abrown added the bug label to Issue #10583.
abrown added the fuzz-bug label to Issue #10583.
abrown opened issue #10583:
I was messing around with the `cranelift-fuzzgen` target locally and after about 1M iterations ran into the following crash: `cargo +nightly fuzz run --no-default-features --sanitizer=none cranelift-fuzzgen`. I tried minimizing, no luck.
<details>
<summary>Test case input</summary>
</details>
<details>
<summary>cargo +nightly fuzz fmt output</summary>

Running `cargo +nightly fuzz fmt cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-9c0157c21569ca5c828e491b7cc701bcf9eac106` seemed to hang. But, before crashing, I did get code like the following (I changed the function name to `%test`):

```
;; Run test case

test interpret
test run
set opt_level=speed
set probestack_size_log2=6
set probestack_strategy=inline
set bb_padding_log2_minus_one=4
set enable_alias_analysis=false
set enable_llvm_abi_extensions=true
set enable_multi_ret_implicit_sret=true
set unwind_info=false
set machine_code_cfg_info=true
set enable_probestack=true
set enable_jump_tables=false
set enable_heap_access_spectre_mitigation=false
target x86_64 has_sse3 has_ssse3 has_cmpxchg16b has_sse41 has_sse42 has_avx has_avx2 has_fma has_popcnt has_bmi1 has_bmi2 has_lzcnt

function %test(i8 sext, i8, i8, i8x16, i64 sext, i64 sext, i64 sext, f32x4, i16 sext, i16x8, i16x8, i128, f32) -> f32, i16x8, i64 cold {
    ss0 = explicit_slot 3, align = 8
    ss1 = explicit_slot 76, align = 8
    ss2 = explicit_slot 3, align = 8
    ss3 = explicit_slot 1
    ss4 = explicit_slot 1
    ss5 = explicit_slot 8, align = 8
    ss6 = explicit_slot 8, align = 8
    ss7 = explicit_slot 2, align = 2
    ss8 = explicit_slot 16, align = 16
    ss9 = explicit_slot 16, align = 16
    sig0 = (f32) -> f32 system_v
    sig1 = (f64) -> f64 system_v
    sig2 = (f32) -> f32 system_v
    sig3 = (f64) -> f64 system_v
    sig4 = (f32) -> f32 system_v
    sig5 = (f64) -> f64 system_v
    fn0 = colocated %CeilF32 sig0
    fn1 = colocated %CeilF64 sig1
    fn2 = %FloorF32 sig2
    fn3 = %FloorF64 sig3
    fn4 = %TruncF32 sig4
    fn5 = %TruncF64 sig5

block0(v0: i8, v1: i8, v2: i8, v3: i8x16, v4: i64, v5: i64, v6: i64, v7: f32x4, v8: i16, v9: i16x8, v10: i16x8, v11: i128, v12: f32):
    v34 -> v0
    v36 -> v1
    v45 -> v2
    v56 -> v4
    v49 -> v5
    v31 -> v6
    v48 -> v8
    v55 -> v9
    v52 -> v11
    v38 -> v12
    stack_store v1, ss3
    stack_store v2, ss4
    stack_store v4, ss5
    stack_store v5, ss6
    stack_store v8, ss7
    stack_store v9, ss8
    stack_store v11, ss9
    v13 = iconst.i64 0x2d03_0303_0303_0303
    v32 -> v13
    v14 = f32const 0x1.06b91cp-121
    v15 = iconst.i64 0x0303_0303_0303_0303
    v16 = iconst.i8 0
    v17 = iconst.i16 0
    v18 = iconst.i32 0
    v19 = iconst.i64 0
    v20 = uextend.i128 v19 ; v19 = 0
    v21 = stack_addr.i64 ss0
    store notrap vmctx v17, v21 ; v17 = 0
    v22 = stack_addr.i64 ss0+2
    store notrap vmctx v16, v22 ; v16 = 0
    v23 = stack_addr.i64 ss2
