afonso360 opened PR #8941 from afonso360:fuzzgen-stack-maps
to bytecodealliance:main
:
:wave: Hey,
This PR adds the new variable stack map apis (added in #8937) to cranelift fuzzgen.
I've tried to fuzz this for a bit, but it seems to generate invalid functions that don't pass the validator. I don't know enough about how stackmaps work to debug this. (cc @fitzgen)
I also don't know if this feature is ready for fuzzing yet, so if it isn't let me know!
Here's one of the fuzz bugs:
<details>
<summary>Panic</summary>thread '<unnamed>' panicked at fuzz/fuzz_targets/cranelift-fuzzgen.rs:402:14: called `Result::unwrap()` on an `Err` value: Compilation error: Verifier errors Caused by: 0: Verifier errors 1: - inst10 (stack_store.f32 v24, ss1): uses value v24 from non-dominating inst6
</details>
<details>
<summary>base64</summary>/34Vbf91NDQzW23Ny8vLNMvFNDQ3ycvKLjg4ODg4ODAwMHIwMTUxbTMwMDL/Gv8jygI0ODh4MDAwcjAxNTFtMzAwMv8CNDQ0eHg0NDQjygD///8+Pl0+Pj4+PgEBAQEBAQH3AQ==
</details>
<details>
<summary>CLIF</summary>test interpret test run set probestack_size_log2=11 set probestack_strategy=inline set enable_safepoints=true set enable_llvm_abi_extensions=true set preserve_frame_pointers=true set machine_code_cfg_info=true set enable_probestack=true set enable_jump_tables=false set enable_heap_access_spectre_mitigation=false set enable_incremental_compilation_cache_checks=true target x86_64 has_sse3 has_ssse3 has_sse41 has_sse42 has_avx has_avx2 has_fma has_popcnt has_bmi1 has_bmi2 has_lzcnt function u1:0(i64x2, i16 uext, f32, f64x2, i32x4, i32x4, f32x4, i16x8, i8 sext, i32x4, i8x16, i32 uext, i128, i64 sext) -> i32x4, i32x4, i64x2, i32x4, i64x2, i16 uext, f32, f64x2, i32x4, i32x4, f32x4, i16x8 fast { ss0 = explicit_slot 2, align = 2 ss1 = explicit_slot 4, align = 4 ss2 = explicit_slot 16, align = 16 sig0 = (f32) -> f32 system_v sig1 = (f64) -> f64 system_v sig2 = (f32) -> f32 system_v sig3 = (f64) -> f64 system_v sig4 = (f32) -> f32 system_v sig5 = (f64) -> f64 system_v fn0 = %CeilF32 sig0 fn1 = %CeilF64 sig1 fn2 = %FloorF32 sig2 fn3 = %FloorF64 sig3 fn4 = %TruncF32 sig4 fn5 = %TruncF64 sig5 block0(v0: i64x2, v1: i16, v2: f32, v3: f64x2, v4: i32x4, v5: i32x4, v6: f32x4, v7: i16x8, v8: i8, v9: i32x4, v10: i8x16, v11: i32, v12: i128, v13: i64): v22 -> v0 v23 -> v1 v25 -> v3 v26 -> v6 v27 -> v7 v15 = iconst.i16 257 v16 = iconst.i8 0 v17 = iconst.i16 0 v18 = iconst.i32 0 v19 = iconst.i64 0 v20 = uextend.i128 v19 ; v19 = 0 stack_store v23, ss0 stack_store v24, ss1 stack_store v22, ss2 v21 = call fn0(v2), stack_map=[i16 @ ss0+0, f32 @ ss1+0, i64x2 @ ss2+0] v24 -> v21 brif v8, block1(v4), block1(v4) block1(v14: i32x4): return v14, v14, v22, v14, v22, v23, v24, v25, v14, v14, v26, v27 } ; Note: the results in the below test cases are simply a placeholder and probably will be wrong ; run: u1:0(0x00000000000000000000000000000000, 0, 0.0, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0, 0, 0) == [0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0, 0.0, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000]
</details>
fitzgen commented on PR #8941:
Thanks Afonso!!
