Skip to content

Fix ExpressionRunner issues found by the fuzzer#2790

Merged
kripken merged 7 commits into
WebAssembly:masterfrom
dcodeIO:fix-expressionrunner
Apr 23, 2020
Merged

Fix ExpressionRunner issues found by the fuzzer#2790
kripken merged 7 commits into
WebAssembly:masterfrom
dcodeIO:fix-expressionrunner

Conversation

@dcodeIO

@dcodeIO dcodeIO commented Apr 22, 2020

Copy link
Copy Markdown
Contributor

Fixes #2788 found by the fuzzer, introduced in #2702, which turned out to be incorrect usage of std::move, by removing any std::moves introduced in that PR to be better safe than sorry. Also fixes problems with WASM_INTERPRETER_DEBUG spotted during debugging.

Comment thread src/passes/Precompute.cpp
Comment thread src/wasm-interpreter.h
Comment thread src/wasm-interpreter.h
Comment thread src/passes/Precompute.cpp
Comment thread src/wasm-interpreter.h
Comment thread src/wasm-interpreter.h

@kripken kripken left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This sounds good to me, thanks! The interpreter isn't meant to be super-fast anyhow, optimizing for moves and such is not really the point.

Can we add a testcase in test/passes/?

@dcodeIO

dcodeIO commented Apr 22, 2020

Copy link
Copy Markdown
Contributor Author

Can we add a testcase in test/passes/?

I can try to reduce the original a.wasm even more by using --text, and then add it as a test. That ok?

Edit: Can't be reduced more using --text it seems (even becomes a little larger). But can add the reduced file.

@tlively

tlively commented Apr 22, 2020

Copy link
Copy Markdown
Member

That seems fine to me. I would just add a comment to the test pointing back to the issue to give some context.

@dcodeIO

dcodeIO commented Apr 23, 2020

Copy link
Copy Markdown
Contributor Author

Guess who broke something again. This time: CI

@dcodeIO

dcodeIO commented Apr 23, 2020

Copy link
Copy Markdown
Contributor Author

Guess who fixed something again!

Comment thread test/passes/issue2788.txt Outdated
)
(func $2
(nop)
)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are an awful lot of junk functions in here that are nothing but nops or unreachable. My guess is that the problem will still reproduce if we remove them, and that would make the test much clearer. Even then, I'd almost rather not have a test than check in this beast 😬 @kripken wdyt?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me try to reduce it by hand :)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Managed to isolate the problematic expression tree. Also tried to reduce that tree, but the first two attempts made the error go away, so I guess it's best to preserve its full beauty? :)

@tlively tlively left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! I'll let @kripken take another look as well.

Comment thread test/passes/issue2788.wast Outdated
@@ -0,0 +1,171 @@
;; Regression test for 'std::move'-related issues in ExpressionRunner during precompute-propagate

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we possibly reduce this test case? Do we need all this code to reproduce this bug?

@dcodeIO dcodeIO Apr 23, 2020

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Attempts to far didn't work so well (see also #2790 (review)), but I can try a little more if you'd like. My current guess is that this depends on the implementation of std::unordered_map a bit, i.e. how and when it shuffles its buffers around, and reducing it scares off the bug.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting. I think in that case I'd prefer to not check in the testcase, if it's not going to deterministically hit the bug anyhow.

I think we're ok without a testcase since the fuzzer found it easily multiple times for me.

Comment thread test/passes/issue2788.wast Outdated
@@ -0,0 +1,171 @@
;; Regression test for 'std::move'-related issues in ExpressionRunner during precompute-propagate

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting. I think in that case I'd prefer to not check in the testcase, if it's not going to deterministically hit the bug anyhow.

I think we're ok without a testcase since the fuzzer found it easily multiple times for me.

@kripken

kripken commented Apr 23, 2020

Copy link
Copy Markdown
Member

Great, thanks @dcodeIO !

@kripken kripken merged commit 420d0ae into WebAssembly:master Apr 23, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Fuzz failures after #2702

4 participants