Closed
Labels: fuzz-bug (Bugs found by a fuzzer)
Given this fuzz input: clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072.gz on current main (9377dfd)
I can reproduce a crash locally with:
$ cargo +nightly fuzz run --target x86_64-apple-darwin --dev --no-default-features cranelift-fuzzgen ~/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072
Finished dev [unoptimized + debuginfo] target(s) in 0.30s
Finished dev [unoptimized + debuginfo] target(s) in 0.10s
Running `target/x86_64-apple-darwin/debug/cranelift-fuzzgen -artifact_prefix=/Users/alex/code/wasmtime/fuzz/artifacts/cranelift-fuzzgen/ /Users/alex/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072`
cranelift-fuzzgen(19284,0x211431280) malloc: nano zone abandoned due to inability to reserve vm space.
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1537930642
INFO: Loaded 1 modules (2164864 inline 8-bit counters): 2164864 [0x10b96b000, 0x10bb7b880),
INFO: Loaded 1 PC tables (2164864 PCs): 2164864 [0x10bb7b880,0x10dc84080),
target/x86_64-apple-darwin/debug/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: /Users/alex/Downloads/clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072
thread '<unnamed>' panicked at fuzz/fuzz_targets/cranelift-fuzzgen.rs:401:14:
called `Result::unwrap()` on an `Err` value: Compilation error: Verifier errors
Caused by:
0: Verifier errors
1: - inst0 (v0 = iconst.i8 -1): constant immediate is out of bounds
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==19284== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
────────────────────────────────────────────────────────────────────────────────
Error: Fuzz target exited with exit status: 77
Output of fuzz fmt
Output of `std::fmt::Debug`:
;; Run test case
test interpret
test run
set opt_level=speed_and_size
set bb_padding_log2_minus_one=6
set enable_alias_analysis=false
set enable_llvm_abi_extensions=true
set unwind_info=false
set machine_code_cfg_info=true
set enable_jump_tables=false
set enable_heap_access_spectre_mitigation=false
set enable_table_access_spectre_mitigation=false
target x86_64 has_sse3 has_ssse3 has_sse41 has_sse42 has_popcnt
function u1:0() system_v {
sig0 = (f32) -> f32 system_v
sig1 = (f64) -> f64 system_v
sig2 = (f32) -> f32 system_v
sig3 = (f64) -> f64 system_v
sig4 = (f32) -> f32 system_v
sig5 = (f64) -> f64 system_v
fn0 = %CeilF32 sig0
fn1 = %CeilF64 sig1
fn2 = %FloorF32 sig2
fn3 = %FloorF64 sig3
fn4 = %TruncF32 sig4
fn5 = %TruncF64 sig5
block0:
v0 = iconst.i8 -1
v1 = iconst.i8 0
v2 = iconst.i8 0
v3 = iconst.i8 0
v4 = iconst.i8 0
v5 = iconst.i8 0
v6 = iconst.i8 0
v7 = iconst.i8 0
v8 = iconst.i8 0
v9 = iconst.i8 0
v10 = iconst.i8 0
v11 = iconst.i8 0
v12 = iconst.i8 0
v13 = iconst.i8 0
v14 = iconst.i8 0
v15 = iconst.i8 0
v16 = iconst.i16 0
v17 = iconst.i32 0
v18 = iconst.i64 0
v19 = uextend.i128 v18 ; v18 = 0
return
}
; Note: the results in the below test cases are simply a placeholder and probably will be wrong
; run: u1:0()
I can't seem to get the text output to crash the clif-util tool, however, so I suspect that this may be fuzzing-infrastructure-specific.
cc @timjrd and @jameysharp as folks on #6850 as this seems like a likely regression from that
cc @afonso360 as you may have an idea off the top of your head related to the fuzzing infra
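Added example, not code from the Wasmtime repository: a small model of the bounds check behind the verifier message "constant immediate is out of bounds", and the normalisation a generator has to apply before emitting an `iconst` of a narrow type. The exact rule is an assumption here (the immediate's i64 payload must fit in the type's bit width when viewed as unsigned); the `IntType` enum and function names are invented for the example.

```rust
// Model of the verifier check and of generator-side normalisation (assumed
// rule: bits above the type width must be zero). Not Cranelift's own code.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum IntType { I8, I16, I32, I64 }

impl IntType {
    pub fn bits(self) -> u32 {
        match self { IntType::I8 => 8, IntType::I16 => 16, IntType::I32 => 32, IntType::I64 => 64 }
    }
    pub fn name(self) -> &'static str {
        match self { IntType::I8 => "i8", IntType::I16 => "i16", IntType::I32 => "i32", IntType::I64 => "i64" }
    }
    /// Mask selecting the low `bits()` bits of the i64 payload.
    fn mask(self) -> u64 {
        match self.bits() { 64 => u64::MAX, b => (1u64 << b) - 1 }
    }
}

/// Modelled verifier check: every bit above the type width must be zero.
/// `iconst.i8 -1` fails because -1 as i64 has all 64 bits set.
pub fn iconst_in_bounds(ty: IntType, imm: i64) -> bool {
    ((imm as u64) & !ty.mask()) == 0
}

/// What a generator should do with an arbitrary i64 before using it as an
/// `iconst.<ty>` immediate: keep only the low bits of the type. For i8,
/// -1 becomes 255, which passes the check and still means all-ones at 8 bits.
pub fn normalize_imm(ty: IntType, imm: i64) -> i64 {
    ((imm as u64) & ty.mask()) as i64
}

/// Scan a block of (type, immediate) pairs and report the first offender in
/// the same shape as the report's `inst0 (v0 = iconst.i8 -1)` message.
pub fn first_out_of_bounds(insts: &[(IntType, i64)]) -> Option<(usize, String)> {
    insts.iter().enumerate().find_map(|(i, &(ty, imm))| {
        if iconst_in_bounds(ty, imm) {
            None
        } else {
            Some((i, format!("inst{} (v{} = iconst.{} {})", i, i, ty.name(), imm)))
        }
    })
}

fn main() {
    // Constructed input mirroring the reported test case: v0 = iconst.i8 -1, then zeros.
    let block = [(IntType::I8, -1), (IntType::I8, 0), (IntType::I16, 0), (IntType::I64, 0)];
    match first_out_of_bounds(&block) {
        Some((_, msg)) => println!("verifier error: {msg}: constant immediate is out of bounds"),
        None => println!("ok"),
    }
}
```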