Skip to content

Simple C++ exceptions fuzzer#13485

Draft
kripken wants to merge 47 commits intomainfrom
fuzz-exceptions
Draft

Simple C++ exceptions fuzzer#13485
kripken wants to merge 47 commits intomainfrom
fuzz-exceptions

Conversation

@kripken
Copy link
Member

@kripken kripken commented Feb 12, 2021

This is a quick and simple fuzzer, but it should generate some interesting patterns. It should also allow for easy reduction of testcases (see comments in the source for the technique).

Example random output:

void func_34() {
  if (getBoolean()) {
    puts("log(17)");
  } else {
    try {
    } catch(...) {
    }
  }
  try {
  } catch(...) {
  }
  if (getBoolean()) {
    try {
      while (getBoolean()) {
        try {
          try {
            while (getBoolean()) {
              continue;
            }
          } catch(...) {
            if (getBoolean()) {
            }
          }
        } catch(...) {
        }
      }
    } catch(...) {
      while (getBoolean()) {
      }
    }
  }
  if (getBoolean()) {
  }
}

This is capable of crashing clang (on WebAssemblyCFGStackify) with -fwasm-exceptions. I assume it's too early to fuzz it?

cc @aheejin @tlively @dschuff

@kripken
Copy link
Member Author

kripken commented Feb 12, 2021

Added a simple reducer which seems to work well. It finds stuff like this:

void func_0() {
  puts("log(1)");
  try {
    try {
      throw 0;
    } catch(...) {
      try {
        while (getBoolean()) {
        }
      } catch(...) {
      }
    }
  } catch(...) {
  }
}

That crashes clang with

clang++: /b/s/w/ir/cache/builder/emscripten-releases/llvm-project/llvm/lib/Target/WebAssembly/WebAssemblyCFGStackify.cpp:1413: unsigned int (anonymous namespace)::WebAssemblyCFGStackify::getDepth(const SmallVectorImpl<const llvm::MachineBasicBlock *> &, const llvm::MachineBasicBlock *): Assertion `Depth < Stack.size() && "Branch destination should be in scope"' failed.

@kripken
Copy link
Member Author

kripken commented Feb 12, 2021

Can also find bugs in binaryen, this crashes with

wasm-emscripten-finalize: src/wasm/wasm-binary.cpp:1933: void wasm::WasmBinaryBuilder::readFunctions(): Assertion `delegateTargetNames.empty()' failed.

void func_0() {
  try {
    puts("log(1)");
  } catch(...) {
    while (getBoolean()) {
      throw 0;
    }
  }
}

I think this might be the rethrow bug that @aheejin mentions in WebAssembly/binaryen#3562 that will be fixed soon.

@aheejin
Copy link
Member

aheejin commented Feb 12, 2021
edited
Loading

Thanks, this is great! I'll check those crashing examples soon.

This was referenced Feb 18, 2021
Merged
Merged
@kripken kripken mentioned this pull request Feb 23, 2021
Merged
kripken added a commit to WebAssembly/binaryen that referenced this pull request Feb 23, 2021
@kripken
[Wasm Exceptions] Fix cfg-traversal on linking the basic block after …
b3b6a81 
…a call (#3594)

This was an unfortunate case of the order of execution of call
arguments. link(self->currBasicBlock, self->startBasicBlock()) would
run the call first, which sets currBasicBlock, so we'd end up with
the same value for both parameters.

Without this fix, the testcase would drop the result of the call,
as it thought it had no uses.

Also improve debug logging here a tiny bit.

Found by emscripten-core/emscripten#13485
This was referenced Feb 23, 2021
Closed
Merged
kripken added a commit to WebAssembly/binaryen that referenced this pull request Feb 23, 2021
@kripken
[Wasm Exceptions] Fix StackIR writing of nested delegates (#3599)
538fe22 
We were missing a pop of catchIndexStack at a Delegate. It ends the scope,
so it should do that, like TryEnd does.

Found by emscripten-core/emscripten#13485 on -O2.
This was referenced Feb 24, 2021
Merged
Closed
kripken added a commit to WebAssembly/binaryen that referenced this pull request Feb 24, 2021
@kripken
Fix hashing of a use of a name without the context/target for it (#3601)
6656dfa 
Before this we would assert on hashing e.g. (br $x) by itself, without the
context so we recognized the name $x. Somehow that was not an issue
until delegate, we just happened to not hash such things. I believe I remember
that @aheejin noticed this issue before, but given we didn't have a testcase,
we deferred fixing it - now is the time, I guess, as with delegate it is easy to
get e.g. CodeFolding to hash a Try with a delegate.

Issue found by emscripten-core/emscripten#13485
Base automatically changed from master to main March 8, 2021 23:49
@stale
Copy link

stale bot commented Apr 16, 2022

This issue has been automatically marked as stale because there has been no activity in the past year. It will be closed automatically if no further activity occurs in the next 30 days. Feel free to re-open at any time if this issue is still relevant.

@stale stale bot added the wontfix label Apr 16, 2022
@aheejin aheejin mentioned this pull request Feb 26, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tlively tlively tlively left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

wontfix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kripken @aheejin @tlively