Cranelift verifier fuzz-bug: constant immediate is out of bounds #6965
Comments
I'm looking into this, the source of the immediate bug is here but after fixing that I've run into another failure, so I think there might be something wrong in the interpreter as well.
As you pointed out, after applying the following patch the crash disappears with this input. However, on Linux I don't face any other failures (with this input only).

diff --git a/cranelift/fuzzgen/src/function_generator.rs b/cranelift/fuzzgen/src/function_generator.rs
index b2ce4e1ee..4ef643205 100644
--- a/cranelift/fuzzgen/src/function_generator.rs
+++ b/cranelift/fuzzgen/src/function_generator.rs
@@ -1375,9 +1375,9 @@ where
/// Generates an instruction(`iconst`/`fconst`/etc...) to introduce a constant value
fn generate_const(&mut self, builder: &mut FunctionBuilder, ty: Type) -> Result<Value> {
Ok(match self.u.datavalue(ty)? {
- DataValue::I8(i) => builder.ins().iconst(ty, i as i64),
- DataValue::I16(i) => builder.ins().iconst(ty, i as i64),
- DataValue::I32(i) => builder.ins().iconst(ty, i as i64),
+ DataValue::I8(i) => builder.ins().iconst(ty, i as u8 as i64),
+ DataValue::I16(i) => builder.ins().iconst(ty, i as u16 as i64),
+ DataValue::I32(i) => builder.ins().iconst(ty, i as u32 as i64),
DataValue::I64(i) => builder.ins().iconst(ty, i as i64),
DataValue::I128(i) => {
let hi = builder.ins().iconst(I64, (i >> 64) as i64);
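Review bot: The three changed arms in generate_const fix the out-of-bounds immediate by routing narrow constants through the matching unsigned type (`i as u8 as i64`, `i as u16 as i64`, `i as u32 as i64`) so a negative I8/I16/I32 value is zero-extended into the range the verifier accepts for `iconst` of that type, rather than sign-extended into a 64-bit value it rejects; since `i as i64` is the form a reader would naturally expect, a short comment on those lines stating why the double cast is required would keep a later cleanup from collapsing it back to the broken form. It would also be worth adding the minimized fuzz input from the issue as a regression case alongside this change so the verifier error reported in #6965 stays covered.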
Yeah, the failure was when running with different inputs, but I don't think it's related to this. Would you like to open a PR with that change? That looks pretty much like what I expected the fix to look like.
sure 🙂
Resolves bytecodealliance#6965 Linked to bytecodealliance#3059 bytecodealliance#6850 bytecodealliance#6958 Co-authored-by: Afonso Bordado <[email protected]>
Given this fuzz input: clusterfuzz-testcase-minimized-cranelift-fuzzgen-6560475218051072.gz on current main (9377dfd) I can reproduce a crash locally with:

Output of fuzz fmt:

I can't seem to get the text output to crash the clif-util tool, however, so I suspect that this may be fuzzing-infrastructure-specific.

cc @timjrd and @jameysharp as folks on #6850 as this seems like a likely regression from that
cc @afonso360 as you may have an idea off the top of your head related to the fuzzing infra