This is a public version of https://issues.oss-fuzz.com/issues/487437719, a bug found by oss-fuzz. Unfortunately there is no reproduction test case for it. All we currently have is a Wasmtime revision (755979d) and a stack trace:
thread '<unnamed>' (4629) panicked at /src/wasmtime/crates/fuzzing/src/generators/gc_ops/mutator.rs:332:22:
rec_groups not empty
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4629==ERROR: AddressSanitizer: ABRT on unknown address 0x053900001215 (pc 0x7f3f52a9000b bp 0x7ffe0c2cc450 sp 0x7ffe0c2cc200 T0)
SCARINESS: 10 (signal)
#0 0x7f3f52a9000b in raise /build/glibc-B3wQXB/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:51:1
#1 0x7f3f52a6f858 in abort /build/glibc-B3wQXB/glibc-2.31/stdlib/abort.c:79:7
#2 0x5643af5d13c9 in std::sys::pal::unix::abort_internal /rustc/e96bb7e44fbcc23c1e6009e8d0ee8ab208668fb4/library/std/src/sys/pal/unix/mod.rs:305:14
#3 0x5643af5d1178 in std::process::abort /rustc/e96bb7e44fbcc23c1e6009e8d0ee8ab208668fb4/library/std/src/process.rs:2533:5
#4 0x5643af5cba74 in libfuzzer_sys::initialize::{closure#0} /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/src/lib.rs:94:9
#5 0x5643b3d14571 in <alloc::boxed::Box<dyn for<'a, 'b> core::ops::function::Fn<(&'a std::panic::PanicHookInfo<'b>,), Output = ()> + core::marker::Send + core::marker::Sync> as core::ops::function::Fn<(&std::panic::PanicHookInfo,)>>::call /rustc/e96bb7e44fbcc23c1e6009e8d0ee8ab208668fb4/library/alloc/src/boxed.rs:2220:9
#6 0x5643b3d14571 in std::panicking::panic_with_hook /rustc/e96bb7e44fbcc23c1e6009e8d0ee8ab208668fb4/library/std/src/panicking.rs:833:13
#7 0x5643b3d01b87 in std::panicking::panic_handler::{closure#0} /rustc/e96bb7e44fbcc23c1e6009e8d0ee8ab208668fb4/library/std/src/panicking.rs:698:13
#8 0x5643b3cf6e98 in std::sys::backtrace::__rust_end_short_backtrace::<std::panicking::panic_handler::{closure#0}, !> /rustc/e96bb7e44fbcc23c1e6009e8d0ee8ab208668fb4/library/std/src/sys/backtrace.rs:182:18
#9 0x5643b3d029ec in __rustc::rust_begin_unwind /rustc/e96bb7e44fbcc23c1e6009e8d0ee8ab208668fb4/library/std/src/panicking.rs:689:5
#10 0x5643af5d23ab in core::panicking::panic_fmt /rustc/e96bb7e44fbcc23c1e6009e8d0ee8ab208668fb4/library/core/src/panicking.rs:80:14
#11 0x5643af5d2073 in core::panicking::panic_display::<&str> /rustc/e96bb7e44fbcc23c1e6009e8d0ee8ab208668fb4/library/core/src/panicking.rs:259:5
#12 0x5643af5d2073 in core::option::expect_failed /rustc/e96bb7e44fbcc23c1e6009e8d0ee8ab208668fb4/library/core/src/option.rs:2202:5
#13 0x5643af7b953e in <core::option::Option<wasmtime_fuzzing::generators::gc_ops::types::RecGroupId>>::expect /rustc/e96bb7e44fbcc23c1e6009e8d0ee8ab208668fb4/library/core/src/option.rs:971:21
#14 0x5643af7b953e in <wasmtime_fuzzing::generators::gc_ops::mutator::GcOpsMutator>::split_rec_group::{closure#0} [wasmtime/crates/fuzzing/src/generators/gc_ops/mutator.rs:332](https://github.com/bytecodealliance/wasmtime/blob/755979dd81eb79ff746fb4e63d4570513216e731/crates/fuzzing/src/generators/gc_ops/mutator.rs#L332):22
#15 0x5643af7b953e in <mutatis::Candidates>::mutation::<<wasmtime_fuzzing::generators::gc_ops::mutator::GcOpsMutator>::split_rec_group::{closure#0}> /rust/registry/src/index.crates.io-1949cf8c6b5b557f/mutatis-0.3.2/src/lib.rs:459:21
#16 0x5643af7b953e in <wasmtime_fuzzing::generators::gc_ops::mutator::GcOpsMutator>::split_rec_group [wasmtime/crates/fuzzing/src/generators/gc_ops/mutator.rs:322](https://github.com/bytecodealliance/wasmtime/blob/755979dd81eb79ff746fb4e63d4570513216e731/crates/fuzzing/src/generators/gc_ops/mutator.rs#L322):11
