alexcrichton opened issue #6965:
Given this fuzz input: clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072.gz on current
main
(https://github.com/bytecodealliance/wasmtime/commit/9377dfd7b82c8cc5bfdfbc435df1b633b2506f08)I can reproduce a crash locally with:
$ cargo +nightly fuzz run --target x86_64-apple-darwin --dev --no-default-features cranelift-fuzzgen ~/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072 Finished dev [unoptimized + debuginfo] target(s) in 0.30s Finished dev [unoptimized + debuginfo] target(s) in 0.10s Running `target/x86_64-apple-darwin/debug/cranelift-fuzzgen -artifact_prefix=/Users/alex/code/wasmtime/fuzz/artifacts/cranelift-fuzzgen/ /Users/alex/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072` cranelift-fuzzgen(19284,0x211431280) malloc: nano zone abandoned due to inability to reserve vm space. INFO: Running with entropic power schedule (0xFF, 100). INFO: Seed: 1537930642 INFO: Loaded 1 modules (2164864 inline 8-bit counters): 2164864 [0x10b96b000, 0x10bb7b880), INFO: Loaded 1 PC tables (2164864 PCs): 2164864 [0x10bb7b880,0x10dc84080), target/x86_64-apple-darwin/debug/cranelift-fuzzgen: Running 1 inputs 1 time(s) each. Running: /Users/alex/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072 thread '<unnamed>' panicked at fuzz/fuzz_targets/cranelift-fuzzgen.rs:401:14: called `Result::unwrap()` on an `Err` value: Compilation error: Verifier errors Caused by: 0: Verifier errors 1: - inst0 (v0 = iconst.i8 -1): constant immediate is out of bounds note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace ==19284== ERROR: libFuzzer: deadly signal #0 0x1305d6375 in __sanitizer_print_stack_trace+0x35 (librustc-nightly_rt.asan.dylib:x86_64+0x5f375) #1 0x1054a7d82 in fuzzer::PrintStackTrace()+0x52 (cranelift-fuzzgen:x86_64+0x10515cd82) #2 0x105482b12 in fuzzer::Fuzzer::CrashCallback()+0x62 (cranelift-fuzzgen:x86_64+0x105137b12) #3 0x105482aad in fuzzer::Fuzzer::StaticCrashSignalCallback()+0x4d (cranelift-fuzzgen:x86_64+0x105137aad) #4 0x1054e0b17 in fuzzer::CrashHandler(int, __siginfo*, void*)+0x17 (cranelift-fuzzgen:x86_64+0x105195b17) #5 0x7ff80df1c5ec in _sigtramp+0x1c (libsystem_platform.dylib:x86_64+0x35ec) #6 0x10e1bd3ff in fuzzer::EF+0xb7 (cranelift-fuzzgen:x86_64+0x10de723ff) #7 0x7ff80de15b44 in abort+0x7a (libsystem_c.dylib:x86_64+0x7fb44) #8 0x10a5e7168 in std::sys::unix::abort_internal::h4b39ba0715c21a29+0x8 (cranelift-fuzzgen:x86_64+0x10a29c168) #9 0x10a87a838 in std::process::abort::h7379b6c0ec5fccbd+0x8 (cranelift-fuzzgen:x86_64+0x10a52f838) #10 0x105480e66 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::h617d6ea4d03058ee+0x26 (cranelift-fuzzgen:x86_64+0x105135e66) #11 0x10a5dce6f in std::panicking::rust_panic_with_hook::hb249569931f012dd+0x23f (cranelift-fuzzgen:x86_64+0x10a291e6f) #12 0x10a5dcc12 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hbb360767c8175684+0xc2 (cranelift-fuzzgen:x86_64+0x10a291c12) #13 0x10a5d9648 in std::sys_common::backtrace::__rust_end_short_backtrace::h979bc602ffc46c13+0x8 (cranelift-fuzzgen:x86_64+0x10a28e648) #14 0x10a5dc93c in rust_begin_unwind+0x6c (cranelift-fuzzgen:x86_64+0x10a29193c) #15 0x10a87d4c2 in core::panicking::panic_fmt::hd706d57bad8730a6+0x32 (cranelift-fuzzgen:x86_64+0x10a5324c2) #16 0x10a87d990 in core::result::unwrap_failed::h266c11806b9860b9+0x70 (cranelift-fuzzgen:x86_64+0x10a532990) #17 0x1003b7ebd in core::result::Result$LT$T$C$E$GT$::unwrap::h50d21a64bc71123a result.rs:1077 #18 0x1003e07ad in cranelift_fuzzgen::_::run::he3c7c16cd1528c50 cranelift-fuzzgen.rs:399 #19 0x1003df078 in rust_fuzzer_test_input lib.rs:297 #20 0x10547fcde in libfuzzer_sys::test_input_wrap::_$u7b$$u7b$closure$u7d$$u7d$::hd28ae9962b9c0d1f+0x55e (cranelift-fuzzgen:x86_64+0x105134cde) #21 0x10547577d in std::panicking::try::do_call::hb7c53064d7a34cec+0x29d (cranelift-fuzzgen:x86_64+0x10512a77d) #22 0x1054817b0 in __rust_try+0x30 (cranelift-fuzzgen:x86_64+0x1051367b0) #23 0x105475026 in std::panicking::try::h8dae756f4e644bf0+0x4e6 (cranelift-fuzzgen:x86_64+0x10512a026) #24 0x105474ac5 in std::panic::catch_unwind::h2a5190780cb395b5+0x1d5 (cranelift-fuzzgen:x86_64+0x105129ac5) #25 0x10547f245 in LLVMFuzzerTestOneInput+0x415 (cranelift-fuzzgen:x86_64+0x105134245) #26 0x105484881 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)+0x1a1 (cranelift-fuzzgen:x86_64+0x105139881) #27 0x1054cc2d4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)+0xf4 (cranelift-fuzzgen:x86_64+0x1051812d4) #28 0x1054d133b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x173b (cranelift-fuzzgen:x86_64+0x10518633b) #29 0x1054f0249 in main+0x29 (cranelift-fuzzgen:x86_64+0x1051a5249) #30 0x21138f41e (<unknown module>) NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash reports. SUMMARY: libFuzzer: deadly signal ──────────────────────────────────────────────────────────────────────────────── Error: Fuzz target exited with exit status: 77
<details>
<summary>Output of <code>fuzz fmt</code></summary>
Output of `std::fmt::Debug`: ;; Run test case test interpret test run set opt_level=speed_and_size set bb_padding_log2_minus_one=6 set enable_alias_analysis=false set enable_llvm_abi_extensions=true set unwind_info=false set machine_code_cfg_info=true set enable_jump_tables=false set enable_heap_access_spectre_mitigation=false set enable_table_access_spectre_mitigation=false target x86_64 has_sse3 has_ssse3 has_sse41 has_sse42 has_popcnt function u1:0() system_v { sig0 = (f32) -> f32 system_v sig1 = (f64) -> f64 system_v sig2 = (f32) -> f32 system_v sig3 = (f64) -> f64 system_v sig4 = (f32) -> f32 system_v sig5 = (f64) -> f64 system_v fn0 = %CeilF32 sig0 fn1 = %CeilF64 sig1 fn2 = %FloorF32 sig2 fn3 = %FloorF64 sig3 fn4 = %TruncF32 sig4 fn5 = %TruncF64 sig5 block0: v0 = iconst.i8 -1 v1 = iconst.i8 0 v2 = iconst.i8 0 v3 = iconst.i8 0 v4 = iconst.i8 0 v5 = iconst.i8 0 v6 = iconst.i8 0 v7 = iconst.i8 0 v8 = iconst.i8 0 v9 = iconst.i8 0 v10 = iconst.i8 0 v11 = iconst.i8 0 v12 = iconst.i8 0 v13 = iconst.i8 0 v14 = iconst.i8 0 v15 = iconst.i8 0 v16 = iconst.i16 0 v17 = iconst.i32 0 v18 = iconst.i64 0 v19 = uextend.i128 v18 ; v18 = 0 return } ; Note: the results in the below test cases are simply a placeholder and probably will be wrong ; run: u1:0()
</details>
I can't seem to get the text output to crash
clif-util
the tool, however, so I suspect that this may be fuzzing-infrastructure-specific.cc @timjrd and @jameysharp as folks on https://github.com/bytecodealliance/wasmtime/pull/6850 as this seems like a likely regression from that
cc @afonso360 as you may have an idea off the top of your head related to the fuzzing infra
alexcrichton added the fuzz-bug label to Issue #6965.
afonso360 commented on issue #6965:
I'm looking into this, the source of the immediate bug is here but after fixing that I've run into another failure, so I think there might be something wrong in the interpreter as well.
timjrd commented on issue #6965:
As you pointed out, after applying the following patch the crash disappears with this input. However, on Linux I don't face any other failures (with this input only).
