cranelift_codegen: panic with shift left with overflow

[Robbepop]

• Version: Wasmtime v31.0.0
• Architecture: aarch64
• OS: MacOS

While differentially fuzzing Wasmi and Wasmtime I encountered this Cranelift panic:

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 2 EraseBytes-EraseBytes- DE: "asmtime.info"-; base unit: 0000000000000000000000000000000000000000
artifact_prefix='/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/'; Test unit written to /Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-de00244b92a84f05f080a7fdff69dee621206cd4
*********************************
CRASH_MIN: minimizing crash input: '/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-de00244b92a84f05f080a7fdff69dee621206cd4' (466 bytes)
CRASH_MIN: executing: target/aarch64-apple-darwin/release/differential -artifact_prefix=/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/ -runs=255 /Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-de00244b92a84f05f080a7fdff69dee621206cd4 2>&1
CRASH_MIN: '/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-de00244b92a84f05f080a7fdff69dee621206cd4' (466 bytes) caused a crash. Will try to minimize it further
CRASH_MIN: executing: target/aarch64-apple-darwin/release/differential -artifact_prefix=/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/ -runs=255 /Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-de00244b92a84f05f080a7fdff69dee621206cd4 -minimize_crash_internal_step=1 -exact_artifact_path=/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-6bc04e97d6ade6982223726c65803bbebce42325 2>&1
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3290884671
INFO: Loaded 1 modules   (1917030 inline 8-bit counters): 1917030 [0x10c22c620, 0x10c400686), 
INFO: Loaded 1 PC tables (1917030 PCs): 1917030 [0x10c400688,0x10e140ce8), 
INFO: Starting MinimizeCrashInputInternalStep: 466
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 466 bytes

