wasmtime / issue #10033 Wasmtime/Cranelift: translation t... · git-wasmtime

Wasmtime GitHub notifications bot (Jan 16 2025 at 16:53):

The OSS-Fuzz fuzzing input yields the following Wasm file: https://gist.github.com/Robbepop/c82b13448227f3130c05c2252f3859e7
Unfortunately it is quite big but maybe it can be minified further.

Wasmi itself compiles the Wasm input extremely quickly thus I strongly assume the time-out happens due to Wasmtime or Cranelift.

The OSS-Fuzz console reports the Wasmtime requires over 60 seconds to compile this particular Wasm module.
Find the OSS-Fuzz console logs below:

Crash Stacktrace

[Environment] ASAN_OPTIONS=exitcode=77
    +----------------------------------------Release Build Stacktrace----------------------------------------+
    Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    Time ran: 62.636693477630615

    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 3073010528
    INFO: Loaded 1 modules   (1564427 inline 8-bit counters): 1564427 [0x57a75f0a5810, 0x57a75f22371b),
    INFO: Loaded 1 PC tables (1564427 PCs): 1564427 [0x57a75f223720,0x57a760a027d0),
    /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential: Running 1 inputs 100 time(s) each.
    Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    ALARM: working on the last Unit for 61 seconds
           and the timeout value is 60 (use -timeout=N to change)
    ==403== ERROR: libFuzzer: timeout after 61 seconds
        #0 0x57a759b911b1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
        #1 0x57a75e23f708 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
        #2 0x57a75e222a17 in fuzzer::Fuzzer::AlarmCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:304:5
        #3 0x7bc5684d441f in libpthread.so.0
        #4 0x57a75e23d128 in HandleCmp<unsigned char> /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:390:32
        #5 0x57a75e23d128 in __sanitizer_cov_trace_const_cmp1 /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:545:15
        #6 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::probe_seq::h63969da1eb5bb981 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:2609:29
        #7 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::find_or_find_insert_slot_inner::h1f836dc4db44aa10 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1960:34
        #8 0x57a75b6e522a in hashbrown::raw::inner::RawTable$LT$T$C$A$GT$::find_or_find_insert_slot::hbea28ee0e469ced8 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1423:19
        #9 0x57a75b6e522a in hashbrown::map::HashMap$LT$K$C$V$C$S$C$A$GT$::insert::h17daa005d09750a1 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/map.rs:1754:15
        #10 0x57a75b79feea in hashbrown::set::HashSet$LT$T$C$S$C$A$GT$::insert::h2f5d75470f63f1f7 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/set.rs:1115:9
        #11 0x57a75b79feea in regalloc2::ion::process::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_to_allocate_bundle_to_reg::h9a8b01b7177ec712 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/process.rs:159:42
        #12 0x57a75b785bf0 in regalloc2::ion::spill::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_allocating_regs_for_spilled_bundles::h2a5c834a3e5c9abc /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/spill.rs:48:21
        #13 0x57a75b754df6 in regalloc2::ion::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::run::h2fbed0629b0003d7 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:106:9
        #14 0x57a75b754df6 in regalloc2::ion::run::hb20e7d7a22125a54 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:129:17
        #15 0x57a75b809c64 in regalloc2::run::hdd4da390bb40d529 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/lib.rs:1507:5
        #16 0x57a75b809c64 in cranelift_codegen::machinst::compile::compile::hffbbd822f84c84ad /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/machinst/compile.rs:66:9
        #17 0x57a75b9da947 in cranelift_codegen::isa::x64::X64Backend::compile_vcode::h10221be5233594c4 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:61:9
        #18 0x57a75b9dac0e in _$LT$cranelift_codegen..isa..x64..X64Backend$u20$as$u20$cranelift_codegen..isa..TargetIsa$GT$::compile_function::h702bdc255680a236 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:73:40
        #19 0x57a75ba5c245 in cranelift_codegen::context::Context::compile_stencil::h29b342563e49c281 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:138:9
        #20 0x57a75ba5db8a in cranelift_codegen::context::Context::compile::h8f5dbae767eabee7 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:204:23
        #21 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_uncached::hdab0bcbc29395652 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:631:5
        #22 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_maybe_cached::h04d062fabb4d51e9 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:624:5
        #23 0x57a75b0d5a40 in wasmtime_cranelift::compiler::FunctionCompiler::finish_with_info::h813a8da83fb3ef50 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:813:13
        #24 0x57a75b0c728a in _$LT$wasmtime_cranelift..compiler..Compiler$u20$as$u20$wasmtime_environ..compile..Compiler$GT$::compile_function::h5c73ca60a8c009d2 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:233:28
        #25 0x57a75abce031 in wasmtime::compile::CompileInputs::collect_inputs_in_translations::_$u7b$$u7b$closure$u7d$$u7d$::hefbd4a7802a57aad /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:469:25
        #26 0x57a75a79b677 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h25fb832484ec2cab /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/ops/function.rs:250:5
        #27 0x57a75a5791df in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h5a340560af018e25 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2064:9
        #28 0x57a75a5791df in wasmtime::compile::CompileInputs::compile::_$u7b$$u7b$closure$u7d$$u7d$::hf5e1e564c87b6984 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:552:74
        #29 0x57a75a5791df in wasmtime::engine::Engine::run_maybe_parallel::_$u7b$$u7b$closure$u7d$$u7d$::h2cdaa1fa84b333f6 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/engine.rs:167:22
        #30 0x57a75a5791df in core::iter::adapters::map::map_try_fold::_$u7b$$u7b$closure$u7d$$u7d$::h0953a78a8c13adfe /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:96:28
        #31 0x57a75a5791df in _$LT$alloc..vec..into_iter..IntoIter$LT$T$C$A$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::he867e1572ce4e7c2 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/into_iter.rs:340:25
        #32 0x57a75a910123 in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h2a4667ef0928a914 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:122:9
        #33 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h923a60b65f94e761 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:204:9
        #34 0x57a75a910123 in core::iter::traits::iterator::Iterator::try_for_each::hb7d72d45cf615007 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/traits/iterator.rs:2472:9
        #35 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::h83881f48a7ec7e26 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:187:14
        #36 0x57a75a910123 in alloc::vec::Vec$LT$T$C$A$GT$::extend_desugared::h4e62389177be8aa7 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/mod.rs:3075:35
        #37 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$alloc..vec..spec_extend..SpecExtend$LT$T$C$I$GT$$GT$::spec_extend::h31a0fe13406694e0 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/spec_extend.rs:17:9
        #38 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter_nested..SpecFromIterNested$LT$T$C$I$GT$$GT$::from_iter::h33396339ede9fe08 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/spec_from_iter_nested.rs:43:9
        #39 0x57a75a833ab0 in alloc::vec::in_place_collect::_$LT$impl$u20$alloc..vec..s
[message truncated]

Wasmtime GitHub notifications bot (Jan 16 2025 at 16:54):

Robbepop edited issue #10033:

Recently OSS-Fuzz has found a time-out in Wasmi's differential fuzzing target.
In Wasmi's differential fuzzing target we compare Wasmi and Wasmtime runtimes to yield the same values or errors for Wasm executions.
Find the Wasmtime differential fuzzing oracle implementation here: https://github.com/wasmi-labs/wasmi/blob/main/crates/fuzz/Cargo.toml

The OSS-Fuzz fuzzing input yields the following Wasm file: https://gist.github.com/Robbepop/c82b13448227f3130c05c2252f3859e7
Unfortunately it is quite big but maybe it can be minified further.

