Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fuzz: different results for shr_s #4671

Closed
abrown opened this issue Aug 10, 2022 · 1 comment · Fixed by #4672
Closed

fuzz: different results for shr_s #4671

abrown opened this issue Aug 10, 2022 · 1 comment · Fixed by #4672
Labels
bug Incorrect behavior in the current implementation that needs fixing

Comments

@abrown
Copy link
Contributor

abrown commented Aug 10, 2022

Test Case

(module
  (type (;0;) (func (param i32 i32) (result i32)))
  (func (;0;) (type 0) (param i32 i32) (result i32)
    local.get 0
    local.get 1
    i32.shr_s
  )
  (export "test" (func 0))
)

Also see attached files (annoyingly renamed with .txt appended due to GitHub upload restrictions):

Steps to Reproduce

On the abrown:meta-diff branch:

$ RUST_LOG=wasmtime_fuzzing=debug cargo +nightly fuzz run differential-new fuzz/artifacts/differential-new/crash-3be2c01861adcd71b08427e6ad1251de6fb3159b

Expected Results

Execution to match for both the Wasmtime and wasm-spec-interpreter run.

Actual Results

The results of the shift do not match:

[2022-08-10T12:14:39Z DEBUG wasmtime_fuzzing::oracles] Evaluating: test([I32(1795123818), I32(-2147483648)])
[2022-08-10T12:14:39Z DEBUG wasmtime_fuzzing::oracles]  -> results on spec: [I32(-2097152)]
[2022-08-10T12:14:39Z DEBUG wasmtime_fuzzing::oracles]  -> results on wasmtime: [I32(1795123818)]

Versions and Environment

Wasmtime version or commit: abrown:meta-diff branch

Operating system: Fedora 35

Architecture: x86-64

Other

I am reporting this to clean up any fuzz bugs found before trying to merge #4515. In talking to @alexcrichton, the first reaction seemed to be that this is a bug in the spec interpreter OCaml bindings (after all, Wasmtime passes all spec tests for this kind of simple operation as does the spec interpreter, I assume). @conrad-watt, any thoughts on this?
@abrown abrown added the bug Incorrect behavior in the current implementation that needs fixing label Aug 10, 2022
@abrown abrown changed the title fuzz: fuzz: different results for shr_s Aug 10, 2022
@conrad-watt
Copy link
Contributor

conrad-watt commented Aug 10, 2022
edited
Loading

This is the result that would be obtained if the arguments were provided in reverse order. I think the solution is to change the following line of interpret.ml:

line 58:
let opt_params_ = Option.map (List.map convert_to_wasm) opt_params in

to

line 58:
let opt_params_ = Option.map (List.rev_map convert_to_wasm) opt_params in

This matches the existing use of List.rev_map in processing the execution result (line 64). The Some path was never exercised before, so sorry for missing this!

EDIT: it looks like this path was exercised in the unit tests, but hilariously none of the current unit tests care about order of arguments!

abrown added a commit to abrown/wasmtime that referenced this issue Aug 10, 2022
@abrown
[fuzz] Fix order of operands passed in to wasm-spec-interpreter
e7ad7d1 
In bytecodealliance#4671, the meta-differential fuzz target was finding errors when
running certain Wasm modules (specifically `shr_s` in that case).
@conrad-watt diagnosed the issue as a missing reversal in the operands
passed to the spec interpreter. This change fixes bytecodealliance#4671 and adds an
additional unit test to keep it fixed.
@abrown abrown mentioned this issue Aug 10, 2022
Merged
abrown added a commit to abrown/wasmtime that referenced this issue Aug 10, 2022
@abrown
[fuzz] Fix order of operands passed in to wasm-spec-interpreter
be78c8b 
In bytecodealliance#4671, the meta-differential fuzz target was finding errors when
running certain Wasm modules (specifically `shr_s` in that case).
@conrad-watt diagnosed the issue as a missing reversal in the operands
passed to the spec interpreter. This change fixes bytecodealliance#4671 and adds an
additional unit test to keep it fixed.
abrown added a commit to abrown/wasmtime that referenced this issue Aug 10, 2022
@abrown
[fuzz] Fix order of operands passed in to wasm-spec-interpreter
142eaae 
In bytecodealliance#4671, the meta-differential fuzz target was finding errors when
running certain Wasm modules (specifically `shr_s` in that case).
@conrad-watt diagnosed the issue as a missing reversal in the operands
passed to the spec interpreter. This change fixes bytecodealliance#4671 and adds an
additional unit test to keep it fixed.
alexcrichton pushed a commit that referenced this issue Aug 10, 2022
@abrown
[fuzz] Fix order of operands passed in to wasm-spec-interpreter (#4672
7fa89c4 
)

In #4671, the meta-differential fuzz target was finding errors when
running certain Wasm modules (specifically `shr_s` in that case).
@conrad-watt diagnosed the issue as a missing reversal in the operands
passed to the spec interpreter. This change fixes #4671 and adds an
additional unit test to keep it fixed.
@abrown abrown mentioned this issue Aug 10, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Incorrect behavior in the current implementation that needs fixing
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[fuzz] Fix order of arguments passed in to wasm-spec-interpreter abrown/wasmtime
2 participants
@abrown @conrad-watt