Stream: git-wasmtime

Topic: wasmtime / issue #11346 table_ops fuzzer: Panic exceeding...


Wasmtime GitHub notifications bot (Jul 30 2025 at 15:01):

alexcrichton opened issue #11346:

An issue was opened at https://oss-fuzz.com/testcase-detail/6690130233720832 and the reproduction is input.gz. I'll note though that this is flagged as "fixed on main" right now but I'm not sure why. OSS-Fuzz claims this deterministically fails on https://github.com/bytecodealliance/wasmtime/commit/6047d27e1cbe3b8d168bd823da8b4e1dd1db25e0 but no longer fails on main, and that's probably also worth investigating.

cc @fitzgen @khagankhan

    thread '<unnamed>' panicked at /src/wasmtime/crates/fuzzing/src/oracles.rs:917:64:
    called `Result::unwrap()` on an `Err` value: table minimum size of 258809871 elements exceeds table limits
    note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==411==ERROR: AddressSanitizer: ABRT on unknown address 0x05390000019b (pc 0x7f144979a00b bp 0x7ffe92c99540 sp 0x7ffe92c992f0 T0)
    SCARINESS: 10 (signal)
        #0 0x7f144979a00b in raise /build/glibc-LcI20x/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:51:1
        #1 0x7f1449779858 in abort /build/glibc-LcI20x/glibc-2.31/stdlib/abort.c:79:7
        #2 0x58cf1a0a4069 in std::sys::pal::unix::abort_internal::h96857ca33d9110f4 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/sys/pal/unix/mod.rs:366:14
        #3 0x58cf1a0a39a8 in std::process::abort::hbb0da5b195767e3b /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/process.rs:2499:5
        #4 0x58cf1a09ee74 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::he6c18c4a427ce4b8 /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:95:9
        #5 0x58cf1ea34a7d in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h2b5c5d3b4f513895 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/alloc/src/boxed.rs:1985:9
        #6 0x58cf1ea34a7d in std::panicking::rust_panic_with_hook::hceef4321c6f4ad8a /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:841:13
        #7 0x58cf1ea34769 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hf9fd67a226c3bb3d /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:706:13
        #8 0x58cf1ea32e18 in std::sys::backtrace::__rust_end_short_backtrace::h52410ec1fdc70787 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/sys/backtrace.rs:174:18
        #9 0x58cf1ea343fc in __rustc::rust_begin_unwind /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:697:5
        #10 0x58cf1a0a537f in core::panicking::panic_fmt::hf04b323265684a46 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/core/src/panicking.rs:75:14
        #11 0x58cf1a0a5895 in core::result::unwrap_failed::hdf92484becbba54e /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/core/src/result.rs:1761:5
        #12 0x58cf1a255f6f in core::result::Result$LT$T$C$E$GT$::unwrap::h7e1023d17b9826b9 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/core/src/result.rs:1167:23
        #13 0x58cf1a255f6f in wasmtime_fuzzing::oracles::table_ops::h1258dea938babadb [wasmtime/crates/fuzzing/src/oracles.rs:917](https://github.com/bytecodealliance/wasmtime/blob/6047d27e1cbe3b8d168bd823da8b4e1dd1db25e0/crates/fuzzing/src/oracles.rs#L917):64
        #14 0x58cf1a16bca3 in table_ops::_::__libfuzzer_sys_run::hd372e81851c90cf6 [wasmtime/fuzz/fuzz_targets/table_ops.rs:24](https://github.com/bytecodealliance/wasmtime/blob/6047d27e1cbe3b8d168bd823da8b4e1dd1db25e0/fuzz/fuzz_targets/table_ops.rs#L24):13
        #15 0x58cf1a16a8f8 in rust_fuzzer_test_input /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:220:17
        #16 0x58cf1e9aca65 in libfuzzer_sys::test_input_wrap::_$u7b$$u7b$closure$u7d$$u7d$::hc47f5c1a54e86fdf /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:62:9
        #17 0x58cf1e9aca65 in std::panicking::catch_unwind::do_call::h35b330ae262933fc /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:589:40
        #18 0x58cf1e9ae358 in __rust_try libfuzzer_sys.d7ab0406284dc5ef-cgu.0:0
        #19 0x58cf1e9adcad in std::panicking::catch_unwind::h3a14830225e80213 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:552:19
        #20 0x58cf1e9adcad in std::panic::catch_unwind::h769558a23004d421 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panic.rs:359:14
        #21 0x58cf1e9adcad in LLVMFuzzerTestOneInput /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:60:22
        #22 0x58cf1e9ca8d0 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
        #23 0x58cf1e9b5c95 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
        #24 0x58cf1e9bb72f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
        #25 0x58cf1e9e5aa2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #26 0x7f144977b082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
        #27 0x58cf1a0a727d in _start

Wasmtime GitHub notifications bot (Jul 30 2025 at 15:01):

alexcrichton added the fuzz-bug label to Issue #11346.

Wasmtime GitHub notifications bot (Jul 30 2025 at 16:02):

fitzgen commented on issue #11346:

This was probably "fixed" due to changes in how we actually interpret the fuzzer's bytes in the fuzz target, and the switch from generative-via-mutatis to actually mutation-based.

That said, it looks like we just aren't enforcing a maximum size on table limits in our mapping from the AST representation to the Wasm binary encoding. Our fixup method currently only fixes up the operand stack. Either we should extend the fixup method to also enforce maximum sizes on table limits or we should just handle that while encoding the Wasm binary.

