-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cranelift CLIF Fuzzer generate blocks and branches #3094
Conversation
This currently quickly crashes in the verify fuzzer with a out of memory error. This crash is reproducible with:
Here's what the
This input doesn't look unreasonable to me. None of the blocks have a I just noticed now that 2 of the Here is the output of
|
Subscribe to Label Actioncc @fitzgen
This issue or pull request has been labeled: "cranelift", "cranelift:area:aarch64", "fuzzing"
Thus the following users have been cc'd because of the following labels:
To subscribe or unsubscribe from this label, edit the |
c833bc2
to
73ef713
Compare
Nope, a function that does not terminate (loops infinitely) is legal CLIF, though of course that should hit the timeout mechanism you've added to the interpreter.
This looks like uncontrolled |
73ef713
to
37096f5
Compare
Hey, Had a busy week and couldn't really look at this until today. I think this is what is going on, but I tried to build a minimized test demonstrating this behaviour and couldn't reproduce it. It looks like there are 2 blocks that are important here The infinite loop happens after calling
This then repeats forever increasing the I've pushed the log calls into a separate commit. Edit: Had some further progress here. We are indeed looking for variable 3 in Looking at the code, So, should we stop the lookup in This also brings up another issue, which is: If I understand the paper correctly, they deal with this in Algorithm 3 by DCE'ing these blocks? |
Ah -- yes, we need to handle the self-predecessor case specially here, I think. This likely never came up before because the Wasm translator will not generate code of that form.
Yes, it looks like they replace any phi whose only input is itself with Unreachable code can create all sorts of interesting edge cases in analyses. As one design point, in the regalloc2 fuzzer I took care to only generate reachable blocks in CFGs by construction, and require that for all input code; but I don't think it makes as much sense to create such a mandate in a general-purpose compiler, as it imposes too much on the IR producer. The upshot is that fuzzing like this will certainly expose our unreachable-code-related bugs, so thank you :-) |
This issue was found by the CLIF fuzzer in bytecodealliance#3094.
This issue was found by the CLIF fuzzer in bytecodealliance#3094.
This issue was found by the CLIF fuzzer in bytecodealliance#3094.
Perform a search over block predecessors trying to find loops of unreachable predecessors. We do this by iterating on predecessors and marking them as visited, stopping if we find a previously visited block or if we find a block with multiple predecessors. This issue was found by the CLIF fuzzer in bytecodealliance#3094.
37096f5
to
f0f2efb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks great! Thanks for the work in tracking down the SSA-builder issues to enable this, too. I'm interested to see what sorts of new fuzzbugs this might find...
Hey,
Continuing the implementation of the CLIF Fuzzer (tracked in #3050), this PR implements block generation and generating basic branch instructions (jump, brnz, brz, br_icmp).
In this implementation we generate all blocks and signatures up front, and then while generating instructions pick random target blocks to jump to.
This PR is based on top of #3062 which should be merged soon, but I think we can get some issues sorted out while waiting for that to be merged.