thread '<unnamed>' panicked at /Users/me/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/cranelift-codegen-0.118.0/src/isa/aarch64/lower/isle.rs:76:5:
attempt to shift left with overflow
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==7505== ERROR: libFuzzer: deadly signal
    #0 0x000111449cc0 in __sanitizer_print_stack_trace+0x28 (librustc-nightly_rt.asan.dylib:arm64+0x5dcc0)
    #1 0x00010ac19c6c in fuzzer::PrintStackTrace()+0x30 (differential:arm64+0x106041c6c)
    #2 0x00010ac0ced0 in fuzzer::Fuzzer::CrashCallback()+0x54 (differential:arm64+0x106034ed0)
    #3 0x00019959ede0 in _sigtramp+0x34 (libsystem_platform.dylib:arm64+0x3de0)
    #4 0x000199567f6c in pthread_kill+0x11c (libsystem_pthread.dylib:arm64+0x6f6c)
    #5 0x000199474904 in abort+0x7c (libsystem_c.dylib:arm64+0x79904)
    #6 0x00010ae2aff4 in std::sys::pal::unix::abort_internal::h3a58f5c5277e2a33+0x8 (differential:arm64+0x106252ff4)
    #7 0x00010ae2a0e8 in std::process::abort::hd17a0e4c17c95c53+0x8 (differential:arm64+0x1062520e8)
    #8 0x00010ae28248 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::haf75e4bfd0726774+0xb8 (differential:arm64+0x106250248)
    #9 0x00010aca6f10 in std::panicking::rust_panic_with_hook::h5c8e54d4834ba2ab+0x258 (differential:arm64+0x1060cef10)
    #10 0x00010aca6ad8 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h572ee2d46423c444+0x64 (differential:arm64+0x1060cead8)
    #11 0x00010aca463c in std::sys::backtrace::__rust_end_short_backtrace::h22ba52595261f65a+0x8 (differential:arm64+0x1060cc63c)
    #12 0x00010aca67a8 in _RNvCsexUFXDsTyjl_7___rustc17rust_begin_unwind+0x1c (differential:arm64+0x1060ce7a8)
    #13 0x00010ae2c0ec in core::panicking::panic_fmt::h40a35e81076930e8+0x1c (differential:arm64+0x1062540ec)
    #14 0x00010ae2ca90 in core::panicking::panic_const::panic_const_shl_overflow::hc0bf5177532c5135+0x30 (differential:arm64+0x106254a90)
    #15 0x0001075c44e4 in cranelift_codegen::isa::aarch64::lower::isle::generated_code::constructor_amode_no_more_iconst::h5cb6604fa9f3f57f+0x245c (differential:arm64+0x1029ec4e4)
    #16 0x0001075bf37c in cranelift_codegen::isa::aarch64::lower::isle::generated_code::constructor_amode::h54b0698bb9889b3b+0x470 (differential:arm64+0x1029e737c)
    #17 0x0001075eca94 in cranelift_codegen::isa::aarch64::lower::isle::generated_code::constructor_lower::hc04acc7b0efa0e52+0xbb78 (differential:arm64+0x102a14a94)
    #18 0x0001070689d8 in cranelift_codegen::machinst::lower::Lower$LT$I$GT$::lower_clif_block::h1c3c8ae4219a90b2+0x1844 (differential:arm64+0x1024909d8)
    #19 0x00010708ef90 in cranelift_codegen::machinst::lower::Lower$LT$I$GT$::lower::hee14631b664556c5+0x1730 (differential:arm64+0x1024b6f90)
    #20 0x000107111c18 in cranelift_codegen::machinst::compile::compile::h5d77ec5ff2a3f978+0x8d0 (differential:arm64+0x102539c18)
    #21 0x00010737d088 in cranelift_codegen::isa::aarch64::AArch64Backend::compile_vcode::h036392921792ad88+0x368 (differential:arm64+0x1027a5088)
    #22 0x00010737d928 in _$LT$cranelift_codegen..isa..aarch64..AArch64Backend$u20$as$u20$cranelift_codegen..isa..TargetIsa$GT$::compile_function::hcb31f50ca7c8e58d+0x224 (differential:arm64+0x1027a5928)
    #23 0x00010748de1c in cranelift_codegen::context::Context::compile_stencil::h6cdb966f98fc48b1+0x508 (differential:arm64+0x1028b5e1c)
    #24 0x00010748f80c in cranelift_codegen::context::Context::compile::ha270ad8ed2236830+0x1ac (differential:arm64+0x1028b780c)
    #25 0x00010640e8e0 in wasmtime_cranelift::compiler::FunctionCompiler::finish_with_info::h7f3812d7ae02e919+0x358 (differential:arm64+0x1018368e0)
    #26 0x0001063fbd20 in _$LT$wasmtime_cranelift..compiler..Compiler$u20$as$u20$wasmtime_environ..compile..Compiler$GT$::compile_function::hacb979ee7f120409+0x1290 (differential:arm64+0x101823d20)
    #27 0x000105e4f488 in wasmtime::compile::CompileInputs::collect_inputs_in_translations::_$u7b$$u7b$closure$u7d$$u7d$::h3e041c0c5b0da3ac+0x338 (differential:arm64+0x101277488)
    #28 0x000105ad50d0 in alloc::vec::Vec$LT$T$C$A$GT$::extend_desugared::h6f6bf23f80b42a1c+0x314 (differential:arm64+0x100efd0d0)
    #29 0x0001057a945c in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..spec_from_iter_nested..SpecFromIterNested$LT$T$C$I$GT$$GT$::from_iter::h0fc751aab0a16a74+0x5e0 (differential:arm64+0x100bd145c)
    #30 0x0001059de0f4 in core::iter::adapters::try_process::h5c9bb7d6d0610cc6+0x1a0 (differential:arm64+0x100e060f4)
    #31 0x000105e51a94 in wasmtime::compile::CompileInputs::compile::h5981ac84720f3726+0x264 (differential:arm64+0x101279a94)
    #32 0x000105e4a6f4 in wasmtime::compile::build_artifacts::hf8e5ceda73da360e+0x714 (differential:arm64+0x1012726f4)
    #33 0x000105e45ac0 in wasmtime::compile::runtime::_$LT$impl$u20$wasmtime..compile..code_builder..CodeBuilder$GT$::compile_cached::h578e279adc41f2b7+0x404 (differential:arm64+0x10126dac0)
    #34 0x000105e468d0 in wasmtime::compile::runtime::_$LT$impl$u20$wasmtime..compile..code_builder..CodeBuilder$GT$::compile_module::hbe0e9aa8ea7cad5b+0x26c (differential:arm64+0x10126e8d0)
    #35 0x000104f186b0 in _$LT$wasmi_fuzz..oracle..wasmtime..WasmtimeOracle$u20$as$u20$wasmi_fuzz..oracle..DifferentialOracleMeta$GT$::setup::h2303ebd0f8be8e1d+0x314 (differential:arm64+0x1003406b0)
    #36 0x000104f1cc30 in wasmi_fuzz::oracle::ChosenOracle::setup::h7f5022588851a5a1+0x1cc (differential:arm64+0x100344c30)
    #37 0x000104c0bb8c in differential::FuzzState::setup::h408b52229af257db differential.rs:78
    #38 0x000104c117a8 in differential::_::__libfuzzer_sys_run::he9d1ec5f3c48db42 differential.rs:59
    #39 0x000104c10fc0 in rust_fuzzer_test_input lib.rs:359
    #40 0x00010ac0889c in std::panicking::try::do_call::ha19fc646eab30df2+0xc4 (differential:arm64+0x10603089c)
    #41 0x00010ac0c130 in __rust_try+0x18 (differential:arm64+0x106034130)
    #42 0x00010ac0b490 in LLVMFuzzerTestOneInput+0x16c (differential:arm64+0x106033490)
    #43 0x00010ac0e7c8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)+0x150 (differential:arm64+0x1060367c8)
    #44 0x00010ac108d4 in fuzzer::Fuzzer::MinimizeCrashLoop(std::__1::vector<unsigned char, std::__1::allocator<unsigned char>> const&)+0x128 (differential:arm64+0x1060388d4)
    #45 0x00010ac2dacc in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*)+0xd8 (differential:arm64+0x106055acc)
    #46 0x00010ac30d70 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x1adc (differential:arm64+0x106058d70)
    #47 0x00010ac3e87c in main+0x24 (differential:arm64+0x10606687c)
    #48 0x0001991e8270  (<unknown module>)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 1 EraseBytes-; base unit: 0000000000000000000000000000000000000000
artifact_prefix='/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/'; Test unit written to /Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-6bc04e97d6ade6982223726c65803bbebce42325
*********************************
CRASH_MIN: minimizing crash input: '/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-6bc04e97d6ade6982223726c65803bbebce42325' (450 bytes)
CRASH_MIN: executing: target/aarch64-apple-darwin/release/differential -artifact_prefix=/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/ -runs=255 /Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-6bc04e97d6ade6982223726c65803bbebce42325 2>&1
CRASH_MIN: '/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-6bc04e97d6ade6982223726c65803bbebce42325' (450 bytes) caused a crash. Will try to minimize it further
CRASH_MIN: executing: target/aarch64-apple-darwin/release/differential -artifact_prefix=/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/ -runs=255 /Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-6bc04e97d6ade6982223726c65803bbebce42325 -minimize_crash_internal_step=1 -exact_artifact_path=/Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-38816497dbbb381f79c00add4f61eddd43743b9e 2>&1
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3291247842
INFO: Loaded 1 modules   (1917030 inline 8-bit counters): 1917030 [0x1097b8620, 0x10998c686), 
INFO: Loaded 1 PC tables (1917030 PCs): 1917030 [0x10998c688,0x10b6ccce8), 
INFO: Starting MinimizeCrashInputInternalStep: 450
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 450 bytes
#256    pulse  exec/s: 128 rss: 516Mb
INFO: Done MinimizeCrashInputInternalStep, no crashes found
CRASH_MIN: failed to minimize beyond /Users/me/Documents/GitHub/wasmi/fuzz/artifacts/differential/minimized-from-6bc04e97d6ade6982223726c65803bbebce42325 (450 bytes), exiting

