Stream: git-wasmtime

Topic: wasmtime / issue #4676 fuzz: failed to compile `f32.demot...


Wasmtime GitHub notifications bot (Aug 10 2022 at 16:21):

abrown labeled issue #4676:

Test Case

(module
  (type (;0;) (func (param f64) (result f32)))
  (func (;0;) (type 0) (param f64) (result f32)
    local.get 0
    f32.demote_f64
  )
  (export "test" (func 0))
)

Also see attached files (annoyingly renamed with .txt appended due to GitHub upload restrictions):
- testcase0.wat.txt
- testcase0.wasm.txt
- crash-2e8676223581e0545a2e41bfb6f56b261b85239d.txt

Steps to Reproduce

$ RUST_LOG=trace cargo +nightly fuzz run differential_meta fuzz/artifacts/differential_meta/crash-2e8676223581e0545a2e41bfb6f56b261b85239d

Expected Results

No failure.

Actual Results

The module fails to compile:

thread '<unnamed>' panicked at 'failed to instantiate `lhs` module: unable to compile module in wasmtime', /home/abrown/Code/wasmtime/crates/fuzzing/src/oracles/engine.rs:99:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==167601== ERROR: libFuzzer: deadly signal
    #0 0x558ed9957ae1 in __sanitizer_print_stack_trace /rustc/llvm/src/llvm-project/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x558ee1ede4ab in fuzzer::PrintStackTrace() (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0xc6434ab) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)
    #2 0x558ee1ec9855 in fuzzer::Fuzzer::CrashCallback() (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0xc62e855) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)
    #3 0x7f2efd75134f  (/lib64/libc.so.6+0x5534f) (BuildId: 137d2c7b8ec99dd2d2c357b21e06cdad2edc6afd)
    #4 0x7f2efd79dafb in __pthread_kill_implementation (/lib64/libc.so.6+0xa1afb) (BuildId: 137d2c7b8ec99dd2d2c357b21e06cdad2edc6afd)
    #5 0x7f2efd7512a5 in gsignal (/lib64/libc.so.6+0x552a5) (BuildId: 137d2c7b8ec99dd2d2c357b21e06cdad2edc6afd)
    #6 0x7f2efd7247f2 in abort (/lib64/libc.so.6+0x287f2) (BuildId: 137d2c7b8ec99dd2d2c357b21e06cdad2edc6afd)
    #7 0x558ee1f91266 in std::sys::unix::abort_internal::h4e06726a6bdbfc44 /rustc/90ca44752a79dd414d9a0ccf7a74533a99080988/library/std/src/sys/unix/mod.rs:258:14
    #8 0x558ed98ca696 in std::process::abort::hded51ab3f7a359d3 /rustc/90ca44752a79dd414d9a0ccf7a74533a99080988/library/std/src/process.rs:2059:5
    #9 0x558ee1ec36e5 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::h404fe37255dada4f (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0xc6286e5) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)
    #10 0x558ee1f86a3f in std::panicking::rust_panic_with_hook::h73dbf64f0060aa58 /rustc/90ca44752a79dd414d9a0ccf7a74533a99080988/library/std/src/panicking.rs:702:17
    #11 0x558ee1f86876 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h57f62f8b0c4aa3d9 /rustc/90ca44752a79dd414d9a0ccf7a74533a99080988/library/std/src/panicking.rs:588:13
    #12 0x558ee1f83843 in std::sys_common::backtrace::__rust_end_short_backtrace::h3194a80099ffb120 /rustc/90ca44752a79dd414d9a0ccf7a74533a99080988/library/std/src/sys_common/backtrace.rs:138:18
    #13 0x558ee1f865a8 in rust_begin_unwind /rustc/90ca44752a79dd414d9a0ccf7a74533a99080988/library/std/src/panicking.rs:584:5
    #14 0x558ed98cba42 in core::panicking::panic_fmt::h77eb0c9a0a627689 /rustc/90ca44752a79dd414d9a0ccf7a74533a99080988/library/core/src/panicking.rs:142:14
    #15 0x558ed998c21b in _$LT$core..result..Result$LT$T$C$anyhow..Error$GT$$u20$as$u20$wasmtime_fuzzing..oracles..engine..DiffIgnorable$LT$T$GT$$GT$::expect_or_ignore::h10a9f7d84e5ccc9e (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0x40f121b) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)
    #16 0x558ed99a0f3c in differential_meta::run::h900bcd92a959bbf7 (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0x4105f3c) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)
    #17 0x558ed99a434d in rust_fuzzer_test_input (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0x410934d) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)
    #18 0x558ee1ec3838 in __rust_try libfuzzer_sys.1c73df0b-cgu.0
    #19 0x558ee1ec2c68 in LLVMFuzzerTestOneInput (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0xc627c68) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)
    #20 0x558ee1ec9d91 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0xc62ed91) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)
    #21 0x558ee1eebf3b in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0xc650f3b) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)
    #22 0x558ee1eefb86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0xc654b86) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)
    #23 0x558ed98cc3d2 in main (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0x40313d2) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)
    #24 0x7f2efd73c43f in __libc_start_call_main (/lib64/libc.so.6+0x4043f) (BuildId: 137d2c7b8ec99dd2d2c357b21e06cdad2edc6afd)
    #25 0x7f2efd73c4ef in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x404ef) (BuildId: 137d2c7b8ec99dd2d2c357b21e06cdad2edc6afd)
    #26 0x558ed98cc534 in _start (/home/abrown/Code/wasmtime/target/x86_64-unknown-linux-gnu/release/differential_meta+0x4031534) (BuildId: 5a2ef6038ae664e1fec6b5a760adfe91619bbae4)

I tried to replicate this with the following, but that succeeds:

$ RUST_LOG=debug wasmtime compile testcase0.wat

I can see the following configuration is being used:

[2022-08-10T16:13:44Z DEBUG wasmtime_fuzzing::generators::config] creating wasmtime config with WasmtimeConfig {
        opt_level: Speed,
        debug_info: false,
        canonicalize_nans: false,
        interruptable: false,
        consume_fuel: false,
        epoch_interruption: false,
        memory_config: Normal(
            NormalMemoryConfig {
                static_memory_maximum_size: Some(
                    655360,
                ),
                static_memory_guard_size: None,
                dynamic_memory_guard_size: None,
                guard_before_linear_memory: true,
            },
        ),
        force_jump_veneers: false,
        memory_init_cow: false,
        memory_guaranteed_dense_image_size: 9114861713173151358,
        use_precompiled_cwasm: false,
        strategy: Pooling {
            strategy: ReuseAffinity,
            instance_limits: InstanceLimits {
                count: 55,
                memories: 1,
                tables: 1,
                memory_pages: 10,
                table_elements: 1000,
                size: 0,
            },
        },
        codegen: Native,
        padding_between_functions: None,
        generate_address_map: true,
        native_unwind_info: true,
    }

And Cranelift seems to be finishing OK:

...
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Starting Global value numbering, (during Compilation passes)
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Ending Global value numbering
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Starting VCode lowering, (during Compilation passes)
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Ending VCode lowering
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Starting Register allocation, (during Compilation passes)
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Ending Register allocation
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Starting VCode emission, (during Compilation passes)
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Ending VCode emission
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Starting VCode emission finalization, (during Compilation passes)
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Ending VCode emission finalization
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Ending Compilation passes

How can I figure out what is causing this compilation failure?

Versions and Environment

Wasmtime version or commit: meta-diff branch

Operating system: Fedora 35

Architecture: x86-64

Extra Info

Anything else you'd like to add?

Wasmtime GitHub notifications bot (Aug 10 2022 at 16:21):

abrown opened issue #4676:


Wasmtime GitHub notifications bot (Aug 10 2022 at 16:22):

abrown edited issue #4676:

Extra Info

It is unclear what is going on here, so this is less a bug at this point and more a request for troubleshooting help.

Wasmtime GitHub notifications bot (Aug 10 2022 at 16:47):

abrown closed issue #4676:

[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Ending VCode lowering
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Starting Register allocation, (during Compilation passes)
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Ending Register allocation
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Starting VCode emission, (during Compilation passes)
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Ending VCode emission
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Starting VCode emission finalization, (during Compilation passes)
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Ending VCode emission finalization
[2022-08-10T16:13:44Z DEBUG cranelift_codegen::timing::details] timing: Ending Compilation passes

How can I figure out what is causing this compilation failure?

Versions and Environment

Wasmtime version or commit: meta-diff branch

Operating system: Fedora 35

Architecture: x86-64

Extra Info

It is unclear what is going on here, so this is less a bug at this point and more a request for troubleshooting help.

view this post on Zulip Wasmtime GitHub notifications bot (Aug 10 2022 at 22:35):

jameysharp commented on issue #4676:

I see you closed this; did you figure it out?

view this post on Zulip Wasmtime GitHub notifications bot (Aug 10 2022 at 22:56):

abrown commented on issue #4676:

Ok, yeah, I should have documented it here: I chatted with @alexcrichton about this and eventually figured out that it was the pooling allocation strategy that was causing the problem. In oracles.rs, the compile_module function ignores some cases when the randomly-generated allocation strategy makes compilation fail. I was treating the None that was returned there as a compilation failure when I really needed to either a) ignore that the failure happened or b) figure out some way to avoid these kinds of compilation failures in the first place.

Since I'm not sure how to reliably do "b" (I mean, how high do we need to raise the minimum size bound, e.g.?), I think for now I'll probably go with option "a." In my meta-diff branch, I have a DiffIgnoreError wrapper that I can use for marking this error as something that shouldn't fail the fuzz case. (@alexcrichton wasn't too excited about DiffIgnoreError; I think he was thinking that Result<Option<...>> is a better way to convey that information--thoughts?).
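
The two ways of signalling an ignorable compile failure that the comment above weighs, side by side, as an added sketch that is not code from wasmtime or the meta-diff branch. The `DiffIgnoreError` body, `compile_a`/`compile_b`, `Verdict` and the page limit are assumptions made for illustration; only the name `DiffIgnoreError` and the `Result<Option<...>>` shape come from the thread.

```rust
use std::error::Error;
use std::fmt;

type BoxError = Box<dyn Error>;

// Assumed shape of a marker error: "this engine cannot run the case, skip it".
#[derive(Debug)]
struct DiffIgnoreError(String);
impl fmt::Display for DiffIgnoreError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "ignorable: {}", self.0)
    }
}
impl Error for DiffIgnoreError {}

// What the differential oracle does with one engine's compile result.
#[derive(Debug, PartialEq)]
enum Verdict { Compare, Skip, Fail }

// Style A: Ok(None) = rejected by the random config's limits, Err = genuine failure.
// Toy stand-in for compilation; `limit` is a constructed pooling limit.
fn compile_a(pages: u32, limit: u32, valid: bool) -> Result<Option<u32>, BoxError> {
    if !valid { return Err("invalid module".into()); }
    if pages > limit { return Ok(None); }
    Ok(Some(pages))
}

// Style B: one Result; the ignorable case is a typed error recovered by downcast.
fn compile_b(pages: u32, limit: u32, valid: bool) -> Result<u32, BoxError> {
    if !valid { return Err("invalid module".into()); }
    if pages > limit {
        return Err(Box::new(DiffIgnoreError(format!("{} pages > limit {}", pages, limit))));
    }
    Ok(pages)
}

fn verdict_a(r: Result<Option<u32>, BoxError>) -> Verdict {
    match r { Ok(Some(_)) => Verdict::Compare, Ok(None) => Verdict::Skip, Err(_) => Verdict::Fail }
}

fn verdict_b(r: Result<u32, BoxError>) -> Verdict {
    match r {
        Ok(_) => Verdict::Compare,
        Err(e) if e.downcast_ref::<DiffIgnoreError>().is_some() => Verdict::Skip,
        Err(_) => Verdict::Fail, // anything untyped still fails the fuzz case
    }
}

fn main() {
    for (pages, valid) in [(1, true), (64, true), (1, false)] {
        println!("{} {}: {:?} {:?}", pages, valid,
                 verdict_a(compile_a(pages, 10, valid)), verdict_b(compile_b(pages, 10, valid)));
    }
}
```

With style A the compiler forces every caller to handle the skip case; with style B a caller that never downcasts treats the ignorable case as a hard failure, which is the false crash reported in this issue.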


Last updated: Oct 23 2024 at 20:03 UTC