Stream: git-wasmtime

Topic: wasmtime / issue #4045 fuzz: Excessive memory used with r...

view this post on Zulip Wasmtime GitHub notifications bot (Apr 18 2022 at 17:05):

alexcrichton opened issue #4045:

Found on oss-fuzz recently it looks like this input will fail with:

$ ./target/aarch64-unknown-linux-gnu/release/compile testcase0.wasm
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1075361901
INFO: Loaded 1 modules   (457805 inline 8-bit counters): 457805 [0xaaaaad76d6d0, 0xaaaaad7dd31d),
INFO: Loaded 1 PC tables (457805 PCs): 457805 [0xaaaaad7dd320,0xaaaaaded97f0),
./target/aarch64-unknown-linux-gnu/release/compile: Running 1 inputs 1 time(s) each.
Running: testcase0.wasm
==16743== ERROR: libFuzzer: out-of-memory (used: 2113Mb; limit: 2048Mb)
   To change the out-of-memory limit use -rss_limit_mb=<N>

Live Heap Allocations: 2374660169 bytes in 148074 chunks; quarantined: 145024154 bytes in 262138 chunks; 83118 other chunks; total chunks: 493330; showing top 95% (at most 8 unique contexts)
2184118272 byte(s) (91%) in 6860 allocation(s)
    #0 0xaaaaabc24348 in malloc /checkout/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69
    #1 0xaaaaac6ba230 in smallvec::SmallVec$LT$A$GT$::reserve::h11ac3d59aa9e8a32 cranelift_codegen.c1c00d73-cgu.0
    #2 0xaaaaac7babbc in regalloc2::ion::process::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::split_and_requeue_bundle::h7c57462fae7e02ef cranelift_codegen.c1c00d73-cgu.0
    #3 0xaaaaac788e08 in regalloc2::ion::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::run::ha3ab44cd09d4647f cranelift_codegen.c1c00d73-cgu.0
    #4 0xaaaaac741f28 in regalloc2::ion::run::hf1107088f9115deb cranelift_codegen.c1c00d73-cgu.0
    #5 0xaaaaac848ef0 in cranelift_codegen::machinst::compile::compile::he206f8f66cbf2234 cranelift_codegen.c1c00d73-cgu.0
    #6 0xaaaaacacecac in _$LT$cranelift_codegen..isa..aarch64..AArch64Backend$u20$as$u20$cranelift_codegen..isa..TargetIsa$GT$::compile_function::he8bceb159bfeaabf (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-g
nu/release/compile+0x1e72cac) (BuildId: 083d3f4ded358c21)
    #7 0xaaaaacb6b56c in cranelift_codegen::context::Context::compile::h29c1b4be7d26dce4 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x1f0f56c) (BuildId: 083d3f4ded358c21)
    #8 0xaaaaacb69734 in cranelift_codegen::context::Context::compile_and_emit::hc1b3bbe77a481f60 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x1f0d734) (BuildId: 083d3f4ded358c21)
