Closed elliottt closed 1 year ago
Can you share a reproducer for this?
Here's a base64-encoded fuzz input I ran into today (after about a half-million iterations of the ion_checker
fuzz target), separate from the oss-fuzz case that Trevor is responding to:
aVIAeXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5AQAAAAAAAB95eXl5eXl5eXl5eXl5eXl5eXl5
eXn/AHl5eXl5eXl5eXl5/////////////////1v//////3l5AADt//9v/v///wAAAEBR///////3
JYD+//////+KioqKeXl5eXl5eXl5eXl5eXl5AQAAAAAAAAR5eXl5eXl5eXl5eXl5eXl5eXl5eXl5
eXl5eXl5eXl5eXl5eXl5eXl5aXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5
eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eRJ5eXl5KHl5eXl5eXl5eXl5eXl5eXl5
eXl5eXl5eXl5eXl5eQMGrq6urq6uKgam+xMGBgAAAO0CAAA1AACyAAAAeXl5eXl5eXl5eXl5eXl5
eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5
eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA/ID8AAD8AAAD/AD8AAIqKioqKioqKioqKioqKioqKioqKioqKioqKAAD//wBOAAAA
AAAAioqKigAAAAAIAP8AAAAAAAAA/wAAAAAAAAAA
The debug representation of that fuzz input is:
TestCase {
func: {
REF: v0
REF: v1
REF: v2
REF: v3
REF: v4
REF: v5
REF: v6
REF: v7
REF: v8
REF: v9
REF: v10
REF: v11
REF: v12
REF: v13
REF: v14
REF: v15
REF: v16
REF: v17
REF: v18
REF: v19
REF: v20
REF: v21
REF: v22
REF: v23
REF: v24
REF: v25
REF: v26
REF: v27
REF: v28
REF: v29
REF: v30
REF: v31
REF: v32
REF: v33
REF: v34
REF: v35
block0(): # succs:[1] preds:[]
inst0: Op ops:[Def@Early: v0f reg] clobber:[]
inst1: Op ops:[Def: v1f reuse(1), Use: v0f reg] clobber:[]
inst2: Op ops:[Def: v2f reuse(1), Use: v1f reg] clobber:[]
inst3: Op ops:[Def: v3f reuse(1), Use: v1f reg] clobber:[]
inst4: Op ops:[Def@Early: v4f reg, Use: v3f any] clobber:[]
inst5: Branch ops:[] clobber:[]
params: block1(v4)
block1(v5): # succs:[2] preds:[0, 3]
inst6: Op ops:[Def: v6f fixed(p0f), Use: v5f reg, Use: v0f fixed(p0f)] clobber:[]
inst7: Op ops:[Def: v7f any, Fixed: p63f] clobber:[]
inst8: Op ops:[Def: v8f reuse(1), Use: v6f reg] clobber:[]
inst9: Op ops:[Def: v9f reuse(1), Use: v6f reg] clobber:[]
inst10: Branch ops:[] clobber:[]
params: block2(v1)
block2(v10): # succs:[3, 4] preds:[1]
inst11: Op ops:[Def: v11f reuse(1), Use: v10f reg] clobber:[]
inst12: Op ops:[Def: v12f reuse(1), Use: v11f reg] clobber:[]
inst13: Op ops:[Def@Early: v13i reg, Use: v11f reg] clobber:[]
inst14: Op ops:[Def@Early: v14i reg, Use: v11f reg] clobber:[]
inst15: Branch ops:[] clobber:[]
params: block3(v6), block4(v6)
block3(v15): # succs:[1] preds:[2]
inst16: Op ops:[Def: v16f reuse(1), Use: v15f reg] clobber:[]
inst17: Op ops:[Def: v17f reuse(1), Use: v16f reg] clobber:[]
inst18: Op ops:[Def: v18f reuse(1), Use: v16f reg] clobber:[]
inst19: Op ops:[Def: v19f reuse(1), Use: v16f reg] clobber:[]
inst20: Op ops:[Def: v20f reuse(1), Use: v16f reg] clobber:[]
inst21: Op ops:[Def: v21f reuse(1), Use: v16f reg] clobber:[]
inst22: Op ops:[Def: v22f reg] clobber:[]
inst23: Op ops:[Def: v23f any] clobber:[]
inst24: Op ops:[Def: v24f any] clobber:[]
inst25: Op ops:[Def: v25f any] clobber:[]
inst26: Branch ops:[] clobber:[]
params: block1(v15)
block4(v26): # succs:[5] preds:[2]
inst27: Op ops:[Def: v27f any] clobber:[]
inst28: Op ops:[Def: v28f any] clobber:[]
inst29: Op ops:[Def: v29f reuse(1), Use: v26f reg, Use: v26f any, Use: v26f any] clobber:[]
inst30: Op ops:[Def: v30f reg] clobber:[]
inst31: Branch ops:[] clobber:[]
params: block5(v29)
block5(v31): # succs:[] preds:[4]
inst32: Op ops:[Def: v32f any, Use: v3f any, Use: v3f any] clobber:[PReg(hw = 0, class = Int, index = 0)]
inst33: Op ops:[Def: v33f any] clobber:[]
inst34: Op ops:[Def: v34f any, Use: v31f any, Use: v31f any] clobber:[]
inst35: Op ops:[Def: v35f any] clobber:[]
inst36: Ret ops:[] clobber:[]
}
,
}
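A small reader for the dump format in the comment above, added here as an example for this page; it is not regalloc2's own code and uses only the Python standard library. `SAMPLE` is a constructed two-block function written in the same `blockN(...)` / `instN:` / `params:` layout; to run the checks on the real reproducer, save the `block0` through `inst36` lines from the comment above to a file and pass its path as the first argument. The reader rebuilds the CFG from the succs/preds lists, checks that every edge is listed from both ends and that each branch passes as many arguments as the target block has parameters, checks that every vreg is defined exactly once, and lists the fixed-register and reuse operands, which is what a triager reads first in a register-allocator dump.

```python
"""Reader for the ion_checker debug-dump format quoted above.  Added example for
this page, not regalloc2's own code; it needs only the standard library.  SAMPLE
is a constructed two-block function in the same format; pass a file path on the
command line to run the checks on a real dump (e.g. the one in the comment above)."""
import re
import sys

SAMPLE = """\
block0(): # succs:[1] preds:[]
inst0: Op ops:[Def@Early: v0f reg] clobber:[]
inst1: Op ops:[Def: v1f reuse(1), Use: v0f reg] clobber:[]
inst2: Branch ops:[] clobber:[]
params: block1(v1)
block1(v2): # succs:[] preds:[0]
inst3: Op ops:[Def: v3f fixed(p0f), Use: v2f reg, Fixed: p63f] clobber:[PReg(hw = 0, class = Int, index = 0)]
inst4: Ret ops:[] clobber:[]
"""

BLOCK_RE = re.compile(r"^block(\d+)\(([^)]*)\): # succs:\[([^\]]*)\] preds:\[([^\]]*)\]$")
INST_RE = re.compile(r"^inst(\d+): (\w+) ops:\[(.*)\] clobber:\[(.*)\]$")
OP_RE = re.compile(r"^(Def|Use|Fixed)(?:@(\w+))?: ([vp]\d+[a-z])(?: (.+))?$")
TARGET_RE = re.compile(r"block(\d+)\(([^)]*)\)")

def _names(s):
    return [x.strip() for x in s.split(",") if x.strip()]

def parse_dump(text):
    """{block: {params, succs, preds, insts: {n: {op, ops, clobbers}}, branch_args}};
    lines that are not block headers, instructions or params (REF lists, braces) are skipped."""
    blocks, cur = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := BLOCK_RE.match(line):
            cur = {"params": _names(m[2]), "succs": [int(x) for x in _names(m[3])],
                   "preds": [int(x) for x in _names(m[4])], "insts": {}, "branch_args": {}}
            blocks[int(m[1])] = cur
        elif (m := INST_RE.match(line)) and cur is not None:
            ops = []
            for item in _names(m[3]):  # e.g. "Use: v0f fixed(p0f)" or "Fixed: p63f"
                om = OP_RE.match(item)
                if om is None:
                    raise ValueError("unrecognised operand: " + item)
                ops.append((om[1], om[2] or "", om[3], om[4] or ""))  # kind, pos, reg, constraint
            cur["insts"][int(m[1])] = {"op": m[2], "ops": ops,
                                       "clobbers": re.findall(r"PReg\([^)]*\)", m[4])}
        elif line.startswith("params:") and cur is not None:
            for tm in TARGET_RE.finditer(line):  # one "blockN(args)" per branch target
                cur["branch_args"][int(tm[1])] = _names(tm[2])
    return blocks

def cfg_problems(blocks):
    """Edges where succs/preds disagree, or a branch passes the wrong number of args."""
    out = []
    for i, b in blocks.items():
        for s in b["succs"]:
            if s not in blocks or i not in blocks[s]["preds"]:
                out.append(f"block{i} -> block{s}: not in preds of target")
            elif len(b["branch_args"].get(s, [])) != len(blocks[s]["params"]):
                out.append(f"block{i} -> block{s}: branch arg count != param count")
        for p in b["preds"]:
            if p not in blocks or i not in blocks[p]["succs"]:
                out.append(f"block{i} <- block{p}: not in succs of pred")
    return out

def ssa_problems(blocks):
    """Vregs defined more than once, or used (by an inst or a branch) but never defined.
    Operands carry a class suffix (v6f) while params/branch args do not (v6); strip it."""
    defs, uses = {}, set()
    for i, b in blocks.items():
        for p in b["params"]:
            defs.setdefault(p, []).append(f"block{i} param")
        for j, inst in b["insts"].items():
            for kind, _pos, reg, _c in inst["ops"]:
                if kind == "Def":
                    defs.setdefault(reg[:-1], []).append(f"inst{j}")
                elif kind == "Use":
                    uses.add(reg[:-1])
        for args in b["branch_args"].values():
            uses.update(args)
    multi = [f"{v} defined at {', '.join(w)}" for v, w in sorted(defs.items()) if len(w) > 1]
    return multi + [f"{v} used but never defined" for v in sorted(uses - set(defs))]

def constrained_operands(blocks):
    """(inst, kind, reg, constraint) for every fixed-preg or reuse operand."""
    return [(j, kind, reg, c) for b in blocks.values() for j, inst in b["insts"].items()
            for kind, _pos, reg, c in inst["ops"]
            if kind == "Fixed" or c.startswith(("fixed(", "reuse("))]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    blocks = parse_dump(text)
    print("cfg:", cfg_problems(blocks) or "ok")
    print("ssa:", ssa_problems(blocks) or "ok")
    for hit in constrained_operands(blocks):
        print("constrained operand:", hit)
```

The base64 text in the comment is the raw fuzz input, not this dump: decoding it to a file (`base64 -d`) and passing that file to `cargo fuzz run ion_checker` replays the case itself; the reader above only inspects the Debug representation that was posted alongside it.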
Thanks @jameysharp, the one from the fuzzbug was six times larger!
Reverts bytecodealliance/regalloc2#155
Fuzzing discovered a case that caused the panic on line 1241 of src/ion/process.rs to trigger.