Wasmtime GitHub notifications bot (Aug 23 2022 at 15:46): Wasmtime GitHub notifications bot (Aug 23 2022 at 15:46):cfallin opened issue #4755:
This fuzzbug was discovered on OSS-Fuzz (https://oss-fuzz.com/testcase-detail/5638913573650432):
thread '<unnamed>' panicked at 'assertion failed: `(left == right)` -- | left: `[I16(80), B(false), I16(80), I8(106)]`, | right: `[I16(0), B(false), I16(0), I8(106)]`', wasmtime/fuzz/fuzz_targets/cranelift-fuzzgen.rs:102:9 thread '<unnamed>' panicked at 'assertion failed: `(left == right)` left: `[I16(80), B(false), I16(80), I8(106)]`, right: `[I16(0), B(false), I16(0), I8(106)]`', [wasmtime/fuzz/fuzz_targets/cranelift-fuzzgen.rs:102](https://github.com/bytecodealliance/wasmtime/blob/d620705a323e3da59bd90473b4e627c8502b1255/fuzz/fuzz_targets/cranelift-fuzzgen.rs#L102):9
base64 -dto decode testcase here:amkgICAEIGogaiAgICCCICAg//8AAP8BamogICBQICAgICAgICA=cc @afonso360
Wasmtime GitHub notifications bot (Aug 23 2022 at 16:10):afonso360 commented on issue #4755:
Formatted:
ubuntu@instance-20220805-0848:~/git/wasmtime/fuzz$ cargo fuzz fmt cranelift-fuzzgen ./4755.in --no-default-features Output of `std::fmt::Debug`: ;; Fuzzgen test case test interpret test run set enable_llvm_abi_extensions target aarch64 target s390x target x86_64 function u0:1(i8 sext, b1 sext, i64 sext, i16 sext) -> b1 sext, b1 sext, i16 sext, b1 sext system_v { block0(v0: i8, v1: b1, v2: i64, v3: i16): v4 = iconst.i128 0 v5 = iconst.i64 0 v6 = iconst.i32 0 v7 = iconst.i16 0 v8 = iconst.i8 0 v9 = sshr v3, v2 return v1, v1, v9, v1 } ; Note: the results in the below test cases are simply a placeholder and probably will be wrong ; run: u0:1(32, false, 2314885530818453584, 32) == [false, false, 0, false] ; run: u0:1(0, false, 0, 0) == [false, false, 0, false] ; run: u0:1(0, false, 0, 0) == [false, false, 0, false]This looks suspiciously like some form of https://github.com/bytecodealliance/wasmtime/pull/4752
Wasmtime GitHub notifications bot (Aug 23 2022 at 16:11):jameysharp commented on issue #4755:
I'm not sure where you copied that assertion failure message from but the failure for this input, according to both the non-public OSS-Fuzz report and my local reproduction, is:
thread '<unnamed>' panicked at 'assertion failed: `(left == right)` left: `[B(false), B(false), I16(32), B(false)]`, right: `[B(false), B(false), I16(0), B(false)]`', fuzz/fuzz_targets/cranelift-fuzzgen.rs:102:9Since all three test inputs have v1=false, it's not immediately obvious which one is failing, but I'm going to guess it's the first one, because if the interpreter thinks
sshr 0, 0is not 0 then I'm going to be sad.So I'm assuming that
sshr 32, 2314885530818453584is the problem, and from the assertion we see that the interpreter says the result should be 32, while the x64 backend says it's 0.
Wasmtime GitHub notifications bot (Aug 23 2022 at 17:11):afonso360 commented on issue #4755:
I tested this on https://github.com/bytecodealliance/wasmtime/pull/4752 (with the new changes to preserve the input format) and it no longer crashes, so I think that this should be fixed as soon as that is merged.
Wasmtime GitHub notifications bot (Aug 25 2022 at 17:21):afonso360 commented on issue #4755:
Can someone confirm on OSS Fuzz if this was fixed by #4752?
Wasmtime GitHub notifications bot (Aug 25 2022 at 17:23):jameysharp commented on issue #4755:
It was! Thanks for checking.
Wasmtime GitHub notifications bot (Aug 25 2022 at 17:23):jameysharp closed issue #4755:
This fuzzbug was discovered on OSS-Fuzz (https://oss-fuzz.com/testcase-detail/5638913573650432):
thread '<unnamed>' panicked at 'assertion failed: `(left == right)` -- | left: `[I16(80), B(false), I16(80), I8(106)]`, | right: `[I16(0), B(false), I16(0), I8(106)]`', wasmtime/fuzz/fuzz_targets/cranelift-fuzzgen.rs:102:9 thread '<unnamed>' panicked at 'assertion failed: `(left == right)` left: `[I16(80), B(false), I16(80), I8(106)]`, right: `[I16(0), B(false), I16(0), I8(106)]`', [wasmtime/fuzz/fuzz_targets/cranelift-fuzzgen.rs:102](https://github.com/bytecodealliance/wasmtime/blob/d620705a323e3da59bd90473b4e627c8502b1255/fuzz/fuzz_targets/cranelift-fuzzgen.rs#L102):9
base64 -dto decode testcase here:amkgICAEIGogaiAgICCCICAg//8AAP8BamogICBQICAgICAgICA=cc @afonso360
Last updated: Nov 22 2024 at 17:03 UTC