Stream: git-wasmtime

Topic: wasmtime / issue #11345 table_ops fuzzer: OOM after mutat...


Wasmtime GitHub notifications bot (Jul 30 2025 at 14:58):

alexcrichton opened issue #11345:

Reported here -- https://oss-fuzz.com/testcase-detail/5456731321991168. The input is input.gz and the stack trace is:

    ==403== ERROR: libFuzzer: out-of-memory (used: 2580Mb; limit: 2560Mb)
       To change the out-of-memory limit use -rss_limit_mb=<N>

    Live Heap Allocations: 2524276551 bytes in 78 chunks; quarantined: 134229108 bytes in 69 chunks; 35603 other chunks; total chunks: 35750; showing top 95% (at most 8 unique contexts)
    2365587444 byte(s) (93%) in 1 allocation(s)
        #0 0x5d0074f3d1f4 in ___interceptor_malloc /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:67:3
        #1 0x5d007504fc2a in alloc::alloc::alloc::h161817ac8df9dac2 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/alloc/src/alloc.rs:94:9
        #2 0x5d007504fc2a in alloc::alloc::Global::alloc_impl::h68eb0e971a2ac1b9 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/alloc/src/alloc.rs:189:73
        #3 0x5d007504fc2a in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::allocate::hd9c700362a4cc407 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/alloc/src/alloc.rs:250:14
        #4 0x5d007504fc2a in alloc::raw_vec::RawVecInner$LT$A$GT$::try_allocate_in::h25bfe463846116c0 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/alloc/src/raw_vec/mod.rs:476:47
        #5 0x5d007504fc2a in alloc::raw_vec::RawVecInner$LT$A$GT$::with_capacity_in::h41ac2431073e79dd /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/alloc/src/raw_vec/mod.rs:422:15
        #6 0x5d007504fc2a in alloc::raw_vec::RawVec$LT$T$C$A$GT$::with_capacity_in::hc20b78c85c524ad6 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/alloc/src/raw_vec/mod.rs:190:20
        #7 0x5d007504fc2a in alloc::vec::Vec$LT$T$C$A$GT$::with_capacity_in::hb61fefb2a7499d7e /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/alloc/src/vec/mod.rs:929:20
        #8 0x5d007504fc2a in alloc::vec::Vec$LT$T$GT$::with_capacity::hf922ff8dc4b44372 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/alloc/src/vec/mod.rs:500:9
        #9 0x5d007504fc2a in wasmtime_fuzzing::generators::table_ops::TableOps::to_wasm_binary::h338da5ac7809fca2 [wasmtime/crates/fuzzing/src/generators/table_ops.rs:59](https://github.com/bytecodealliance/wasmtime/blob/6047d27e1cbe3b8d168bd823da8b4e1dd1db25e0/crates/fuzzing/src/generators/table_ops.rs#L59):40
        #10 0x5d007505ac91 in wasmtime_fuzzing::oracles::table_ops::h1258dea938babadb [wasmtime/crates/fuzzing/src/oracles.rs:789](https://github.com/bytecodealliance/wasmtime/blob/6047d27e1cbe3b8d168bd823da8b4e1dd1db25e0/crates/fuzzing/src/oracles.rs#L789):24
        #11 0x5d0074f74ca3 in table_ops::_::__libfuzzer_sys_run::hd372e81851c90cf6 [wasmtime/fuzz/fuzz_targets/table_ops.rs:24](https://github.com/bytecodealliance/wasmtime/blob/6047d27e1cbe3b8d168bd823da8b4e1dd1db25e0/fuzz/fuzz_targets/table_ops.rs#L24):13
        #12 0x5d0074f738f8 in rust_fuzzer_test_input /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:220:17
        #13 0x5d00797b5a65 in libfuzzer_sys::test_input_wrap::_$u7b$$u7b$closure$u7d$$u7d$::hc47f5c1a54e86fdf /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:62:9
        #14 0x5d00797b5a65 in std::panicking::catch_unwind::do_call::h35b330ae262933fc /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:589:40
        #15 0x5d00797b7358 in __rust_try libfuzzer_sys.d7ab0406284dc5ef-cgu.0:0
        #16 0x5d00797b6cad in std::panicking::catch_unwind::h3a14830225e80213 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:552:19
        #17 0x5d00797b6cad in std::panic::catch_unwind::h769558a23004d421 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panic.rs:359:14
        #18 0x5d00797b6cad in LLVMFuzzerTestOneInput /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:60:22
        #19 0x5d00797d38d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
        #20 0x5d00797bec95 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
        #21 0x5d00797c472f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
        #22 0x5d00797eeaa2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #23 0x78da8157d082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16

    134217728 byte(s) (5%) in 1 allocation(s)
        #0 0x5d0074f3d5ec in __interceptor_realloc /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:81:3

cc @fitzgen @khagankhan

Wasmtime GitHub notifications bot (Jul 30 2025 at 15:01):

alexcrichton added the fuzz-bug label to Issue #11345.

Wasmtime GitHub notifications bot (Jul 30 2025 at 15:57):

fitzgen commented on issue #11345:

@khagankhan can you look into this? I think that the following command should reproduce the bug:

$ cargo fuzz run --no-default-features [--sanitizer=none] table_ops path/to/extracted/input

You can try minimizing the test case with cargo fuzz tmin as well, see its --help for details.

I suspect we just need to impose some limits on the number of table ops or something.

Happy to help if you have trouble reproducing or diagnosing what is going wrong or anything else, just let me know!

Wasmtime GitHub notifications bot (Jul 30 2025 at 16:05):

khagankhan commented on issue #11345:

Sure thing! o7


Last updated: Dec 06 2025 at 07:03 UTC