Wasmi itself compiles the Wasm input extremely quickly thus I strongly assume the time-out happens due to Wasmtime or Cranelift.

The OSS-Fuzz console reports the Wasmtime requires over 60 seconds to compile this particular Wasm module.
Find the OSS-Fuzz console logs below:

Crash Stacktrace

[Environment] ASAN_OPTIONS=exitcode=77
    +----------------------------------------Release Build Stacktrace----------------------------------------+
    Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    Time ran: 62.636693477630615

    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 3073010528
    INFO: Loaded 1 modules   (1564427 inline 8-bit counters): 1564427 [0x57a75f0a5810, 0x57a75f22371b),
    INFO: Loaded 1 PC tables (1564427 PCs): 1564427 [0x57a75f223720,0x57a760a027d0),
    /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential: Running 1 inputs 100 time(s) each.
    Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    ALARM: working on the last Unit for 61 seconds
           and the timeout value is 60 (use -timeout=N to change)
    ==403== ERROR: libFuzzer: timeout after 61 seconds
        #0 0x57a759b911b1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
        #1 0x57a75e23f708 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
        #2 0x57a75e222a17 in fuzzer::Fuzzer::AlarmCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:304:5
        #3 0x7bc5684d441f in libpthread.so.0
        #4 0x57a75e23d128 in HandleCmp<unsigned char> /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:390:32
        #5 0x57a75e23d128 in __sanitizer_cov_trace_const_cmp1 /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:545:15
        #6 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::probe_seq::h63969da1eb5bb981 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:2609:29
        #7 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::find_or_find_insert_slot_inner::h1f836dc4db44aa10 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1960:34
        #8 0x57a75b6e522a in hashbrown::raw::inner::RawTable$LT$T$C$A$GT$::find_or_find_insert_slot::hbea28ee0e469ced8 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1423:19
        #9 0x57a75b6e522a in hashbrown::map::HashMap$LT$K$C$V$C$S$C$A$GT$::insert::h17daa005d09750a1 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/map.rs:1754:15
        #10 0x57a75b79feea in hashbrown::set::HashSet$LT$T$C$S$C$A$GT$::insert::h2f5d75470f63f1f7 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/set.rs:1115:9
        #11 0x57a75b79feea in regalloc2::ion::process::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_to_allocate_bundle_to_reg::h9a8b01b7177ec712 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/process.rs:159:42
        #12 0x57a75b785bf0 in regalloc2::ion::spill::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_allocating_regs_for_spilled_bundles::h2a5c834a3e5c9abc /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/spill.rs:48:21
        #13 0x57a75b754df6 in regalloc2::ion::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::run::h2fbed0629b0003d7 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:106:9
        #14 0x57a75b754df6 in regalloc2::ion::run::hb20e7d7a22125a54 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:129:17
        #15 0x57a75b809c64 in regalloc2::run::hdd4da390bb40d529 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/lib.rs:1507:5
        #16 0x57a75b809c64 in cranelift_codegen::machinst::compile::compile::hffbbd822f84c84ad /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/machinst/compile.rs:66:9
        #17 0x57a75b9da947 in cranelift_codegen::isa::x64::X64Backend::compile_vcode::h10221be5233594c4 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:61:9
        #18 0x57a75b9dac0e in _$LT$cranelift_codegen..isa..x64..X64Backend$u20$as$u20$cranelift_codegen..isa..TargetIsa$GT$::compile_function::h702bdc255680a236 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:73:40
        #19 0x57a75ba5c245 in cranelift_codegen::context::Context::compile_stencil::h29b342563e49c281 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:138:9
        #20 0x57a75ba5db8a in cranelift_codegen::context::Context::compile::h8f5dbae767eabee7 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:204:23
        #21 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_uncached::hdab0bcbc29395652 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:631:5
        #22 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_maybe_cached::h04d062fabb4d51e9 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:624:5
        #23 0x57a75b0d5a40 in wasmtime_cranelift::compiler::FunctionCompiler::finish_with_info::h813a8da83fb3ef50 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:813:13
        #24 0x57a75b0c728a in _$LT$wasmtime_cranelift..compiler..Compiler$u20$as$u20$wasmtime_environ..compile..Compiler$GT$::compile_function::h5c73ca60a8c009d2 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:233:28
        #25 0x57a75abce031 in wasmtime::compile::CompileInputs::collect_inputs_in_translations::_$u7b$$u7b$closure$u7d$$u7d$::hefbd4a7802a57aad /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:469:25
        #26 0x57a75a79b677 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h25fb832484ec2cab /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/ops/function.rs:250:5
        #27 0x57a75a5791df in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h5a340560af018e25 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2064:9
        #28 0x57a75a5791df in wasmtime::compile::CompileInputs::compile::_$u7b$$u7b$closure$u7d$$u7d$::hf5e1e564c87b6984 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:552:74
        #29 0x57a75a5791df in wasmtime::engine::Engine::run_maybe_parallel::_$u7b$$u7b$closure$u7d$$u7d$::h2cdaa1fa84b333f6 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/engine.rs:167:22
        #30 0x57a75a5791df in core::iter::adapters::map::map_try_fold::_$u7b$$u7b$closure$u7d$$u7d$::h0953a78a8c13adfe /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:96:28
        #31 0x57a75a5791df in _$LT$alloc..vec..into_iter..IntoIter$LT$T$C$A$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::he867e1572ce4e7c2 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/into_iter.rs:340:25
        #32 0x57a75a910123 in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h2a4667ef0928a914 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:122:9
        #33 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h923a60b65f94e761 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:204:9
        #34 0x57a75a910123 in core::iter::traits::iterator::Iterator::try_for_each::hb7d72d45cf615007 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/traits/iterator.rs:2472:9
        #35 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::h83881f48a7ec7e26 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:187:14
        #36 0x57a75a910123 in alloc::vec::Vec$LT$T$C$A$GT$::extend_desugared::h4e62389177be8aa7 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/mod.rs:3075:35
        #37 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$alloc..vec..spec_extend..SpecExtend$LT$T$C$I$GT$$GT$::spec_extend::h31a0fe13406694e0 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/spec_extend.rs:17:9
        #38 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter_nested..SpecFromIterNested$LT$T$C$I$GT$$GT$::from_iter::h33396339ede9fe08 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/
[message truncated]

Wasmtime GitHub notifications bot (Jan 16 2025 at 16:56):

Robbepop edited issue #10033:

The OSS-Fuzz fuzzing input yields the following Wasm file can be find here.
Unfortunately it is quite big but maybe it can be minified further.