Fuzzer config:

config: Config {
    available_imports: None,
    exports: None,
    allow_start_export: true,
    allowed_instructions: InstructionKinds(
        FlagSet(NumericInt | Numeric | VectorInt | Vector | Reference | Parametric | Variable | Table | MemoryInt | Memory | Control | Aggregate),
    ),
    allow_floats: true,
    bulk_memory_enabled: true,
    canonicalize_nans: true,
    disallow_traps: false,
    exceptions_enabled: false,
    export_everything: true,
    gc_enabled: false,
    custom_page_sizes_enabled: true,
    generate_custom_sections: false,
    max_aliases: 1000,
    max_components: 10,
    max_data_segments: 765,
    max_element_segments: 296,
    max_elements: 313,
    max_exports: 158,
    max_funcs: 579,
    max_globals: 775,
    max_imports: 604,
    max_instances: 10,
    max_instructions: 859,
    max_memories: 53,
    max_memory32_bytes: 4294967190,
    max_memory64_bytes: 18446742970693987329,
    max_modules: 10,
    max_nesting_depth: 10,
    max_table_elements: 108670,
    max_tables: 1,
    max_tags: 0,
    max_type_size: 1000,
    max_types: 203,
    max_values: 10,
    memory64_enabled: true,
    memory_max_size_required: false,
    memory_offset_choices: MemoryOffsetChoices(
        90,
        9,
        1,
    ),
    min_data_segments: 0,
    min_element_segments: 0,
    min_elements: 0,
    min_exports: 0,
    min_funcs: 0,
    min_globals: 0,
    min_imports: 0,
    min_memories: 0,
    min_tables: 0,
    min_tags: 0,
    min_types: 0,
    min_uleb_size: 5,
    multi_value_enabled: true,
    reference_types_enabled: false,
    relaxed_simd_enabled: false,
    saturating_float_to_int_enabled: true,
    sign_extension_ops_enabled: true,
    shared_everything_threads_enabled: false,
    simd_enabled: true,
    tail_call_enabled: true,
    table_max_size_required: false,
    threads_enabled: false,
    allow_invalid_funcs: false,
    wide_arithmetic_enabled: true,
    extended_const_enabled: true,
}

Wasm:

This is already what cargo fuzz minified. Not really mini ...

