Divergent behavior between regalloc_algorithm={backtracking,single_pass} #9980

Open
alexcrichton opened this issue Jan 10, 2025 · 3 comments
Labels
fuzz-bug Bugs found by a fuzzer

Comments

@alexcrichton
Member

Found via oss-fuzz in https://issues.oss-fuzz.com/issues/387110342; I've minimized this to:

(module
  (func (export "")
    call 1
    f64.const 0
    f64.const 0
    f64.ne
    if
    end
    call 0
  )

  (func
    f64.const nan
    f64.const 0
    f64.eq
    if
      loop
      end
    end
  )
)

which I can show different behavior with:

$ wasmtime run --invoke '' -W fuel=$((1<<62)) -C cranelift-regalloc-algorithm=backtracking foo.wat
Error: failed to run main module `foo.wat`

Caused by:
    0: failed to invoke ``
    1: error while executing at wasm backtrace:
           0: <unknown>!<wasm function 1>
           1:   0x1e - <unknown>!<wasm function 0>
           2:   0x36 - <unknown>!<wasm function 0>
...
         16365:   0x36 - <unknown>!<wasm function 0>
         16366:   0x36 - <unknown>!<wasm function 0>
    2: wasm trap: call stack exhausted

That's expected, this infinitely recurses. With single_pass though:

$ wasmtime run --invoke '' -W fuel=$((1<<62)) -C cranelift-regalloc-algorithm=single_pass foo.wat
Error: failed to run main module `foo.wat`

Caused by:
    0: failed to invoke ``
    1: error while executing at wasm backtrace:
           0:   0x1d - <unknown>!<wasm function 0>
           1:   0x36 - <unknown>!<wasm function 0>
    2: wasm trap: all fuel consumed by WebAssembly
alexcrichton added the fuzz-bug label Jan 10, 2025
@cfallin
Member

cfallin commented Jan 10, 2025

For context: Alex and I briefly discussed this offline and concluded this was not a security issue as backtracking (the production algorithm) is performing the correct behavior, and single-pass is off by default and not part of any support tier (or perhaps tier 3 by default).

@cfallin
Member

cfallin commented Jan 10, 2025

Additional context: it seems this only reproduces with x86-64; cannot reproduce with aarch64 (also infinitely recurses correctly). Successfully reproduces on macOS/x86-64 (via Rosetta 2), though, in addition to Linux.

@primoly
Contributor

primoly commented Jan 12, 2025

The strange thing is that it seems to be caused by the NaN. If you replace that NaN with any other value (for example -12.345), single-pass recurses infinitely as well. If you look at the disassembly of both variants, nothing is different except that NaN constant in r15 (at address 0000024f). It doesn't even change the address of any instruction. I have no idea why this would make a difference in fuel consumption. Mysterious.

single-pass and fuel with NaN
Disassembly of function <function[0]>:

00000000    55                                push rbp
00000001    48 89 e5                          mov rbp, rsp
00000004    4c 8b 57 08                       mov r10, qword ptr [rdi + 8]
00000008    4d 8b 12                          mov r10, qword ptr [r10]
0000000b    49 81 c2 90 00 00 00              add r10, 0x90
00000012    49 39 e2                          cmp r10, rsp
00000015    0f 87 4a 01 00 00                 ja 0x165
0000001b    48 81 ec 80 00 00 00              sub rsp, 0x80
00000022    48 89 5c 24 50                    mov qword ptr [rsp + 0x50], rbx
00000027    4c 89 64 24 58                    mov qword ptr [rsp + 0x58], r12
0000002c    4c 89 6c 24 60                    mov qword ptr [rsp + 0x60], r13
00000031    4c 89 74 24 68                    mov qword ptr [rsp + 0x68], r14
00000036    4c 89 7c 24 70                    mov qword ptr [rsp + 0x70], r15
0000003b    48 89 7c 24 18                    mov qword ptr [rsp + 0x18], rdi
00000040    48 8b 44 24 18                    mov rax, qword ptr [rsp + 0x18]
00000045    48 8b 50 08                       mov rdx, qword ptr [rax + 8]
00000049    48 89 14 24                       mov qword ptr [rsp], rdx
0000004d    48 8b 0c 24                       mov rcx, qword ptr [rsp]
00000051    48 8b 71 08                       mov rsi, qword ptr [rcx + 8]
00000055    48 89 74 24 30                    mov qword ptr [rsp + 0x30], rsi
0000005a    4c 8b 44 24 30                    mov r8, qword ptr [rsp + 0x30]
0000005f    4d 8d 48 01                       lea r9, [r8 + 1]
00000063    4c 89 4c 24 40                    mov qword ptr [rsp + 0x40], r9
00000068    4c 8b 54 24 40                    mov r10, qword ptr [rsp + 0x40]
0000006d    48 8b 5c 24 40                    mov rbx, qword ptr [rsp + 0x40]
00000072    4c 85 d3                          test rbx, r10
00000075    48 8b 5c 24 40                    mov rbx, qword ptr [rsp + 0x40]
0000007a    48 89 5c 24 38                    mov qword ptr [rsp + 0x38], rbx
0000007f    0f 8d 0f 00 00 00                 jge 0x94
00000085    48 8b 5c 24 38                    mov rbx, qword ptr [rsp + 0x38]
0000008a    48 89 5c 24 20                    mov qword ptr [rsp + 0x20], rbx
0000008f    e9 33 00 00 00                    jmp 0xc7
00000094    4c 8b 5c 24 30                    mov r11, qword ptr [rsp + 0x30]
00000099    4d 8d 6b 01                       lea r13, [r11 + 1]
0000009d    4c 8b 24 24                       mov r12, qword ptr [rsp]
000000a1    4d 89 6c 24 08                    mov qword ptr [r12 + 8], r13
000000a6    48 8b 7c 24 18                    mov rdi, qword ptr [rsp + 0x18]
000000ab    e8 7e 03 00 00                    call 0x42e
000000b0    4c 8b 34 24                       mov r14, qword ptr [rsp]
000000b4    4d 8b 7e 08                       mov r15, qword ptr [r14 + 8]
000000b8    4c 89 7c 24 28                    mov qword ptr [rsp + 0x28], r15
000000bd    4c 8b 7c 24 28                    mov r15, qword ptr [rsp + 0x28]
000000c2    4c 89 7c 24 20                    mov qword ptr [rsp + 0x20], r15
000000c7    48 8b 44 24 20                    mov rax, qword ptr [rsp + 0x20]
000000cc    48 8d 50 01                       lea rdx, [rax + 1]
000000d0    48 8b 0c 24                       mov rcx, qword ptr [rsp]
000000d4    48 89 51 08                       mov qword ptr [rcx + 8], rdx
000000d8    48 8b 74 24 18                    mov rsi, qword ptr [rsp + 0x18]
000000dd    48 8b 7c 24 18                    mov rdi, qword ptr [rsp + 0x18]
000000e2    e8 99 00 00 00                    call 0x180
000000e7    4c 8b 04 24                       mov r8, qword ptr [rsp]
000000eb    4d 8b 48 08                       mov r9, qword ptr [r8 + 8]
000000ef    4c 89 4c 24 10                    mov qword ptr [rsp + 0x10], r9
000000f4    c4 41 09 57 fe                    vxorpd xmm15, xmm14, xmm14
000000f9    c5 79 2e 3d 6f 00 00 00           vucomisd xmm15, qword ptr [rip + 0x6f]
00000101    0f 8a 00 00 00 00                 jp 0x107
00000107    48 8b 7c 24 18                    mov rdi, qword ptr [rsp + 0x18]
0000010c    4c 8b 54 24 10                    mov r10, qword ptr [rsp + 0x10]
00000111    49 8d 5a 05                       lea rbx, [r10 + 5]
00000115    4c 8b 1c 24                       mov r11, qword ptr [rsp]
00000119    49 89 5b 08                       mov qword ptr [r11 + 8], rbx
0000011d    48 89 fe                          mov rsi, rdi
00000120    e8 db fe ff ff                    call 0
00000125    4c 8b 24 24                       mov r12, qword ptr [rsp]
00000129    4d 8b 6c 24 08                    mov r13, qword ptr [r12 + 8]
0000012e    4c 89 6c 24 08                    mov qword ptr [rsp + 8], r13
00000133    4c 8b 7c 24 08                    mov r15, qword ptr [rsp + 8]
00000138    4c 8b 34 24                       mov r14, qword ptr [rsp]
0000013c    4d 89 7e 08                       mov qword ptr [r14 + 8], r15
00000140    48 8b 5c 24 50                    mov rbx, qword ptr [rsp + 0x50]
00000145    4c 8b 64 24 58                    mov r12, qword ptr [rsp + 0x58]
0000014a    4c 8b 6c 24 60                    mov r13, qword ptr [rsp + 0x60]
0000014f    4c 8b 74 24 68                    mov r14, qword ptr [rsp + 0x68]
00000154    4c 8b 7c 24 70                    mov r15, qword ptr [rsp + 0x70]
00000159    48 81 c4 80 00 00 00              add rsp, 0x80
00000160    48 89 ec                          mov rsp, rbp
00000163    5d                                pop rbp
00000164    c3                                ret
00000165    0f 0b                             ud2
00000167    00 00                             add byte ptr [rax], al
00000169    00 00                             add byte ptr [rax], al
0000016b    00 00                             add byte ptr [rax], al
0000016d    00 00                             add byte ptr [rax], al
0000016f    00 00                             add byte ptr [rax], al
00000171    00 00                             add byte ptr [rax], al
00000173    00 00                             add byte ptr [rax], al
00000175    00 00                             add byte ptr [rax], al
00000177    00 00                             add byte ptr [rax], al
00000179    00 00                             add byte ptr [rax], al
0000017b    00 00                             add byte ptr [rax], al
0000017d    00 00                             add byte ptr [rax], al
0000017f    00                                .byte 0x00

Disassembly of function <function[1]>:

00000180    55                                push rbp
00000181    48 89 e5                          mov rbp, rsp
00000184    4c 8b 57 08                       mov r10, qword ptr [rdi + 8]
00000188    4d 8b 12                          mov r10, qword ptr [r10]
0000018b    49 81 c2 b0 00 00 00              add r10, 0xb0
00000192    49 39 e2                          cmp r10, rsp
00000195    0f 87 b0 01 00 00                 ja 0x34b
0000019b    48 81 ec a0 00 00 00              sub rsp, 0xa0
000001a2    48 89 5c 24 70                    mov qword ptr [rsp + 0x70], rbx
000001a7    4c 89 64 24 78                    mov qword ptr [rsp + 0x78], r12
000001ac    4c 89 ac 24 80 00 00 00           mov qword ptr [rsp + 0x80], r13
000001b4    4c 89 b4 24 88 00 00 00           mov qword ptr [rsp + 0x88], r14
000001bc    4c 89 bc 24 90 00 00 00           mov qword ptr [rsp + 0x90], r15
000001c4    48 89 7c 24 28                    mov qword ptr [rsp + 0x28], rdi
000001c9    4c 8b 7c 24 28                    mov r15, qword ptr [rsp + 0x28]
000001ce    49 8b 77 08                       mov rsi, qword ptr [r15 + 8]
000001d2    48 89 34 24                       mov qword ptr [rsp], rsi
000001d6    48 8b 04 24                       mov rax, qword ptr [rsp]
000001da    48 8b 48 08                       mov rcx, qword ptr [rax + 8]
000001de    48 89 4c 24 58                    mov qword ptr [rsp + 0x58], rcx
000001e3    48 8b 54 24 58                    mov rdx, qword ptr [rsp + 0x58]
000001e8    4c 8d 42 01                       lea r8, [rdx + 1]
000001ec    4c 89 44 24 68                    mov qword ptr [rsp + 0x68], r8
000001f1    4c 8b 4c 24 68                    mov r9, qword ptr [rsp + 0x68]
000001f6    4c 8b 54 24 68                    mov r10, qword ptr [rsp + 0x68]
000001fb    4d 85 ca                          test r10, r9
000001fe    4c 8b 54 24 68                    mov r10, qword ptr [rsp + 0x68]
00000203    4c 89 54 24 60                    mov qword ptr [rsp + 0x60], r10
00000208    0f 8d 0f 00 00 00                 jge 0x21d
0000020e    4c 8b 54 24 60                    mov r10, qword ptr [rsp + 0x60]
00000213    4c 89 54 24 20                    mov qword ptr [rsp + 0x20], r10
00000218    e9 32 00 00 00                    jmp 0x24f
0000021d    48 8b 5c 24 58                    mov rbx, qword ptr [rsp + 0x58]
00000222    4c 8d 63 01                       lea r12, [rbx + 1]
00000226    4c 8b 1c 24                       mov r11, qword ptr [rsp]
0000022a    4d 89 63 08                       mov qword ptr [r11 + 8], r12
0000022e    48 8b 7c 24 28                    mov rdi, qword ptr [rsp + 0x28]
00000233    e8 f6 01 00 00                    call 0x42e
00000238    4c 8b 2c 24                       mov r13, qword ptr [rsp]
0000023c    4d 8b 75 08                       mov r14, qword ptr [r13 + 8]
00000240    4c 89 74 24 50                    mov qword ptr [rsp + 0x50], r14
00000245    4c 8b 74 24 50                    mov r14, qword ptr [rsp + 0x50]
0000024a    4c 89 74 24 20                    mov qword ptr [rsp + 0x20], r14
0000024f    49 bf 00 00 00 00 00 00 f8 7f     movabs r15, 0x7ff8000000000000
00000259    c4 41 f9 6e ff                    vmovq xmm15, r15
0000025e    48 8b 74 24 20                    mov rsi, qword ptr [rsp + 0x20]
00000263    48 8d 46 04                       lea rax, [rsi + 4]
00000267    48 89 44 24 48                    mov qword ptr [rsp + 0x48], rax
0000026c    c5 79 2e 3d dc 00 00 00           vucomisd xmm15, qword ptr [rip + 0xdc]
00000274    0f 8a 10 00 00 00                 jp 0x28a
0000027a    48 8b 44 24 48                    mov rax, qword ptr [rsp + 0x48]
0000027f    48 89 44 24 40                    mov qword ptr [rsp + 0x40], rax
00000284    0f 84 0f 00 00 00                 je 0x299
0000028a    48 8b 44 24 40                    mov rax, qword ptr [rsp + 0x40]
0000028f    48 89 44 24 08                    mov qword ptr [rsp + 8], rax
00000294    e9 77 00 00 00                    jmp 0x310
00000299    48 8b 4c 24 20                    mov rcx, qword ptr [rsp + 0x20]
0000029e    48 8d 51 04                       lea rdx, [rcx + 4]
000002a2    48 89 54 24 38                    mov qword ptr [rsp + 0x38], rdx
000002a7    4c 8b 44 24 38                    mov r8, qword ptr [rsp + 0x38]
000002ac    4c 8b 4c 24 38                    mov r9, qword ptr [rsp + 0x38]
000002b1    4d 85 c1                          test r9, r8
000002b4    4c 8b 4c 24 38                    mov r9, qword ptr [rsp + 0x38]
000002b9    4c 89 4c 24 30                    mov qword ptr [rsp + 0x30], r9
000002be    0f 8d 0f 00 00 00                 jge 0x2d3
000002c4    4c 8b 4c 24 30                    mov r9, qword ptr [rsp + 0x30]
000002c9    4c 89 4c 24 10                    mov qword ptr [rsp + 0x10], r9
000002ce    e9 33 00 00 00                    jmp 0x306
000002d3    48 8b 7c 24 28                    mov rdi, qword ptr [rsp + 0x28]
000002d8    4c 8b 54 24 20                    mov r10, qword ptr [rsp + 0x20]
000002dd    49 8d 5a 04                       lea rbx, [r10 + 4]
000002e1    4c 8b 1c 24                       mov r11, qword ptr [rsp]
000002e5    49 89 5b 08                       mov qword ptr [r11 + 8], rbx
000002e9    e8 40 01 00 00                    call 0x42e
000002ee    4c 8b 24 24                       mov r12, qword ptr [rsp]
000002f2    4d 8b 6c 24 08                    mov r13, qword ptr [r12 + 8]
000002f7    4c 89 6c 24 18                    mov qword ptr [rsp + 0x18], r13
000002fc    4c 8b 6c 24 18                    mov r13, qword ptr [rsp + 0x18]
00000301    4c 89 6c 24 10                    mov qword ptr [rsp + 0x10], r13
00000306    4c 8b 6c 24 10                    mov r13, qword ptr [rsp + 0x10]
0000030b    4c 89 6c 24 08                    mov qword ptr [rsp + 8], r13
00000310    4c 8b 7c 24 08                    mov r15, qword ptr [rsp + 8]
00000315    4c 8b 34 24                       mov r14, qword ptr [rsp]
00000319    4d 89 7e 08                       mov qword ptr [r14 + 8], r15
0000031d    48 8b 5c 24 70                    mov rbx, qword ptr [rsp + 0x70]
00000322    4c 8b 64 24 78                    mov r12, qword ptr [rsp + 0x78]
00000327    4c 8b ac 24 80 00 00 00           mov r13, qword ptr [rsp + 0x80]
0000032f    4c 8b b4 24 88 00 00 00           mov r14, qword ptr [rsp + 0x88]
00000337    4c 8b bc 24 90 00 00 00           mov r15, qword ptr [rsp + 0x90]
0000033f    48 81 c4 a0 00 00 00              add rsp, 0xa0
00000346    48 89 ec                          mov rsp, rbp
00000349    5d                                pop rbp
0000034a    c3                                ret
0000034b    0f 0b                             ud2
0000034d    00 00                             add byte ptr [rax], al
0000034f    00 00                             add byte ptr [rax], al
00000351    00 00                             add byte ptr [rax], al
00000353    00 00                             add byte ptr [rax], al
00000355    00 00                             add byte ptr [rax], al
00000357    00 00                             add byte ptr [rax], al
00000359    00 00                             add byte ptr [rax], al
0000035b    00 00                             add byte ptr [rax], al
0000035d    00 00                             add byte ptr [rax], al
0000035f    00                                .byte 0x00

single-pass and fuel with -12.345 instead of NaN
Disassembly of function <function[0]>:

00000000    55                                push rbp
00000001    48 89 e5                          mov rbp, rsp
00000004    4c 8b 57 08                       mov r10, qword ptr [rdi + 8]
00000008    4d 8b 12                          mov r10, qword ptr [r10]
0000000b    49 81 c2 90 00 00 00              add r10, 0x90
00000012    49 39 e2                          cmp r10, rsp
00000015    0f 87 4a 01 00 00                 ja 0x165
0000001b    48 81 ec 80 00 00 00              sub rsp, 0x80
00000022    48 89 5c 24 50                    mov qword ptr [rsp + 0x50], rbx
00000027    4c 89 64 24 58                    mov qword ptr [rsp + 0x58], r12
0000002c    4c 89 6c 24 60                    mov qword ptr [rsp + 0x60], r13
00000031    4c 89 74 24 68                    mov qword ptr [rsp + 0x68], r14
00000036    4c 89 7c 24 70                    mov qword ptr [rsp + 0x70], r15
0000003b    48 89 7c 24 18                    mov qword ptr [rsp + 0x18], rdi
00000040    48 8b 44 24 18                    mov rax, qword ptr [rsp + 0x18]
00000045    48 8b 50 08                       mov rdx, qword ptr [rax + 8]
00000049    48 89 14 24                       mov qword ptr [rsp], rdx
0000004d    48 8b 0c 24                       mov rcx, qword ptr [rsp]
00000051    48 8b 71 08                       mov rsi, qword ptr [rcx + 8]
00000055    48 89 74 24 30                    mov qword ptr [rsp + 0x30], rsi
0000005a    4c 8b 44 24 30                    mov r8, qword ptr [rsp + 0x30]
0000005f    4d 8d 48 01                       lea r9, [r8 + 1]
00000063    4c 89 4c 24 40                    mov qword ptr [rsp + 0x40], r9
00000068    4c 8b 54 24 40                    mov r10, qword ptr [rsp + 0x40]
0000006d    48 8b 5c 24 40                    mov rbx, qword ptr [rsp + 0x40]
00000072    4c 85 d3                          test rbx, r10
00000075    48 8b 5c 24 40                    mov rbx, qword ptr [rsp + 0x40]
0000007a    48 89 5c 24 38                    mov qword ptr [rsp + 0x38], rbx
0000007f    0f 8d 0f 00 00 00                 jge 0x94
00000085    48 8b 5c 24 38                    mov rbx, qword ptr [rsp + 0x38]
0000008a    48 89 5c 24 20                    mov qword ptr [rsp + 0x20], rbx
0000008f    e9 33 00 00 00                    jmp 0xc7
00000094    4c 8b 5c 24 30                    mov r11, qword ptr [rsp + 0x30]
00000099    4d 8d 6b 01                       lea r13, [r11 + 1]
0000009d    4c 8b 24 24                       mov r12, qword ptr [rsp]
000000a1    4d 89 6c 24 08                    mov qword ptr [r12 + 8], r13
000000a6    48 8b 7c 24 18                    mov rdi, qword ptr [rsp + 0x18]
000000ab    e8 7e 03 00 00                    call 0x42e
000000b0    4c 8b 34 24                       mov r14, qword ptr [rsp]
000000b4    4d 8b 7e 08                       mov r15, qword ptr [r14 + 8]
000000b8    4c 89 7c 24 28                    mov qword ptr [rsp + 0x28], r15
000000bd    4c 8b 7c 24 28                    mov r15, qword ptr [rsp + 0x28]
000000c2    4c 89 7c 24 20                    mov qword ptr [rsp + 0x20], r15
000000c7    48 8b 44 24 20                    mov rax, qword ptr [rsp + 0x20]
000000cc    48 8d 50 01                       lea rdx, [rax + 1]
000000d0    48 8b 0c 24                       mov rcx, qword ptr [rsp]
000000d4    48 89 51 08                       mov qword ptr [rcx + 8], rdx
000000d8    48 8b 74 24 18                    mov rsi, qword ptr [rsp + 0x18]
000000dd    48 8b 7c 24 18                    mov rdi, qword ptr [rsp + 0x18]
000000e2    e8 99 00 00 00                    call 0x180
000000e7    4c 8b 04 24                       mov r8, qword ptr [rsp]
000000eb    4d 8b 48 08                       mov r9, qword ptr [r8 + 8]
000000ef    4c 89 4c 24 10                    mov qword ptr [rsp + 0x10], r9
000000f4    c4 41 09 57 fe                    vxorpd xmm15, xmm14, xmm14
000000f9    c5 79 2e 3d 6f 00 00 00           vucomisd xmm15, qword ptr [rip + 0x6f]
00000101    0f 8a 00 00 00 00                 jp 0x107
00000107    48 8b 7c 24 18                    mov rdi, qword ptr [rsp + 0x18]
0000010c    4c 8b 54 24 10                    mov r10, qword ptr [rsp + 0x10]
00000111    49 8d 5a 05                       lea rbx, [r10 + 5]
00000115    4c 8b 1c 24                       mov r11, qword ptr [rsp]
00000119    49 89 5b 08                       mov qword ptr [r11 + 8], rbx
0000011d    48 89 fe                          mov rsi, rdi
00000120    e8 db fe ff ff                    call 0
00000125    4c 8b 24 24                       mov r12, qword ptr [rsp]
00000129    4d 8b 6c 24 08                    mov r13, qword ptr [r12 + 8]
0000012e    4c 89 6c 24 08                    mov qword ptr [rsp + 8], r13
00000133    4c 8b 7c 24 08                    mov r15, qword ptr [rsp + 8]
00000138    4c 8b 34 24                       mov r14, qword ptr [rsp]
0000013c    4d 89 7e 08                       mov qword ptr [r14 + 8], r15
00000140    48 8b 5c 24 50                    mov rbx, qword ptr [rsp + 0x50]
00000145    4c 8b 64 24 58                    mov r12, qword ptr [rsp + 0x58]
0000014a    4c 8b 6c 24 60                    mov r13, qword ptr [rsp + 0x60]
0000014f    4c 8b 74 24 68                    mov r14, qword ptr [rsp + 0x68]
00000154    4c 8b 7c 24 70                    mov r15, qword ptr [rsp + 0x70]
00000159    48 81 c4 80 00 00 00              add rsp, 0x80
00000160    48 89 ec                          mov rsp, rbp
00000163    5d                                pop rbp
00000164    c3                                ret
00000165    0f 0b                             ud2
00000167    00 00                             add byte ptr [rax], al
00000169    00 00                             add byte ptr [rax], al
0000016b    00 00                             add byte ptr [rax], al
0000016d    00 00                             add byte ptr [rax], al
0000016f    00 00                             add byte ptr [rax], al
00000171    00 00                             add byte ptr [rax], al
00000173    00 00                             add byte ptr [rax], al
00000175    00 00                             add byte ptr [rax], al
00000177    00 00                             add byte ptr [rax], al
00000179    00 00                             add byte ptr [rax], al
0000017b    00 00                             add byte ptr [rax], al
0000017d    00 00                             add byte ptr [rax], al
0000017f    00                                .byte 0x00

Disassembly of function <function[1]>:

00000180    55                                push rbp
00000181    48 89 e5                          mov rbp, rsp
00000184    4c 8b 57 08                       mov r10, qword ptr [rdi + 8]
00000188    4d 8b 12                          mov r10, qword ptr [r10]
0000018b    49 81 c2 b0 00 00 00              add r10, 0xb0
00000192    49 39 e2                          cmp r10, rsp
00000195    0f 87 b0 01 00 00                 ja 0x34b
0000019b    48 81 ec a0 00 00 00              sub rsp, 0xa0
000001a2    48 89 5c 24 70                    mov qword ptr [rsp + 0x70], rbx
000001a7    4c 89 64 24 78                    mov qword ptr [rsp + 0x78], r12
000001ac    4c 89 ac 24 80 00 00 00           mov qword ptr [rsp + 0x80], r13
000001b4    4c 89 b4 24 88 00 00 00           mov qword ptr [rsp + 0x88], r14
000001bc    4c 89 bc 24 90 00 00 00           mov qword ptr [rsp + 0x90], r15
000001c4    48 89 7c 24 28                    mov qword ptr [rsp + 0x28], rdi
000001c9    4c 8b 7c 24 28                    mov r15, qword ptr [rsp + 0x28]
000001ce    49 8b 77 08                       mov rsi, qword ptr [r15 + 8]
000001d2    48 89 34 24                       mov qword ptr [rsp], rsi
000001d6    48 8b 04 24                       mov rax, qword ptr [rsp]
000001da    48 8b 48 08                       mov rcx, qword ptr [rax + 8]
000001de    48 89 4c 24 58                    mov qword ptr [rsp + 0x58], rcx
000001e3    48 8b 54 24 58                    mov rdx, qword ptr [rsp + 0x58]
000001e8    4c 8d 42 01                       lea r8, [rdx + 1]
000001ec    4c 89 44 24 68                    mov qword ptr [rsp + 0x68], r8
000001f1    4c 8b 4c 24 68                    mov r9, qword ptr [rsp + 0x68]
000001f6    4c 8b 54 24 68                    mov r10, qword ptr [rsp + 0x68]
000001fb    4d 85 ca                          test r10, r9
000001fe    4c 8b 54 24 68                    mov r10, qword ptr [rsp + 0x68]
00000203    4c 89 54 24 60                    mov qword ptr [rsp + 0x60], r10
00000208    0f 8d 0f 00 00 00                 jge 0x21d
0000020e    4c 8b 54 24 60                    mov r10, qword ptr [rsp + 0x60]
00000213    4c 89 54 24 20                    mov qword ptr [rsp + 0x20], r10
00000218    e9 32 00 00 00                    jmp 0x24f
0000021d    48 8b 5c 24 58                    mov rbx, qword ptr [rsp + 0x58]
00000222    4c 8d 63 01                       lea r12, [rbx + 1]
00000226    4c 8b 1c 24                       mov r11, qword ptr [rsp]
0000022a    4d 89 63 08                       mov qword ptr [r11 + 8], r12
0000022e    48 8b 7c 24 28                    mov rdi, qword ptr [rsp + 0x28]
00000233    e8 f6 01 00 00                    call 0x42e
00000238    4c 8b 2c 24                       mov r13, qword ptr [rsp]
0000023c    4d 8b 75 08                       mov r14, qword ptr [r13 + 8]
00000240    4c 89 74 24 50                    mov qword ptr [rsp + 0x50], r14
00000245    4c 8b 74 24 50                    mov r14, qword ptr [rsp + 0x50]
0000024a    4c 89 74 24 20                    mov qword ptr [rsp + 0x20], r14
0000024f    49 bf 71 3d 0a d7 a3 b0 28 c0     movabs r15, 0xc028b0a3d70a3d71
00000259    c4 41 f9 6e ff                    vmovq xmm15, r15
0000025e    48 8b 74 24 20                    mov rsi, qword ptr [rsp + 0x20]
00000263    48 8d 46 04                       lea rax, [rsi + 4]
00000267    48 89 44 24 48                    mov qword ptr [rsp + 0x48], rax
0000026c    c5 79 2e 3d dc 00 00 00           vucomisd xmm15, qword ptr [rip + 0xdc]
00000274    0f 8a 10 00 00 00                 jp 0x28a
0000027a    48 8b 44 24 48                    mov rax, qword ptr [rsp + 0x48]
0000027f    48 89 44 24 40                    mov qword ptr [rsp + 0x40], rax
00000284    0f 84 0f 00 00 00                 je 0x299
0000028a    48 8b 44 24 40                    mov rax, qword ptr [rsp + 0x40]
0000028f    48 89 44 24 08                    mov qword ptr [rsp + 8], rax
00000294    e9 77 00 00 00                    jmp 0x310
00000299    48 8b 4c 24 20                    mov rcx, qword ptr [rsp + 0x20]
0000029e    48 8d 51 04                       lea rdx, [rcx + 4]
000002a2    48 89 54 24 38                    mov qword ptr [rsp + 0x38], rdx
000002a7    4c 8b 44 24 38                    mov r8, qword ptr [rsp + 0x38]
000002ac    4c 8b 4c 24 38                    mov r9, qword ptr [rsp + 0x38]
000002b1    4d 85 c1                          test r9, r8
000002b4    4c 8b 4c 24 38                    mov r9, qword ptr [rsp + 0x38]
000002b9    4c 89 4c 24 30                    mov qword ptr [rsp + 0x30], r9
000002be    0f 8d 0f 00 00 00                 jge 0x2d3
000002c4    4c 8b 4c 24 30                    mov r9, qword ptr [rsp + 0x30]
000002c9    4c 89 4c 24 10                    mov qword ptr [rsp + 0x10], r9
000002ce    e9 33 00 00 00                    jmp 0x306
000002d3    48 8b 7c 24 28                    mov rdi, qword ptr [rsp + 0x28]
000002d8    4c 8b 54 24 20                    mov r10, qword ptr [rsp + 0x20]
000002dd    49 8d 5a 04                       lea rbx, [r10 + 4]
000002e1    4c 8b 1c 24                       mov r11, qword ptr [rsp]
000002e5    49 89 5b 08                       mov qword ptr [r11 + 8], rbx
000002e9    e8 40 01 00 00                    call 0x42e
000002ee    4c 8b 24 24                       mov r12, qword ptr [rsp]
000002f2    4d 8b 6c 24 08                    mov r13, qword ptr [r12 + 8]
000002f7    4c 89 6c 24 18                    mov qword ptr [rsp + 0x18], r13
000002fc    4c 8b 6c 24 18                    mov r13, qword ptr [rsp + 0x18]
00000301    4c 89 6c 24 10                    mov qword ptr [rsp + 0x10], r13
00000306    4c 8b 6c 24 10                    mov r13, qword ptr [rsp + 0x10]
0000030b    4c 89 6c 24 08                    mov qword ptr [rsp + 8], r13
00000310    4c 8b 7c 24 08                    mov r15, qword ptr [rsp + 8]
00000315    4c 8b 34 24                       mov r14, qword ptr [rsp]
00000319    4d 89 7e 08                       mov qword ptr [r14 + 8], r15
0000031d    48 8b 5c 24 70                    mov rbx, qword ptr [rsp + 0x70]
00000322    4c 8b 64 24 78                    mov r12, qword ptr [rsp + 0x78]
00000327    4c 8b ac 24 80 00 00 00           mov r13, qword ptr [rsp + 0x80]
0000032f    4c 8b b4 24 88 00 00 00           mov r14, qword ptr [rsp + 0x88]
00000337    4c 8b bc 24 90 00 00 00           mov r15, qword ptr [rsp + 0x90]
0000033f    48 81 c4 a0 00 00 00              add rsp, 0xa0
00000346    48 89 ec                          mov rsp, rbp
00000349    5d                                pop rbp
0000034a    c3                                ret
0000034b    0f 0b                             ud2
0000034d    00 00                             add byte ptr [rax], al
0000034f    00 00                             add byte ptr [rax], al
00000351    00 00                             add byte ptr [rax], al
00000353    00 00                             add byte ptr [rax], al
00000355    00 00                             add byte ptr [rax], al
00000357    00 00                             add byte ptr [rax], al
00000359    00 00                             add byte ptr [rax], al
0000035b    00 00                             add byte ptr [rax], al
0000035d    00 00                             add byte ptr [rax], al
0000035f    00                                .byte 0x00
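To see why only the constant matters, here is an added Python re-modelling (not code from the Wasmtime project or from any commenter) of the counter-update block of function[1] at 0x25e..0x319 in the single-pass dump, using the (v)ucomisd flag rules from the Intel SDM: with NaN the compare is unordered, `jp` skips the copy at 0x27a/0x27f, and the value stored at 0x315 is read from [rsp + 0x40], a slot nothing else in the function writes on that path, whereas -12.345 falls through the copy and stores counter + 4. It assumes the rip-relative operand at 0x26c is the 0.0 from `f64.const 0`, that [rsp + 0x20] holds the counter loaded earlier in the function, and it treats the `if` body at 0x299 as a terminal state; the reordered variant at the end (copy ahead of `jp`) is illustrative only, not the project's fix.

```python
"""Trace of the counter-update block of function[1] (0x25e..0x319) from the
single-pass disassembly above, re-modelled in Python.  Added illustration,
not code from the Wasmtime project or from the commenters.

Assumptions (not stated on the page): the rip-relative operand of the
vucomisd at 0x26c is the 0.0 constant from `f64.const 0`, the value at
[rsp + 0x20] is the fuel counter loaded earlier in the function, and the
`if` body at 0x299 is modelled as a terminal state."""
import math

UNINIT = "UNINIT"  # marker for a slot read before any write in this function


def ucomisd(a: float, b: float) -> dict:
    """Flags produced by (v)ucomisd a, b: an unordered compare sets ZF=PF=CF=1."""
    if math.isnan(a) or math.isnan(b):
        return {"ZF": 1, "PF": 1, "CF": 1}
    if a > b:
        return {"ZF": 0, "PF": 0, "CF": 0}
    if a < b:
        return {"ZF": 0, "PF": 0, "CF": 1}
    return {"ZF": 1, "PF": 0, "CF": 0}


# (address, op) in dump order; fall-through is the next list entry, jumps
# target an address.  Slots are the [rsp + off] offsets from the dump.
PROGRAM = [
    (0x25E, ("load", "rsi", 0x20)),     # mov rsi, [rsp + 0x20]   counter
    (0x263, ("lea", "rax", "rsi", 4)),  # lea rax, [rsi + 4]      counter + 4
    (0x267, ("store", 0x48, "rax")),    # mov [rsp + 0x48], rax
    (0x26C, ("ucomisd", 0.0)),          # vucomisd xmm15, [rip + 0xdc]
    (0x274, ("jp", 0x28A)),             # unordered: jump over the copy below
    (0x27A, ("load", "rax", 0x48)),     # mov rax, [rsp + 0x48]
    (0x27F, ("store", 0x40, "rax")),    # mov [rsp + 0x40], rax   edge copy
    (0x284, ("je", 0x299)),             # equal: enter the `if` body
    (0x28A, ("load", "rax", 0x40)),     # mov rax, [rsp + 0x40]
    (0x28F, ("store", 0x08, "rax")),    # mov [rsp + 8], rax
    (0x294, ("jmp", 0x310)),
    (0x299, ("loop",)),                 # `if` body with the loop (not modelled)
    (0x310, ("load", "r15", 0x08)),     # mov r15, [rsp + 8]
    (0x315, ("store_fuel", "r15")),     # mov [r14 + 8], r15      write counter
]


def run(xmm15: float, fuel: int, program=PROGRAM) -> dict:
    """Execute the block; report the path and what reaches the counter store."""
    index = {addr: i for i, (addr, _) in enumerate(program)}
    regs, slots, flags = {}, {0x20: fuel}, None
    result = {"path": [], "fuel_out": None, "entered_loop": False}
    i = 0
    while i is not None and i < len(program):
        addr, op = program[i]
        result["path"].append(addr)
        nxt = i + 1
        kind = op[0]
        if kind == "load":
            regs[op[1]] = slots.get(op[2], UNINIT)   # unwritten slot -> UNINIT
        elif kind == "store":
            slots[op[1]] = regs[op[2]]
        elif kind == "lea":
            regs[op[1]] = regs[op[2]] + op[3]
        elif kind == "ucomisd":
            flags = ucomisd(xmm15, op[1])
        elif kind == "jp":
            nxt = index[op[1]] if flags["PF"] else nxt
        elif kind == "je":
            nxt = index[op[1]] if flags["ZF"] else nxt
        elif kind == "jmp":
            nxt = index[op[1]]
        elif kind == "loop":
            result["entered_loop"], nxt = True, None
        elif kind == "store_fuel":
            result["fuel_out"], nxt = regs[op[1]], None
        i = nxt
    return result


def copy_hoisted(program=PROGRAM) -> list:
    """Illustrative reordering only (not the project's fix): the edge copy at
    0x27a/0x27f placed ahead of the `jp`, so both successors see the value."""
    copy = [item for item in program if item[0] in (0x27A, 0x27F)]
    rest = [item for item in program if item[0] not in (0x27A, 0x27F)]
    at = next(i for i, (addr, _) in enumerate(rest) if addr == 0x274)
    return rest[:at] + copy + rest[at:]


if __name__ == "__main__":
    for label, value in (("nan", float("nan")), ("-12.345", -12.345), ("0.0", 0.0)):
        r = run(value, 100)
        print(f"{label:>8}: path={[hex(a) for a in r['path']]} "
              f"fuel_out={r['fuel_out']} loop={r['entered_loop']}")
    print("nan, copy hoisted:", run(float("nan"), 100, copy_hoisted())["fuel_out"])
```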
