cranelift-fuzzgen fuzzbug: "index out of bounds: the len is 2 but the index is 2"

[cfallin]

From oss-fuzz (https://oss-fuzz.com/testcase-detail/4548183442718720).

thread '<unnamed>' panicked at 'index out of bounds: the len is 2 but the index is 2', [wasmtime/cranelift/module/src/module.rs:384](https://github.com/bytecodealliance/wasmtime/blob/d620705a323e3da59bd90473b4e627c8502b1255/cranelift/module/src/module.rs#L384):10

with input (base64'd):

IMUg//+CaDTDw8N2w4mJiYmJiYmJiRAAAImJiYmJiQMAAACJiQABqQB9fX19ffJ9AP////8AAQAr
KwAAAAAAAAAAAAAAAAHDLn19AH3r6+vr9Ovr/wAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAQArKwAA
AAAAAAAAAAAAAAHDLn19AH3rqACCgoKCgoKCEIKCgoIQgoI9AAAAgoKCgpIAAAAAAIKCgoKCgoKC
goKCgoKCggEAAIKCgpIAAAAAAIKCgoKCgoKCgoKCgoKCggcwMPBcVVXr6+v06+v///8O6+vr6+vr
6+vr6+vr6+uCgoKCgoKCgoJTFQAAACAAAAAKADECPv8AAP////8AAAAH/////////////2FraXRz
bikgfwGCgomJiYmJiYkQAACJiYmJiYkDAAAAiYllAAiCgoKCgmgAgqKCgiHCgoKCgoaCgoKCgoIp
goKCgoKCgoKLgoKCAAAgAAAAAAAAAAAIgoJoMMPDw3bDpYmJiYmJiYmJEAAAiYmJAAiCgmg0w8PD
dsOliYmJiYmJiYkQAACJiYmJAIKCgoKCgoKCgoKCgoKCgoJcVTAw61xVSUUtZUBuYmVlAAAAAAAA
AAAAAAAAAAAAAAAAAAAAEAAIgoKCgoJoAIKigoIhwv///////wD/goKCgoI+AAAAENA=

cc @afonso360

[afonso360]

Formatted

ubuntu@instance-20220805-0848:~/git/wasmtime/fuzz$ cargo fuzz fmt cranelift-fuzzgen ./4757.in --no-default-features

Output of `std::fmt::Debug`:

;; Fuzzgen test case

test interpret
test run
set enable_llvm_abi_extensions
target aarch64
target s390x
target x86_64

function u0:1(i128 sext, f64, i16 sext, i64, i32, f32, i8 sext, i8 sext, i8 sext, i8 sext, i8 uext, b1, i8 sext, i8 sext, i8 sext) -> b1, b1 sext, i8 system_v {
    sig0 = (i128 sext, i128, f64, f64, b1 uext, b1 uext) -> b1, b1, b1, b1, b1, b1, i8, f32 sext, i128 system_v
    sig1 = (i32 uext, i64 uext, i32, b1, b1 uext, b1, b1, b1, b1, b1, b1, b1, b1, b1) system_v
    sig2 = (i64, i64) -> i64 fast
    sig3 = () system_v
    sig4 = (i64, i64) -> i64 fast
    sig5 = (i64, i64) -> i64 fast
    sig6 = (i64, i64) -> i64 fast
    sig7 = (i64, i64) -> i64 fast
    fn0 = colocated u0:0 sig0
    fn1 = colocated u0:1 sig1
    fn2 = colocated %UdivI64 sig2
    fn3 = u0:2 sig3
    fn4 = %UdivI64 sig4
    fn5 = %UdivI64 sig5
    fn6 = %UdivI64 sig6
    fn7 = %UdivI64 sig7

block0(v0: i128, v1: f64, v2: i16, v3: i64, v4: i32, v5: f32, v6: i8, v7: i8, v8: i8, v9: i8, v10: i8, v11: b1, v12: i8, v13: i8, v14: i8):
    v87 -> v6
    v78 -> v10
    v15 = iconst.i32 0x007d_7d2e
    v16 = iconst.i128 0
    v17 = iconst.i64 0
    v18 = iconst.i32 0
    v19 = iconst.i16 0
    v20 = iconst.i8 0
    v21, v22, v23, v24, v25, v26, v27, v28, v29 = call fn0(v0, v0, v1, v1, v11, v11)
    nop
    v30 = ushr v4, v8
    v31 = ushr v30, v8
    v32 = ushr v31, v8
    v33 = udiv v8, v8
    nop
    nop
    nop
    v34 = ushr v32, v8
    v35 = uextend.i32 v6
    nop
    nop
    nop
    v36 = ushr v35, v8
    v37 = ushr v36, v8
    v38 = ushr v37, v8
    v39 = ushr v38, v8
    nop
    nop
    v40 = ushr v38, v8
    nop
    nop
    nop
    nop
    nop
    v41 = ushr v40, v8
    v42 = ushr v41, v8
    v43 = ushr v42, v8
    v44 = ushr v43, v8
    v45 = rotr v0, v43
    v46 = iadd v3, v3
    v47 = ishl v46, v46
    v48 = ishl v44, v2
    call fn3()
    v49 = isub v48, v48
    v50 = udiv v47, v47
    v51 = udiv v50, v50
    v52 = imul v51, v51
    call fn3()
    call fn3()
    call fn3()
    call fn3()
    call fn3()
    call fn3()
    call fn3()
    v53 = ushr v43, v8
    v54 = ushr v53, v8
    v55 = ushr v49, v33
    nop
    nop
    v56 = rotr v2, v2
    nop
    nop
    nop
    v57 = isub v45, v45
    nop
    v58 = rotr v57, v52
    v59 = iadd v56, v56
    v60 = rotl v49, v59
    br_icmp sge v52, v52, block1(v52, v59, v58, v49, v8, v5)
    jump block1(v52, v59, v58, v49, v8, v5)