    #9 0xaaaaac3b019c in _$LT$wasmtime_cranelift..compiler..Compiler$u20$as$u20$wasmtime_environ..compilation..Compiler$GT$::compile_function::h00ea6f11eb3457b1 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/
release/compile+0x175419c) (BuildId: 083d3f4ded358c21)
    #10 0xaaaaabe097ac in rayon::iter::plumbing::bridge_producer_consumer::helper::hd0c27b570f55be34 wasmtime.ead1e54e-cgu.0
    #11 0xaaaaabdc8750 in std::panicking::try::do_call::h59621cc8bf304bad wasmtime.ead1e54e-cgu.0
    #12 0xaaaaabe6c550 in __rust_try wasmtime.ead1e54e-cgu.0
    #13 0xaaaaabdae1f0 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h5e92edc0cddbe60d wasmtime.ead1e54e-cgu.0
    #14 0xaaaaabe0a3c8 in rayon::iter::plumbing::bridge_producer_consumer::helper::hd0c27b570f55be34 wasmtime.ead1e54e-cgu.0
    #15 0xaaaaabdae620 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h5e92edc0cddbe60d wasmtime.ead1e54e-cgu.0
    #16 0xaaaaabdc8bdc in std::panicking::try::do_call::h94a8397b85762af0 wasmtime.ead1e54e-cgu.0
    #17 0xaaaaabe6c550 in __rust_try wasmtime.ead1e54e-cgu.0
    #18 0xaaaaabe215e4 in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h80744c13e4b4046a wasmtime.ead1e54e-cgu.0
    #19 0xaaaaaccd0dc4 in rayon_core::registry::WorkerThread::wait_until_cold::h98fa7a62ae01913f (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x2074dc4) (BuildId: 083d3f4ded358c21)
    #20 0xaaaaaccc5578 in rayon_core::registry::ThreadBuilder::run::hc89d8ee678c677b1 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x2069578) (BuildId: 083d3f4ded358c21)
    #21 0xaaaaacc8a9d8 in std::sys_common::backtrace::__rust_begin_short_backtrace::h91cbfa2785fb481a rayon_core.2c495e5f-cgu.0
    #22 0xaaaaacc96314 in std::panicking::try::do_call::h51502bdcea5162d7 rayon_core.2c495e5f-cgu.0
    #23 0xaaaaaccdbf24 in __rust_try rayon_core.2c495e5f-cgu.0
    #24 0xaaaaacc9d23c in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hbf1237bac0a0f2ab rayon_core.2c495e5f-cgu.0
    #25 0xaaaaad4dfac8 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h03ae2985518770a1 /rustc/34a6c9f26e2ce32cad0d71f5e342365b09f4d12c/library/alloc/src/boxed.rs:18
66:9
    #26 0xaaaaad4dfac8 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h473810fbe1e2878e /rustc/34a6c9f26e2ce32cad0d71f5e342365b09f4d12c/library/alloc/src/boxed.rs:18
66:9
    #27 0xaaaaad4dfac8 in std::sys::unix::thread::Thread::new::thread_start::h3cc0f03a7010d8fc /rustc/34a6c9f26e2ce32cad0d71f5e342365b09f4d12c/library/std/src/sys/unix/thread.rs:108:17
    #28 0xffff848f6598  /build/glibc-RnIqrW/glibc-2.28/misc/../sysdeps/unix/sysv/linux/aarch64/clone.S:78