Wasmi itself compiles the Wasm input extremely quickly thus I strongly assume the time-out happens due to Wasmtime or Cranelift.

The OSS-Fuzz console reports the Wasmtime requires over 60 seconds to compile this particular Wasm module.
Find the OSS-Fuzz console logs below:

Crash Stacktrace

[Environment] ASAN_OPTIONS=exitcode=77
    +----------------------------------------Release Build Stacktrace----------------------------------------+
    Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    Time ran: 62.636693477630615

    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 3073010528
    INFO: Loaded 1 modules   (1564427 inline 8-bit counters): 1564427 [0x57a75f0a5810, 0x57a75f22371b),
    INFO: Loaded 1 PC tables (1564427 PCs): 1564427 [0x57a75f223720,0x57a760a027d0),
    /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential: Running 1 inputs 100 time(s) each.
    Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    ALARM: working on the last Unit for 61 seconds
           and the timeout value is 60 (use -timeout=N to change)
    ==403== ERROR: libFuzzer: timeout after 61 seconds
        #0 0x57a759b911b1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
        #1 0x57a75e23f708 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
        #2 0x57a75e222a17 in fuzzer::Fuzzer::AlarmCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:304:5
        #3 0x7bc5684d441f in libpthread.so.0
        #4 0x57a75e23d128 in HandleCmp<unsigned char> /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:390:32
        #5 0x57a75e23d128 in __sanitizer_cov_trace_const_cmp1 /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:545:15
        #6 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::probe_seq::h63969da1eb5bb981 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:2609:29
        #7 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::find_or_find_insert_slot_inner::h1f836dc4db44aa10 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1960:34
        #8 0x57a75b6e522a in hashbrown::raw::inner::RawTable$LT$T$C$A$GT$::find_or_find_insert_slot::hbea28ee0e469ced8 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1423:19
        #9 0x57a75b6e522a in hashbrown::map::HashMap$LT$K$C$V$C$S$C$A$GT$::insert::h17daa005d09750a1 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/map.rs:1754:15
        #10 0x57a75b79feea in hashbrown::set::HashSet$LT$T$C$S$C$A$GT$::insert::h2f5d75470f63f1f7 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/set.rs:1115:9
        #11 0x57a75b79feea in regalloc2::ion::process::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_to_allocate_bundle_to_reg::h9a8b01b7177ec712 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/process.rs:159:42
        #12 0x57a75b785bf0 in regalloc2::ion::spill::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_allocating_regs_for_spilled_bundles::h2a5c834a3e5c9abc /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/spill.rs:48:21
        #13 0x57a75b754df6 in regalloc2::ion::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::run::h2fbed0629b0003d7 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:106:9
        #14 0x57a75b754df6 in regalloc2::ion::run::hb20e7d7a22125a54 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:129:17
        #15 0x57a75b809c64 in regalloc2::run::hdd4da390bb40d529 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/lib.rs:1507:5
        #16 0x57a75b809c64 in cranelift_codegen::machinst::compile::compile::hffbbd822f84c84ad /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/machinst/compile.rs:66:9
        #17 0x57a75b9da947 in cranelift_codegen::isa::x64::X64Backend::compile_vcode::h10221be5233594c4 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:61:9
        #18 0x57a75b9dac0e in _$LT$cranelift_codegen..isa..x64..X64Backend$u20$as$u20$cranelift_codegen..isa..TargetIsa$GT$::compile_function::h702bdc255680a236 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:73:40
        #19 0x57a75ba5c245 in cranelift_codegen::context::Context::compile_stencil::h29b342563e49c281 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:138:9
        #20 0x57a75ba5db8a in cranelift_codegen::context::Context::compile::h8f5dbae767eabee7 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:204:23
        #21 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_uncached::hdab0bcbc29395652 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:631:5
        #22 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_maybe_cached::h04d062fabb4d51e9 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:624:5
        #23 0x57a75b0d5a40 in wasmtime_cranelift::compiler::FunctionCompiler::finish_with_info::h813a8da83fb3ef50 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:813:13
        #24 0x57a75b0c728a in _$LT$wasmtime_cranelift..compiler..Compiler$u20$as$u20$wasmtime_environ..compile..Compiler$GT$::compile_function::h5c73ca60a8c009d2 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:233:28
        #25 0x57a75abce031 in wasmtime::compile::CompileInputs::collect_inputs_in_translations::_$u7b$$u7b$closure$u7d$$u7d$::hefbd4a7802a57aad /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:469:25
        #26 0x57a75a79b677 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h25fb832484ec2cab /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/ops/function.rs:250:5
        #27 0x57a75a5791df in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h5a340560af018e25 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2064:9
        #28 0x57a75a5791df in wasmtime::compile::CompileInputs::compile::_$u7b$$u7b$closure$u7d$$u7d$::hf5e1e564c87b6984 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:552:74
        #29 0x57a75a5791df in wasmtime::engine::Engine::run_maybe_parallel::_$u7b$$u7b$closure$u7d$$u7d$::h2cdaa1fa84b333f6 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/engine.rs:167:22
        #30 0x57a75a5791df in core::iter::adapters::map::map_try_fold::_$u7b$$u7b$closure$u7d$$u7d$::h0953a78a8c13adfe /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:96:28
        #31 0x57a75a5791df in _$LT$alloc..vec..into_iter..IntoIter$LT$T$C$A$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::he867e1572ce4e7c2 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/into_iter.rs:340:25
        #32 0x57a75a910123 in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h2a4667ef0928a914 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:122:9
        #33 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h923a60b65f94e761 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:204:9
        #34 0x57a75a910123 in core::iter::traits::iterator::Iterator::try_for_each::hb7d72d45cf615007 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/traits/iterator.rs:2472:9
        #35 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::h83881f48a7ec7e26 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:187:14
        #36 0x57a75a910123 in alloc::vec::Vec$LT$T$C$A$GT$::extend_desugared::h4e62389177be8aa7 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/mod.rs:3075:35
        #37 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$alloc..vec..spec_extend..SpecExtend$LT$T$C$I$GT$$GT$::spec_extend::h31a0fe13406694e0 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/spec_extend.rs:17:9
        #38 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter_nested..SpecFromIterNested$LT$T$C$I$GT$$GT$::from_iter::h33396339ede9fe08 /rustc/5315cb
[message truncated]

Wasmtime GitHub notifications bot (Jan 16 2025 at 17:04):

Robbepop edited issue #10033:

Used Wasmtime version: v27

The OSS-Fuzz fuzzing input yields the following Wasm file can be find here.
Unfortunately it is quite big but maybe it can be minified further.

Wasmi itself compiles the Wasm input extremely quickly thus I strongly assume the time-out happens due to Wasmtime or Cranelift.

