ss3 = explicit_slot 126, align = 512 ss4 = explicit_slot 52, align = 256 ss5 = explicit_slot 108, align = 32 ss6 = explicit_slot 8, align = 4 ss7 = explicit_slot 16, align = 8 ss8 = explicit_slot 80, align = 16 sig0 = (f32) -> f32 system_v sig1 = (f64) -> f64 system_v sig2 = (f32) -> f32 system_v sig3 = (f64) -> f64 system_v sig4 = (f32) -> f32 system_v sig5 = (f64) -> f64 system_v fn0 = %CeilF32 sig0 fn1 = colocated %CeilF64 sig1 fn2 = colocated %FloorF32 sig2 fn3 = %FloorF64 sig3 fn4 = %TruncF32 sig4 fn5 = %TruncF64 sig5 block0(v0: i8, v1: i8x16, v2: i64, v3: i16, v4: i16x8, v5: i32, v6: f32, v7: f64, v8: i16x8, v9: i32x4, v10: i16x8, v11: i64x2, v12: i128, v13: f64x2, v14: i128, v15: i128): v32 = iconst.i8 0 v33 = iconst.i16 0 v34 = iconst.i32 0 v35 = iconst.i64 0 v36 = uextend.i128 v35 ; v35 = 0 v37 = stack_addr.i64 ss4 store notrap v36, v37 v38 = stack_addr.i64 ss4+16 store notrap v36, v38 v39 = stack_addr.i64 ss4+32 store notrap v36, v39 v40 = stack_addr.i64 ss4+48 store notrap v34, v40 ; v34 = 0 v41 = stack_addr.i64 ss1 store notrap heap v36, v41 v42 = stack_addr.i64 ss1+16 store notrap heap v36, v42 v43 = stack_addr.i64 ss1+32 store notrap heap v36, v43 v44 = stack_addr.i64 ss1+48 store notrap heap v35, v44 ; v35 = 0 v45 = stack_addr.i64 ss1+56 store notrap heap v33, v45 ; v33 = 0 v46 = stack_addr.i64 ss1+58 store notrap heap v32, v46 ; v32 = 0 v47 = stack_addr.i64 ss0 store notrap v36, v47 v48 = stack_addr.i64 ss0+16 store notrap v36, v48 v49 = stack_addr.i64 ss0+32 store notrap v36, v49 v50 = stack_addr.i64 ss0+48 store notrap v36, v50 v51 = stack_addr.i64 ss0+64 store notrap v35, v51 ; v35 = 0 v52 = stack_addr.i64 ss0+72 store notrap v34, v52 ; v34 = 0 v53 = stack_addr.i64 ss5 store notrap vmctx v36, v53 v54 = stack_addr.i64 ss5+16 store notrap vmctx v36, v54 v55 = stack_addr.i64 ss5+32 store notrap vmctx v36, v55 v56 = stack_addr.i64 ss5+48 store notrap vmctx v36, v56 v57 = stack_addr.i64 ss5+64 store notrap vmctx v36, v57 v58 = stack_addr.i64 ss5+80 store notrap vmctx v36, v58 v59 = stack_addr.i64 ss5+96 store notrap vmctx v35, v59 ; v35 = 0 v60 = stack_addr.i64 ss5+104 store notrap vmctx v34, v60 ; v34 = 0 v61 = stack_addr.i64 ss3 store notrap table v36, v61 v62 = stack_addr.i64 ss3+16 store notrap table v36, v62 v63 = stack_addr.i64 ss3+32 store notrap table v36, v63 v64 = stack_addr.i64 ss3+48 store notrap table v36, v64 v65 = stack_addr.i64 ss3+64 store notrap table v36, v65 v66 = stack_addr.i64 ss3+80 store notrap table v36, v66 v67 = stack_addr.i64 ss3+96 store notrap table v36, v67 v68 = stack_addr.i64 ss3+112 store notrap table v35, v68 ; v35 = 0 v69 = stack_addr.i64 ss3+120 store notrap table v34, v69 ; v34 = 0 v70 = stack_addr.i64 ss3+124 store notrap table v33, v70 ; v33 = 0 v71 = stack_addr.i64 ss3 v72 = load.i64x2 table v71+17 v73 = stack_addr.i64 ss5+27 v74 = sload8.i64 vmctx v73 v75 = insertlane v9, v5, 0 v76 = stack_addr.i64 ss0+69 v77 = sload16.i32 v76+1 v78 = icmp_imm uge v0, 168 brif v78, block7, block6 block7: v79 = icmp_imm.i8 uge v0, 215 brif v79, block9, block8 block9: v80 = icmp_imm.i8 eq v0, 250 brif v80, block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block10 block10: v81 = icmp_imm.i8 uge v0, 215 brif v81, block11, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3) block11: v82 = iadd_imm.i8 v0, -215 v83 = uextend.i32 v82 br_table v83, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), [block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3)] block8: v84 = icmp_imm.i8 uge v0, 185 brif v84, block13, block12 block13: v85 = iadd_imm.i8 v0, -185 v86 = uextend.i32 v85 br_table v86, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), [block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3)] block12: v87 = icmp_imm.i8 eq v0, 168 brif v87, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3) block6: v88 = icmp_imm.i8 uge v0, 91 brif v88, block15, block14 block15: v89 = icmp_imm.i8 uge v0, 128 brif v89, block17, block16 block17: v90 = iadd_imm.i8 v0, -128 v91 = uextend.i32 v90 br_table v91, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), [block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3)] block16: v92 = icmp_imm.i8 eq v0, 91 brif v92, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3) block14: v93 = icmp_imm.i8 eq v0, 75 brif v93, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block18 block18: v94 = uextend.i32 v0 br_table v94, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), [block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, [message truncated]
Wasmtime GitHub notifications bot (Jul 13 2024 at 21:03):afonso360 updated PR #8941.
