cfallin opened issue #4757:
From oss-fuzz (https://oss-fuzz.com/testcase-detail/4548183442718720).
thread '<unnamed>' panicked at 'index out of bounds: the len is 2 but the index is 2', [wasmtime/cranelift/module/src/module.rs:384](https://github.com/bytecodealliance/wasmtime/blob/d620705a323e3da59bd90473b4e627c8502b1255/cranelift/module/src/module.rs#L384):10
with input (base64'd):
IMUg//+CaDTDw8N2w4mJiYmJiYmJiRAAAImJiYmJiQMAAACJiQABqQB9fX19ffJ9AP////8AAQAr KwAAAAAAAAAAAAAAAAHDLn19AH3r6+vr9Ovr/wAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAQArKwAA AAAAAAAAAAAAAAHDLn19AH3rqACCgoKCgoKCEIKCgoIQgoI9AAAAgoKCgpIAAAAAAIKCgoKCgoKC goKCgoKCggEAAIKCgpIAAAAAAIKCgoKCgoKCgoKCgoKCggcwMPBcVVXr6+v06+v///8O6+vr6+vr 6+vr6+vr6+uCgoKCgoKCgoJTFQAAACAAAAAKADECPv8AAP////8AAAAH/////////////2FraXRz bikgfwGCgomJiYmJiYkQAACJiYmJiYkDAAAAiYllAAiCgoKCgmgAgqKCgiHCgoKCgoaCgoKCgoIp goKCgoKCgoKLgoKCAAAgAAAAAAAAAAAIgoJoMMPDw3bDpYmJiYmJiYmJEAAAiYmJAAiCgmg0w8PD dsOliYmJiYmJiYkQAACJiYmJAIKCgoKCgoKCgoKCgoKCgoJcVTAw61xVSUUtZUBuYmVlAAAAAAAA AAAAAAAAAAAAAAAAAAAAEAAIgoKCgoJoAIKigoIhwv///////wD/goKCgoI+AAAAENA=
cc @afonso360
afonso360 commented on issue #4757:
<details>
<summary> Formatted </summary>

```
ubuntu@instance-20220805-0848:~/git/wasmtime/fuzz$ cargo fuzz fmt cranelift-fuzzgen ./4757.in --no-default-features
Output of `std::fmt::Debug`:

;; Fuzzgen test case
test interpret
test run
set enable_llvm_abi_extensions
target aarch64
target s390x
target x86_64

function u0:1(i128 sext, f64, i16 sext, i64, i32, f32, i8 sext, i8 sext, i8 sext, i8 sext, i8 uext, b1, i8 sext, i8 sext, i8 sext) -> b1, b1 sext, i8 system_v {
    sig0 = (i128 sext, i128, f64, f64, b1 uext, b1 uext) -> b1, b1, b1, b1, b1, b1, i8, f32 sext, i128 system_v
    sig1 = (i32 uext, i64 uext, i32, b1, b1 uext, b1, b1, b1, b1, b1, b1, b1, b1, b1) system_v
    sig2 = (i64, i64) -> i64 fast
    sig3 = () system_v
    sig4 = (i64, i64) -> i64 fast
    sig5 = (i64, i64) -> i64 fast
    sig6 = (i64, i64) -> i64 fast
    sig7 = (i64, i64) -> i64 fast
    fn0 = colocated u0:0 sig0
    fn1 = colocated u0:1 sig1
    fn2 = colocated %UdivI64 sig2
    fn3 = u0:2 sig3
    fn4 = %UdivI64 sig4
    fn5 = %UdivI64 sig5
    fn6 = %UdivI64 sig6
    fn7 = %UdivI64 sig7

block0(v0: i128, v1: f64, v2: i16, v3: i64, v4: i32, v5: f32, v6: i8, v7: i8, v8: i8, v9: i8, v10: i8, v11: b1, v12: i8, v13: i8, v14: i8):
    v87 -> v6
    v78 -> v10
    v15 = iconst.i32 0x007d_7d2e
    v16 = iconst.i128 0
    v17 = iconst.i64 0
    v18 = iconst.i32 0
    v19 = iconst.i16 0
    v20 = iconst.i8 0
    v21, v22, v23, v24, v25, v26, v27, v28, v29 = call fn0(v0, v0, v1, v1, v11, v11)
    nop
    v30 = ushr v4, v8
    v31 = ushr v30, v8
    v32 = ushr v31, v8
    v33 = udiv v8, v8
    nop
    nop
    nop
    v34 = ushr v32, v8
    v35 = uextend.i32 v6
    nop
    nop
    nop
    v36 = ushr v35, v8
    v37 = ushr v36, v8
    v38 = ushr v37, v8
    v39 = ushr v38, v8
    nop
    nop
    v40 = ushr v38, v8
    nop
    nop
    nop
    nop
    nop
    v41 = ushr v40, v8
    v42 = ushr v41, v8
    v43 = ushr v42, v8
    v44 = ushr v43, v8
    v45 = rotr v0, v43
    v46 = iadd v3, v3
    v47 = ishl v46, v46
    v48 = ishl v44, v2
    call fn3()
    v49 = isub v48, v48
    v50 = udiv v47, v47
    v51 = udiv v50, v50
    v52 = imul v51, v51
    call fn3()
    call fn3()
    call fn3()
    call fn3()
    call fn3()
    call fn3()
    call fn3()
    v53 = ushr v43, v8
    v54 = ushr v53, v8
    v55 = ushr v49, v33
    nop
    nop
    v56 = rotr v2, v2
    nop
    nop
    nop
    v57 = isub v45, v45
    nop
    v58 = rotr v57, v52
    v59 = iadd v56, v56
    v60 = rotl v49, v59
    br_icmp sge v52, v52, block1(v52, v59, v58, v49, v8, v5)
    jump block1(v52, v59, v58, v49, v8, v5)

block1(v61: i64, v63: i16, v75: i128, v77: i32, v82: i8, v108: f32) cold:
    v62 = udiv v61, v61
    nop
    nop
    nop
    v64 = isub v63, v63
    v65 = udiv v62, v62
    v66 = udiv v65, v65
    v67 = udiv v66, v66
    v68 = udiv v67, v67
    v69 = udiv v68, v68
    v70 = udiv v69, v69
    v71 = udiv v70, v70
    v72 = udiv v71, v71
    v73 = udiv v72, v72
    v74 = udiv v73, v73
    v76 = ishl v75, v74
    v79 = sshr v77, v78
    v80 = sshr v79, v74
    v81 = ushr v64, v64
    v83 = iadd v82, v82
    v84 = ushr v74, v79
    v85 = ushr v84, v79
    v86 = ushr v85, v79
    v88 = udiv.i8 v87, v87
    v89 = ushr v86, v79
    v90 = ushr v89, v79
    v91 = ushr v90, v79
    nop
    nop
    nop
    v92 = ushr v91, v79
    v93 = sshr.i8 v87, v80
    v94 = ushr v80, v93
    v95 = sshr v81, v81
    nop
    v96 = ushr v94, v93
    v97 = rotr v95, v96
    v98 = ushr v96, v93
    v99 = ushr v98, v76
    v100 = ushr v99, v93
    v101 = rotr v92, v93
    v102 = ushr v100, v93
    v103 = ushr v102, v93
    v104 = ushr v102, v93
    nop
    v105 = rotr v97, v97
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    v106 = isub v104, v104
    v107 = rotr v76, v103
    v113 = fma v108, v108, v108
    v114 = fcmp ne v113, v113
    v115 = f32const +NaN
    v109 = select v114, v115, v113  ; v115 = +NaN
    v116 = fma v109, v109, v109
    v117 = fcmp ne v116, v116
    v118 = f32const +NaN
    v110 = select v117, v118, v116  ; v118 = +NaN
    v111 = sshr v107, v105
    v119 = fma v110, v110, v110
    v120 = fcmp ne v119, v119
    v121 = f32const +NaN
    v112 = select v120, v121, v119  ; v121 = +NaN
    jump block1(v101, v105, v111, v103, v93, v112)
}

; Note: the results in the below test cases are simply a placeholder and probably will be wrong
; run: u0:1(-167441178197207787726634081896711485047, -0x1.6c3c3c3346882p56, -30299, 1191634800227223945, -1987510272, -0x1.011312p-123, -126, -126, -126, -126, -126, false, -126, -126, -126) == [false, false, 0]
; run: u0:1(60175015672611943707808577707804099202, 0x0.06565626e4065p-1022, 0, 0, 0, 0.0, 0, 16, 0, 8, -126, false, -126, -126, -126) == [false, false, 0]
; run: u0:1(-1324035698926381049733415222487416728, 0x0.03e8282828282p-1022, 4096, 208, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]
; run: u0:1(0, 0.0, 0, 0, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]
; run: u0:1(0, 0.0, 0, 0, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]
; run: u0:1(0, 0.0, 0, 0, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]
; run: u0:1(0, 0.0, 0, 0, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]
; run: u0:1(0, 0.0, 0, 0, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]
```
</details>
jameysharp commented on issue #4757:
Here's the important part of the stack trace from oss-fuzz. I suspect this is caused by the same issue as #4758 since there are `call` instructions in this program and the panic is happening while trying to perform relocations in cranelift-jit.

```
0x5615862344b1 in cranelift_module::module::ModuleDeclarations::get_function_decl::h5bbdbf571653422e wasmtime/cranelift/module/src/module.rs:384:10
0x5615862138e7 in cranelift_jit::backend::JITModule::get_address::h8d13230c813aade4 wasmtime/cranelift/jit/src/backend.rs:289:44
0x5615862181f8 in cranelift_jit::backend::JITModule::finalize_definitions::_$u7b$$u7b$closure$u7d$$u7d$::h1821fa3c3054b087 wasmtime/cranelift/jit/src/backend.rs:434:24
0x5615862181f8 in cranelift_jit::compiled_blob::CompiledBlob::perform_relocations::h02988f21133ad98f wasmtime/cranelift/jit/src/compiled_blob.rs:41:32
0x5615862181f8 in cranelift_jit::backend::JITModule::finalize_definitions::h914dc1ce0866901e wasmtime/cranelift/jit/src/backend.rs:433:13
0x561585fff42f in cranelift_filetests::function_runner::SingleFunctionCompiler::compile::hd1a840d57445ec31 wasmtime/cranelift/filetests/src/function_runner.rs:102:9
```
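The trace above shows the shape of the failure: relocation resolution in the JIT looks up a call target in the module's declaration table by index, and the index is past the end of the table. The following is an added, self-contained Rust model of that path and of the check that turns the panic into an error; it is not cranelift-module or cranelift-jit code. `FuncId`, `Reloc`, `Module`, `finalize_unchecked` and `finalize_checked` are stand-in names written for this example, the addresses are fake, and the two-declaration / index-2 input is constructed to match the panic message in the report rather than decoded from the fuzz input.

```rust
use std::collections::HashMap;

/// Index into a module's declaration table (the role a `FuncId` plays in
/// cranelift-module). Hypothetical type written for this example.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct FuncId(pub u32);

#[derive(Debug)]
pub struct FunctionDeclaration { pub name: String }

/// A relocation recorded while emitting a body: the code at `offset`
/// needs the final address of `target` once everything is laid out.
#[derive(Clone, Debug)]
pub struct Reloc { pub offset: usize, pub target: FuncId }

#[derive(Debug, PartialEq, Eq)]
pub enum FinalizeError {
    /// A body references an id the module never declared.
    UndeclaredFunction { in_func: FuncId, target: FuncId, declared: usize },
    /// The target was declared but has no address at finalization time.
    UndefinedFunction { in_func: FuncId, target: FuncId },
}

/// Minimal module model, not the cranelift-module API.
#[derive(Default)]
pub struct Module {
    decls: Vec<FunctionDeclaration>,
    /// Defined bodies and their pending relocations, in definition order.
    bodies: Vec<(FuncId, Vec<Reloc>)>,
    /// Fake code address assigned to each defined body.
    addrs: HashMap<FuncId, usize>,
}

impl Module {
    pub fn declare_function(&mut self, name: &str) -> FuncId {
        self.decls.push(FunctionDeclaration { name: name.to_string() });
        FuncId((self.decls.len() - 1) as u32)
    }

    pub fn define_function(&mut self, id: FuncId, relocs: Vec<Reloc>) {
        self.addrs.insert(id, 0x1000 + 0x100 * id.0 as usize);
        self.bodies.push((id, relocs));
    }

    /// Unchecked lookup: indexes the table directly, so an id equal to or
    /// beyond `decls.len()` panics with "index out of bounds".
    pub fn get_function_decl(&self, id: FuncId) -> &FunctionDeclaration {
        &self.decls[id.0 as usize]
    }

    /// Mirrors the failing path in the trace: each relocation is resolved
    /// by looking up the target's declaration, with no range check.
    pub fn finalize_unchecked(&self) -> Vec<(FuncId, usize, usize)> {
        let mut patched = Vec::new();
        for (id, relocs) in &self.bodies {
            for r in relocs {
                let _decl = self.get_function_decl(r.target); // panics on a bad id
                let addr = self.addrs.get(&r.target).copied().unwrap_or(0);
                patched.push((*id, r.offset, addr));
            }
        }
        patched
    }

    /// Hardened version: validate every relocation target before patching
    /// anything, and report which body holds the bad reference.
    pub fn finalize_checked(&self) -> Result<Vec<(FuncId, usize, usize)>, FinalizeError> {
        let declared = self.decls.len();
        for (id, relocs) in &self.bodies {
            for r in relocs {
                let (in_func, target) = (*id, r.target);
                if target.0 as usize >= declared {
                    return Err(FinalizeError::UndeclaredFunction { in_func, target, declared });
                }
                if !self.addrs.contains_key(&target) {
                    return Err(FinalizeError::UndefinedFunction { in_func, target });
                }
            }
        }
        Ok(self.finalize_unchecked())
    }
}

/// Constructed input shaped like the panic message: two declarations
/// (u0:0 and u0:1) but a call relocation in u0:1 that targets index 2.
pub fn build_bad_module() -> Module {
    let mut m = Module::default();
    let f0 = m.declare_function("u0:0");
    let f1 = m.declare_function("u0:1");
    m.define_function(f0, vec![]);
    m.define_function(f1, vec![
        Reloc { offset: 0x10, target: f0 },
        Reloc { offset: 0x24, target: FuncId(2) },
    ]);
    m
}
```

`finalize_unchecked` on `build_bad_module()` panics with the same `index out of bounds: the len is 2 but the index is 2` text as the report, because a `Vec` index and a `PrimaryMap` index both panic on an out-of-range key. `finalize_checked` walks every pending relocation first and returns an error naming the body and the dangling reference, which is the diagnostic a fuzz harness or an embedder feeding generated IR into a JIT can act on instead of an abort in the middle of patching code.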
jameysharp closed issue #4757:
Last updated: Dec 23 2024 at 12:05 UTC