The OSS-Fuzz console reports the Wasmtime requires over 60 seconds to compile this particular Wasm module.
Find the OSS-Fuzz console logs below:

Crash Stacktrace

[Environment] ASAN_OPTIONS=exitcode=77
    +----------------------------------------Release Build Stacktrace----------------------------------------+
    Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    Time ran: 62.636693477630615

    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 3073010528
    INFO: Loaded 1 modules   (1564427 inline 8-bit counters): 1564427 [0x57a75f0a5810, 0x57a75f22371b),
    INFO: Loaded 1 PC tables (1564427 PCs): 1564427 [0x57a75f223720,0x57a760a027d0),
    /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential: Running 1 inputs 100 time(s) each.
    Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    ALARM: working on the last Unit for 61 seconds
           and the timeout value is 60 (use -timeout=N to change)
    ==403== ERROR: libFuzzer: timeout after 61 seconds
        #0 0x57a759b911b1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
        #1 0x57a75e23f708 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
        #2 0x57a75e222a17 in fuzzer::Fuzzer::AlarmCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:304:5
        #3 0x7bc5684d441f in libpthread.so.0
        #4 0x57a75e23d128 in HandleCmp<unsigned char> /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:390:32
        #5 0x57a75e23d128 in __sanitizer_cov_trace_const_cmp1 /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:545:15
        #6 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::probe_seq::h63969da1eb5bb981 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:2609:29
        #7 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::find_or_find_insert_slot_inner::h1f836dc4db44aa10 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1960:34
        #8 0x57a75b6e522a in hashbrown::raw::inner::RawTable$LT$T$C$A$GT$::find_or_find_insert_slot::hbea28ee0e469ced8 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1423:19
        #9 0x57a75b6e522a in hashbrown::map::HashMap$LT$K$C$V$C$S$C$A$GT$::insert::h17daa005d09750a1 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/map.rs:1754:15
        #10 0x57a75b79feea in hashbrown::set::HashSet$LT$T$C$S$C$A$GT$::insert::h2f5d75470f63f1f7 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/set.rs:1115:9
        #11 0x57a75b79feea in regalloc2::ion::process::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_to_allocate_bundle_to_reg::h9a8b01b7177ec712 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/process.rs:159:42
        #12 0x57a75b785bf0 in regalloc2::ion::spill::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_allocating_regs_for_spilled_bundles::h2a5c834a3e5c9abc /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/spill.rs:48:21
        #13 0x57a75b754df6 in regalloc2::ion::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::run::h2fbed0629b0003d7 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:106:9
        #14 0x57a75b754df6 in regalloc2::ion::run::hb20e7d7a22125a54 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:129:17
        #15 0x57a75b809c64 in regalloc2::run::hdd4da390bb40d529 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/lib.rs:1507:5
        #16 0x57a75b809c64 in cranelift_codegen::machinst::compile::compile::hffbbd822f84c84ad /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/machinst/compile.rs:66:9
        #17 0x57a75b9da947 in cranelift_codegen::isa::x64::X64Backend::compile_vcode::h10221be5233594c4 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:61:9
        #18 0x57a75b9dac0e in _$LT$cranelift_codegen..isa..x64..X64Backend$u20$as$u20$cranelift_codegen..isa..TargetIsa$GT$::compile_function::h702bdc255680a236 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:73:40
        #19 0x57a75ba5c245 in cranelift_codegen::context::Context::compile_stencil::h29b342563e49c281 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:138:9
        #20 0x57a75ba5db8a in cranelift_codegen::context::Context::compile::h8f5dbae767eabee7 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:204:23
        #21 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_uncached::hdab0bcbc29395652 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:631:5
        #22 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_maybe_cached::h04d062fabb4d51e9 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:624:5
        #23 0x57a75b0d5a40 in wasmtime_cranelift::compiler::FunctionCompiler::finish_with_info::h813a8da83fb3ef50 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:813:13
        #24 0x57a75b0c728a in _$LT$wasmtime_cranelift..compiler..Compiler$u20$as$u20$wasmtime_environ..compile..Compiler$GT$::compile_function::h5c73ca60a8c009d2 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:233:28
        #25 0x57a75abce031 in wasmtime::compile::CompileInputs::collect_inputs_in_translations::_$u7b$$u7b$closure$u7d$$u7d$::hefbd4a7802a57aad /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:469:25
        #26 0x57a75a79b677 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h25fb832484ec2cab /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/ops/function.rs:250:5
        #27 0x57a75a5791df in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h5a340560af018e25 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2064:9
        #28 0x57a75a5791df in wasmtime::compile::CompileInputs::compile::_$u7b$$u7b$closure$u7d$$u7d$::hf5e1e564c87b6984 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:552:74
        #29 0x57a75a5791df in wasmtime::engine::Engine::run_maybe_parallel::_$u7b$$u7b$closure$u7d$$u7d$::h2cdaa1fa84b333f6 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/engine.rs:167:22
        #30 0x57a75a5791df in core::iter::adapters::map::map_try_fold::_$u7b$$u7b$closure$u7d$$u7d$::h0953a78a8c13adfe /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:96:28
        #31 0x57a75a5791df in _$LT$alloc..vec..into_iter..IntoIter$LT$T$C$A$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::he867e1572ce4e7c2 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/into_iter.rs:340:25
        #32 0x57a75a910123 in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h2a4667ef0928a914 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:122:9
        #33 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h923a60b65f94e761 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:204:9
        #34 0x57a75a910123 in core::iter::traits::iterator::Iterator::try_for_each::hb7d72d45cf615007 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/traits/iterator.rs:2472:9
        #35 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::h83881f48a7ec7e26 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:187:14
        #36 0x57a75a910123 in alloc::vec::Vec$LT$T$C$A$GT$::extend_desugared::h4e62389177be8aa7 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/mod.rs:3075:35
        #37 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$alloc..vec..spec_extend..SpecExtend$LT$T$C$I$GT$$GT$::spec_extend::h31a0fe13406694e0 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/spec_extend.rs:17:9
        #38 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter_nested..SpecFromIterNested$LT$T$C$I$GT$$GT$::from_iter::h33
[message truncated]

Wasmtime GitHub notifications bot (Jan 16 2025 at 17:08):

Robbepop edited issue #10033:

Tested Wasmtime versions: v27, v28

The OSS-Fuzz fuzzing input yields the following Wasm file can be find here.
Unfortunately it is quite big but maybe it can be minified further.

Wasmi itself compiles the Wasm input extremely quickly thus I strongly assume the time-out happens due to Wasmtime or Cranelift.

