Stream: git-wasmtime

Topic: wasmtime / issue #12488 cranelift-fuzzgen using `preserve...


Wasmtime GitHub notifications bot (Feb 02 2026 at 15:55):

alexcrichton opened issue #12488:

Using input.txt as input:

$ cargo +nightly fuzz run -s none --dev cranelift-fuzzgen ./input.txt
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.11s
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.11s
     Running `target/x86_64-unknown-linux-gnu/debug/cranelift-fuzzgen -artifact_prefix=/home/alex/code/wasmtime/fuzz/artifacts/cranelift-fuzzgen/ ./clusterfuzz-testcase-minimized-cranelift-fuzzgen-6203223651450880`
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2634861286
INFO: Loaded 1 modules   (384706 inline 8-bit counters): 384706 [0x5b3c82422440, 0x5b3c82480302),
INFO: Loaded 1 PC tables (384706 PCs): 384706 [0x5b3c82480308,0x5b3c82a5ef28),
target/x86_64-unknown-linux-gnu/debug/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: ./clusterfuzz-testcase-minimized-cranelift-fuzzgen-6203223651450880

thread '<unnamed>' (427986) panicked at fuzz/fuzz_targets/cranelift-fuzzgen.rs:255:61:
called `Result::unwrap()` on an `Err` value: Verifier(VerifierErrors([VerifierError { location: function, context: None, message: "Signature with `preserve_all` ABI cannot have return values" }]))
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==427986== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit status: 77

and fmt shows:

$ cargo +nightly fuzz fmt -s none --dev cranelift-fuzzgen ./input.txt
Output of `std::fmt::Debug`:

;; Testing against optimized version
;; Run test case

test interpret
test run
set opt_level=speed_and_size
set bb_padding_log2_minus_one=6
set enable_alias_analysis=false
set enable_nan_canonicalization=true
set enable_llvm_abi_extensions=true
set enable_multi_ret_implicit_sret=true
set unwind_info=false
set machine_code_cfg_info=true
set enable_heap_access_spectre_mitigation=false
set enable_table_access_spectre_mitigation=false
target x86_64 has_sse3 has_ssse3 has_cmpxchg16b has_sse41 has_sse42 has_avx has_avx2 has_fma has_popcnt has_bmi1 has_bmi2 has_lzcnt

function u1:0(i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext) -> i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext preserve_all {
    sig0 = (f32) -> f32 system_v
    sig1 = (f64) -> f64 system_v
    sig2 = (f32) -> f32 system_v
    sig3 = (f64) -> f64 system_v
    sig4 = (f32) -> f32 system_v
    sig5 = (f64) -> f64 system_v
    fn0 = %CeilF32 sig0
    fn1 = %CeilF64 sig1
    fn2 = %FloorF32 sig2
    fn3 = %FloorF64 sig3
    fn4 = %TruncF32 sig4
    fn5 = %TruncF64 sig5

block0(v0: i8, v1: i8, v2: i8, v3: i8, v4: i8, v5: i8, v6: i8, v7: i8, v8: i8, v9: i8, v10: i8, v11: i8, v12: i8, v13: i8, v14: i8):
    v15 = iconst.i8 0
    v16 = iconst.i16 0
    v17 = iconst.i32 0
    v18 = iconst.i64 0
    v19 = uextend.i128 v18  ; v18 = 0
    return v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0
}


; Note: the results in the below test cases are simply a placeholder and probably will be wrong

; run: u1:0(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) == [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]

cc @cfallin

Wasmtime GitHub notifications bot (Feb 02 2026 at 15:55):

alexcrichton added the fuzz-bug label to Issue #12488.

Wasmtime GitHub notifications bot (Feb 03 2026 at 01:29):

cfallin closed issue #12488:

Last updated: Feb 24 2026 at 04:36 UTC