(note that the original fuzz bug comes from x86_64, I just reproduced on arm64 locally)

cc @cfallin

view this post on Zulip Wasmtime GitHub notifications bot (Apr 18 2022 at 17:05):

alexcrichton labeled issue #4045:

Found on oss-fuzz recently it looks like this input will fail with:

$ ./target/aarch64-unknown-linux-gnu/release/compile testcase0.wasm
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1075361901
INFO: Loaded 1 modules   (457805 inline 8-bit counters): 457805 [0xaaaaad76d6d0, 0xaaaaad7dd31d),
INFO: Loaded 1 PC tables (457805 PCs): 457805 [0xaaaaad7dd320,0xaaaaaded97f0),
./target/aarch64-unknown-linux-gnu/release/compile: Running 1 inputs 1 time(s) each.
Running: testcase0.wasm
==16743== ERROR: libFuzzer: out-of-memory (used: 2113Mb; limit: 2048Mb)
   To change the out-of-memory limit use -rss_limit_mb=<N>

Live Heap Allocations: 2374660169 bytes in 148074 chunks; quarantined: 145024154 bytes in 262138 chunks; 83118 other chunks; total chunks: 493330; showing top 95% (at most 8 unique contexts)
2184118272 byte(s) (91%) in 6860 allocation(s)
    #0 0xaaaaabc24348 in malloc /checkout/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69
    #1 0xaaaaac6ba230 in smallvec::SmallVec$LT$A$GT$::reserve::h11ac3d59aa9e8a32 cranelift_codegen.c1c00d73-cgu.0
    #2 0xaaaaac7babbc in regalloc2::ion::process::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::split_and_requeue_bundle::h7c57462fae7e02ef cranelift_codegen.c1c00d73-cgu.0
    #3 0xaaaaac788e08 in regalloc2::ion::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::run::ha3ab44cd09d4647f cranelift_codegen.c1c00d73-cgu.0
    #4 0xaaaaac741f28 in regalloc2::ion::run::hf1107088f9115deb cranelift_codegen.c1c00d73-cgu.0
    #5 0xaaaaac848ef0 in cranelift_codegen::machinst::compile::compile::he206f8f66cbf2234 cranelift_codegen.c1c00d73-cgu.0
    #6 0xaaaaacacecac in _$LT$cranelift_codegen..isa..aarch64..AArch64Backend$u20$as$u20$cranelift_codegen..isa..TargetIsa$GT$::compile_function::he8bceb159bfeaabf (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-g
nu/release/compile+0x1e72cac) (BuildId: 083d3f4ded358c21)
    #7 0xaaaaacb6b56c in cranelift_codegen::context::Context::compile::h29c1b4be7d26dce4 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x1f0f56c) (BuildId: 083d3f4ded358c21)
    #8 0xaaaaacb69734 in cranelift_codegen::context::Context::compile_and_emit::hc1b3bbe77a481f60 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x1f0d734) (BuildId: 083d3f4ded358c21)
    #9 0xaaaaac3b019c in _$LT$wasmtime_cranelift..compiler..Compiler$u20$as$u20$wasmtime_environ..compilation..Compiler$GT$::compile_function::h00ea6f11eb3457b1 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/
release/compile+0x175419c) (BuildId: 083d3f4ded358c21)
    #10 0xaaaaabe097ac in rayon::iter::plumbing::bridge_producer_consumer::helper::hd0c27b570f55be34 wasmtime.ead1e54e-cgu.0
    #11 0xaaaaabdc8750 in std::panicking::try::do_call::h59621cc8bf304bad wasmtime.ead1e54e-cgu.0
    #12 0xaaaaabe6c550 in __rust_try wasmtime.ead1e54e-cgu.0
    #13 0xaaaaabdae1f0 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h5e92edc0cddbe60d wasmtime.ead1e54e-cgu.0
    #14 0xaaaaabe0a3c8 in rayon::iter::plumbing::bridge_producer_consumer::helper::hd0c27b570f55be34 wasmtime.ead1e54e-cgu.0
    #15 0xaaaaabdae620 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h5e92edc0cddbe60d wasmtime.ead1e54e-cgu.0
    #16 0xaaaaabdc8bdc in std::panicking::try::do_call::h94a8397b85762af0 wasmtime.ead1e54e-cgu.0
    #17 0xaaaaabe6c550 in __rust_try wasmtime.ead1e54e-cgu.0
    #18 0xaaaaabe215e4 in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h80744c13e4b4046a wasmtime.ead1e54e-cgu.0
    #19 0xaaaaaccd0dc4 in rayon_core::registry::WorkerThread::wait_until_cold::h98fa7a62ae01913f (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x2074dc4) (BuildId: 083d3f4ded358c21)
    #20 0xaaaaaccc5578 in rayon_core::registry::ThreadBuilder::run::hc89d8ee678c677b1 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x2069578) (BuildId: 083d3f4ded358c21)
    #21 0xaaaaacc8a9d8 in std::sys_common::backtrace::__rust_begin_short_backtrace::h91cbfa2785fb481a rayon_core.2c495e5f-cgu.0
    #22 0xaaaaacc96314 in std::panicking::try::do_call::h51502bdcea5162d7 rayon_core.2c495e5f-cgu.0
    #23 0xaaaaaccdbf24 in __rust_try rayon_core.2c495e5f-cgu.0
    #24 0xaaaaacc9d23c in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hbf1237bac0a0f2ab rayon_core.2c495e5f-cgu.0
    #25 0xaaaaad4dfac8 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h03ae2985518770a1 /rustc/34a6c9f26e2ce32cad0d71f5e342365b09f4d12c/library/alloc/src/boxed.rs:18
66:9
    #26 0xaaaaad4dfac8 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h473810fbe1e2878e /rustc/34a6c9f26e2ce32cad0d71f5e342365b09f4d12c/library/alloc/src/boxed.rs:18
66:9
    #27 0xaaaaad4dfac8 in std::sys::unix::thread::Thread::new::thread_start::h3cc0f03a7010d8fc /rustc/34a6c9f26e2ce32cad0d71f5e342365b09f4d12c/library/std/src/sys/unix/thread.rs:108:17
    #28 0xffff848f6598  /build/glibc-RnIqrW/glibc-2.28/misc/../sysdeps/unix/sysv/linux/aarch64/clone.S:78