(module
    (type (;0;) (func (result i32 i32 f32 i32 i32 f32)))
    (type (;1;) (func (result f32 i32 i32 f32 i32 f32 i32 v128)))
    (type (;2;) (func))
    (type (;3;) (func (result i32 i32 i32 f32 i32 f32 i32 i32 i32 f32 i32)))
    (type (;4;) (func (result f32 i32 i32)))
    (type (;5;) (func (result i32 i32 f32 i32 i32)))
    (type (;6;) (func (result i32 i32 v128)))
    (type (;7;) (func (result i32 f32 i32)))
    (type (;8;) (func (result i32 f64 f64)))
    (type (;9;) (func (result i32 f32)))
    (type (;10;) (func (result i32 i32 f32 f32 f32)))
    (type (;11;) (func (param f32 f32 f64)))
    (memory (;0;) i64 0 14901616385566)
    (global (;0;) (mut i32) i32.const 0)
    (global (;1;) (mut i32) i32.const 1000)
    (export "\u{1e}\u{1e}\u{1e}\u{1e}\u{1e}\u{1e}\u{1e}\u{1e}\u{1e}" (func 0))
    (export "" (func 1))
    (export "2" (func 2))
    (export "3" (func 3))
    (export "4" (func 4))
    (export "5" (func 5))
    (export "6" (func 6))
    (export "7" (func 7))
    (export "8" (func 8))
    (export "9" (func 9))
    (export "10" (func 10))
    (export "11" (func 11))
    (export "12" (func 12))
    (export "13" (func 13))
    (export "14" (func 14))
    (export "15" (func 15))
    (export "16" (func 16))
    (export "17" (func 17))
    (export "18" (func 18))
    (export "19" (memory 0))
    (elem (;0;) declare func)
    (func (;0;) (type 8) (result i32 f64 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    f32.const 0x1.3c3cbcp-67 (;=0.00000000000000000000837073;)
    f32.const 0x1.fffe3cp-66 (;=0.000000000000000000027104689;)
    f32.const 0x1.3c3c3cp-67 (;=0.0000000000000000000083706784;)
    f32.lt
    nop
    i32.clz
    f32.reinterpret_i32
    i32.reinterpret_f32
    global.get 0
    i32.xor
    global.set 0
    i32.reinterpret_f32
    global.get 0
    i32.xor
    global.set 0
    i32.const 1345126445
    f64.const 0x1.p-1068 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000316;)
    f64.const 0x1.02d00db5d202fp-266 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000008526421283209315;)
    )
    (func (;1;) (type 11) (param f32 f32 f64)
    (local f32 f32 f32)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    call 16
    local.get 0
    memory.size
    f32.load align=1
    memory.size
    f32.load align=1
    memory.size
    f32.load align=1
    f32.neg
    local.get 1
    f32.trunc
    local.tee 3
    f32.const nan (;=NaN;)
    local.get 3
    local.get 3
    f32.eq
    select
    f32.eq
    i32.clz
    i32.clz
    select
    memory.size
    i64.const 255
    i64.shl
    i64.const 2139095039
    i32.load8_u
    nop
    f32.convert_i32_s
    f32.store align=1
    br 0
    return
    return
    return
    return
    return
    br 0
    f32.trunc
    local.tee 4
    f32.const nan (;=NaN;)
    local.get 4
    local.get 4
    f32.eq
    select
    f32.trunc
    local.tee 5
    f32.const nan (;=NaN;)
    local.get 5
    local.get 5
    f32.eq
    select
    unreachable
    unreachable
    )
    (func (;2;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;3;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;4;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;5;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;6;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;7;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;8;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;9;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;10;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;11;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;12;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;13;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;14;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;15;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
    (func (;16;) (type 5) (result i32 i32 f32 i32 i32)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    unreachable
    )
    (func (;17;) (type 4) (result f32 i32 i32)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    unreachable
    )
    (func (;18;) (type 11) (param f32 f32 f64)
    global.get 1
    i32.eqz
    if ;; label = @1
        unreachable
    end
    global.get 1
    i32.const 1
    i32.sub
    global.set 1
    )
)

[alexcrichton]

For @fitzgen when you look into this, the panic here looks similar to #10382 which hasn't made it into any releases yet so this may already be fixed on main (unsure, I have not tested myself)

[fitzgen]

Can't reproduce this anymore, I think this was a dupe of #10382

Thanks for reporting, @Robbepop!