fitzgen opened issue #11491:
https://issues.oss-fuzz.com/issues/435536866
Test Case
(not actually a text file, just need that to upload to github)
Steps to Reproduce
$ cargo fuzz run -s none table_ops table-ops-input.txt
Stack trace from OSS-fuzz:
==449== ERROR: libFuzzer: timeout after 61 seconds
#0 0x581f1e356f21 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
#1 0x581f22ba1c08 in fuzzer::PrintStackTrace() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
#2 0x581f22b85bc7 in fuzzer::Fuzzer::AlarmCallback() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:304:5
#3 0x7a366102441f in libpthread.so.0
#4 0x581f1e2cec73 in MemToShadow /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_mapping.h:376:10
#5 0x581f1e2cec73 in SetShadow /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_fake_stack.cpp:30:40
#6 0x581f1e2cec73 in OnMalloc /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_fake_stack.cpp:233:3
#7 0x581f1e2cec73 in __asan_stack_malloc_1 /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_fake_stack.cpp:274:1
#8 0x581f2278f8ef in wasm_encoder::core::code::ConstExpr::ref_null::h7b70704cd3c0fe4c /rust/registry/src/index.crates.io-1949cf8c6b5b557f/wasm-encoder-0.236.0/src/core/code.rs:0
#9 0x581f1e46434b in wasmtime_fuzzing::generators::table_ops::TableOps::to_wasm_binary::h054e7ad507246124 [wasmtime/crates/fuzzing/src/generators/table_ops.rs:103](https://github.com/bytecodealliance/wasmtime/blob/82f3b2a16c139297684ae0c84a7568a30c762f41/crates/fuzzing/src/generators/table_ops.rs#L103):18
#10 0x581f1e46ed91 in wasmtime_fuzzing::oracles::table_ops::h4325903beb41f5dd [wasmtime/crates/fuzzing/src/oracles.rs:789](https://github.com/bytecodealliance/wasmtime/blob/82f3b2a16c139297684ae0c84a7568a30c762f41/crates/fuzzing/src/oracles.rs#L789):24
#11 0x581f1e386243 in table_ops::_::__libfuzzer_sys_run::h10f1279d2a4b997f [wasmtime/fuzz/fuzz_targets/table_ops.rs:25](https://github.com/bytecodealliance/wasmtime/blob/82f3b2a16c139297684ae0c84a7568a30c762f41/fuzz/fuzz_targets/table_ops.rs#L25):13
#12 0x581f1e384de8 in rust_fuzzer_test_input /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:220:17
#13 0x581f22b692f5 in libfuzzer_sys::test_input_wrap::_$u7b$$u7b$closure$u7d$$u7d$::hc47f5c1a54e86fdf /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:62:9
#14 0x581f22b692f5 in std::panicking::catch_unwind::do_call::h35b330ae262933fc /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:589:40
#15 0x581f22b6abe8 in __rust_try libfuzzer_sys.d7ab0406284dc5ef-cgu.0:0
#16 0x581f22b6a53d in std::panicking::catch_unwind::h3a14830225e80213 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panicking.rs:552:19
#17 0x581f22b6a53d in std::panic::catch_unwind::h769558a23004d421 /rustc/3014e79f9c8d5510ea7b3a3b70d171d0948b1e96/library/std/src/panic.rs:359:14
#18 0x581f22b6a53d in LLVMFuzzerTestOneInput /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.8/src/lib.rs:60:22
#19 0x581f22b87160 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
#20 0x581f22b72525 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
#21 0x581f22b77fbf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
#22 0x581f22ba2332 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#23 0x7a3660ced082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/libc-start.c:308:16
#24 0x581f1e2c184d in _start

I suspect we either have an accidental infinite loop or else need to tweak some limits or something.
+cc @khagankhan
fitzgen added the fuzz-bug label to Issue #11491.
khagankhan commented on issue #11491:
@fitzgen it appears to be fixed after the PR #11392 that applies limits to the number of the generated ops:
I ran it with the version before the PR and it "hangs" for a while
Result with the buggy version (before PR):
Running: /users/khan22/table-ops-input.bin
Executed /users/khan22/table-ops-input.bin in 8382 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***

Result with the fixed version (after PR):

Running: /users/khan22/table-ops-input.bin
Executed /users/khan22/table-ops-input.bin in 12 ms
***
*** NOTE: fuzzing was not performed, you have only
*** executed the target code on a fixed set of inputs.
***
fitzgen commented on issue #11491:
I suspect that the changes in that PR (the extraction of the `TableLimits` type) might have just changed the serialized format of a `TableOps` such that something that previously deserialized successfully no longer does, and therefore we aren't testing the "same" thing anymore.

I'll take a quick look but if I don't see anything obvious we can close this issue and just reopen it if the fuzzers find the "same" timeout again.
khagankhan commented on issue #11491:
Yes! That would be more useful and helpful, I guess, to find the issue.
fitzgen closed issue #11491:
fitzgen commented on issue #11491:
Yeah this was an issue of ~unbounded globals, should be fixed after #11392.
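The two comments above (limits on the number of generated ops in #11392, and the closing note that the cause was an unbounded global count) describe a common class of fuzz-target timeout: a count decoded as a bare integer straight from the fuzz bytes drives a loop in the generator itself, so the run times out before the engine under test is ever exercised. The example below is added here and is not wasmtime's code; `TableLimits`, the field names, the limit value, the encoding helper and the `HOSTILE_INPUT` bytes are all assumptions constructed for illustration, not the real definitions in `crates/fuzzing`. It contrasts a decode without limits (the count survives as 2^32-1) with one that clamps the count first, and computes the projected encoder work without running it so the unbounded case can be inspected safely.

```rust
// Added example, not wasmtime's code: a toy `TableOps`-style generator that
// shows why a count decoded as a bare integer from fuzz input must be clamped
// before it drives a loop in the generator. `TableLimits`, the field names,
// the limit value and the encoding helper are assumptions, not the real
// definitions in crates/fuzzing.

/// Caps applied to counts decoded from fuzz input (assumed value).
#[derive(Clone, Copy, Debug)]
pub struct TableLimits {
    pub max_globals: u32,
}

impl Default for TableLimits {
    fn default() -> Self {
        TableLimits { max_globals: 10 }
    }
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Op {
    Get(u32),
    Set(u32),
    Null,
}

/// Toy module description: `num_globals` funcref globals (each encoded with
/// a `ref.null` initializer) plus a list of table ops.
#[derive(Debug, PartialEq)]
pub struct TableOps {
    pub num_globals: u32,
    pub ops: Vec<Op>,
}

/// Little-endian u32 at `*pos`, zero-padded past the end of the input.
fn read_u32(bytes: &[u8], pos: &mut usize) -> u32 {
    let mut v = [0u8; 4];
    for (i, slot) in v.iter_mut().enumerate() {
        *slot = bytes.get(*pos + i).copied().unwrap_or(0);
    }
    *pos += 4;
    u32::from_le_bytes(v)
}

/// Decode fuzz bytes into a `TableOps`. The ops list is naturally bounded by
/// the input length (one op per 4 bytes), but `num_globals` is a bare integer
/// read from the input: without `limits` it is whatever the fuzzer wrote.
pub fn decode(bytes: &[u8], limits: Option<TableLimits>) -> TableOps {
    let mut pos = 0;
    let mut num_globals = read_u32(bytes, &mut pos);
    if let Some(l) = limits {
        num_globals = num_globals.min(l.max_globals);
    }
    let mut ops = Vec::new();
    while pos + 4 <= bytes.len() {
        let sel = read_u32(bytes, &mut pos);
        ops.push(match sel % 3 {
            0 => Op::Get(sel / 3),
            1 => Op::Set(sel / 3),
            _ => Op::Null,
        });
    }
    TableOps { num_globals, ops }
}

/// Bytes per global entry: valtype funcref (0x70), mutable (0x01), then the
/// const expr `ref.null funcref` (0xD0 0x70) followed by `end` (0x0B).
const GLOBAL_ENTRY: [u8; 5] = [0x70, 0x01, 0xD0, 0x70, 0x0B];

/// Size the encoder would have to emit for the global section body, computed
/// without looping, so an unbounded count can be inspected safely.
pub fn projected_global_bytes(ops: &TableOps) -> u64 {
    ops.num_globals as u64 * GLOBAL_ENTRY.len() as u64
}

/// Emit the global section body. This loop runs as many times as
/// `num_globals` says; with an unclamped count it is the generator, not the
/// engine under test, that hits the fuzzer's timeout.
pub fn encode_globals(ops: &TableOps) -> Vec<u8> {
    let mut out = Vec::new();
    for _ in 0..ops.num_globals {
        out.extend_from_slice(&GLOBAL_ENTRY);
    }
    out
}

/// Constructed fuzz input: num_globals = 0xFFFFFFFF, followed by two ops.
pub const HOSTILE_INPUT: [u8; 12] = [0xFF, 0xFF, 0xFF, 0xFF, 3, 0, 0, 0, 5, 0, 0, 0];

fn main() {
    let before = decode(&HOSTILE_INPUT, None);
    let after = decode(&HOSTILE_INPUT, Some(TableLimits::default()));
    println!(
        "before: {} globals, {} bytes projected",
        before.num_globals,
        projected_global_bytes(&before)
    );
    println!(
        "after:  {} globals, {} bytes emitted",
        after.num_globals,
        encode_globals(&after).len()
    );
}
```

The point of the split between `projected_global_bytes` and `encode_globals` is that a regression check for this bug should never have to run the expensive loop: decode the known-bad input, assert on the clamped count, and only then encode. A Vec whose length is derived from the remaining input bytes is implicitly bounded by the input size, which is why the ops list never caused trouble here, while a bare integer count needs an explicit cap such as the one `TableLimits` supplies.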
Last updated: Dec 06 2025 at 07:03 UTC