cfallin opened issue #4760:
https://oss-fuzz.com/testcase-detail/5258173635756032
```
ERROR: AddressSanitizer: FPE on unknown address 0x627000024418 (pc 0x627000024418 bp 0x7ffece9cd500 sp 0x7ffece9cd3e0 T0)
SCARINESS: 10 (signal)
    #0 0x627000024418 (<unknown module>)
    #1 0x6270000252f7 (<unknown module>)
    #0 0x561a4f7ef6c4 in cranelift_filetests::function_runner::CompiledFunction::call::ha6b9162cd2e21784 wasmtime/cranelift/filetests/src/function_runner.rs:183:9
```
Frame #0 source: https://github.com/bytecodealliance/wasmtime/blob/418dbc15bd2a5269b338587661387e05fc77b983/cranelift/filetests/src/function_runner.rs#L183
input: here
cc @afonso360
afonso360 commented on issue #4760:
Huh, I can't format this input:
```
ubuntu@instance-20220805-0848:~/git/wasmtime/fuzz$ cargo fuzz fmt cranelift-fuzzgen ./4760.in --no-default-features
Output of `std::fmt::Debug`:
Arbitrary Error: The raw data is not of the correct format to construct this type
```
afonso360 commented on issue #4760:
Nevermind, forgot to base64 decode it :sweat_smile:
<details>
<summary> Formatted </summary>

```
ubuntu@instance-20220805-0848:~/git/wasmtime/fuzz$ cargo fuzz fmt cranelift-fuzzgen ./4760.in --no-default-features
Output of `std::fmt::Debug`:
;; Fuzzgen test case
test interpret
test run
set enable_llvm_abi_extensions
target aarch64
target s390x
target x86_64

function u0:1(i8, i32, f32 sext, f32 sext, i64 uext, b1, b1, b1, b1 uext, b1, i128 uext, i64, i16 sext, i8, f64 sext, i8 sext) -> i8, f64, f64 sext, i8, i32, f32 sext, b1 sext, i64 uext, i128, i128, i128 uext, i128 uext, b1 sext, i8 sext, i128 uext, i64 system_v {
    ss0 = explicit_slot 54
    ss1 = explicit_slot 54
    ss2 = explicit_slot 54
    sig0 = (i64, i64) -> i64 fast
    sig1 = () -> b1, f64, f64, f64, f64, f64, f64, f64, f64, f64, f64, f64, f64, f64 system_v
    sig2 = (i64, i64) -> i64 fast
    fn0 = %UdivI64 sig0
    fn1 = colocated u0:0 sig1
    fn2 = colocated %UdivI64 sig2
    jt0 = jump_table [block11, block12, block12, block4, block3, block3, block3, block2, block12, block12, block12, block2, block9, block5]
    jt1 = jump_table [block3, block12, block12, block4, block3, block3, block3]
    jt2 = jump_table [block12, block12, block12, block2, block9, block5, block11, block3, block12, block12, block12, block12, block11, block12]
    jt3 = jump_table [block2, block2, block5, block4, block11, block2, block2, block2, block11, block2, block2, block2, block2, block3, block3, block4, block12, block12, block12, block12, block4, block9, block5, block3, block2, block3, block12, block12]
    jt4 = jump_table [block2, block4, block12, block4, block9, block5, block3, block2, block3, block12, block12, block5, block12, block12, block12]
    jt5 = jump_table [block2, block3, block4, block5, block2, block2, block2, block3, block2]
    jt6 = jump_table [block2, block4]
    jt7 = jump_table [block4, block4, block4, block3, block2, block12, block3, block3, block3, block3, block3, block3, block3, block3]
    jt8 = jump_table [block2, block2, block2]
    jt9 = jump_table [block3, block3]
    jt10 = jump_table [block12, block12]
    jt11 = jump_table [block12, block3, block3, block3, block12, block12, block12, block12, block5, block5, block5, block5, block3, block3, block12, block12, block5, block12, block12]
    jt12 = jump_table [block2, block3, block4, block9, block5, block3, block3, block12, block12, block12, block3, block11, block12, block12, block4, block3, block3, block3, block5]
    jt13 = jump_table [block2, block2]
    jt14 = jump_table [block3, block3, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2]
    jt15 = jump_table [block12, block11, block12, block12, block12, block3, block3, block3, block12, block12, block12, block12, block2, block12, block12, block12, block12, block3, block4]
    jt16 = jump_table [block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2]
    jt17 = jump_table [block12, block4, block9, block5, block3, block3, block12, block12, block5, block12, block12, block12, block12, block2, block3, block4, block2, block4, block12]
    jt18 = jump_table [block9, block5, block3, block3, block12, block12, block4, block3, block3, block3, block12, block12, block12, block12, block2, block9, block5, block11, block3, block12]
    jt19 = jump_table [block2, block2, block4, block2, block3, block3, block3, block3, block2]
    jt20 = jump_table [block5, block2, block2, block2, block2, block11, block2, block2, block2, block2, block2, block2, block2, block4, block2, block3, block4, block2, block4, block12, block4, block9, block5, block3, block2, block3, block12, block12]
    jt21 = jump_table [block2, block11]
    jt22 = jump_table [block4, block4, block4, block4, block4, block4, block3, block2, block12, block3, block3, block3, block3, block3]
    jt23 = jump_table [block3, block3, block12, block12, block12, block12, block2, block9, block5, block11, block3, block12, block12, block12, block12, block11, block12, block12, block12, block3, block3, block3, block12, block12, block12, block12, block2, block12, block12, block12, block12, block3]
    jt24 = jump_table [block3, block2, block2, block2, block2, block2, block2, block2, block2, block9, block4, block2, block9, block5, block2, block3, block4, block5, block2, block2, block2, block3, block2, block2, block2, block2, block2, block2, block2]
    jt25 = jump_table [block2, block2]
    jt26 = jump_table [block5, block3, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2]
    jt27 = jump_table [block5, block2]
    jt28 = jump_table [block3, block3, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2, block2]
    jt29 = jump_table [block3, block12, block12, block5, block12, block12, block4, block9, block5, block3]
    jt30 = jump_table [block12, block12, block2, block3, block4, block4, block4, block12, block4, block9, block5, block3, block3, block12, block12, block5, block12, block12, block12]
    jt31 = jump_table [block11, block12, block12, block4, block3, block3, block3, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5]
    jt32 = jump_table [block12, block2, block2, block2, block2, block2, block2, block2, block5, block2, block2, block2, block3, block2, block4, block2, block2, block2, block2]
    jt33 = jump_table [block5, block11, block12, block3, block12, block4, block12, block3, block2, block9, block5, block11, block9, block12, block3]
    jt34 = jump_table [block3, block3, block3, block3, block3, block3, block3, block3, block3, block3, block3, block3, block3, block3, block5, block11, block2, block11, block9, block11, block9, block11, block5, block5, block11, block2, block11, block4, block2, block2]
    jt35 = jump_table [block4, block2]
    jt36 = jump_table [block5, block2, block9, block12, block12, block12, block2, block2, block2, block12, block12]
    jt37 = jump_table [block2, block2]
    jt38 = jump_table [block5, block4, block11, block2, block12, block12, block12, block2, block2, block2, block12, block12, block12, block12, block2, block2, block2, block2, block3, block3, block3, block3, block3]
    jt39 = jump_table [block4, block12, block9, block4, block9, block5, block3, block2, block3, block12, block12, block5, block12, block12, block12, block12, block5, block3, block3, block2, block2, block2, block2, block2, block2, block2, block2]
    jt40 = jump_table [block4, block2, block9, block11, block11, block11, block11, block12, block4, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5, block5]
    jt41 = jump_table [block11, block5]
    jt42 = jump_table [block12, block11, block12, block12, block12, block3, block3, block3, block12, block12, block12, block12, block5, block5, block5, block5, block3, block3, block12]
    jt43 = jump_table [block4, block2]
    jt44 = jump_table [block9, block9, block12, block2, block2, block2, block2, block2, block2, block2, block5, block2, block2, block2, block3, block2, block4, block2, block2, block2, block2, block2, block2, block2]
    jt45 = jump_table [block2, block4]
    jt46 = jump_table [block2, block9, block5, block3, block3, block12, block12, block4, block3, block3, block3, block12, block12, block12, block12, block2, block9, block5, block11]
    jt47 = jump_table [block2, block5, block5, block5, block5, block9, block2, block2, block2, block2, block2, block2, block3, block9, block5]
    jt48 = jump_table [block4, block5, block5, block2, block2, block2, block4, block2]
    jt49 = jump_table [block2, block2, block4]
    jt50 = jump_table [block12, block2, block2, block2, block12, block12, block12, block12, block2, block2, block2, block2, block3, block3, block3, block3, block3, block3, block3]
    jt51 = jump_table [block9, block4, block9, block5, block3, block2, block3, block12, block12, block5, block12, block12, block12, block12, block5, block3, block3, block2, block2]
    jt52 = jump_table [block11, block4, block2, block2, block2, block2, block12, block12, block12, block12, block12, block12, block12, block2, block2, block2, block2, block2, block2, block2, block2, block2]
    jt53 = jump_table [block12, block11, block12, block12, block12, block3, block3, block3, block12, block12, block12, block12, block5, block5, block5, block5, block3, block3, block12]
    jt54 = jump_table [block2, block11, block5, block11, block9, block5, block5, block5, block5, block11, block5, block9, block9, block9, block9, block3, block3, block3]
    jt55 = jump_table [block2, block4]
    jt56 = jump_table [block5, block5, block3, block2, block3, block12, block12, block11, block3, block9, block5, block2, block2, block5]
    jt57 = jump_table [block2, block2, block2, block2, block2, block5, block5, block5, block5, block9, block2, block2, block2, block2, block2]
    jt58 = jump_table [block3, block3, block3, block3, block3, block3, block3, block3, block3, block3, block3, block3, block3, block3, block5, block11, block2, block11, block9, block11, block9, block11, block5, block5, block11, block2, block3, block11, block2, block2]
    jt59 = jump_table [block4, block3, block2, block
```
[message truncated]
</details>
abrown commented on issue #4760:
Ah, fuzzing... good to know we can use jump tables:laughing:
afonso360 commented on issue #4760:
Interesting, trying to reproduce this on windows (via the generated clif test case) gives me a different result (`STATUS_INTEGER_DIVIDE_BY_ZERO`).

```
PS C:\Users\Afonso\CLionProjects\wasmtime\cranelift> cargo run -- test .\lmao.clif
    Finished dev [unoptimized + debuginfo] target(s) in 0.36s
     Running `C:\Users\Afonso\CLionProjects\wasmtime\target\debug\clif-util.exe test .\lmao.clif`
error: process didn't exit successfully: `C:\Users\Afonso\CLionProjects\wasmtime\target\debug\clif-util.exe test .\lmao.clif` (exit code: 0xc0000094, STATUS_INTEGER_DIVIDE_BY_ZERO)
```

And I did confirm, the debugger stops in a `div` instruction. I'll have to continue on a linux machine.
afonso360 edited a comment on issue #4760:
Interesting, trying to reproduce this on windows (via the generated clif test case) gives me a different result (`STATUS_INTEGER_DIVIDE_BY_ZERO`). The only change I did to the test case was altering the calling convention from `system_v` to `windows_fastcall`.

```
PS C:\Users\Afonso\CLionProjects\wasmtime\cranelift> cargo run -- test .\lmao.clif
    Finished dev [unoptimized + debuginfo] target(s) in 0.36s
     Running `C:\Users\Afonso\CLionProjects\wasmtime\target\debug\clif-util.exe test .\lmao.clif`
error: process didn't exit successfully: `C:\Users\Afonso\CLionProjects\wasmtime\target\debug\clif-util.exe test .\lmao.clif` (exit code: 0xc0000094, STATUS_INTEGER_DIVIDE_BY_ZERO)
```

And I did confirm, the debugger stops in a `div` instruction. I'll have to continue on a linux machine.
afonso360 edited a comment on issue #4760:
Interesting, trying to reproduce this on windows (via the generated clif test case) gives me a different result (`STATUS_INTEGER_DIVIDE_BY_ZERO`). The only change I did to the test case was altering the calling convention from `system_v` to `windows_fastcall`.

```
PS C:\Users\Afonso\CLionProjects\wasmtime\cranelift> cargo run -- test .\lmao.clif
    Finished dev [unoptimized + debuginfo] target(s) in 0.36s
     Running `C:\Users\Afonso\CLionProjects\wasmtime\target\debug\clif-util.exe test .\lmao.clif`
error: process didn't exit successfully: `C:\Users\Afonso\CLionProjects\wasmtime\target\debug\clif-util.exe test .\lmao.clif` (exit code: 0xc0000094, STATUS_INTEGER_DIVIDE_BY_ZERO)
```

And I did confirm, the debugger stops in a `div` instruction. I'll have to continue on a linux machine (which I just confirmed, can reproduce the issue via the clif test case).
afonso360 edited a comment on issue #4760:
Interesting, trying to reproduce this on windows (via the generated clif test case) gives me a different result (`STATUS_INTEGER_DIVIDE_BY_ZERO`). The only change I did to the test case was altering the calling convention from `system_v` to `windows_fastcall`.

```
PS C:\Users\Afonso\CLionProjects\wasmtime\cranelift> cargo run -- test .\lmao.clif
    Finished dev [unoptimized + debuginfo] target(s) in 0.36s
     Running `C:\Users\Afonso\CLionProjects\wasmtime\target\debug\clif-util.exe test .\lmao.clif`
error: process didn't exit successfully: `C:\Users\Afonso\CLionProjects\wasmtime\target\debug\clif-util.exe test .\lmao.clif` (exit code: 0xc0000094, STATUS_INTEGER_DIVIDE_BY_ZERO)
```

And I did confirm, the debugger stops in a `div` instruction. I'll have to continue on a linux machine (which I just confirmed, can reproduce the issue via the clif test case).

Edit: Ah, seems to be a POSIX thing
afonso360 edited a comment on issue #4760:
Interesting, trying to reproduce this on windows (via the generated clif test case) gives me a different result (`STATUS_INTEGER_DIVIDE_BY_ZERO`). The only change I did to the test case was altering the calling convention from `system_v` to `windows_fastcall`.

```
PS C:\Users\Afonso\CLionProjects\wasmtime\cranelift> cargo run -- test .\lmao.clif
    Finished dev [unoptimized + debuginfo] target(s) in 0.36s
     Running `C:\Users\Afonso\CLionProjects\wasmtime\target\debug\clif-util.exe test .\lmao.clif`
error: process didn't exit successfully: `C:\Users\Afonso\CLionProjects\wasmtime\target\debug\clif-util.exe test .\lmao.clif` (exit code: 0xc0000094, STATUS_INTEGER_DIVIDE_BY_ZERO)
```

And I did confirm, the debugger stops in a `div` instruction. I'll have to continue on a linux machine (which I just confirmed, can reproduce the issue via the clif test case).

Edit: Ah, seems to be a POSIX thing, it's probably the same issue.
jameysharp commented on issue #4760:
OSS-Fuzz thinks this was fixed, and indeed, I can reproduce the SIGFPE on 9cb987c67 but not on d394edcef. However I don't immediately see why #4752 would have actually fixed this.
On top of that, the same input produces a new error now:
```
thread '<unnamed>' panicked at 'called `Result::unwrap()` on an `Err` value: Undeclared function u0:0 is referenced by u0:1!', fuzz/fuzz_targets/cranelift-fuzzgen.rs:73:53
```

`git bisect` points at #4667 as the commit that introduced this new failure mode.
jameysharp commented on issue #4760:
Okay, #4752 does not change the CLIF that this fuzz target generates, which is good: we didn't accidentally "fix" the fuzz bug by changing the input format.
It does dramatically change the assembly generated from that CLIF, including making the stack frame slightly smaller and the function slightly larger. But both versions have almost 1,200 instructions and I don't have any hope of getting to a root cause from there.
There's a `rotl` instruction in the generated CLIF whose result (`v216`) is the discriminant for what looks like a "switch" construct, so it could be that this divide-by-zero is on a branch that isn't executed if the rotate is performed correctly. There's also at least one `udiv` that operates on the result of an `ishl`. There's probably plenty of other ways that shifts or rotates could affect the inputs to the many division instructions in this test case.

So it's plausible enough that fixing shifts/rotates made this test case pass that I'm going to just declare that OSS-Fuzz is right, and this bug is fixed by that PR. Hooray!
The new error is another matter which I'll bring up in #4667.
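The reasoning in the comment above (a wrong rotate or shift result feeding a divisor, so that a division which is fine under correct semantics traps in the miscompiled code) can be made concrete with a small model. This is an added example, not Cranelift's code or anything from the thread: `rotl64`, `ishl64`, `udiv64`, `buggy_rotl64` and `divide_by_rotated` are hypothetical names, and `buggy_rotl64` is an assumed miscompilation (a rotate lowered as a plain shift), not the actual defect that #4752 fixed. It reproduces CLIF's rule that shift and rotate amounts are masked to the operand width, and models `udiv` the way an interpreter would, returning a trap value on a zero divisor instead of letting the hardware fault (SIGFPE on POSIX, STATUS_INTEGER_DIVIDE_BY_ZERO on Windows).

```rust
// Added example (hypothetical model, not Cranelift code): three CLIF-style
// i64 operations and a division pattern whose divisor is derived from a
// rotate. A correct rotate keeps the divisor nonzero; a rotate mislowered
// as a shift drops the wrapped-around bit and produces a zero divisor.

#[derive(Debug, PartialEq)]
pub enum Trap {
    IntegerDivisionByZero,
}

/// `rotl.i64`: rotate left; CLIF masks the amount to the bit width (63).
pub fn rotl64(x: u64, amount: u64) -> u64 {
    x.rotate_left((amount & 63) as u32)
}

/// `ishl.i64`: logical shift left, amount masked to the bit width.
pub fn ishl64(x: u64, amount: u64) -> u64 {
    x.wrapping_shl((amount & 63) as u32)
}

/// `udiv.i64` as an interpreter would model it: a zero divisor becomes a
/// trap value rather than a hardware fault.
pub fn udiv64(x: u64, y: u64) -> Result<u64, Trap> {
    if y == 0 {
        Err(Trap::IntegerDivisionByZero)
    } else {
        Ok(x / y)
    }
}

/// Assumed miscompilation for illustration: the rotate is lowered as a
/// plain shift, so bits rotated out of the top are lost instead of
/// reappearing at the bottom.
pub fn buggy_rotl64(x: u64, amount: u64) -> u64 {
    ishl64(x, amount)
}

/// The pattern the thread describes: a divisor that is the result of a
/// rotate, then consumed by `udiv`. `rotate` is the rotl lowering under test.
pub fn divide_by_rotated(
    dividend: u64,
    seed: u64,
    amount: u64,
    rotate: fn(u64, u64) -> u64,
) -> Result<u64, Trap> {
    let divisor = rotate(seed, amount);
    udiv64(dividend, divisor)
}

fn main() {
    // Constructed input: only the top bit is set, so a correct rotate by one
    // yields 1, while the shift-based "rotate" yields 0.
    let seed = 1u64 << 63;
    println!("correct rotl: {:?}", divide_by_rotated(100, seed, 1, rotl64));
    println!("buggy rotl:   {:?}", divide_by_rotated(100, seed, 1, buggy_rotl64));
}
```

Running it prints `Ok(100)` for the correct rotate and `Err(IntegerDivisionByZero)` for the shift-based one: the same CLIF, the same inputs, and the only difference is whether one bit survived the rotate. That is the shape of failure the comment argues for, and it is why a fix in the shift/rotate lowering can legitimately make a division-by-zero crash disappear.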
jameysharp closed issue #4760:
Last updated: Jan 24 2025 at 00:11 UTC