I'll take a look a little later today.
fitzgen commented on PR #8941:
I have a fix, PR incoming.
fitzgen commented on PR #8941:
I have a fix, PR incoming.
fitzgen commented on PR #8941:
I've been running
cranelift-fuzzgen
with this branch and my fix from that other PR for a little while and nothing else has turned up, so we can probably land this PR as soon as the other lands.
fitzgen submitted PR review.
fitzgen submitted PR review.
fitzgen created PR review comment:
let uses_stack_map = ty.bytes() <= 16 && self.u.arbitrary()?;
fitzgen submitted PR review.
fitzgen created PR review comment:
Not sure if
cranelift-fuzzgen
will generate types larger than 16 bytes in the first place, but even if it doesn't, this is a good guard rail to have for future proofing.
afonso360 submitted PR review.
afonso360 created PR review comment:
Not currently, but probably good to add this in!
afonso360 commented on PR #8941:
Running it locally seems to have run into another crash, this one quite a bit larger. It also doesn't seem to minimize well.
<details>
<summary>base64</summary>/0DfRUooLS0tNEsASwBLS0sxDUt1MUs6/w0KS7//AMgh/4hbAy76HwGo/wL/LHv/fv9/KwD2ODg4ODhVN0I4ODgBAAATODgxAADvFv9A30VKMS0tLS0wSwBJAEtLC7kAS0tLDUtLDQL/v/8AyCGI2FsDLvofAaj/Av9Me3p+/38AAPY0NDgyNjGcnJycnJxenAAAAAAAAAAQAAAAC7kAS0sAAIEAgAgAEx8fHx/X4ODgHwAfHx8fHx8fHx8fHx8lH4j//w0DA9HR0dHR0dHR0dHR0dHRwtHRODg4GDAwMHIwMRM7AP8oAP8fRT7IyE0BKP8Cfv9b/3p/AAAALAHqAPr//5wB9wD/3/v7+/v7+wD2ODg4AQAAA//83P8oRT7IyE0AOwAFABcAAAAA8N0S3QMyAABiYmJiY2JiOhEREf4f3t7f4v8OHQAAAAAAFDQ0GjRHMCol7QAMDv////////8R/8vINADSKzQ1M7HNz8g7GwUAAW3/Kho0NGxsMQcAAAD+/v4BAQF57+pF///v6kVFRUUAgICAgICAAA7PAACTMJNFRUWf
</details>
<details>
<summary>Panic</summary>Running: fuzz/artifacts/cranelift-fuzzgen/crash-64fe78830d244b9bce1bd3fbfa0e14cceff1242c thread '<unnamed>' panicked at fuzz/fuzz_targets/cranelift-fuzzgen.rs:403:14: called `Result::unwrap()` on an `Err` value: Compilation error: Verifier errors Caused by: 0: Verifier errors 1: - inst263 (stack_store.i32 v178, ss6+4): uses value arg from non-dominating block3 note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace ==14905== ERROR: libFuzzer: deadly signal NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash reports.
</details>
<details>
<summary>Clif</summary>;; Run test case test interpret test run set opt_level=speed set bb_padding_log2_minus_one=10 set enable_safepoints=true set enable_llvm_abi_extensions=true set unwind_info=false set machine_code_cfg_info=true target x86_64 has_sse3 has_ssse3 has_sse41 has_sse42 has_avx has_avx2 has_fma has_popcnt has_bmi1 has_bmi2 has_lzcnt function u1:0(i8 sext, i8x16, i64 uext, i16 sext, i16x8, i32 sext, f32, f64, i16x8, i32x4, i16x8, i64x2, i128 sext, f64x2, i128, i128) tail { ss0 = explicit_slot 76, align = 512 ss1 = explicit_slot 59, align = 32 ss2 = explicit_slot 0, align = 2 ss3 = explicit_slot 126, align = 512 ss4 = explicit_slot 52, align = 256 ss5 = explicit_slot 108, align = 32 ss6 = explicit_slot 8, align = 4 ss7 = explicit_slot 16, align = 8 ss8 = explicit_slot 80, align = 16 sig0 = (f32) -> f32 system_v sig1 = (f64) -> f64 system_v sig2 = (f32) -> f32 system_v sig3 = (f64) -> f64 system_v sig4 = (f32) -> f32 system_v sig5 = (f64) -> f64 system_v fn0 = %CeilF32 sig0 fn1 = colocated %CeilF64 sig1 fn2 = colocated %FloorF32 sig2 fn3 = %FloorF64 sig3 fn4 = %TruncF32 sig4 fn5 = %TruncF64 sig5 block0(v0: i8, v1: i8x16, v2: i64, v3: i16, v4: i16x8, v5: i32, v6: f32, v7: f64, v8: i16x8, v9: i32x4, v10: i16x8, v11: i64x2, v12: i128, v13: f64x2, v14: i128, v15: i128): v32 = iconst.i8 0 v33 = iconst.i16 0 v34 = iconst.i32 0 v35 = iconst.i64 0 v36 = uextend.i128 v35 ; v35 = 0 v37 = stack_addr.i64 ss4 store notrap v36, v37 v38 = stack_addr.i64 ss4+16 store notrap v36, v38 v39 = stack_addr.i64 ss4+32 store