
No available generator when generating WASM code

Open nbars opened this issue 10 months ago • 3 comments

The current head (f31876fff984ef7050adcdbe7f4c8bb3255ed8d0) crashes with the assertion below after some time into fuzzing V8 using --wasm. The crash is caused by https://github.com/googleprojectzero/fuzzilli/blob/f31876fff984ef7050adcdbe7f4c8bb3255ed8d0/Sources/Fuzzilli/Base/ProgramBuilder.swift#L1615-L1618 not yielding any generators (i.e., availableGenerators being empty). I observed origContext being wasmFunction, wasm or wasmBlock | wasmFunction when the crash happens.

 0 [inlined] [system]      0x000055cce3a631dc specialized WeightedList.randomElement() in FuzzilliCli at //<compiler-generated>
 1 [inlined]               0x000055cce3a631dc specialized static FixedWidthInteger.random(in:) in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Base/ProgramBuilder.swift:1677:53
 2                         0x000055cce3a631dc ProgramBuilder.buildInternal(initialBuildingBudget:mode:) + 3340 in FuzzilliCli at Sources/Fuzzilli/Util/WeightedList.swift:54:21
 3 [ra] [inlined]          0x000055cce3940819 ProgramBuilder.build(n:by:) in FuzzilliCli at Sources/Fuzzilli/Base/ProgramBuilder.swift:1555:9
 4 [ra]                    0x000055cce3940819 CodeGenMutator.mutate(_:_:) + 184 in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Mutators/CodeGenMutator.swift:42:11
 5 [ra]                    0x000055cce3936684 closure #1 in BaseInstructionMutator.mutate(_:using:for:) + 163 in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Mutators/BaseInstructionMutator.swift:46:21
 6 [ra]                    0x000055cce3a85255 specialized ProgramBuilder.adopting(from:_:) + 164 in FuzzilliCli
 7 [ra] [inlined] [system] 0x000055cce3936523 specialized ProgramBuilder.adopting(from:_:) in FuzzilliCli at //<compiler-generated>
 8 [ra]                    0x000055cce3936523 BaseInstructionMutator.mutate(_:using:for:) + 770 in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Mutators/BaseInstructionMutator.swift:43:11
 9 [ra] [inlined]          0x000055cce3a42a32 Mutator.mutate(_:for:) in FuzzilliCli at Sources/Fuzzilli/Mutators/Mutator.swift:26:23
10 [ra]                    0x000055cce3a42a32 MutationEngine.fuzzOne(_:) + 769 in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Engines/MutationEngine.swift:56:41
11 [ra]                    0x000055cce39b7547 Fuzzer.fuzzOne() + 342 in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Fuzzer.swift:842:20
12 [ra]                    0x000055cce3adcaf9 thunk for @escaping @callee_guaranteed () -> () + 24 in FuzzilliCli

nbars avatar Feb 17 '25 13:02 nbars

Could you share which parameters you passed to Fuzzilli exactly? With --wasm all wasm code generators should be included, so fuzzer.codeGenerators shouldn't be empty when filtering for .wasmFunction?

Did you modify the V8Profile, e.g. adding entries to the disabledCodeGenerators?

To be in the .wasmFunction context one would need to emit a BeginWasmFunction operation and that should only be available with the wasm code generators and thus there should also be code generators available to generate the instructions inside the wasm function, so I'm not quite sure what would be causing this.

Other than the MapTransitionFuzzer there doesn't seem to be any code overwriting the list of generators, and that one shouldn't end up trying to emit something in the middle of a .wasmFunction context (and your stack trace indicates that this isn't it, given that it's the mutator that is running here).

Liedtke avatar Feb 17 '25 15:02 Liedtke

Ahh, well, I found the mistake. I started all instances except the root/leader with --wasm :) Thanks for the hint. However, I'm still wondering whether this should be the observable behavior.

nbars avatar Feb 17 '25 15:02 nbars

This also happens if you run Fuzzilli with --wasm for a while, then resume from the same corpus without passing --wasm. It might be more user friendly to detect the missing code generator when the corpus gets loaded.

novafacing avatar Mar 03 '25 21:03 novafacing

These issues have been addressed now with commits https://github.com/googleprojectzero/fuzzilli/commit/1df538dfdb3015204ca17337cfd439ce01f0c39c and https://github.com/googleprojectzero/fuzzilli/commit/6cec589a40da63f1867be615becfce32b65422ce:

  1. With distributed fuzzing, Fuzzilli reports an error if the nodes run with inconsistent --wasm flags:

Inconsistent state between distributed nodes: The parent has wasm enabled while the current fuzzer has wasm disabled!"

  2. If a corpus was created with wasm enabled and fuzzing is resumed with wasm disabled, all cases requiring wasm will be skipped at import, printing an info line like

[Fuzzer] 74/390 programs require Wasm which is disabled

  3. In case of skipped wasm programs during import, these will be stored in a subdirectory excluded_wasm_programs within the provided --storagePath. They will not be imported from there if the fuzzer is called again with --wasm.

Liedtke avatar Jul 30 '25 09:07 Liedtke
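A small Python model of the mechanism this thread turns on, added here as an illustration and not code from Fuzzilli (whose real implementation is Swift): code generators carry a required context, the weighted list is filtered by the current context before a random pick, and once the Wasm generators are dropped the filtered list for a wasmFunction context is empty, which the model reports with a clear error rather than failing inside the random pick. The same block models the two checks from the final comment: a consistency check between distributed nodes and a corpus import that sequesters programs needing Wasm. The context bits, generator names, the operation names other than BeginWasmFunction, and the corpus programs are all constructed for the example.

```python
import random
from dataclasses import dataclass
from enum import Flag, auto


class Context(Flag):
    """Assumed context bits; Fuzzilli's real Context type has more members."""
    JAVASCRIPT = auto()
    WASM = auto()
    WASM_FUNCTION = auto()


WASM_CONTEXTS = Context.WASM | Context.WASM_FUNCTION


@dataclass(frozen=True)
class CodeGenerator:
    name: str
    required_context: Context  # every bit must be present in the current context
    weight: int = 1


class NoGeneratorAvailable(RuntimeError):
    """Raised explicitly instead of failing inside a random pick over an empty list."""


class WeightedGeneratorList:
    def __init__(self, generators):
        self.generators = list(generators)

    def for_context(self, ctx):
        # Flag containment: the generator's required bits are all set in ctx.
        return [g for g in self.generators if g.required_context in ctx]

    def random_element(self, ctx, rng=random):
        candidates = self.for_context(ctx)
        if not candidates:
            raise NoGeneratorAvailable(f"no code generator available for context {ctx}")
        return rng.choices(candidates, weights=[g.weight for g in candidates], k=1)[0]


# Constructed generator names; only the context each one needs matters here.
ALL_GENERATORS = [
    CodeGenerator("IntegerGen", Context.JAVASCRIPT, weight=5),
    CodeGenerator("CallGen", Context.JAVASCRIPT, weight=3),
    CodeGenerator("WasmFunctionGen", Context.WASM, weight=2),
    CodeGenerator("WasmI32AddGen", Context.WASM_FUNCTION, weight=4),
]


def build_generator_list(wasm_enabled):
    """Model the --wasm flag: without it, generators needing a Wasm context are dropped."""
    if wasm_enabled:
        return WeightedGeneratorList(ALL_GENERATORS)
    return WeightedGeneratorList(g for g in ALL_GENERATORS if not (g.required_context & WASM_CONTEXTS))


@dataclass(frozen=True)
class Program:
    name: str
    operations: tuple  # constructed operation names

# BeginWasmFunction is named in the thread; the other operation names are assumed.
WASM_OPERATIONS = {"BeginWasmModule", "BeginWasmFunction", "EndWasmFunction", "EndWasmModule"}


def requires_wasm(program):
    return any(op in WASM_OPERATIONS for op in program.operations)


def import_corpus(programs, wasm_enabled):
    """Split a corpus into importable programs and ones excluded because they need Wasm."""
    imported, excluded = [], []
    for p in programs:
        (excluded if requires_wasm(p) and not wasm_enabled else imported).append(p)
    info = f"[Fuzzer] {len(excluded)}/{len(programs)} programs require Wasm which is disabled" if excluded else None
    return imported, excluded, info


def check_distributed_consistency(parent_wasm_enabled, child_wasm_enabled):
    """Refuse to join a parent whose --wasm setting differs from ours."""
    if parent_wasm_enabled != child_wasm_enabled:
        word = {True: "enabled", False: "disabled"}
        raise ValueError("Inconsistent state between distributed nodes: the parent has wasm "
                         f"{word[parent_wasm_enabled]} while the current fuzzer has wasm {word[child_wasm_enabled]}")


CORPUS = (  # constructed corpus: p1 and p3 contain Wasm operations
    Program("p0", ("LoadInteger", "CallFunction")),
    Program("p1", ("BeginWasmModule", "BeginWasmFunction", "EndWasmFunction", "EndWasmModule")),
    Program("p2", ("LoadString",)),
    Program("p3", ("BeginWasmModule", "EndWasmModule")),
)


def run_scenarios():
    rng, out = random.Random(0), {}
    js_only = build_generator_list(wasm_enabled=False)
    out["js_pick"] = js_only.random_element(Context.JAVASCRIPT, rng).name
    try:  # the situation from the report: wasmFunction context, no Wasm generators loaded
        out["wasm_pick_disabled"] = js_only.random_element(Context.WASM_FUNCTION, rng).name
    except NoGeneratorAvailable as e:
        out["wasm_pick_disabled"] = str(e)
    out["wasm_pick_enabled"] = build_generator_list(True).random_element(Context.WASM_FUNCTION, rng).name
    imported, excluded, info = import_corpus(CORPUS, wasm_enabled=False)
    out["imported"], out["excluded"], out["info"] = [p.name for p in imported], [p.name for p in excluded], info
    try:
        check_distributed_consistency(parent_wasm_enabled=True, child_wasm_enabled=False)
        out["consistency"] = "ok"
    except ValueError as e:
        out["consistency"] = str(e)
    return out


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Running the block prints one line per scenario: a JavaScript-context pick succeeds with Wasm disabled, the wasmFunction-context pick fails with a named error instead of an opaque assertion, the same pick succeeds once the Wasm generators are loaded, two of the four constructed programs are excluded at import with the info line, and the mismatched node configuration is rejected before any fuzzing starts.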