alexcrichton opened issue #4733:
Found on oss-fuzz with this input: input.gz
```
$ cargo +nightly fuzz run --strip-dead-code --no-default-features -s none cranelift-fuzzgen ./input
Finished release [optimized] target(s) in 0.12s
Finished release [optimized] target(s) in 0.12s
Running `target/aarch64-unknown-linux-gnu/release/cranelift-fuzzgen -artifact_prefix=/home/acrichto/code/wasmtime/fuzz/artifacts/cranelift-fuzzgen/ ./clusterfuzz-testcase-minimized-cranelift-fuzzgen-4619879352762368`
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1634239619
INFO: Loaded 1 modules (123805 inline 8-bit counters): 123805 [0xaaaae7df0fd8, 0xaaaae7e0f375),
INFO: Loaded 1 PC tables (123805 PCs): 123805 [0xaaaae7e0f378,0xaaaae7ff2d48),
target/aarch64-unknown-linux-gnu/release/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: ./clusterfuzz-testcase-minimized-cranelift-fuzzgen-4619879352762368
thread '<unnamed>' panicked at 'Instruction format doesn't have a designated operand, bad opcode.', cranelift/codegen/src/ir/dfg.rs:865:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==2894== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
────────────────────────────────────────────────────────────────────────────────
Error: Fuzz target exited with exit status: 77
```
alexcrichton commented on issue #4733:
cc @afonso360
alexcrichton labeled issue #4733.
jameysharp commented on issue #4733:
This panic is occurring when trying to generate an error context for an "instruction opcode doesn't match instruction format" error in `instruction_integrity` in cranelift's verifier, after doing the `canonicalize_nans` pass.

I patched this panic message to give more detail:

```
Instruction format for MultiAry { opcode: Iconcat, args: EntityList { index: 25, unused: PhantomData } } doesn't have a designated operand
```

So at least that tells us what's failing.
jameysharp commented on issue #4733:
Looks like my suggestion a while back to use `MultiAry` for all opcodes is biting us here. The instruction format for `Iconcat` is `Binary`, which returns its first operand for `typevar_operand`. But `MultiAry` returns `None` from that function.

Apparently, this hasn't been an issue before because many of the instructions that use the `Binary` format have `requires_typevar_operand=false`. But `Isplit` and `Iconcat` are exceptions, and there are quite a few other more obscure instructions where we'll have the same problem.
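The mismatch described in the two comments above, as an added example that is not part of the thread and is not Cranelift's code: a simplified model in which the opcode and format names come from the comments, while the types, the two functions, and the choice of `Iadd` as an opcode that does not require a typevar operand are assumptions of the model. It shows why the problem stays hidden for some opcodes, and a format check whose error context never depends on the designated operand.

```rust
#[derive(Debug, Clone, Copy, PartialEq)]
enum Opcode { Iadd, Iconcat }

#[derive(Debug, Clone, Copy, PartialEq)]
enum Format { Binary, MultiAry }

#[derive(Debug)]
enum InstData {
    Binary { opcode: Opcode, args: [u32; 2] },
    MultiAry { opcode: Opcode, args: Vec<u32> },
}

impl Opcode {
    // Both model opcodes are declared with the Binary format.
    fn format(self) -> Format { Format::Binary }
    // Assumption of this model: Iadd needs no typevar operand, Iconcat does.
    fn requires_typevar_operand(self) -> bool { self == Opcode::Iconcat }
}

impl InstData {
    fn opcode(&self) -> Opcode {
        match self { InstData::Binary { opcode, .. } | InstData::MultiAry { opcode, .. } => *opcode }
    }
    fn format(&self) -> Format {
        match self { InstData::Binary { .. } => Format::Binary, InstData::MultiAry { .. } => Format::MultiAry }
    }
    // Binary designates its first operand; MultiAry designates none.
    fn typevar_operand(&self) -> Option<u32> {
        match self { InstData::Binary { args, .. } => Some(args[0]), InstData::MultiAry { .. } => None }
    }
}

// The failing shape: assumes opcode and format agree, so it panics when they do not.
fn typevar_operand_unchecked(inst: &InstData) -> Option<u32> {
    if !inst.opcode().requires_typevar_operand() { return None; }
    Some(inst.typevar_operand().expect("Instruction format doesn't have a designated operand, bad opcode."))
}

// Error context built only from data that is valid for any opcode/format pairing.
fn check_format(inst: &InstData) -> Result<(), String> {
    let (have, want) = (inst.format(), inst.opcode().format());
    if have == want { return Ok(()); }
    Err(format!("{:?} uses format {:?}, expected {:?}", inst.opcode(), have, want))
}

fn main() {
    let bad = InstData::MultiAry { opcode: Opcode::Iconcat, args: vec![1, 2] };
    println!("{:?}", check_format(&bad));
}
```
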
jameysharp closed issue #4733.
Last updated: Jan 24 2025 at 00:11 UTC