block1(v61: i64, v63: i16, v75: i128, v77: i32, v82: i8, v108: f32) cold:
    v62 = udiv v61, v61
    nop
    nop
    nop
    v64 = isub v63, v63
    v65 = udiv v62, v62
    v66 = udiv v65, v65
    v67 = udiv v66, v66
    v68 = udiv v67, v67
    v69 = udiv v68, v68
    v70 = udiv v69, v69
    v71 = udiv v70, v70
    v72 = udiv v71, v71
    v73 = udiv v72, v72
    v74 = udiv v73, v73
    v76 = ishl v75, v74
    v79 = sshr v77, v78
    v80 = sshr v79, v74
    v81 = ushr v64, v64
    v83 = iadd v82, v82
    v84 = ushr v74, v79
    v85 = ushr v84, v79
    v86 = ushr v85, v79
    v88 = udiv.i8 v87, v87
    v89 = ushr v86, v79
    v90 = ushr v89, v79
    v91 = ushr v90, v79
    nop
    nop
    nop
    v92 = ushr v91, v79
    v93 = sshr.i8 v87, v80
    v94 = ushr v80, v93
    v95 = sshr v81, v81
    nop
    v96 = ushr v94, v93
    v97 = rotr v95, v96
    v98 = ushr v96, v93
    v99 = ushr v98, v76
    v100 = ushr v99, v93
    v101 = rotr v92, v93
    v102 = ushr v100, v93
    v103 = ushr v102, v93
    v104 = ushr v102, v93
    nop
    v105 = rotr v97, v97
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    nop
    v106 = isub v104, v104
    v107 = rotr v76, v103
    v113 = fma v108, v108, v108
    v114 = fcmp ne v113, v113
    v115 = f32const +NaN
    v109 = select v114, v115, v113  ; v115 = +NaN
    v116 = fma v109, v109, v109
    v117 = fcmp ne v116, v116
    v118 = f32const +NaN
    v110 = select v117, v118, v116  ; v118 = +NaN
    v111 = sshr v107, v105
    v119 = fma v110, v110, v110
    v120 = fcmp ne v119, v119
    v121 = f32const +NaN
    v112 = select v120, v121, v119  ; v121 = +NaN
    jump block1(v101, v105, v111, v103, v93, v112)
}

; Note: the results in the below test cases are simply a placeholder and probably will be wrong

; run: u0:1(-167441178197207787726634081896711485047, -0x1.6c3c3c3346882p56, -30299, 1191634800227223945, -1987510272, -0x1.011312p-123, -126, -126, -126, -126, -126, false, -126, -126, -126) == [false, false, 0]
; run: u0:1(60175015672611943707808577707804099202, 0x0.06565626e4065p-1022, 0, 0, 0, 0.0, 0, 16, 0, 8, -126, false, -126, -126, -126) == [false, false, 0]
; run: u0:1(-1324035698926381049733415222487416728, 0x0.03e8282828282p-1022, 4096, 208, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]
; run: u0:1(0, 0.0, 0, 0, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]
; run: u0:1(0, 0.0, 0, 0, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]
; run: u0:1(0, 0.0, 0, 0, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]
; run: u0:1(0, 0.0, 0, 0, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]
; run: u0:1(0, 0.0, 0, 0, 0, 0.0, 0, 0, 0, 0, 0, false, 0, 0, 0) == [false, false, 0]

[jameysharp]

Here's the important part of the stack trace from oss-fuzz. I suspect this is caused by the same issue as #4758 since there are call instructions in this program and the panic is happening while trying to perform relocations in cranelift-jit.

0x5615862344b1 in cranelift_module::module::ModuleDeclarations::get_function_decl::h5bbdbf571653422e wasmtime/cranelift/module/src/module.rs:384:10
0x5615862138e7 in cranelift_jit::backend::JITModule::get_address::h8d13230c813aade4 wasmtime/cranelift/jit/src/backend.rs:289:44
0x5615862181f8 in cranelift_jit::backend::JITModule::finalize_definitions::_$u7b$$u7b$closure$u7d$$u7d$::h1821fa3c3054b087 wasmtime/cranelift/jit/src/backend.rs:434:24
0x5615862181f8 in cranelift_jit::compiled_blob::CompiledBlob::perform_relocations::h02988f21133ad98f wasmtime/cranelift/jit/src/compiled_blob.rs:41:32
0x5615862181f8 in cranelift_jit::backend::JITModule::finalize_definitions::h914dc1ce0866901e wasmtime/cranelift/jit/src/backend.rs:433:13
0x561585fff42f in cranelift_filetests::function_runner::SingleFunctionCompiler::compile::hd1a840d57445ec31 wasmtime/cranelift/filetests/src/function_runner.rs:102:9