#17 0x5643af813e6d in <wasmtime_fuzzing::generators::gc_ops::mutator::GcOpsMutator as mutatis::Mutate<wasmtime_fuzzing::generators::gc_ops::ops::GcOps>>::mutate [wasmtime/crates/fuzzing/src/generators/gc_ops/mutator.rs:393](https://github.com/bytecodealliance/wasmtime/blob/755979dd81eb79ff746fb4e63d4570513216e731/crates/fuzzing/src/generators/gc_ops/mutator.rs#L393):14
#18 0x5643af6ad32d in <mutatis::mutators::core_impls::Tuple2<mutatis::mutators::core_impls::U64, wasmtime_fuzzing::generators::gc_ops::mutator::GcOpsMutator> as mutatis::Mutate<(u64, wasmtime_fuzzing::generators::gc_ops::ops::GcOps)>>::mutate /rust/registry/src/index.crates.io-1949cf8c6b5b557f/mutatis-0.3.2/src/mutators/core_impls.rs:534:33
#19 0x5643af6ad32d in <mutatis::Context>::mutate_with::<(u64, wasmtime_fuzzing::generators::gc_ops::ops::GcOps), mutatis::mutators::core_impls::Tuple2<mutatis::mutators::core_impls::U64, wasmtime_fuzzing::generators::gc_ops::mutator::GcOpsMutator>>::{closure#0} /rust/registry/src/index.crates.io-1949cf8c6b5b557f/mutatis-0.3.2/src/lib.rs:322:66
#20 0x5643af6914f5 in <mutatis::Context>::choose_and_apply_mutation::<(u64, wasmtime_fuzzing::generators::gc_ops::ops::GcOps), <mutatis::Context>::mutate_with<(u64, wasmtime_fuzzing::generators::gc_ops::ops::GcOps), mutatis::mutators::core_impls::Tuple2<mutatis::mutators::core_impls::U64, wasmtime_fuzzing::generators::gc_ops::mutator::GcOpsMutator>>::{closure#0}> /rust/registry/src/index.crates.io-1949cf8c6b5b557f/mutatis-0.3.2/src/lib.rs:361:15
#21 0x5643af6914f5 in <mutatis::Context>::mutate_with::<(u64, wasmtime_fuzzing::generators::gc_ops::ops::GcOps), mutatis::mutators::core_impls::Tuple2<mutatis::mutators::core_impls::U64, wasmtime_fuzzing::generators::gc_ops::mutator::GcOpsMutator>> /rust/registry/src/index.crates.io-1949cf8c6b5b557f/mutatis-0.3.2/src/lib.rs:322:14
#22 0x5643af6914f5 in <mutatis::Context>::mutate::<(u64, wasmtime_fuzzing::generators::gc_ops::ops::GcOps)> /rust/registry/src/index.crates.io-1949cf8c6b5b557f/mutatis-0.3.2/src/lib.rs:313:14
#23 0x5643af6914f5 in <mutatis::Session>::mutate::<(u64, wasmtime_fuzzing::generators::gc_ops::ops::GcOps)> /rust/registry/src/index.crates.io-1949cf8c6b5b557f/mutatis-0.3.2/src/lib.rs:145:22
#24 0x5643af6914f5 in gc_ops::rust_fuzzer_custom_mutator::custom_mutator [wasmtime/fuzz/fuzz_targets/gc_ops.rs:41](https://github.com/bytecodealliance/wasmtime/blob/755979dd81eb79ff746fb4e63d4570513216e731/fuzz/fuzz_targets/gc_ops.rs#L41):16
#25 0x5643af6914f5 in LLVMFuzzerCustomMutator /rust/registry/src/index.crates.io-1949cf8c6b5b557f/libfuzzer-sys-0.4.10/src/lib.rs:558:28
#26 0x5643b3cbdf68 in MutateImpl /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMutate.cpp:550:22
#27 0x5643b3cbdf68 in fuzzer::MutationDispatcher::Mutate(unsigned char*, unsigned long, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMutate.cpp:532:10
#28 0x5643b3ca9c52 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:757:20
#29 0x5643b3caa865 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile>>&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:910:5
#30 0x5643b3c996e5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:917:6
#31 0x5643b3cc4252 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#32 0x7f3f52a71082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/libc-start.c:308:16
#33 0x5643af5d3d3d in _start
Given that this happened while a test case was being mutated, I think that explains why there is no test case attached here.
cc @fitzgen and @khagankhan, would the backtrace and panic message be enough to debug this even without a test case?