notrap v36, v39 v40 = stack_addr.i64 ss4+48 store notrap v34, v40 ; v34 = 0 v41 = stack_addr.i64 ss1 store notrap heap v36, v41 v42 = stack_addr.i64 ss1+16 store notrap heap v36, v42 v43 = stack_addr.i64 ss1+32 store notrap heap v36, v43 v44 = stack_addr.i64 ss1+48 store notrap heap v35, v44 ; v35 = 0 v45 = stack_addr.i64 ss1+56 store notrap heap v33, v45 ; v33 = 0 v46 = stack_addr.i64 ss1+58 store notrap heap v32, v46 ; v32 = 0 v47 = stack_addr.i64 ss0 store notrap v36, v47 v48 = stack_addr.i64 ss0+16 store notrap v36, v48 v49 = stack_addr.i64 ss0+32 store notrap v36, v49 v50 = stack_addr.i64 ss0+48 store notrap v36, v50 v51 = stack_addr.i64 ss0+64 store notrap v35, v51 ; v35 = 0 v52 = stack_addr.i64 ss0+72 store notrap v34, v52 ; v34 = 0 v53 = stack_addr.i64 ss5 store notrap vmctx v36, v53 v54 = stack_addr.i64 ss5+16 store notrap vmctx v36, v54 v55 = stack_addr.i64 ss5+32 store notrap vmctx v36, v55 v56 = stack_addr.i64 ss5+48 store notrap vmctx v36, v56 v57 = stack_addr.i64 ss5+64 store notrap vmctx v36, v57 v58 = stack_addr.i64 ss5+80 store notrap vmctx v36, v58 v59 = stack_addr.i64 ss5+96 store notrap vmctx v35, v59 ; v35 = 0 v60 = stack_addr.i64 ss5+104 store notrap vmctx v34, v60 ; v34 = 0 v61 = stack_addr.i64 ss3 store notrap table v36, v61 v62 = stack_addr.i64 ss3+16 store notrap table v36, v62 v63 = stack_addr.i64 ss3+32 store notrap table v36, v63 v64 = stack_addr.i64 ss3+48 store notrap table v36, v64 v65 = stack_addr.i64 ss3+64 store notrap table v36, v65 v66 = stack_addr.i64 ss3+80 store notrap table v36, v66 v67 = stack_addr.i64 ss3+96 store notrap table v36, v67 v68 = stack_addr.i64 ss3+112 store notrap table v35, v68 ; v35 = 0 v69 = stack_addr.i64 ss3+120 store notrap table v34, v69 ; v34 = 0 v70 = stack_addr.i64 ss3+124 store notrap table v33, v70 ; v33 = 0 v71 = stack_addr.i64 ss3 v72 = load.i64x2 table v71+17 v73 = stack_addr.i64 ss5+27 v74 = sload8.i64 vmctx v73 v75 = insertlane v9, v5, 0 v76 = stack_addr.i64 ss0+69 v77 = sload16.i32 v76+1 v78 = icmp_imm uge v0, 168 brif v78, block7, block6 block7: v79 = icmp_imm.i8 uge v0, 215 brif v79, block9, block8 block9: v80 = icmp_imm.i8 eq v0, 250 brif v80, block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block10 block10: v81 = icmp_imm.i8 uge v0, 215 brif v81, block11, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3) block11: v82 = iadd_imm.i8 v0, -215 v83 = uextend.i32 v82 br_table v83, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), [block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3)] block8: v84 = icmp_imm.i8 uge v0, 185 brif v84, block13, block12 block13: v85 = iadd_imm.i8 v0, -185 v86 = uextend.i32 v85 br_table v86, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), [block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3)] block12: v87 = icmp_imm.i8 eq v0, 168 brif v87, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3) block6: v88 = icmp_imm.i8 uge v0, 91 brif v88, block15, block14 block15: v89 = icmp_imm.i8 uge v0, 128 brif v89, block17, block16 block17: v90 = iadd_imm.i8 v0, -128 v91 = uextend.i32 v90 br_table v91, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), [block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3)] block16: v92 = icmp_imm.i8 eq v0, 91 brif v92, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3) block14: v93 = icmp_imm.i8 eq v0, 75 brif v93, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block18 block18: v94 = uextend.i32 v0 br_table v94, block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), [block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block3(v77, v12, v75, v72, v7, v0, v4, v74, v6, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, v72, v7, v0, v4, v3), block1(v74, v6, v12, v77, v75, [message truncated]
afonso360 updated PR #8941.