@khagankhan could you investigate the above? Let me know if what I said makes sense or if it needs clarification or whatever.

Wasmtime GitHub notifications bot (Jul 30 2025 at 16:20):

khagankhan commented on issue #11346:

@fitzgen yes sure thing!!

Wasmtime GitHub notifications bot (Jul 30 2025 at 22:18):

alexcrichton commented on issue #11346:

Another fuzz bug (https://oss-fuzz.com/testcase-detail/5130988654231552) came in with a new input: input.gz which should reproduce on main

Wasmtime GitHub notifications bot (Jul 30 2025 at 22:19):

khagankhan commented on issue #11346:

Thanks @alexcrichton, have been looking at them...

Wasmtime GitHub notifications bot (Jul 30 2025 at 23:36):

khagankhan commented on issue #11346:

@fitzgen is right. After enforcing size limits when encoding the bytes, the issues seem to be resolved. We will discuss it in our meeting and subsequently make the necessary changes.

Wasmtime GitHub notifications bot (Jul 31 2025 at 14:17):

alexcrichton commented on issue #11346:

Another crash that showed up last night (https://oss-fuzz.com/testcase-detail/6739786699440128) with input.gz looks like:

    thread '<unnamed>' panicked at /src/wasmtime/fuzz/fuzz_targets/table_ops.rs:22:10:
    should be able to generate config from seed: EmptyChoose
    note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
    ==402== ERROR: libFuzzer: deadly signal
        #0 0x59a976cad961 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
        #1 0x59a97b5fcd28 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
        #2 0x59a97b5e0d73 in fuzzer::Fuzzer::CrashCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:231:3
        #3 0x7bbbac96441f in libpthread.so.0
        #4 0x7bbbac64c00a in __libc_signal_restore_set /build/glibc-LcI20x/glibc-2.31/sysdeps/unix/sysv/linux/internal-signals.h:86:3
        #5 0x7bbbac64c00a in raise /build/glibc-LcI20x/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:48:3
        #6 0x7bbbac62b858 in abort /build/glibc-LcI20x/glibc-2.31/stdlib/abort.c:79:7
        #7 0x59a976c15079 in std::sys::pal::unix::abort_internal::h96857ca33d9110f4 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/sys/pal/unix/mod.rs:366:14
        #8 0x59a976c149b8 in std::process::abort::hbb0da5b195767e3b /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/process.rs:2499:5
        #9 0x59a976c0fe84 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::he6c18c4a427ce4b8 /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:95:9
        #10 0x59a97b64c42d in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..Fn$LT$Args$GT$$GT$::call::h2b5c5d3b4f513895 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/alloc/src/boxed.rs:1985:9
        #11 0x59a97b64c42d in std::panicking::rust_panic_with_hook::hceef4321c6f4ad8a /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:841:13
        #12 0x59a97b64c119 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hf9fd67a226c3bb3d /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:706:13
        #13 0x59a97b64a7c8 in std::sys::backtrace::__rust_end_short_backtrace::h52410ec1fdc70787 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/sys/backtrace.rs:174:18
        #14 0x59a97b64bdac in __rustc::rust_begin_unwind /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:697:5
        #15 0x59a976c1638f in core::panicking::panic_fmt::hf04b323265684a46 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/core/src/panicking.rs:75:14
        #16 0x59a976c168a5 in core::result::unwrap_failed::hdf92484becbba54e /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/core/src/result.rs:1761:5
        #17 0x59a976cdcfc5 in core::result::Result$LT$T$C$E$GT$::expect::h397e6cd3c6778578 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/core/src/result.rs:1119:23
        #18 0x59a976cdcfc5 in table_ops::_::__libfuzzer_sys_run::h5b228f3df854d86e [wasmtime/fuzz/fuzz_targets/table_ops.rs:22](https://github.com/bytecodealliance/wasmtime/blob/1a0f9538fd5720e01ad87d6f3d2ff64d17cd2c6d/fuzz/fuzz_targets/table_ops.rs#L22):10
        #19 0x59a976cdb908 in rust_fuzzer_test_input /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:220:17
        #20 0x59a97b5c4415 in libfuzzer_sys::test_input_wrap::_$u7b$$u7b$closure$u7d$$u7d$::hc47f5c1a54e86fdf /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:62:9
        #21 0x59a97b5c4415 in std::panicking::catch_unwind::do_call::h35b330ae262933fc /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:589:40
        #22 0x59a97b5c5d08 in __rust_try libfuzzer_sys.d7ab0406284dc5ef-cgu.0:0
        #23 0x59a97b5c565d in std::panicking::catch_unwind::h3a14830225e80213 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:552:19
        #24 0x59a97b5c565d in std::panic::catch_unwind::h769558a23004d421 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panic.rs:359:14
        #25 0x59a97b5c565d in LLVMFuzzerTestOneInput /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:60:22
        #26 0x59a97b5e2280 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
        #27 0x59a97b5cd645 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
        #28 0x59a97b5d30df in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
        #29 0x59a97b5fd452 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
        #30 0x7bbbac62d082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
        #31 0x59a976c1828d in _start

Wasmtime GitHub notifications bot (Jul 31 2025 at 16:49):

fitzgen commented on issue #11346:

> Another crash that showed up last night (https://oss-fuzz.com/testcase-detail/6739786699440128) with input.gz looks like:

@khagankhan for this one I think we need to just return from the fuzz target when the Config::arbitrary_take_rest returns an error.


Last updated: Dec 06 2025 at 07:03 UTC