Stream: git-wasmtime

Topic: wasmtime / issue #6965 Cranelift verifier fuzz-bug: const...


view this post on Zulip Wasmtime GitHub notifications bot (Sep 05 2023 at 19:12):

alexcrichton opened issue #6965:

Given this fuzz input: clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072.gz on current main (https://github.com/bytecodealliance/wasmtime/commit/9377dfd7b82c8cc5bfdfbc435df1b633b2506f08)

I can reproduce a crash locally with:

$ cargo +nightly fuzz run --target x86_64-apple-darwin --dev --no-default-features cranelift-fuzzgen ~/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072
    Finished dev [unoptimized + debuginfo] target(s) in 0.30s
    Finished dev [unoptimized + debuginfo] target(s) in 0.10s
     Running `target/x86_64-apple-darwin/debug/cranelift-fuzzgen -artifact_prefix=/Users/alex/code/wasmtime/fuzz/artifacts/cranelift-fuzzgen/ /Users/alex/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072`
cranelift-fuzzgen(19284,0x211431280) malloc: nano zone abandoned due to inability to reserve vm space.
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1537930642
INFO: Loaded 1 modules   (2164864 inline 8-bit counters): 2164864 [0x10b96b000, 0x10bb7b880),
INFO: Loaded 1 PC tables (2164864 PCs): 2164864 [0x10bb7b880,0x10dc84080),
target/x86_64-apple-darwin/debug/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: /Users/alex/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072
thread '<unnamed>' panicked at fuzz/fuzz_targets/cranelift-fuzzgen.rs:401:14:
called `Result::unwrap()` on an `Err` value: Compilation error: Verifier errors

Caused by:
    0: Verifier errors
    1: - inst0 (v0 = iconst.i8 -1): constant immediate is out of bounds

note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==19284== ERROR: libFuzzer: deadly signal
    #0 0x1305d6375 in __sanitizer_print_stack_trace+0x35 (librustc-nightly_rt.asan.dylib:x86_64+0x5f375)
    #1 0x1054a7d82 in fuzzer::PrintStackTrace()+0x52 (cranelift-fuzzgen:x86_64+0x10515cd82)
    #2 0x105482b12 in fuzzer::Fuzzer::CrashCallback()+0x62 (cranelift-fuzzgen:x86_64+0x105137b12)
    #3 0x105482aad in fuzzer::Fuzzer::StaticCrashSignalCallback()+0x4d (cranelift-fuzzgen:x86_64+0x105137aad)
    #4 0x1054e0b17 in fuzzer::CrashHandler(int, __siginfo*, void*)+0x17 (cranelift-fuzzgen:x86_64+0x105195b17)
    #5 0x7ff80df1c5ec in _sigtramp+0x1c (libsystem_platform.dylib:x86_64+0x35ec)
    #6 0x10e1bd3ff in fuzzer::EF+0xb7 (cranelift-fuzzgen:x86_64+0x10de723ff)
    #7 0x7ff80de15b44 in abort+0x7a (libsystem_c.dylib:x86_64+0x7fb44)
    #8 0x10a5e7168 in std::sys::unix::abort_internal::h4b39ba0715c21a29+0x8 (cranelift-fuzzgen:x86_64+0x10a29c168)
    #9 0x10a87a838 in std::process::abort::h7379b6c0ec5fccbd+0x8 (cranelift-fuzzgen:x86_64+0x10a52f838)
    #10 0x105480e66 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::h617d6ea4d03058ee+0x26 (cranelift-fuzzgen:x86_64+0x105135e66)
    #11 0x10a5dce6f in std::panicking::rust_panic_with_hook::hb249569931f012dd+0x23f (cranelift-fuzzgen:x86_64+0x10a291e6f)
    #12 0x10a5dcc12 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hbb360767c8175684+0xc2 (cranelift-fuzzgen:x86_64+0x10a291c12)
    #13 0x10a5d9648 in std::sys_common::backtrace::__rust_end_short_backtrace::h979bc602ffc46c13+0x8 (cranelift-fuzzgen:x86_64+0x10a28e648)
    #14 0x10a5dc93c in rust_begin_unwind+0x6c (cranelift-fuzzgen:x86_64+0x10a29193c)
    #15 0x10a87d4c2 in core::panicking::panic_fmt::hd706d57bad8730a6+0x32 (cranelift-fuzzgen:x86_64+0x10a5324c2)
    #16 0x10a87d990 in core::result::unwrap_failed::h266c11806b9860b9+0x70 (cranelift-fuzzgen:x86_64+0x10a532990)
    #17 0x1003b7ebd in core::result::Result$LT$T$C$E$GT$::unwrap::h50d21a64bc71123a result.rs:1077
    #18 0x1003e07ad in cranelift_fuzzgen::_::run::he3c7c16cd1528c50 cranelift-fuzzgen.rs:399
    #19 0x1003df078 in rust_fuzzer_test_input lib.rs:297
    #20 0x10547fcde in libfuzzer_sys::test_input_wrap::_$u7b$$u7b$closure$u7d$$u7d$::hd28ae9962b9c0d1f+0x55e (cranelift-fuzzgen:x86_64+0x105134cde)
    #21 0x10547577d in std::panicking::try::do_call::hb7c53064d7a34cec+0x29d (cranelift-fuzzgen:x86_64+0x10512a77d)
    #22 0x1054817b0 in __rust_try+0x30 (cranelift-fuzzgen:x86_64+0x1051367b0)
    #23 0x105475026 in std::panicking::try::h8dae756f4e644bf0+0x4e6 (cranelift-fuzzgen:x86_64+0x10512a026)
    #24 0x105474ac5 in std::panic::catch_unwind::h2a5190780cb395b5+0x1d5 (cranelift-fuzzgen:x86_64+0x105129ac5)
    #25 0x10547f245 in LLVMFuzzerTestOneInput+0x415 (cranelift-fuzzgen:x86_64+0x105134245)
    #26 0x105484881 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)+0x1a1 (cranelift-fuzzgen:x86_64+0x105139881)
    #27 0x1054cc2d4 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)+0xf4 (cranelift-fuzzgen:x86_64+0x1051812d4)
    #28 0x1054d133b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x173b (cranelift-fuzzgen:x86_64+0x10518633b)
    #29 0x1054f0249 in main+0x29 (cranelift-fuzzgen:x86_64+0x1051a5249)
    #30 0x21138f41e  (<unknown module>)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit status: 77

<details>

<summary>Output of <code>fuzz fmt</code></summary>

Output of `std::fmt::Debug`:

;; Run test case

test interpret
test run
set opt_level=speed_and_size
set bb_padding_log2_minus_one=6
set enable_alias_analysis=false
set enable_llvm_abi_extensions=true
set unwind_info=false
set machine_code_cfg_info=true
set enable_jump_tables=false
set enable_heap_access_spectre_mitigation=false
set enable_table_access_spectre_mitigation=false
target x86_64 has_sse3 has_ssse3 has_sse41 has_sse42 has_popcnt

function u1:0() system_v {
    sig0 = (f32) -> f32 system_v
    sig1 = (f64) -> f64 system_v
    sig2 = (f32) -> f32 system_v
    sig3 = (f64) -> f64 system_v
    sig4 = (f32) -> f32 system_v
    sig5 = (f64) -> f64 system_v
    fn0 = %CeilF32 sig0
    fn1 = %CeilF64 sig1
    fn2 = %FloorF32 sig2
    fn3 = %FloorF64 sig3
    fn4 = %TruncF32 sig4
    fn5 = %TruncF64 sig5

block0:
    v0 = iconst.i8 -1
    v1 = iconst.i8 0
    v2 = iconst.i8 0
    v3 = iconst.i8 0
    v4 = iconst.i8 0
    v5 = iconst.i8 0
    v6 = iconst.i8 0
    v7 = iconst.i8 0
    v8 = iconst.i8 0
    v9 = iconst.i8 0
    v10 = iconst.i8 0
    v11 = iconst.i8 0
    v12 = iconst.i8 0
    v13 = iconst.i8 0
    v14 = iconst.i8 0
    v15 = iconst.i8 0
    v16 = iconst.i16 0
    v17 = iconst.i32 0
    v18 = iconst.i64 0
    v19 = uextend.i128 v18  ; v18 = 0
    return
}


; Note: the results in the below test cases are simply a placeholder and probably will be wrong

; run: u1:0()

</details>

I can't seem to get the text output to crash the clif-util tool, however, so I suspect that this may be fuzzing-infrastructure-specific.

cc @timjrd and @jameysharp as folks on https://github.com/bytecodealliance/wasmtime/pull/6850 as this seems like a likely regression from that
cc @afonso360 as you may have an idea off the top of your head related to the fuzzing infra

view this post on Zulip Wasmtime GitHub notifications bot (Sep 05 2023 at 19:12):

alexcrichton added the fuzz-bug label to Issue #6965.

view this post on Zulip Wasmtime GitHub notifications bot (Sep 05 2023 at 19:38):

afonso360 commented on issue #6965:

I'm looking into this. The source of the immediate bug is here, but after fixing that I've run into another failure, so I think there might be something wrong in the interpreter as well.

view this post on Zulip Wasmtime GitHub notifications bot (Sep 05 2023 at 20:11):

timjrd commented on issue #6965:

As you pointed out, after applying the following patch the crash disappears with this input. However, on Linux I don't face any other failures (with this input only).

diff --git a/cranelift/fuzzgen/src/function_generator.rs b/cranelift/fuzzgen/src/function_generator.rs
index b2ce4e1ee..4ef643205 100644
--- a/cranelift/fuzzgen/src/function_generator.rs
+++ b/cranelift/fuzzgen/src/function_generator.rs
@@ -1375,9 +1375,9 @@ where
     /// Generates an instruction(`iconst`/`fconst`/etc...) to introduce a constant value
     fn generate_const(&mut self, builder: &mut FunctionBuilder, ty: Type) -> Result<Value> {
         Ok(match self.u.datavalue(ty)? {
-            DataValue::I8(i) => builder.ins().iconst(ty, i as i64),
-            DataValue::I16(i) => builder.ins().iconst(ty, i as i64),
-            DataValue::I32(i) => builder.ins().iconst(ty, i as i64),
+            DataValue::I8(i) => builder.ins().iconst(ty, i as u8 as i64),
+            DataValue::I16(i) => builder.ins().iconst(ty, i as u16 as i64),
+            DataValue::I32(i) => builder.ins().iconst(ty, i as u32 as i64),
             DataValue::I64(i) => builder.ins().iconst(ty, i as i64),
             DataValue::I128(i) => {
                 let hi = builder.ins().iconst(I64, (i >> 64) as i64);
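Review bot: the three `as u8 as i64` / `as u16 as i64` / `as u32 as i64` chains in the `I8`/`I16`/`I32` arms of `generate_const` do a non-obvious job and deserve a one-line comment saying why they are there: the verifier rejects an `iconst` whose immediate has bits set beyond the width of its type, so a negative `DataValue::I8` has to be emitted as its zero-extended bit pattern (`-1i8` becomes `255`), not sign-extended to `i64` as the removed `i as i64` did. Without that note the double cast reads like redundancy that a later cleanup could fold back into the failing form. As a style point, the unchanged `DataValue::I64(i) => builder.ins().iconst(ty, i as i64)` arm is a no-op cast and could be just `i`, which would also make the width-specific arms stand out.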

view this post on Zulip Wasmtime GitHub notifications bot (Sep 05 2023 at 21:18):

afonso360 commented on issue #6965:

Yeah, the failure was when running with different inputs, but I don't think it's related to this. Would you like to open a PR with that change? That looks pretty much like what I expected the fix to look like.
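To make concrete why the fuzzgen-generated `iconst.i8 -1` is rejected and why the `as u8 as i64` change resolves it, here is an added Rust example that is not Cranelift's or fuzzgen's own code. It models the verifier rule as implied by the error message (assumption: an immediate for a type narrower than i64 must have no bits set beyond that type's width; the real verifier code is not shown on this page), a small `DataValue`-like enum, and the before and after conversions from the patch. Type names and the `verify_iconst` / `iconst_imm_before` / `iconst_imm_after` / `imm_to_signed` functions are illustrative, not Cranelift APIs.

```rust
// Added example, not Cranelift/fuzzgen code. Models the `iconst` immediate
// bounds rule behind "constant immediate is out of bounds" and the
// sign-extension vs. zero-extension conversions from the fuzzgen patch.

/// Integer types a model `iconst` can produce. Widths are assumed to match
/// Cranelift's I8/I16/I32/I64.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum IntType {
    I8,
    I16,
    I32,
    I64,
}

impl IntType {
    pub fn bits(self) -> u32 {
        match self {
            IntType::I8 => 8,
            IntType::I16 => 16,
            IntType::I32 => 32,
            IntType::I64 => 64,
        }
    }

    /// Mask of the bits an immediate of this type may occupy once held in an i64.
    fn bounds_mask(self) -> u64 {
        match self {
            IntType::I64 => u64::MAX,
            narrow => (1u64 << narrow.bits()) - 1,
        }
    }
}

/// Stand-in for fuzzgen's `DataValue` (only the integer variants needed here).
#[derive(Clone, Copy, Debug)]
pub enum DataValue {
    I8(i8),
    I16(i16),
    I32(i32),
    I64(i64),
}

/// Model of the verifier rule (assumption, reconstructed from the error text):
/// the i64-encoded immediate of `iconst.<ty>` must have no bits set outside
/// the width of `ty`. Returns the verifier's message on failure.
pub fn verify_iconst(ty: IntType, imm: i64) -> Result<(), &'static str> {
    let bits = imm as u64;
    if bits & ty.bounds_mask() == bits {
        Ok(())
    } else {
        Err("constant immediate is out of bounds")
    }
}

/// The removed (`-`) lines of the patch: `i as i64` sign-extends, so
/// `DataValue::I8(-1)` becomes 0xFFFF_FFFF_FFFF_FFFF and fails the check.
pub fn iconst_imm_before(v: &DataValue) -> (IntType, i64) {
    match *v {
        DataValue::I8(i) => (IntType::I8, i as i64),
        DataValue::I16(i) => (IntType::I16, i as i64),
        DataValue::I32(i) => (IntType::I32, i as i64),
        DataValue::I64(i) => (IntType::I64, i),
    }
}

/// The added (`+`) lines of the patch: go through the unsigned type of the
/// same width first, so the immediate is the zero-extended bit pattern
/// (`-1i8` becomes 0xFF), which is within bounds for i8.
pub fn iconst_imm_after(v: &DataValue) -> (IntType, i64) {
    match *v {
        DataValue::I8(i) => (IntType::I8, i as u8 as i64),
        DataValue::I16(i) => (IntType::I16, i as u16 as i64),
        DataValue::I32(i) => (IntType::I32, i as u32 as i64),
        DataValue::I64(i) => (IntType::I64, i),
    }
}

/// Reinterpret an in-bounds immediate as the signed value the instruction
/// denotes, showing the zero-extended encoding loses no information.
pub fn imm_to_signed(ty: IntType, imm: i64) -> i64 {
    match ty {
        IntType::I8 => imm as u8 as i8 as i64,
        IntType::I16 => imm as u16 as i16 as i64,
        IntType::I32 => imm as u32 as i32 as i64,
        IntType::I64 => imm,
    }
}

fn main() {
    // Constructed inputs: the fuzz case's `-1` for each narrow width, plus i64.
    let inputs = [
        DataValue::I8(-1),
        DataValue::I16(-1),
        DataValue::I32(-1),
        DataValue::I64(-1),
    ];
    for v in &inputs {
        let (ty, before) = iconst_imm_before(v);
        let (_, after) = iconst_imm_after(v);
        println!(
            "{:?}: before {:#x} -> {:?}; after {:#x} -> {:?} (signed {})",
            ty,
            before,
            verify_iconst(ty, before),
            after,
            verify_iconst(ty, after),
            imm_to_signed(ty, after)
        );
    }
}
```

Running it shows the i8, i16 and i32 cases failing under the old conversion and passing under the new one, while i64 passes either way because every bit is within its width; `imm_to_signed` recovers `-1` from each zero-extended immediate, so the fix changes only the encoding the verifier sees, not the constant's value.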

view this post on Zulip Wasmtime GitHub notifications bot (Sep 05 2023 at 21:28):

timjrd commented on issue #6965:

sure :smile:

view this post on Zulip Wasmtime GitHub notifications bot (Sep 05 2023 at 23:24):

afonso360 closed issue #6965.


Last updated: Oct 23 2024 at 20:03 UTC