(note that the original fuzz bug comes from x86_64, I just reproduced on arm64 locally)

cc @cfallin

view this post on Zulip Wasmtime GitHub notifications bot (Apr 18 2022 at 18:27):

cfallin commented on issue #4045:

Interesting -- this testcase contains a function with 12442 calls to other functions. Most of the allocations (as seen by the DHAT allocation profiler anyway) appear to be CodeRanges for the pinned-vregs representing the physical registers as they get split at every call. They are split because we use phantom defs rather than clobbers on call instructions.

This should be slightly worse on aarch64 because the ABI has more caller-saves (clobbered registers) due to simply having more registers.

The fix is one or both of: (i) use the clobber mechanism, rather than phantom defs, on call instructions; (ii) eventually be rid of pinned-vregs. Both are already planned, I'm not sure which is easier without digging a bit deeper. (I have a big jumble of followup issues and improvements to prioritize right now!) In the meantime, callsites are slightly more memory-intensive than they could be...

view this post on Zulip Wasmtime GitHub notifications bot (Apr 26 2022 at 15:02):

alexcrichton commented on issue #4045:

I'm going to close this given the discussion on https://github.com/bytecodealliance/wasmtime/issues/4060, these sorts of outliers are expected and eventually we'll want to tweak fuzzers to not generate these patterns of code.

view this post on Zulip Wasmtime GitHub notifications bot (Apr 26 2022 at 15:02):

alexcrichton closed issue #4045:

Found on oss-fuzz recently it looks like this input will fail with:

$ ./target/aarch64-unknown-linux-gnu/release/compile testcase0.wasm
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1075361901
INFO: Loaded 1 modules   (457805 inline 8-bit counters): 457805 [0xaaaaad76d6d0, 0xaaaaad7dd31d),
INFO: Loaded 1 PC tables (457805 PCs): 457805 [0xaaaaad7dd320,0xaaaaaded97f0),
./target/aarch64-unknown-linux-gnu/release/compile: Running 1 inputs 1 time(s) each.
Running: testcase0.wasm
==16743== ERROR: libFuzzer: out-of-memory (used: 2113Mb; limit: 2048Mb)
   To change the out-of-memory limit use -rss_limit_mb=<N>

