Fuzzer failure in fuzz_simplify #7811

Open
steven-johnson opened this issue Aug 28, 2023 · 2 comments · May be fixed by #7813
@steven-johnson
Contributor

Running fuzz_simplify on the enclosed file produces a failure:

$ ./build/linux-x64-fuzzer/test/fuzz/fuzz_simplify /tmp/testcase-5562105212239872 
Simplified Expr is not equal() to Original Expr!
Var a = -128
Var b = -128
Var c = -128
Var d = -128
Var e = -128
Original Expr is: (max(int32(select((uint32)3980344417 == uint32((int0)a), uint32((int0)a) - uint32((int0)a), (uint32)2147483648)), -128) - int32((int0)c))
Simplified Expr is: (int32(select(uint32((int0)a) == (uint32)3980344417, (uint32)0, (uint32)2147483648)) - int32((int0)c))
In vector lane 0, original -> simplified:
   (max(int32(select((uint32)3980344417 == uint32((int0)a), uint32((int0)a) - uint32((int0)a), (uint32)2147483648)), -128) - int32((int0)c)) -> 0
   (int32(select(uint32((int0)a) == (uint32)3980344417, (uint32)0, (uint32)2147483648)) - int32((int0)c)) -> -2147483520
fuzz_simplify: /usr/local/google/home/srj/GitHub/Halide/test/fuzz/simplify.cpp:359: int LLVMFuzzerTestOneInput(const uint8_t *, size_t): Assertion `test_expression(fdp, test, samples)' failed.
==747475== ERROR: libFuzzer: deadly signal

testcase-5562105212239872.zip

@steven-johnson
Contributor Author

Initially assigning to @abadams for triage

@abadams
Member

abadams commented Aug 28, 2023

This one's definitely caused by defining uint32 -> int32 to wrap. max(i32(some_u32), -128) is being simplified to i32(some_u32) because something is assuming a uint32 cast to an int32 could never be negative. Just need to find what.
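To make the mismatch concrete, here is an added example (not Halide's own code) that models the wrapping uint32 -> int32 cast, evaluates both expressions from the fuzzer report for a = c = -128, and checks exactly when the rewrite max(i32(u), -128) -> i32(u) is valid. It assumes a and c are int8 values (the report prints them as (int0)a / (int0)c) and that the cast wraps modulo 2^32.

```cpp
#include <algorithm>
#include <cstdint>

// Halide defines the uint32 -> int32 cast to wrap (two's complement
// reinterpretation), so any value >= 2^31 becomes negative. Modelled through
// int64 so the result is well defined regardless of C++ standard version.
static int32_t i32_wrap(uint32_t u) {
    int64_t v = static_cast<int64_t>(u);
    if (v >= 2147483648LL) v -= 4294967296LL;
    return static_cast<int32_t>(v);
}

// The rewrite that misfired: max(i32(u), -128) -> i32(u). It only holds when
// the wrapped value is already >= -128; u in [2^31, 2^32 - 128) breaks it.
static bool rewrite_is_valid(uint32_t u) {
    int32_t with_max = std::max(i32_wrap(u), static_cast<int32_t>(-128));
    return with_max == i32_wrap(u);
}

struct Pair {
    int64_t original;    // value of the Original Expr
    int64_t simplified;  // value of the Simplified Expr
};

// Both expressions from the fuzzer report, evaluated for a given a and c.
// Assumption: a and c are int8 (the report prints them as (int0)a / (int0)c).
// The final subtraction is done in int64 to sidestep signed-overflow UB.
static Pair evaluate_report(int8_t a, int8_t c) {
    const uint32_t magic = 3980344417u;
    uint32_t ua = static_cast<uint32_t>(static_cast<int32_t>(a));  // uint32((int0)a)
    int64_t ic = static_cast<int64_t>(c);                           // int32((int0)c)

    // Original: max(int32(select(magic == ua, ua - ua, 2147483648u)), -128) - int32(c)
    uint32_t sel_orig = (magic == ua) ? (ua - ua) : 2147483648u;
    int64_t original = std::max(i32_wrap(sel_orig), static_cast<int32_t>(-128)) - ic;

    // Simplified: int32(select(ua == magic, 0u, 2147483648u)) - int32(c)
    uint32_t sel_simp = (ua == magic) ? 0u : 2147483648u;
    int64_t simplified = i32_wrap(sel_simp) - ic;

    return {original, simplified};
}
```

With a = c = -128 the select picks 2147483648, which wraps to INT32_MIN; the max clamps it to -128 in the original expression but the simplified one has dropped the clamp, giving 0 versus -2147483520 as in the report.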