The OSS-Fuzz console reports the Wasmtime requires over 60 seconds to compile this particular Wasm module.
Find the OSS-Fuzz console logs below:

Crash Stacktrace

[Environment] ASAN_OPTIONS=exitcode=77
    +----------------------------------------Release Build Stacktrace----------------------------------------+
    Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    Time ran: 62.636693477630615

    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 3073010528
    INFO: Loaded 1 modules   (1564427 inline 8-bit counters): 1564427 [0x57a75f0a5810, 0x57a75f22371b),
    INFO: Loaded 1 PC tables (1564427 PCs): 1564427 [0x57a75f223720,0x57a760a027d0),
    /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential: Running 1 inputs 100 time(s) each.
    Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    ALARM: working on the last Unit for 61 seconds
           and the timeout value is 60 (use -timeout=N to change)
    ==403== ERROR: libFuzzer: timeout after 61 seconds
        #0 0x57a759b911b1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
        #1 0x57a75e23f708 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
        #2 0x57a75e222a17 in fuzzer::Fuzzer::AlarmCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:304:5
        #3 0x7bc5684d441f in libpthread.so.0
        #4 0x57a75e23d128 in HandleCmp<unsigned char> /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:390:32
        #5 0x57a75e23d128 in __sanitizer_cov_trace_const_cmp1 /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:545:15
        #6 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::probe_seq::h63969da1eb5bb981 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:2609:29
        #7 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::find_or_find_insert_slot_inner::h1f836dc4db44aa10 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1960:34
        #8 0x57a75b6e522a in hashbrown::raw::inner::RawTable$LT$T$C$A$GT$::find_or_find_insert_slot::hbea28ee0e469ced8 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1423:19
        #9 0x57a75b6e522a in hashbrown::map::HashMap$LT$K$C$V$C$S$C$A$GT$::insert::h17daa005d09750a1 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/map.rs:1754:15
        #10 0x57a75b79feea in hashbrown::set::HashSet$LT$T$C$S$C$A$GT$::insert::h2f5d75470f63f1f7 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/set.rs:1115:9
        #11 0x57a75b79feea in regalloc2::ion::process::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_to_allocate_bundle_to_reg::h9a8b01b7177ec712 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/process.rs:159:42
        #12 0x57a75b785bf0 in regalloc2::ion::spill::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_allocating_regs_for_spilled_bundles::h2a5c834a3e5c9abc /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/spill.rs:48:21
        #13 0x57a75b754df6 in regalloc2::ion::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::run::h2fbed0629b0003d7 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:106:9
        #14 0x57a75b754df6 in regalloc2::ion::run::hb20e7d7a22125a54 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:129:17
        #15 0x57a75b809c64 in regalloc2::run::hdd4da390bb40d529 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/lib.rs:1507:5
        #16 0x57a75b809c64 in cranelift_codegen::machinst::compile::compile::hffbbd822f84c84ad /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/machinst/compile.rs:66:9
        #17 0x57a75b9da947 in cranelift_codegen::isa::x64::X64Backend::compile_vcode::h10221be5233594c4 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:61:9
        #18 0x57a75b9dac0e in _$LT$cranelift_codegen..isa..x64..X64Backend$u20$as$u20$cranelift_codegen..isa..TargetIsa$GT$::compile_function::h702bdc255680a236 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:73:40
        #19 0x57a75ba5c245 in cranelift_codegen::context::Context::compile_stencil::h29b342563e49c281 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:138:9
        #20 0x57a75ba5db8a in cranelift_codegen::context::Context::compile::h8f5dbae767eabee7 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:204:23
        #21 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_uncached::hdab0bcbc29395652 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:631:5
        #22 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_maybe_cached::h04d062fabb4d51e9 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:624:5
        #23 0x57a75b0d5a40 in wasmtime_cranelift::compiler::FunctionCompiler::finish_with_info::h813a8da83fb3ef50 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:813:13
        #24 0x57a75b0c728a in _$LT$wasmtime_cranelift..compiler..Compiler$u20$as$u20$wasmtime_environ..compile..Compiler$GT$::compile_function::h5c73ca60a8c009d2 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:233:28
        #25 0x57a75abce031 in wasmtime::compile::CompileInputs::collect_inputs_in_translations::_$u7b$$u7b$closure$u7d$$u7d$::hefbd4a7802a57aad /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:469:25
        #26 0x57a75a79b677 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h25fb832484ec2cab /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/ops/function.rs:250:5
        #27 0x57a75a5791df in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h5a340560af018e25 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2064:9
        #28 0x57a75a5791df in wasmtime::compile::CompileInputs::compile::_$u7b$$u7b$closure$u7d$$u7d$::hf5e1e564c87b6984 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:552:74
        #29 0x57a75a5791df in wasmtime::engine::Engine::run_maybe_parallel::_$u7b$$u7b$closure$u7d$$u7d$::h2cdaa1fa84b333f6 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/engine.rs:167:22
        #30 0x57a75a5791df in core::iter::adapters::map::map_try_fold::_$u7b$$u7b$closure$u7d$$u7d$::h0953a78a8c13adfe /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:96:28
        #31 0x57a75a5791df in _$LT$alloc..vec..into_iter..IntoIter$LT$T$C$A$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::he867e1572ce4e7c2 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/into_iter.rs:340:25
        #32 0x57a75a910123 in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h2a4667ef0928a914 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:122:9
        #33 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h923a60b65f94e761 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:204:9
        #34 0x57a75a910123 in core::iter::traits::iterator::Iterator::try_for_each::hb7d72d45cf615007 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/traits/iterator.rs:2472:9
        #35 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::h83881f48a7ec7e26 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:187:14
        #36 0x57a75a910123 in alloc::vec::Vec$LT$T$C$A$GT$::extend_desugared::h4e62389177be8aa7 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/mod.rs:3075:35
        #37 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$alloc..vec..spec_extend..SpecExtend$LT$T$C$I$GT$$GT$::spec_extend::h31a0fe13406694e0 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/spec_extend.rs:17:9
        #38 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter_nested..SpecFromIterNested$LT$T$C$I$GT$$GT$::from_i
[message truncated]

Wasmtime GitHub notifications bot (Jan 16 2025 at 17:40):

abrown added the fuzz-bug label to Issue #10033.

Wasmtime GitHub notifications bot (Jan 16 2025 at 17:51):

Robbepop commented on issue #10033:

Questions: in order to fix the time-out issue on my end while continue using Wasmtime as fuzzing oracle: What could I do to improve translation times? Is enforcing Winch or Pulley a viable alternative?

Wasmtime GitHub notifications bot (Jan 16 2025 at 17:51):

Robbepop edited a comment on issue #10033:

Questions: in order to fix the time-out issue on my end while continue using Wasmtime as fuzzing oracle: What could I do to improve translation times? Is enforcing Winch or Pulley a viable alternative? Or is there a concept such as translation fuel with which I can put a deterministic barrier into the translation process?

Wasmtime GitHub notifications bot (Jan 16 2025 at 21:06):

alexcrichton commented on issue #10033:

This is, unfortunately, expected. We hit this semi-frequently in Wasmtime as well and there's not a great answer for it. The cause of this is more-or-less:

OSS-Fuzz has a 60 second timeout for each test case.