afonso360 has marked PR #8941 as ready for review.
afonso360 requested cfallin for a review on PR #8941.
afonso360 requested wasmtime-compiler-reviewers for a review on PR #8941.
fitzgen commented on PR #8941:
Running it locally seems to have run into another crash, this one quite a bit larger. It also doesn't seem to minimize well.
Taking a look, thanks!
fitzgen commented on PR #8941:
@afonso360 huh, that input doesn't fail on
de29ce3598
for me. Will try fuzzing for a while.
afonso360 commented on PR #8941:
Oh, i pushed a new revision that changes the input format! You might want to force reset onto https://github.com/bytecodealliance/wasmtime/pull/8941/commits/635ea5789a1bad50af2695dcca937cf7c53b54cd
afonso360 edited a comment on PR #8941:
Oh, I pushed a new revision that changes the input format! You might want to force reset onto https://github.com/bytecodealliance/wasmtime/pull/8941/commits/635ea5789a1bad50af2695dcca937cf7c53b54cd
afonso360 edited a comment on PR #8941:
@fitzgen Oh, I pushed a new revision that changes the input format! You might want to force reset onto https://github.com/bytecodealliance/wasmtime/pull/8941/commits/635ea5789a1bad50af2695dcca937cf7c53b54cd
fitzgen commented on PR #8941:
@fitzgen Oh, I pushed a new revision that changes the input format! You might want to force reset onto 635ea57
Huh. On top of 635ea5789a, I also don't get any fuzzing failures.
afonso360 commented on PR #8941:
That is super weird :thinking: Can you run
md5sum
on the input file? I was able to reproduce with3cc2b287a4ea60cdb54e87640f0ff0e5
.Otherwise, I have no idea why this wouldn't reproduce.
fitzgen commented on PR #8941:
I'm indeed getting a different md5 sum, even when I re-create the file from the base64 again. Mind uploading the full input as an attachment?
afonso360 commented on PR #8941:
Github doesn't seem to like files without extensions. Here's the original fuzz input
input.txt
fitzgen commented on PR #8941:
After cherry picking #8978 onto this branch, the fuzz input no longer fails. Running a bit longer locally to see if anything else turns up.
fitzgen commented on PR #8941:
Found another bug with this fuzzer overnight, fix over in https://github.com/bytecodealliance/wasmtime/pull/9000
Continuing to run the fuzzer now.
fitzgen commented on PR #8941:
Thought I was in the clear after running the fuzzer all day yesterday without issue, but I woke up to a new fuzz bug.
fitzgen commented on PR #8941:
Thought I was in the clear after running the fuzzer all day yesterday without issue, but I woke up to a new fuzz bug.
Turns out this was actually unrelated to safepoints/stack maps, but generating them in fuzzgen made it more likely to produce the specific shape of code required to trigger a pre-existing bug. Fix in https://github.com/bytecodealliance/wasmtime/pull/9003
fitzgen commented on PR #8941:
At this point, I think we can go ahead and merge this PR and deal with any remaining issues as OSS-Fuzz finds them.
fitzgen commented on PR #8941:
I'll enqueue this to merge after https://github.com/bytecodealliance/wasmtime/pull/9003 merges.
afonso360 merged PR #8941.
Last updated: Dec 23 2024 at 12:05 UTC