cfallin opened issue #4755:
This fuzzbug was discovered on OSS-Fuzz (https://oss-fuzz.com/testcase-detail/5638913573650432):
```
thread '<unnamed>' panicked at 'assertion failed: `(left == right)`
  left: `[I16(80), B(false), I16(80), I8(106)]`,
 right: `[I16(0), B(false), I16(0), I8(106)]`', wasmtime/fuzz/fuzz_targets/cranelift-fuzzgen.rs:102:9
```
(source: [wasmtime/fuzz/fuzz_targets/cranelift-fuzzgen.rs:102](https://github.com/bytecodealliance/wasmtime/blob/d620705a323e3da59bd90473b4e627c8502b1255/fuzz/fuzz_targets/cranelift-fuzzgen.rs#L102))
`base64 -d` to decode testcase here: `amkgICAEIGogaiAgICCCICAg//8AAP8BamogICBQICAgICAgICA=`
cc @afonso360
afonso360 commented on issue #4755:
Formatted:
```
ubuntu@instance-20220805-0848:~/git/wasmtime/fuzz$ cargo fuzz fmt cranelift-fuzzgen ./4755.in --no-default-features
Output of `std::fmt::Debug`:
;; Fuzzgen test case
test interpret
test run
set enable_llvm_abi_extensions
target aarch64
target s390x
target x86_64

function u0:1(i8 sext, b1 sext, i64 sext, i16 sext) -> b1 sext, b1 sext, i16 sext, b1 sext system_v {
block0(v0: i8, v1: b1, v2: i64, v3: i16):
    v4 = iconst.i128 0
    v5 = iconst.i64 0
    v6 = iconst.i32 0
    v7 = iconst.i16 0
    v8 = iconst.i8 0
    v9 = sshr v3, v2
    return v1, v1, v9, v1
}

; Note: the results in the below test cases are simply a placeholder and probably will be wrong
; run: u0:1(32, false, 2314885530818453584, 32) == [false, false, 0, false]
; run: u0:1(0, false, 0, 0) == [false, false, 0, false]
; run: u0:1(0, false, 0, 0) == [false, false, 0, false]
```
This looks suspiciously like some form of https://github.com/bytecodealliance/wasmtime/pull/4752
jameysharp commented on issue #4755:
I'm not sure where you copied that assertion failure message from but the failure for this input, according to both the non-public OSS-Fuzz report and my local reproduction, is:
```
thread '<unnamed>' panicked at 'assertion failed: `(left == right)`
  left: `[B(false), B(false), I16(32), B(false)]`,
 right: `[B(false), B(false), I16(0), B(false)]`', fuzz/fuzz_targets/cranelift-fuzzgen.rs:102:9
```
Since all three test inputs have v1=false, it's not immediately obvious which one is failing, but I'm going to guess it's the first one, because if the interpreter thinks `sshr 0, 0` is not 0 then I'm going to be sad. So I'm assuming that `sshr 32, 2314885530818453584` is the problem, and from the assertion we see that the interpreter says the result should be 32, while the x64 backend says it's 0.
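An added example, not code from the wasmtime project or from anyone in this thread, that models the differential check cranelift-fuzzgen is doing for the failing `sshr` vector. It assumes Cranelift's documented rule that a shift amount is masked to the bit width of the shifted value (so an i16 shifted by `0x2020202020202020` is shifted by 0), and pairs that reference with a constructed naive implementation that truncates the amount and treats an out-of-range shift as 0. Running both over the three `run:` vectors from the formatted test case reproduces the single 32-vs-0 disagreement; the names `sshr_i16`, `sshr_i16_naive` and `find_mismatches` are this example's own.

```rust
// Added example: two implementations of a 16-bit signed shift right with an
// i64 shift amount, plus a differential check over the test vectors from the
// issue. Not wasmtime/Cranelift code.

/// Reference semantics (assumed from Cranelift's documented `sshr` rule):
/// the shift amount is masked to the lane width before an arithmetic shift.
pub fn sshr_i16(x: i16, amt: i64) -> i16 {
    let bits = i16::BITS as i64; // 16
    let masked = amt.rem_euclid(bits) as u32; // always in 0..=15
    x >> masked // `>>` on a signed type is an arithmetic (sign-preserving) shift
}

/// Constructed divergent implementation: truncates the amount to u32 and
/// treats any amount >= 16 as "shifted everything out", yielding 0. This is
/// the kind of semantic mismatch a differential fuzzer exists to catch.
pub fn sshr_i16_naive(x: i16, amt: i64) -> i16 {
    x.checked_shr(amt as u32).unwrap_or(0)
}

/// Differential check in the spirit of cranelift-fuzzgen: evaluate every
/// vector with both implementations and return (x, amt, reference, naive)
/// for each disagreement.
pub fn find_mismatches() -> Vec<(i16, i64, i16, i16)> {
    // Constructed from the three `run:` lines of the formatted test case:
    // u0:1(i8, b1, i64, i16) computes `sshr v3, v2`, i.e. sshr(i16 arg, i64 arg).
    let vectors: [(i16, i64); 3] = [(32, 2_314_885_530_818_453_584), (0, 0), (0, 0)];
    vectors
        .iter()
        .filter_map(|&(x, amt)| {
            let reference = sshr_i16(x, amt);
            let naive = sshr_i16_naive(x, amt);
            if reference != naive {
                Some((x, amt, reference, naive))
            } else {
                None
            }
        })
        .collect()
}

fn main() {
    for (x, amt, reference, naive) in find_mismatches() {
        println!("sshr {x}, {amt}: reference = {reference}, naive = {naive}");
    }
}
```

The masking step is the whole point: `2314885530818453584` is `0x2020202020202020`, whose low four bits are zero, so the reference shifts by 0 and returns 32, which matches what the interpreter reported in the assertion above, while the truncating implementation returns 0.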
afonso360 commented on issue #4755:
I tested this on https://github.com/bytecodealliance/wasmtime/pull/4752 (with the new changes to preserve the input format) and it no longer crashes, so I think that this should be fixed as soon as that is merged.
afonso360 commented on issue #4755:
Can someone confirm on OSS Fuzz if this was fixed by #4752?
jameysharp commented on issue #4755:
It was! Thanks for checking.
jameysharp closed issue #4755:
Last updated: Dec 23 2024 at 12:05 UTC