panicked at 'assertion failed: `(left < right)`, crates/debug/src/transform/expression.rs:111:13' #694

fitzgen · 2019-12-10T23:21:12Z

Steps to Reproduce

Note that the test below uses oracles/generators defined in #685

Test case

#[test]
fn debug_transform_assertion_failure() {
    use wasmtime_fuzzing::generators::{
        api::{ApiCall::*, ApiCalls},
        WasmOptTtf,
    };
    crate::oracles::make_api_calls(ApiCalls {
        calls: vec![
            ConfigNew,
            ConfigDebugInfo(
                true,
            ),
            EngineNew,
            StoreNew,
            ModuleNew {
                id: 4,
                wasm: WasmOptTtf { wasm: wat::parse_str(r###"
                (module
                  (type (;0;) (func (result i32)))
                  (type (;1;) (func (param i32)))
                  (type (;2;) (func (param i64)))
                  (type (;3;) (func (param f32)))
                  (type (;4;) (func (param f64)))
                  (type (;5;) (func (result f32)))
                  (type (;6;) (func))
                  (import "fuzzing-support" "log-i32" (func (;0;) (type 1)))
                  (import "fuzzing-support" "log-i64" (func (;1;) (type 2)))
                  (import "fuzzing-support" "log-f32" (func (;2;) (type 3)))
                  (import "fuzzing-support" "log-f64" (func (;3;) (type 4)))
                  (func (;4;) (type 0) (result i32)
                    (local i32)
                    i32.const 5381
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=1
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=2
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=3
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=4
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=5
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=6
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=7
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=8
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=9
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=10
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=11
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=12
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=13
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=14
                    i32.xor
                    local.set 0
                    local.get 0
                    i32.const 5
                    i32.shl
                    local.get 0
                    i32.add
                    i32.const 0
                    i32.load8_u offset=15
                    i32.xor
                    local.set 0
                    local.get 0)
                  (func (;5;) (type 5) (result f32)
                    (local i32 i32 i32 i64 i64 i64 i64 i64 f32 f32 f32 f32 f32 f32 f64 f64 f64)
                    block  ;; label = @1
                      global.get 4
                      i32.eqz
                      if  ;; label = @2
                        f32.const -0x1p+32 (;=-4294967300;)
                        return
                      end
                      global.get 4
                      i32.const 1
                      i32.sub
                      global.set 4
                    end
                    block (result f32)  ;; label = @1
                      nop
                      loop (result f32)  ;; label = @2
                        block  ;; label = @3
                          global.get 4
                          i32.eqz
                          if  ;; label = @4
                            f32.const -0x1p+63 (;=-9223372000000000000;)
                            return
                          end
                          global.get 4
                          i32.const 1
                          i32.sub
                          global.set 4
                        end
                        block (result f32)  ;; label = @3
                          block  ;; label = @4
                            local.get 0
                            if (result f64)  ;; label = @5
                              call 4
                              call 0
                              f64.const -nan:0xfffffffffff87 (;=NaN;)
                            else
                              local.get 2
                              if (result f64)  ;; label = @6
                                f64.const 0x1p+64 (;=18446744073709552000;)
                              else
                                local.get 14
                              end
                            end
                            local.tee 15
                            call 3
                            nop
                          end
                          local.get 0
                          i32.eqz
                          br_if 1 (;@2;)
                          f32.const 0x1p+26 (;=67108864;)
                        end
                      end
                      local.tee 12
                    end)
                  (func (;6;) (type 6)
                    i32.const 10
                    global.set 4)
                  (table (;0;) 0 funcref)
                  (memory (;0;) 1 1)
                  (global (;0;) (mut i32) (i32.const -58))
                  (global (;1;) (mut i32) (i32.const 1))
                  (global (;2;) (mut f64) (f64.const -nan:0xfffffffff9422 (;=NaN;)))
                  (global (;3;) (mut f64) (f64.const 0x1p+31 (;=2147483648;)))
                  (global (;4;) (mut i32) (i32.const 10))
                  (export "hashMemory" (func 4))
                  (export "hangLimitInitializer" (func 6))
                  (elem (;0;) (i32.const 0))
                  (data (;0;) (i32.const 0) ")\00\1c\0e\00\00c\00<\00P\00\00f\00\00\00\00\00\00\1ci\00>\09\00"))
                "###).unwrap() },
            },
            InstanceNew {
                id: 5,
                module: 4,
            },
        ],
    });
}