ASAN + Fuzzing can add up to 20x slowdown, meaning we now have a 3s (on native budget)

Parallel compilation is typically disabled in fuzzing (or there's few cores anyway), and "large" input modules often have ~100+ functions, meaning we now have 0.03s budget per function.

Fuzz-generated functions can often have pretty pathological structure so 30ms for compiling a function isn't unheard of.

Fuzzing typically finds these sorts of functions eventually and can create nasty modules where 100+ functions all take 30+ms to compile natively which then pretty easily blows the 60s budget on OSS-Fuzz.

Up to now we've never gotten to a point where 100% of timeouts are avoided on OSS-Fuzz. Various options to mitigate this include (a) configuring wasm-smith to avoid generating "big" modules, (b) using the new "single-pass" register allocator in Cranelift, and (c) disabling cranelift optimizations for "big" modules. Cranelift has no notion of fuel-for-itself at this time.

Currently in Wasmtime's fuzzing we basically just ignore timeouts once it looks like it's due to compilation speed. I still try to investigate other timeouts (leading to fixes such as https://github.com/bytecodealliance/wasmtime/pull/10026). It's not a great state-of-affairs to be in IMO, but I've never figured out a better tradeoff for fixing these timeouts on OSS-Fuzz.

Wasmtime GitHub notifications bot (Jan 16 2025 at 21:25):

cfallin commented on issue #10033:

To add (i) a bit of meta-discussion, and (ii) a specific answer, as well:

What should we do? Are these failures "real"? When fuzzing one needs to define what property one is testing, and then ensure the oracle agrees with that (or not generate cases one expects to fail). Here we are implicitly saying "we expect our compiler to be X fast" but we don't have a crisply delineated line where we say that a program with these properties can be compiled in this time budget. For an optimizing compiler in particular that's intractable -- we simply don't know algorithms in the compilers field that have better than, in many cases, super-linear complexity and surprising worst cases (unless we design our compiler from scratch not to optimize). Doing better here is an extremely challenging research problem and you'd advance the state of the art if you could delineate the complexity cleanly or come up with tightly-bound algorithms.

(This may be obvious to folks here but I just wanted to make sure it's explicitly stated: in the state of the art understanding of the field, there is no solution to the core problem of unpredictable latency of optimization at our expected optimization tier, and it's unlikely we will come up with one.)

So arguably then the best we could do with fuzzing is to have the oracle expectation be "successful compilation [with matching execution results etc] OR timeout", and instrument Cranelift with fuel throughout. We have the start of that with the "control plane" abstraction, and someone could push it further. (Basically: we have the place where one would store fuel: u64 and we need to check it at every loop and recursion.) It's probably a month of work to carefully go through all the different parts of Cranelift and modify it appropriately, and ensure we haven't missed anything.

What can you (@Robbepop) do today? If your goal is to have some differential fuzzing comparison point, Winch is a good answer (it is designed to compile code in time linear with its size), but be aware you're testing something different: it has its own lowerings of Wasm semantics that are different from Cranelift's. In both cases you're testing against the same Wasmtime runtime. Maybe all you want is "some other engine" as a comparison point in which case either is totally reasonable. Winch does currently lag somewhat in feature-completeness.

Wasmtime GitHub notifications bot (Jan 16 2025 at 21:25):

cfallin edited a comment on issue #10033:

To add (i) a bit of meta-discussion, and (ii) a specific answer, as well:

What should we do? Are these failures "real"? When fuzzing one needs to define what property one is testing, and then ensure the oracle agrees with that (or not generate cases one expects to fail). Here we are implicitly saying "we expect our compiler to be X fast" but we don't have a crisply delineated line where we say that a program with these properties can be compiled in this time budget. For an optimizing compiler in particular that's intractable -- we simply don't know algorithms in the compilers field that have better than, in many cases, super-linear complexity and surprising worst cases (unless we design our compiler from scratch not to optimize). Doing better here is an extremely challenging research problem and you'd advance the state of the art if you could delineate the complexity cleanly or come up with tightly-bound algorithms.

(This may be obvious to folks here but I just wanted to make sure it's explicitly stated: in the state of the art understanding of the field, there is no solution to the core problem of unpredictable latency of optimization at our expected optimization tier, and it's unlikely we will come up with one.)

So arguably then the best we could do with fuzzing is to have the oracle expectation be "successful compilation [with matching execution results etc] OR timeout", and instrument Cranelift with fuel throughout. We have the start of that with the "control plane" abstraction, and someone could push it further. (Basically: we have the place where one would store fuel: u64 and we need to check it at every loop and recursion.) It's probably a month of work to carefully go through all the different parts of Cranelift and modify it appropriately, and ensure we haven't missed anything.

What can you (@Robbepop) do today? If your goal is to have some differential fuzzing comparison point, Winch is a good answer (it is designed to compile code in time linear with its size), but be aware you're testing something different: it has its own lowerings of Wasm semantics that are different from Cranelift's. In both cases you're testing against the same Wasmtime runtime. Maybe all you want is "some other engine" as a comparison point in which case either is totally reasonable. Winch does currently lag somewhat in feature-completeness.

Wasmtime GitHub notifications bot (Jan 16 2025 at 21:56):

Robbepop commented on issue #10033:

Thank you both for your valuable answers!

For my use case with Wasmi I am mostly interested in fuzzing Wasmi against another Wasm runtime that is well tested. And since I am very fond of Wasmtime testing and quality I think it is one of the best contenders for this. I used the Cranelift backend so far because I was not sure how stable the Winch backend is. If Winch is considered stable and robust and covers all the Wasm features that Wasmi needs, then it is probably the better choice.

@alexcrichton Thanks for the hints to disable optimizations and use a more light-weight register allocation. I suppose this works with the following APIs:

https://docs.rs/wasmtime/28.0.1/wasmtime/struct.Config.html#method.cranelift_opt_level

https://docs.rs/wasmtime/28.0.1/wasmtime/struct.Config.html#method.cranelift_regalloc_algorithm

Will definitely try this out and see how big the differences are.
Are there more options that could yield improvements here?

@cfallin Thanks for your recommendation to use Winch and for the additional information, I appreciate that!

Could Pulley (once stable) also be an alternative to Cranelift like Winch? Or does Pulley share the more complex translation scheme of the Cranelift backend?

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:01):

alexcrichton commented on issue #10033:

We've just recently started fuzzing Winch ourselves on OSS-Fuzz in addition to Pulley. In that sense they're probably not quite as robust as Cranelift but our goal is to get them there (and there are no known shortcomings in that sense). It's worth pointing out we have found at least one bug between single_pass register allocation and the (default) backtracking -- https://github.com/bytecodealliance/wasmtime/issues/9980. My gut is that the "backtracking" register allocation is what primarily needs to be swapped out, so if you're only looking for a potential differential target I think it'd be reasonable to hardcod the "single_pass" register allocation pass.