diff --git a/cranelift/fuzzgen/src/function_generator.rs b/cranelift/fuzzgen/src/function_generator.rs index b2ce4e1ee..4ef643205 100644 --- a/cranelift/fuzzgen/src/function_generator.rs +++ b/cranelift/fuzzgen/src/function_generator.rs @@ -1375,9 +1375,9 @@ where /// Generates an instruction(`iconst`/`fconst`/etc...) to introduce a constant value fn generate_const(&mut self, builder: &mut FunctionBuilder, ty: Type) -> Result<Value> { Ok(match self.u.datavalue(ty)? { - DataValue::I8(i) => builder.ins().iconst(ty, i as i64), - DataValue::I16(i) => builder.ins().iconst(ty, i as i64), - DataValue::I32(i) => builder.ins().iconst(ty, i as i64), + DataValue::I8(i) => builder.ins().iconst(ty, i as u8 as i64), + DataValue::I16(i) => builder.ins().iconst(ty, i as u16 as i64), + DataValue::I32(i) => builder.ins().iconst(ty, i as u32 as i64), DataValue::I64(i) => builder.ins().iconst(ty, i as i64), DataValue::I128(i) => { let hi = builder.ins().iconst(I64, (i >> 64) as i64);
afonso360 commented on issue #6965:
Yeah, the failure was when running with different inputs, but I don't think it's related to this. Would you like to open a PR with that change? That looks pretty much like what I expected the fix to look like.
timjrd commented on issue #6965:
sure :smile:
afonso360 closed issue #6965:
Given this fuzz input: clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072.gz on current
main
(https://github.com/bytecodealliance/wasmtime/commit/9377dfd7b82c8cc5bfdfbc435df1b633b2506f08)I can reproduce a crash locally with:
$ cargo +nightly fuzz run --target x86_64-apple-darwin --dev --no-default-features cranelift-fuzzgen ~/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072 Finished dev [unoptimized + debuginfo] target(s) in 0.30s Finished dev [unoptimized + debuginfo] target(s) in 0.10s Running `target/x86_64-apple-darwin/debug/cranelift-fuzzgen -artifact_prefix=/Users/alex/code/wasmtime/fuzz/artifacts/cranelift-fuzzgen/ /Users/alex/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072` cranelift-fuzzgen(19284,0x211431280) malloc: nano zone abandoned due to inability to reserve vm space. INFO: Running with entropic power schedule (0xFF, 100). INFO: Seed: 1537930642 INFO: Loaded 1 modules (2164864 inline 8-bit counters): 2164864 [0x10b96b000, 0x10bb7b880), INFO: Loaded 1 PC tables (2164864 PCs): 2164864 [0x10bb7b880,0x10dc84080), target/x86_64-apple-darwin/debug/cranelift-fuzzgen: Running 1 inputs 1 time(s) each. Running: /Users/alex/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072 thread '<unnamed>' panicked at fuzz/fuzz_targets/cranelift-fuzzgen.rs:401:14: called `Result::unwrap()` on an `Err` value: Compilation error: Verifier errors Caused by: 0: Verifier errors 1: - inst0 (v0 = iconst.i8 -1): constant immediate is out of bounds note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace ==19284== ERROR: libFuzzer: deadly signal #0 0x1305d6375 in __sanitizer_print_stack_trace+0x35 (librustc-nightly_rt.asan.dylib:x86_64+0x5f375) #1 0x1054a7d82 in fuzzer::PrintStackTrace()+0x52 (cranelift-fuzzgen:x86_64+0x10515cd82) #2 0x105482b12 in fuzzer::Fuzzer::CrashCallback()+0x62 (cranelift-fuzzgen:x86_64+0x105137b12) #3 0x105482aad in fuzzer::Fuzzer::StaticCrashSignalCallback()+0x4d (cranelift-fuzzgen:x86_64+0x105137aad) #4 0x1054e0b17 in fuzzer::CrashHandler(int, __siginfo*, void*)+0x17 (cranelift-fuzzgen:x86_64+0x105195b17) #5 0x7ff80df1c5ec in _sigtramp+0x1c (libsystem_platform.dylib:x86_64+0x35ec) #6 0x10e1bd3ff in fuzzer::EF+0xb7 (cranelift-fuzzgen:x86_64+0x10de723ff) #7 0x7ff80de15b44 in abort+0x7a (libsystem_c.dylib:x86_64+0x7fb44) #8 0x10a5e7168 in std::sys::unix::abort_internal::h4b39ba0715c21a29+0x8 (cranelift-fuzzgen:x86_64+0x10a29c168) #9 0x10a87a838 in std::process::abort::h7379b6c0ec5fccbd+0x8 (cranelift-fuzzgen:x86_64+0x10a52f838) #10 0x105480e66 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::h617d6ea4d03058ee+0x26 (cranelift-fuzzgen:x86_64+0x105135e66) #11 0x10a5dce6f