Wasmtime GitHub notifications bot (Jul 13 2024 at 21:05):afonso360 has marked PR #8941 as ready for review.
Wasmtime GitHub notifications bot (Jul 13 2024 at 21:05):afonso360 requested cfallin for a review on PR #8941.
Wasmtime GitHub notifications bot (Jul 13 2024 at 21:05):afonso360 requested wasmtime-compiler-reviewers for a review on PR #8941.
Wasmtime GitHub notifications bot (Jul 15 2024 at 20:11):fitzgen commented on PR #8941:
Running it locally seems to have run into another crash, this one quite a bit larger. It also doesn't seem to minimize well.
Taking a look, thanks!
Wasmtime GitHub notifications bot (Jul 15 2024 at 20:18):fitzgen commented on PR #8941:
@afonso360 huh, that input doesn't fail on
de29ce3598for me. Will try fuzzing for a while.
Wasmtime GitHub notifications bot (Jul 15 2024 at 20:22):afonso360 commented on PR #8941:
Oh, i pushed a new revision that changes the input format! You might want to force reset onto https://github.com/bytecodealliance/wasmtime/pull/8941/commits/635ea5789a1bad50af2695dcca937cf7c53b54cd
Wasmtime GitHub notifications bot (Jul 15 2024 at 20:22):afonso360 edited a comment on PR #8941:
Oh, I pushed a new revision that changes the input format! You might want to force reset onto https://github.com/bytecodealliance/wasmtime/pull/8941/commits/635ea5789a1bad50af2695dcca937cf7c53b54cd
Wasmtime GitHub notifications bot (Jul 15 2024 at 20:23):afonso360 edited a comment on PR #8941:
@fitzgen Oh, I pushed a new revision that changes the input format! You might want to force reset onto https://github.com/bytecodealliance/wasmtime/pull/8941/commits/635ea5789a1bad50af2695dcca937cf7c53b54cd
Wasmtime GitHub notifications bot (Jul 15 2024 at 20:29):fitzgen commented on PR #8941:
@fitzgen Oh, I pushed a new revision that changes the input format! You might want to force reset onto 635ea57
Huh. On top of 635ea5789a, I also don't get any fuzzing failures.
Wasmtime GitHub notifications bot (Jul 15 2024 at 20:46):afonso360 commented on PR #8941:
That is super weird :thinking: Can you run
md5sumon the input file? I was able to reproduce with3cc2b287a4ea60cdb54e87640f0ff0e5.Otherwise, I have no idea why this wouldn't reproduce.
Wasmtime GitHub notifications bot (Jul 15 2024 at 21:52):fitzgen commented on PR #8941:
I'm indeed getting a different md5 sum, even when I re-create the file from the base64 again. Mind uploading the full input as an attachment?
Wasmtime GitHub notifications bot (Jul 15 2024 at 22:14):afonso360 commented on PR #8941:
Github doesn't seem to like files without extensions. Here's the original fuzz input
input.txt
Wasmtime GitHub notifications bot (Jul 22 2024 at 20:27):fitzgen commented on PR #8941:
After cherry picking #8978 onto this branch, the fuzz input no longer fails. Running a bit longer locally to see if anything else turns up.
Wasmtime GitHub notifications bot (Jul 23 2024 at 19:13):fitzgen commented on PR #8941:
Found another bug with this fuzzer overnight, fix over in https://github.com/bytecodealliance/wasmtime/pull/9000
Continuing to run the fuzzer now.
Wasmtime GitHub notifications bot (Jul 24 2024 at 16:09):fitzgen commented on PR #8941:
Thought I was in the clear after running the fuzzer all day yesterday without issue, but I woke up to a new fuzz bug.
Wasmtime GitHub notifications bot (Jul 24 2024 at 18:00):fitzgen commented on PR #8941:
Thought I was in the clear after running the fuzzer all day yesterday without issue, but I woke up to a new fuzz bug.
Turns out this was actually unrelated to safepoints/stack maps, but generating them in fuzzgen made it more likely to produce the specific shape of code required to trigger a pre-existing bug. Fix in https://github.com/bytecodealliance/wasmtime/pull/9003
Wasmtime GitHub notifications bot (Jul 24 2024 at 18:10):fitzgen commented on PR #8941:
At this point, I think we can go ahead and merge this PR and deal with any remaining issues as OSS-Fuzz finds them.
Wasmtime GitHub notifications bot (Jul 24 2024 at 18:11):fitzgen commented on PR #8941:
I'll enqueue this to merge after https://github.com/bytecodealliance/wasmtime/pull/9003 merges.
Wasmtime GitHub notifications bot (Jul 25 2024 at 08:19):afonso360 merged PR #8941.
Last updated: Nov 22 2024 at 16:03 UTC