Pulley won't be a great alternative here because its bytecode is compiled in the same manner as native code. It's not expected that Pulley compilation is significantly faster or slower than native x64 compilation. Winch is definitely the other best alternative to the defaults of Wasmtime as its design goal is to generate code quickly.

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:05):

Robbepop commented on issue #10033:

@alexcrichton I just tested the OSS-Fuzz input with Wasmtime with
        config.cranelift_opt_level(wasmtime::OptLevel::None);
        config.cranelift_regalloc_algorithm(wasmtime::RegallocAlgorithm::SinglePass);
... and can confirm that the fuzz test case now runs in ~3.3ms whereas before it took ~45ms.
So quite an improvement already.

I think in the long run it is a good idea to use Winch instead, but I am going to wait until it is battle hardened further before going down this path. Thank you for the quick help!

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:05):

Robbepop edited a comment on issue #10033:

@alexcrichton I just tested the OSS-Fuzz input with Wasmtime with
config.cranelift_opt_level(wasmtime::OptLevel::None);
config.cranelift_regalloc_algorithm(wasmtime::RegallocAlgorithm::SinglePass);
... and can confirm that the fuzz test case now runs in ~3.3ms whereas before it took ~45ms.
So quite an improvement already.

I think in the long run it is a good idea to use Winch instead, but I am going to wait until it is battle hardened further before going down this path. Thank you for the quick help!

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:06):

Robbepop edited a comment on issue #10033:

@alexcrichton I just tested the OSS-Fuzz input with Wasmtime with
config.cranelift_opt_level(wasmtime::OptLevel::None);
config.cranelift_regalloc_algorithm(wasmtime::RegallocAlgorithm::SinglePass);
... and can confirm that the fuzz test case now runs in ~3.3ms whereas before it took ~45ms.
So quite an improvement already.
I think it is safe to say that optimizations won't make sense for my fuzzing use case anyway, since fuzzing inputs are immediately discarded after being executed once.

I think in the long run it is a good idea to use Winch instead, but I am going to wait until it is battle hardened further before going down this path. Thank you for the quick help!

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:08):

Robbepop edited a comment on issue #10033:

@alexcrichton I just tested the OSS-Fuzz input with Wasmtime with
config.cranelift_opt_level(wasmtime::OptLevel::None);
config.cranelift_regalloc_algorithm(wasmtime::RegallocAlgorithm::SinglePass);
... and can confirm that the fuzz test case now runs in ~3.3ms whereas before it took ~45ms.
So quite an improvement already.
I think it is safe to say that optimizations won't make sense for my fuzzing use case anyway, since fuzzing inputs are immediately discarded after being executed once.

With optimizations enabled and using singlepass register allocation, the fuzz test case time goes up from ~3.3ms to ~7.7ms. So I think going forward with optimizations disabled is best for my fuzzing needs.

I think in the long run it is a good idea to use Winch instead, but I am going to wait until it is battle hardened further before going down this path. Thank you for the quick help!

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:15):

Robbepop commented on issue #10033:

@alexcrichton @cfallin Thank you for your solutions. As said in my previous post, my problem has been fixed (for now :upside_down:) and I consider this issue resolved. :rocket:

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:15):

Robbepop edited a comment on issue #10033:

@alexcrichton @cfallin Thank you for your solutions. As said in my previous post, my problem has been fixed (for now :upside_down:), I am aware of future improvements (using Winch), so I consider this issue resolved. :rocket:

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:16):

cfallin closed issue #10033:

Tested Wasmtime versions: v27, v28

The OSS-Fuzz fuzzing input yields the following Wasm file can be find here.
Unfortunately it is quite big but maybe it can be minified further.

Wasmi itself compiles the Wasm input extremely quickly thus I strongly assume the time-out happens due to Wasmtime or Cranelift.

The OSS-Fuzz console reports the Wasmtime requires over 60 seconds to compile this particular Wasm module.
Find the OSS-Fuzz console logs below:

Crash Stacktrace

[Environment] ASAN_OPTIONS=exitcode=77
    +----------------------------------------Release Build Stacktrace----------------------------------------+
    Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    Time ran: 62.636693477630615