    store notrap vmctx v17, v23 ; v17 = 0
    v24 = stack_addr.i64 ss2+2
    store notrap vmctx v16, v24 ; v16 = 0
    v25 = stack_addr.i64 ss1
    store notrap vmctx v20, v25
    v26 = stack_addr.i64 ss1+16
    store notrap vmctx v20, v26
    v27 = stack_addr.i64 ss1+32
    store notrap vmctx v20, v27
    v28 = stack_addr.i64 ss1+48
    store notrap vmctx v20, v28
    v29 = stack_addr.i64 ss1+64
    store notrap vmctx v19, v29 ; v19 = 0
    v30 = stack_addr.i64 ss1+72
    store notrap vmctx v18, v30 ; v18 = 0
    brif v0, block1, block1

block1:
    v33 = umax.i64 v31, v32 ; v32 = 0x2d03_0303_0303_0303
    v35 = sshr.i8 v34, v34
    v37 = sshr.i8 v36, v35
    v39 = call fn0(v38), stack_map=[i8 @ ss3+0, i8 @ ss4+0, i64 @ ss5+0, i64 @ ss6+0, i16 @ ss7+0, i16x8 @ ss8+0, i128 @ ss9+0]
    v40 = sshr v37, v37
    v41 = sshr v40, v40
    v42 = sshr v41, v41
    v43 = sshr v42, v42
    v44 = sshr v43, v43
    v46 = sshr.i8 v36, v45
    v47 = bor v39, v39
    v50 = sshr.i16 v48, v49
    v57 = fdiv v47, v47
    v58 = f32const +NaN
    v59 = scalar_to_vector.f32x4 v58 ; v58 = +NaN
    v60 = scalar_to_vector.f32x4 v57
    v61 = fcmp uno v60, v60
    v62 = bitcast.f32x4 v61
    v63 = bitselect v62, v59, v60
    v51 = extractlane v63, 0
    v53 = iabs.i128 v52
    v54 = iabs v53
    return v39, v55, v56
}

; Note: the results in the below test cases are simply a placeholder and probably will be wrong

; run: %test(120, 0, 37, 0x25e1e1e1e1e1a1e1e1e1e1e1e1e10000, 2604488122695689509, -6845471432979916544, 250082238140424591, 0xfea103a1032fa1a1a1e1ffffff012503, 30840, 0x0303030303034c030303032500007878, 0xdc00db2525250000dc00251025030303, 504403153970528732, 0.0) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(50, 0, 0, 0x0004839a0474022400000000007f0000, 269332919549952, -7277816997830761472, 1369085490627582618, 0xf9faffff9a9a9a9aff03839a74000000, -1543, 0x3b9a0900000000000001ffffffffff06, 0x0025ff272525a6000025102525262527, -20282408394714223036251008172169, 0x0.00000cp-126) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(0, 0, 0, 0x000000007f0000000032000000000000, 325272942017651712, 68949227404787712, -10223616, 0x0303030303035c8e052d03030303039a, 771, 0x03030303030303030303070303030303, 0x0303030303030703fc0f000000000001, 4003321963772105628865332499261358851, -sNaN:0x1a9a03) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(-1, -1, -9, 0xffff9a9a9a9aff03839a7400000012ff, -1069547914758, 131071, 2676867878952241408, 0x03030303030303030303030303251025, 771, 0x000000000000000000ff272525a60000, 0x00000000000000000000000000000000, 0, 0.0) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(0, 0, 0, 0x00000000000000000000000000000000, 0, 0, 0, 0x00000000000000000000000000000000, 0, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0, 0.0) == [0.0, 0x00000000000000000000000000000000, 0]
```

</details>
<details>
<summary>Stack trace or other relevant details</summary>
What
[message truncated]
Last updated: Dec 06 2025 at 07:03 UTC