in std::panicking::rust_panic_with_hook::hb249569931f012dd+0x23f (cranelift-fuzzgen:x86_64+0x10a291e6f) #12 0x10a5dcc12 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hbb360767c8175684+0xc2 (cranelift-fuzzgen:x86_64+0x10a291c12) #13 0x10a5d9648 in std::sys_common::backtrace::__rust_end_short_backtrace::h979bc602ffc46c13+0x8 (cranelift-fuzzgen:x86_64+0x10a28e648) #14 0x10a5dc93c in rust_begin_unwind+0x6c (cranelift-fuzzgen:x86_64+0x10a29193c) #15 0x10a87d4c2 in core::panicking::panic_fmt::hd706d57bad8730a6+0x32 (cranelift-fuzzgen:x86_64+0x10a5324c2) #16 0x10a87d990 in core::result::unwrap_failed::h266c11806b9860b9+0x70 (cranelift-fuzzgen:x86_64+0x10a532990) #17 0x1003b7ebd in core::result::Result$LT$T$C$E$GT$::unwrap::h50d21a64bc71123a result.rs:1077 #18 0x1003e07ad in cranelift_fuzzgen::_::run::he3c7c16cd1528c50 cranelift-fuzzgen.rs:399 #19 0x1003df078 in rust_fuzzer_test_input lib.rs:297 #20 0x10547fcde in libfuzzer_sys::test_input_wrap::_$u7b$$u7b$closure$u7d$$u7d$::hd28ae9962b9c0d1f+0x55e (cranelift-fuzzgen:x86_64+0x105134cde) #21 0x10547577d in std::panicking::try::do_call::hb7c53064d7a34cec+0x29d (cranelift-fuzzgen:x86_64+0x10512a77d) #22 0x1054817b0 in __rust_try+0x30 (cranelift-fuzzgen:x86_64+0x1051367b0) #23 0x105475026 in std::panicking::try::h8dae756f4e644bf0+0x4e6 (cranelift-fuzzgen:x86_64+0x10512a026) #24 0x105474ac5 in std::panic::catch_unwind::h2a5190780cb395b5+0x1d5 (cranelift-fuzzgen:x86_64+0x105129ac5) #25 0x10547f245 in LLVMFuzzerTestOneInput+0x415 (cranelift-fuzzgen:x86_64+0x105134245) #26 0x105484881 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)+0x1a1 (cranelift-fuzzgen:x86_64+0x105139881) #27 0x1054cc2d4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)+0xf4 (cranelift-fuzzgen:x86_64+0x1051812d4) #28 0x1054d133b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x173b (cranelift-fuzzgen:x86_64+0x10518633b) #29 0x1054f0249 in main+0x29 (cranelift-fuzzgen:x86_64+0x1051a5249) #30 0x21138f41e (<unknown module>) NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash reports. SUMMARY: libFuzzer: deadly signal ──────────────────────────────────────────────────────────────────────────────── Error: Fuzz target exited with exit status: 77
<details>
<summary>Output of <code>fuzz fmt</code></summary>
Output of `std::fmt::Debug`: ;; Run test case test interpret test run set opt_level=speed_and_size set bb_padding_log2_minus_one=6 set enable_alias_analysis=false set enable_llvm_abi_extensions=true set unwind_info=false set machine_code_cfg_info=true set enable_jump_tables=false set enable_heap_access_spectre_mitigation=false set enable_table_access_spectre_mitigation=false target x86_64 has_sse3 has_ssse3 has_sse41 has_sse42 has_popcnt function u1:0() system_v { sig0 = (f32) -> f32 system_v sig1 = (f64) -> f64 system_v sig2 = (f32) -> f32 system_v sig3 = (f64) -> f64 system_v sig4 = (f32) -> f32 system_v sig5 = (f64) -> f64 system_v fn0 = %CeilF32 sig0 fn1 = %CeilF64 sig1 fn2 = %FloorF32 sig2 fn3 = %FloorF64 sig3 fn4 = %TruncF32 sig4 fn5 = %TruncF64 sig5 block0: v0 = iconst.i8 -1 v1 = iconst.i8 0 v2 = iconst.i8 0 v3 = iconst.i8 0 v4 = iconst.i8 0 v5 = iconst.i8 0 v6 = iconst.i8 0 v7 = iconst.i8 0 v8 = iconst.i8 0 v9 = iconst.i8 0 v10 = iconst.i8 0 v11 = iconst.i8 0 v12 = iconst.i8 0 v13 = iconst.i8 0 v14 = iconst.i8 0 v15 = iconst.i8 0 v16 = iconst.i16 0 v17 = iconst.i32 0 v18 = iconst.i64 0 v19 = uextend.i128 v18 ; v18 = 0 return } ; Note: the results in the below test cases are simply a placeholder and probably will be wrong ; run: u1:0()
</details>
I can't seem to get the text output to crash
clif-util
the tool, however, so I suspect that this may be fuzzing-infrastructure-specific.cc @timjrd and @jameysharp as folks on https://github.com/bytecodealliance/wasmtime/pull/6850 as this seems like a likely regression from that
cc @afonso360 as you may have an idea off the top of your head related to the fuzzing infra
Last updated: Dec 23 2024 at 12:05 UTC