Stream: git-wasmtime

Topic: wasmtime / issue #13247 Panic: last_gc_heap_usage <= gc_h...


Wasmtime GitHub notifications bot (Apr 30 2026 at 23:02):

alexcrichton assigned fitzgen to issue #13247.

Wasmtime GitHub notifications bot (Apr 30 2026 at 23:02):

alexcrichton opened issue #13247:

This fuzz input: input.txt

yields:

$ RUST_LOG=wasmtime_fuzz cargo +nightly fuzz run -s none --dev gc_ops ./input.txt
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.10s
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.10s
     Running `target/x86_64-unknown-linux-gnu/debug/gc_ops -artifact_prefix=/home/alex/code/wasmtime/fuzz/artifacts/gc_ops/ ./input.txt`
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: found LLVMFuzzerCustomMutator (0x60b9a980afb0). Disabling -len_control by default.
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 892323861
INFO: Loaded 1 modules   (797069 inline 8-bit counters): 797069 [0x60b9aec6f1f0, 0x60b9aed31b7d),
INFO: Loaded 1 PC tables (797069 PCs): 797069 [0x60b9aed31b80,0x60b9af95b450),
target/x86_64-unknown-linux-gnu/debug/gc_ops: Running 1 inputs 1 time(s) each.
Running: ./input.txt
[2026-04-30T23:01:40Z DEBUG wasmtime_fuzzing::generators::config] creating wasmtime config with CLI options:
    -Ccompiler=cranelift -Ccollector=null -Ccranelift-debug-verifier=n -Cparallel-compilation=n -Cnative-unwind-info=n -Cinlining=y -Ccranelift-wasmtime_inlining_intra_module=yes -Ccranelift-wasmtime_inlining_small_callee_size=1000 -Ccranelift-wasmtime_inlining_sum_size_threshold=1000 -Oopt-level=0 -Oregalloc-algorithm=backtracking -Omemory-guard-size=3597704682 -Oguard-before-linear-memory=y -Otable-lazy-init=n -Omemory-init-cow=y -Omemory-guaranteed-dense-image-size=16777216 -Osignals-based-traps=n -Wnan-canonicalization=y -Wfuel=18446744073709551615 -Wepoch-interruption=n -Wasync-stack-zeroing=y -Wbulk-memory=y -Wmulti-memory=n -Wmulti-value=y -Wreference-types=y -Wsimd=n -Wrelaxed-simd=n -Wtail-call=y -Wthreads=n -Wshared-memory=n -Wshared-everything-threads=n -Wmemory64=n -Wcomponent-model-async=n -Wcomponent-model-more-async-builtins=n -Wcomponent-model-async-stackful=n -Wcomponent-model-threading=n -Wcomponent-model-error-context=n -Wcomponent-model-gc=n -Wcomponent-model-map=n -Wfunction-references=y -Wstack-switching=n -Wgc=y -Wcustom-page-sizes=n -Wwide-arithmetic=n -Wextended-const=n -Wexceptions=n -Wcomponent-model-fixed-length-lists=n -Daddress-map=y
[2026-04-30T23:01:40Z TRACE wasmtime_fuzzing::generators::gc_ops::types] [StackType::emit] op=Gc stack_len_before=0 num_types=0
[2026-04-30T23:01:40Z TRACE wasmtime_fuzzing::generators::gc_ops::types] [StackType::emit] push result ExternRef
[2026-04-30T23:01:40Z TRACE wasmtime_fuzzing::generators::gc_ops::types] [StackType::emit] push result ExternRef
[2026-04-30T23:01:40Z TRACE wasmtime_fuzzing::generators::gc_ops::types] [StackType::emit] push result ExternRef
[2026-04-30T23:01:40Z TRACE wasmtime_fuzzing::generators::gc_ops::types] [StackType::emit] leave stack=[ExternRef, ExternRef, ExternRef]
[2026-04-30T23:01:40Z TRACE wasmtime_fuzzing::generators::gc_ops::ops] ops after fixup: [
        Gc,
        Drop,
        Drop,
        Drop,
    ]
[2026-04-30T23:01:40Z DEBUG wasmtime_fuzzing::oracles] wrote wasm file to `testcase0.wasm`
[2026-04-30T23:01:40Z DEBUG wasmtime_fuzzing::oracles] wrote wat file to `testcase0.wat`
[2026-04-30T23:01:40Z DEBUG wasmtime_fuzzing::oracles] wrote wasm file to `testcase1.wasm`
[2026-04-30T23:01:40Z DEBUG wasmtime_fuzzing::oracles] wrote wat file to `testcase1.wat`
[2026-04-30T23:01:40Z TRACE wasmtime_fuzzing::oracles] alloc 0x0 bytes
[2026-04-30T23:01:40Z TRACE wasmtime_fuzzing::oracles] alloc 0x100 bytes
[2026-04-30T23:01:40Z TRACE wasmtime_fuzzing::oracles] alloc 0x100 bytes
[2026-04-30T23:01:40Z INFO  wasmtime_fuzzing::oracles] gc_ops: begin allocating 10 externref arguments
[2026-04-30T23:01:40Z INFO  wasmtime_fuzzing::oracles] gc_ops: end allocating 10 externref arguments
[2026-04-30T23:01:40Z INFO  wasmtime_fuzzing::oracles] gc_ops: calling into Wasm `run` function
[2026-04-30T23:01:40Z INFO  wasmtime_fuzzing::oracles] gc_ops: GC
[2026-04-30T23:01:40Z INFO  wasmtime_fuzzing::oracles] CountDrops::new: expected drops: 0 -> 1