Live Heap Allocations: 2374660169 bytes in 148074 chunks; quarantined: 145024154 bytes in 262138 chunks; 83118 other chunks; total chunks: 493330; showing top 95% (at most 8 unique contexts)
2184118272 byte(s) (91%) in 6860 allocation(s)
    #0 0xaaaaabc24348 in malloc /checkout/src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69
    #1 0xaaaaac6ba230 in smallvec::SmallVec$LT$A$GT$::reserve::h11ac3d59aa9e8a32 cranelift_codegen.c1c00d73-cgu.0
    #2 0xaaaaac7babbc in regalloc2::ion::process::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::split_and_requeue_bundle::h7c57462fae7e02ef cranelift_codegen.c1c00d73-cgu.0
    #3 0xaaaaac788e08 in regalloc2::ion::_$LT$impl$u20$regalloc2..ion..data_structures..Env$LT$F$GT$$GT$::run::ha3ab44cd09d4647f cranelift_codegen.c1c00d73-cgu.0
    #4 0xaaaaac741f28 in regalloc2::ion::run::hf1107088f9115deb cranelift_codegen.c1c00d73-cgu.0
    #5 0xaaaaac848ef0 in cranelift_codegen::machinst::compile::compile::he206f8f66cbf2234 cranelift_codegen.c1c00d73-cgu.0
    #6 0xaaaaacacecac in _$LT$cranelift_codegen..isa..aarch64..AArch64Backend$u20$as$u20$cranelift_codegen..isa..TargetIsa$GT$::compile_function::he8bceb159bfeaabf (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-g
nu/release/compile+0x1e72cac) (BuildId: 083d3f4ded358c21)
    #7 0xaaaaacb6b56c in cranelift_codegen::context::Context::compile::h29c1b4be7d26dce4 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x1f0f56c) (BuildId: 083d3f4ded358c21)
    #8 0xaaaaacb69734 in cranelift_codegen::context::Context::compile_and_emit::hc1b3bbe77a481f60 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x1f0d734) (BuildId: 083d3f4ded358c21)
    #9 0xaaaaac3b019c in _$LT$wasmtime_cranelift..compiler..Compiler$u20$as$u20$wasmtime_environ..compilation..Compiler$GT$::compile_function::h00ea6f11eb3457b1 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/
release/compile+0x175419c) (BuildId: 083d3f4ded358c21)
    #10 0xaaaaabe097ac in rayon::iter::plumbing::bridge_producer_consumer::helper::hd0c27b570f55be34 wasmtime.ead1e54e-cgu.0
    #11 0xaaaaabdc8750 in std::panicking::try::do_call::h59621cc8bf304bad wasmtime.ead1e54e-cgu.0
    #12 0xaaaaabe6c550 in __rust_try wasmtime.ead1e54e-cgu.0
    #13 0xaaaaabdae1f0 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h5e92edc0cddbe60d wasmtime.ead1e54e-cgu.0
    #14 0xaaaaabe0a3c8 in rayon::iter::plumbing::bridge_producer_consumer::helper::hd0c27b570f55be34 wasmtime.ead1e54e-cgu.0
    #15 0xaaaaabdae620 in rayon_core::join::join_context::_$u7b$$u7b$closure$u7d$$u7d$::h5e92edc0cddbe60d wasmtime.ead1e54e-cgu.0
    #16 0xaaaaabdc8bdc in std::panicking::try::do_call::h94a8397b85762af0 wasmtime.ead1e54e-cgu.0
    #17 0xaaaaabe6c550 in __rust_try wasmtime.ead1e54e-cgu.0
    #18 0xaaaaabe215e4 in _$LT$rayon_core..job..StackJob$LT$L$C$F$C$R$GT$$u20$as$u20$rayon_core..job..Job$GT$::execute::h80744c13e4b4046a wasmtime.ead1e54e-cgu.0
    #19 0xaaaaaccd0dc4 in rayon_core::registry::WorkerThread::wait_until_cold::h98fa7a62ae01913f (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x2074dc4) (BuildId: 083d3f4ded358c21)
    #20 0xaaaaaccc5578 in rayon_core::registry::ThreadBuilder::run::hc89d8ee678c677b1 (/home/acrichto/code/wasmtime/target/aarch64-unknown-linux-gnu/release/compile+0x2069578) (BuildId: 083d3f4ded358c21)
    #21 0xaaaaacc8a9d8 in std::sys_common::backtrace::__rust_begin_short_backtrace::h91cbfa2785fb481a rayon_core.2c495e5f-cgu.0
    #22 0xaaaaacc96314 in std::panicking::try::do_call::h51502bdcea5162d7 rayon_core.2c495e5f-cgu.0
    #23 0xaaaaaccdbf24 in __rust_try rayon_core.2c495e5f-cgu.0
    #24 0xaaaaacc9d23c in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hbf1237bac0a0f2ab rayon_core.2c495e5f-cgu.0
    #25 0xaaaaad4dfac8 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h03ae2985518770a1 /rustc/34a6c9f26e2ce32cad0d71f5e342365b09f4d12c/library/alloc/src/boxed.rs:18
66:9
    #26 0xaaaaad4dfac8 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h473810fbe1e2878e /rustc/34a6c9f26e2ce32cad0d71f5e342365b09f4d12c/library/alloc/src/boxed.rs:18
66:9
    #27 0xaaaaad4dfac8 in std::sys::unix::thread::Thread::new::thread_start::h3cc0f03a7010d8fc /rustc/34a6c9f26e2ce32cad0d71f5e342365b09f4d12c/library/std/src/sys/unix/thread.rs:108:17
    #28 0xffff848f6598  /build/glibc-RnIqrW/glibc-2.28/misc/../sysdeps/unix/sysv/linux/aarch64/clone.S:78

(note that the original fuzz bug comes from x86_64, I just reproduced on arm64 locally)

cc @cfallin

Last updated: Oct 23 2024 at 20:03 UTC