Panic message and backtrace

thread 'debug_transform_assertion_failure' panicked at 'assertion failed: `(left < right)`
  left: `32`,
 right: `32`', crates/debug/src/transform/expression.rs:111:13
stack backtrace:
   0: backtrace::backtrace::libunwind::trace
             at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/libunwind.rs:88
   1: backtrace::backtrace::trace_unsynchronized
             at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.40/src/backtrace/mod.rs:66
   2: std::sys_common::backtrace::_print_fmt
             at src/libstd/sys_common/backtrace.rs:84
   3: <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt
             at src/libstd/sys_common/backtrace.rs:61
   4: core::fmt::write
             at src/libcore/fmt/mod.rs:1025
   5: std::io::Write::write_fmt
             at /rustc/59947fcae6a40df12e33af8c8c7291014b7603e0/src/libstd/io/mod.rs:1426
   6: std::io::impls::<impl std::io::Write for alloc::boxed::Box<W>>::write_fmt
             at src/libstd/io/impls.rs:156
   7: std::sys_common::backtrace::_print
             at src/libstd/sys_common/backtrace.rs:65
   8: std::sys_common::backtrace::print
             at src/libstd/sys_common/backtrace.rs:50
   9: std::panicking::default_hook::{{closure}}
             at src/libstd/panicking.rs:193
  10: std::panicking::default_hook
             at src/libstd/panicking.rs:207
  11: std::panicking::rust_panic_with_hook
             at src/libstd/panicking.rs:471
  12: rust_begin_unwind
             at src/libstd/panicking.rs:375
  13: std::panicking::begin_panic_fmt
             at src/libstd/panicking.rs:326
  14: wasmtime_debug::transform::expression::translate_loc
             at crates/debug/src/transform/expression.rs:111
  15: wasmtime_debug::transform::expression::CompiledExpression::build_with_locals
             at crates/debug/src/transform/expression.rs:250
  16: wasmtime_debug::transform::simulate::generate_vars
             at crates/debug/src/transform/simulate.rs:209
  17: wasmtime_debug::transform::simulate::generate_simulated_dwarf
             at crates/debug/src/transform/simulate.rs:354
  18: wasmtime_debug::transform::transform_dwarf
             at crates/debug/src/transform/mod.rs:97
  19: wasmtime_debug::emit_debugsections_image
             at crates/debug/src/lib.rs:69
  20: wasmtime_jit::compiler::Compiler::compile
             at crates/jit/src/compiler.rs:176
  21: wasmtime_jit::instantiate::RawCompiledModule::new
             at crates/jit/src/instantiate.rs:78
  22: wasmtime_jit::instantiate::instantiate
             at crates/jit/src/instantiate.rs:264
  23: wasmtime::instance::instantiate_in_context
             at crates/api/src/instance.rs:38
  24: wasmtime::instance::Instance::new
             at crates/api/src/instance.rs:81
  25: wasmtime_fuzzing::oracles::make_api_calls
             at crates/fuzzing/src/oracles.rs:154
  26: regressions::debug_transform_assertion_failure
             at crates/fuzzing/tests/regressions.rs:22
  27: regressions::debug_transform_assertion_failure::{{closure}}
             at crates/fuzzing/tests/regressions.rs:17
  28: core::ops::function::FnOnce::call_once
             at /rustc/59947fcae6a40df12e33af8c8c7291014b7603e0/src/libcore/ops/function.rs:232
  29: <alloc::boxed::Box<F> as core::ops::function::FnOnce<A>>::call_once
             at /rustc/59947fcae6a40df12e33af8c8c7291014b7603e0/src/liballoc/boxed.rs:969
  30: __rust_maybe_catch_panic
             at src/libpanic_unwind/lib.rs:78
  31: std::panicking::try
             at /rustc/59947fcae6a40df12e33af8c8c7291014b7603e0/src/libstd/panicking.rs:270
  32: std::panic::catch_unwind
             at /rustc/59947fcae6a40df12e33af8c8c7291014b7603e0/src/libstd/panic.rs:394
  33: test::run_test_in_process
             at src/libtest/lib.rs:567
  34: test::run_test::run_test_inner::{{closure}}
             at src/libtest/lib.rs:474

The text was updated successfully, but these errors were encountered:

alexcrichton · 2020-02-01T15:33:27Z

For a slightly more minimal example:

(module
  (type (;0;) (func))
  (type (;1;) (func (param i64)))
  (func (;0;) (type 0))
  (func (;1;) (type 0))
  (func (;2;) (type 0))
  (func (;3;) (type 0))
  (func (;4;) (type 1) (param i64)
    (local f32 f32 f32)
    loop (result i64)  ;; label = @1
      global.get 0
      if  ;; label = @2
        local.get 1
        return
      end
      block (result i64)  ;; label = @2
        loop  ;; label = @3
          block  ;; label = @4
            global.get 0
            if  ;; label = @5
              i32.const 5
              if (result f32)  ;; label = @6
                block (result f32)  ;; label = @7
                  call 0
                  i32.const 7
                  if (result f32)  ;; label = @8
                    local.get 2
                  else
                    f32.const 0x1p+0 (;=1;)
                  end
                end
              else
                f32.const 0x1p+0 (;=1;)
              end
              local.tee 1
              local.set 3
            end
          end
        end
        i32.const 8
        br_if 1 (;@1;)
        i64.const 4
      end
    end
    return)
  (memory (;0;) 1)
  (global (;0;) i32 (i32.const 0)))

fails with:

$ wasmtime -g foo.wat
thread 'main' panicked at 'assertion failed: `(left < right)`
  left: `32`,
 right: `32`', crates/debug/src/transform/expression.rs:111:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

fitzgen added the fuzz-bug Bugs found by a fuzzer label Dec 10, 2019

yurydelendik self-assigned this Dec 18, 2019

yurydelendik mentioned this issue Feb 4, 2020

Implement FIXME in debug/src/expression.rs #902

Merged

alexcrichton closed this as completed in #902 Feb 5, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

panicked at 'assertion failed: `(left < right)`, crates/debug/src/transform/expression.rs:111:13' #694

panicked at 'assertion failed: `(left < right)`, crates/debug/src/transform/expression.rs:111:13' #694

fitzgen commented Dec 10, 2019

alexcrichton commented Feb 1, 2020

panicked at 'assertion failed: (left < right), crates/debug/src/transform/expression.rs:111:13' #694

panicked at 'assertion failed: (left < right), crates/debug/src/transform/expression.rs:111:13' #694

Comments

fitzgen commented Dec 10, 2019

Steps to Reproduce

alexcrichton commented Feb 1, 2020

panicked at 'assertion failed: `(left < right)`, crates/debug/src/transform/expression.rs:111:13' #694

panicked at 'assertion failed: `(left < right)`, crates/debug/src/transform/expression.rs:111:13' #694