thread '<unnamed>' (2456128) panicked at crates/wasmtime/src/runtime/store/gc.rs:238:24:
assertion failed: last_gc_heap_usage <= gc_heap_capacity
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==2456128== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit status: 77

The OSS-Fuzz bisection range is https://github.com/bytecodealliance/wasmtime/compare/42e40934cc8395f7138b311db245b11fac61ccaf...5540f54d3df8ea74e124d4848e6ace14610a373c

Wasmtime GitHub notifications bot (Apr 30 2026 at 23:02):

alexcrichton added the fuzz-bug label to Issue #13247.

Wasmtime GitHub notifications bot (Apr 30 2026 at 23:02):

alexcrichton added the wasm-proposal:gc label to Issue #13247.

Wasmtime GitHub notifications bot (Apr 30 2026 at 23:05):

alexcrichton commented on issue #13247:

To inline it, too, the test case here is:

(module
  (type (;0;) (func (result externref externref externref)))
  (type (;1;) (func))
  (type (;2;) (func (param externref externref externref)))
  (type (;3;) (func (result externref externref externref)))
  (type (;4;) (func (param structref)))
  (import "" "gc" (func (;0;) (type 0)))
  (import "" "take_refs" (func (;1;) (type 2)))
  (import "" "make_refs" (func (;2;) (type 3)))
  (import "" "take_struct" (func (;3;) (type 4)))
  (table (;0;) 32 externref)
  (table (;1;) 32 structref)
  (global (;0;) (mut externref) ref.null extern)
  (global (;1;) (mut externref) ref.null extern)
  (global (;2;) (mut externref) ref.null extern)
  (global (;3;) (mut externref) ref.null extern)
  (global (;4;) (mut externref) ref.null extern)
  (global (;5;) (mut externref) ref.null extern)
  (global (;6;) (mut externref) ref.null extern)
  (global (;7;) (mut externref) ref.null extern)
  (global (;8;) (mut externref) ref.null extern)
  (global (;9;) (mut externref) ref.null extern)
  (global (;10;) (mut structref) ref.null struct)
  (export "run" (func 4))
  (func (;4;) (type 1)
    (local externref structref)
    loop ;; label = @1
      call 0
      drop
      drop
      drop
      br 0 (;@1;)
    end
  )
)

Wasmtime GitHub notifications bot (May 01 2026 at 23:52):

fitzgen closed issue #13247.


Last updated: May 03 2026 at 22:13 UTC