    INFO: Running with entropic power schedule (0xFF, 100).
    INFO: Seed: 3073010528
    INFO: Loaded 1 modules   (1564427 inline 8-bit counters): 1564427 [0x57a75f0a5810, 0x57a75f22371b),
    INFO: Loaded 1 PC tables (1564427 PCs): 1564427 [0x57a75f223720,0x57a760a027d0),
    /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_wasmi_e3ba127336643e55feba7865dfa1735df8d42d60/revisions/differential: Running 1 inputs 100 time(s) each.
    Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/timeout-8b7c87999d86caecd1391d9ea0205b3fd15da844
    ALARM: working on the last Unit for 61 seconds
           and the timeout value is 60 (use -timeout=N to change)
    ==403== ERROR: libFuzzer: timeout after 61 seconds
        #0 0x57a759b911b1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
        #1 0x57a75e23f708 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
        #2 0x57a75e222a17 in fuzzer::Fuzzer::AlarmCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:304:5
        #3 0x7bc5684d441f in libpthread.so.0
        #4 0x57a75e23d128 in HandleCmp<unsigned char> /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:390:32
        #5 0x57a75e23d128 in __sanitizer_cov_trace_const_cmp1 /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerTracePC.cpp:545:15
        #6 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::probe_seq::h63969da1eb5bb981 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:2609:29
        #7 0x57a75b6e522a in hashbrown::raw::inner::RawTableInner::find_or_find_insert_slot_inner::h1f836dc4db44aa10 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1960:34
        #8 0x57a75b6e522a in hashbrown::raw::inner::RawTable$LT$T$C$A$GT$::find_or_find_insert_slot::hbea28ee0e469ced8 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/raw/mod.rs:1423:19
        #9 0x57a75b6e522a in hashbrown::map::HashMap$LT$K$C$V$C$S$C$A$GT$::insert::h17daa005d09750a1 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/map.rs:1754:15
        #10 0x57a75b79feea in hashbrown::set::HashSet$LT$T$C$S$C$A$GT$::insert::h2f5d75470f63f1f7 /rust/registry/src/index.crates.io-6f17d22bba15001f/hashbrown-0.14.5/src/set.rs:1115:9
        #11 0x57a75b79feea in regalloc2::ion::process::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_to_allocate_bundle_to_reg::h9a8b01b7177ec712 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/process.rs:159:42
        #12 0x57a75b785bf0 in regalloc2::ion::spill::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::try_allocating_regs_for_spilled_bundles::h2a5c834a3e5c9abc /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/spill.rs:48:21
        #13 0x57a75b754df6 in regalloc2::ion::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::run::h2fbed0629b0003d7 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:106:9
        #14 0x57a75b754df6 in regalloc2::ion::run::hb20e7d7a22125a54 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/ion/mod.rs:129:17
        #15 0x57a75b809c64 in regalloc2::run::hdd4da390bb40d529 /rust/registry/src/index.crates.io-6f17d22bba15001f/regalloc2-0.10.2/src/lib.rs:1507:5
        #16 0x57a75b809c64 in cranelift_codegen::machinst::compile::compile::hffbbd822f84c84ad /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/machinst/compile.rs:66:9
        #17 0x57a75b9da947 in cranelift_codegen::isa::x64::X64Backend::compile_vcode::h10221be5233594c4 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:61:9
        #18 0x57a75b9dac0e in _$LT$cranelift_codegen..isa..x64..X64Backend$u20$as$u20$cranelift_codegen..isa..TargetIsa$GT$::compile_function::h702bdc255680a236 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/isa/x64/mod.rs:73:40
        #19 0x57a75ba5c245 in cranelift_codegen::context::Context::compile_stencil::h29b342563e49c281 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:138:9
        #20 0x57a75ba5db8a in cranelift_codegen::context::Context::compile::h8f5dbae767eabee7 /rust/registry/src/index.crates.io-6f17d22bba15001f/cranelift-codegen-0.114.0/src/context.rs:204:23
        #21 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_uncached::hdab0bcbc29395652 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:631:5
        #22 0x57a75b0d5a40 in wasmtime_cranelift::compiler::compile_maybe_cached::h04d062fabb4d51e9 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:624:5
        #23 0x57a75b0d5a40 in wasmtime_cranelift::compiler::FunctionCompiler::finish_with_info::h813a8da83fb3ef50 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:813:13
        #24 0x57a75b0c728a in _$LT$wasmtime_cranelift..compiler..Compiler$u20$as$u20$wasmtime_environ..compile..Compiler$GT$::compile_function::h5c73ca60a8c009d2 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-cranelift-27.0.0/src/compiler.rs:233:28
        #25 0x57a75abce031 in wasmtime::compile::CompileInputs::collect_inputs_in_translations::_$u7b$$u7b$closure$u7d$$u7d$::hefbd4a7802a57aad /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:469:25
        #26 0x57a75a79b677 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h25fb832484ec2cab /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/ops/function.rs:250:5
        #27 0x57a75a5791df in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h5a340560af018e25 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2064:9
        #28 0x57a75a5791df in wasmtime::compile::CompileInputs::compile::_$u7b$$u7b$closure$u7d$$u7d$::hf5e1e564c87b6984 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/compile.rs:552:74
        #29 0x57a75a5791df in wasmtime::engine::Engine::run_maybe_parallel::_$u7b$$u7b$closure$u7d$$u7d$::h2cdaa1fa84b333f6 /rust/registry/src/index.crates.io-6f17d22bba15001f/wasmtime-27.0.0/src/engine.rs:167:22
        #30 0x57a75a5791df in core::iter::adapters::map::map_try_fold::_$u7b$$u7b$closure$u7d$$u7d$::h0953a78a8c13adfe /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:96:28
        #31 0x57a75a5791df in _$LT$alloc..vec..into_iter..IntoIter$LT$T$C$A$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::he867e1572ce4e7c2 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/into_iter.rs:340:25
        #32 0x57a75a910123 in _$LT$core..iter..adapters..map..Map$LT$I$C$F$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h2a4667ef0928a914 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/map.rs:122:9
        #33 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::try_fold::h923a60b65f94e761 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:204:9
        #34 0x57a75a910123 in core::iter::traits::iterator::Iterator::try_for_each::hb7d72d45cf615007 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/traits/iterator.rs:2472:9
        #35 0x57a75a910123 in _$LT$core..iter..adapters..GenericShunt$LT$I$C$R$GT$$u20$as$u20$core..iter..traits..iterator..Iterator$GT$::next::h83881f48a7ec7e26 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/iter/adapters/mod.rs:187:14
        #36 0x57a75a910123 in alloc::vec::Vec$LT$T$C$A$GT$::extend_desugared::h4e62389177be8aa7 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/mod.rs:3075:35
        #37 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$alloc..vec..spec_extend..SpecExtend$LT$T$C$I$GT$$GT$::spec_extend::h31a0fe13406694e0 /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/vec/spec_extend.rs:17:9
        #38 0x57a75a5f1d21 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter_nested..SpecFromIterNested$LT$T$C$I$GT$$GT$::from_it
[message truncated]

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:16):

Robbepop edited a comment on issue #10033:

Thank you both for your valuable answers!

For my use case with Wasmi I am mostly interested in fuzzing Wasmi against another Wasm runtime that is well tested. And since I am very fond of Wasmtime testing and quality. I think it is one of the best contenders for this. I used the Cranelift backend so far because I was not sure how stable the Winch backend is. If Winch is considered stable and robust and covers all the Wasm features that Wasmi needs, then it is probably the better choice.

@alexcrichton Thanks for the hints to disable optimizations and use a more light-weight register allocation. I suppose this works with the following APIs:

https://docs.rs/wasmtime/28.0.1/wasmtime/struct.Config.html#method.cranelift_opt_level

https://docs.rs/wasmtime/28.0.1/wasmtime/struct.Config.html#method.cranelift_regalloc_algorithm

Will definitely try this out and see how big the differences are.
Are there more options that could yield improvements here?

@cfallin Thanks for your recommendation to use Winch and for the additional information, I appreciate that!

Could Pulley (once stable) also be an alternative to Cranelift like Winch? Or does Pulley share the more complex translation scheme of the Cranelift backend?

Last updated: Jan 24 2025 at 00:11 UTC

Stream: git-wasmtime

Topic: wasmtime / issue #10033 Wasmtime/Cranelift: translation t...

Wasmtime GitHub notifications bot (Jan 16 2025 at 16:52):

Wasmtime GitHub notifications bot (Jan 16 2025 at 16:52):

Crash Stacktrace

Wasmtime GitHub notifications bot (Jan 16 2025 at 16:53):

Crash Stacktrace

Wasmtime GitHub notifications bot (Jan 16 2025 at 16:54):

Crash Stacktrace

Wasmtime GitHub notifications bot (Jan 16 2025 at 16:56):

Crash Stacktrace

Wasmtime GitHub notifications bot (Jan 16 2025 at 17:04):

Crash Stacktrace

Wasmtime GitHub notifications bot (Jan 16 2025 at 17:08):

Crash Stacktrace

Wasmtime GitHub notifications bot (Jan 16 2025 at 17:40):

Wasmtime GitHub notifications bot (Jan 16 2025 at 17:51):

Wasmtime GitHub notifications bot (Jan 16 2025 at 17:51):

Wasmtime GitHub notifications bot (Jan 16 2025 at 21:06):

Wasmtime GitHub notifications bot (Jan 16 2025 at 21:25):

Wasmtime GitHub notifications bot (Jan 16 2025 at 21:25):

Wasmtime GitHub notifications bot (Jan 16 2025 at 21:56):

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:01):

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:05):

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:05):

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:06):

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:08):

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:15):

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:15):

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:16):

Crash Stacktrace

Wasmtime GitHub notifications bot (Jan 16 2025 at 22:16):