Assertion failure in ProgramBuilder.swift:2003 when fuzzing SpiderMonkeyΒ #533
Description
Summary
After approximately 24β48 hours of fuzzing SpiderMonkey using Fuzzilli, the fuzzer crashes due to an internal assertion failure in ProgramBuilder.handleInputTypeFailure(). Backtrace and crash context indicate an assertion failure triggered in ProgramBuilder.emit(_:withInputs:types:), propagating from a type mismatch during execution.
Environment
- Fuzzilli version: 1e0aadb
- Target: SpiderMonkey build (
obj-fuzzbuild/dist/bin/js) - Platform: Ubuntu 24.04.3 LTS x86_64
- Runtime:
6.2 (swift-6.2-RELEASE)
Command used
swift run FuzzilliCli --resume --jobs=40 \
--profile=spidermonkey \
--wasm \
--storagePath=/home/fuzz/spidermonkey-output \
/home/fuzz/gecko-dev/obj-fuzzbuild/dist/bin/jsAnalysis
- The crash originates from a failed assertion validating input types during the emission of a
WasmJsCall. - The failing input combines
.object()and.function()type unions in a configuration not expected by the builder. - The issue likely results from mismatched inferred types during Wasm code generation (see
WasmJsCallandWasmCodeGenerators.swift:893).
Full crash log
Fuzzilli/ProgramBuilder.swift:2003: Assertion failed: Invalid input 1 v3 with type .object() + .function() | .function() + .constructor(), expected .object() | .function() 10:52:47
π£ Program crashed: Illegal instruction at 0x00007f9e3d2e26b8
Platform: x86_64 Linux (Ubuntu 24.04.3 LTS)
Thread 20 crashed:
0 0x00007f9e3d2e26b8 _assertionFailure(_:_:file:line:flags:) + 264 in libswiftCore.so
1 ProgramBuilder.handleInputTypeFailure(_:) + 1017 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Base/ProgramBuilder.swift:2003:9
2001β }
2002β // Fail on debug builds.
2003β assert(false, message)
β β²
2004β }
2005β
2 closure #1 in ProgramBuilder.emit(_:withInputs:types:) + 1206 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Base/ProgramBuilder.swift:2026:21
2024β let actualType = self.type(of: input)
2025β if !actualType.Is(type) {
2026β handleInputTypeFailure("Invalid input \(n + 1) \(input) with type \(actualType), expected \(type)")
β β²
2027β }
2028β }
3 0x00007f9e3d32ef1d Sequence.forEach(_:) + 412 in libswiftCore.so
4 ProgramBuilder.emit(_:withInputs:types:) + 1860 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Base/ProgramBuilder.swift:2022:53
2020β handleInputTypeFailure("expected \(expectedTypes.count) inputs, actual \(inputs.count)")
2021β }
2022β zip(inputs, expectedTypes).enumerated().forEach { n, pair in
β β²
2023β let (input, type) = pair
2024β let actualType = self.type(of: input)
5 ProgramBuilder.WasmFunction.wasmJsCall(function:withArgs:withWasmSignature:) + 931 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Base/ProgramBuilder.swift:3360:27
3358β @discardableResult
3359β public func wasmJsCall(function: Variable, withArgs args: [Variable], withWasmSignature signature: WasmSignature) -> Variable? {
3360β let instr = b.emit(WasmJsCall(signature: signature), withInputs: [function] + args,
β β²
3361β types: [.function() | .object(ofGroup: "WasmSuspendingObject")] + signature.parameterTypes)
3362β if signature.outputTypes.isEmpty {
6 closure #91 in variable initialization expression of WasmCodeGenerators + 382 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/CodeGen/WasmCodeGenerators.swift:893:22
891β let function = b.currentWasmModule.currentWasmFunction
892β if let (wasmSignature, arguments) = b.randomWasmArguments(forCallingJsFunction: callable) {
893β function.wasmJsCall(function: callable, withArgs: arguments, withWasmSignature: wasmSignature)
β β²
894β }
895β },
7 GeneratorAdapter1Arg.run(in:with:) + 296 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/CodeGen/CodeGenerator.swift:46:9
44β func run(in b: ProgramBuilder, with inputs: [Variable]) {
45β assert(inputs.count == 1)
46β f(b, inputs[0])
β β²
47β }
48β }
8 CodeGenerator.run(in:with:) + 252 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/CodeGen/CodeGenerator.swift:194:17
192β public func run(in b: ProgramBuilder, with inputs: [Variable]) -> Int {
193β let codeSizeBeforeGeneration = b.indexOfNextInstruction()
194β adapter.run(in: b, with: inputs)
β β²
195β self.invoked()
196β let codeSizeAfterGeneration = b.indexOfNextInstruction()
9 ProgramBuilder.run(_:) + 1369 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Base/ProgramBuilder.swift:1973:50
1971β }
1972β }
1973β let numGeneratedInstructions = generator.run(in: self, with: inputs)
β β²
1974β trace("Code generator finished")
1975β
10 ProgramBuilder.buildInternal(initialBuildingBudget:mode:) + 3085 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Base/ProgramBuilder.swift:1824:17
1822β let generator = availableGenerators.randomElement()
1823β buildLog?.startAction(generator.name)
1824β run(generator)
β β²
1825β
1826β case .splicing:
11 ProgramBuilder.build(n:by:) + 299 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Base/ProgramBuilder.swift:1700:9
1698β public func build(n: Int = 1, by mode: BuildingMode = .generatingAndSplicing) {
1699β assert(buildStack.isEmpty)
1700β buildInternal(initialBuildingBudget: n, mode: mode)
β β²
1701β assert(buildStack.isEmpty)
1702β }
12 CodeGenMutator.mutate(_:_:) + 649 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Mutators/CodeGenMutator.swift:53:15
51β b.adopt(instr)
52β assert(b.numberOfVisibleVariables >= minVisibleVariables)
53β b.build(n: defaultCodeGenerationAmount, by: .generating)
β β²
54β }
55β }
13 closure #1 in BaseInstructionMutator.mutate(_:using:for:) + 709 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Mutators/BaseInstructionMutator.swift:46:21
44β for instr in program.code {
45β if toMutate.contains(instr.index) {
46β mutate(instr, b)
β β²
47β } else {
48β b.adopt(instr)
14 ProgramBuilder.adopting(from:_:) + 83 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Base/ProgramBuilder.swift:1297:9
1295β public func adopting(from program: Program, _ block: () -> Void) {
1296β beginAdoption(from: program)
1297β block()
β β²
1298β endAdoption()
1299β }
15 BaseInstructionMutator.mutate(_:using:for:) + 1486 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Mutators/BaseInstructionMutator.swift:43:11
41β }
42β
43β b.adopting(from: program) {
β β²
44β for instr in program.code {
45β if toMutate.contains(instr.index) {
16 Mutator.mutate(_:for:) + 315 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Mutators/Mutator.swift:26:23
24β let b = fuzzer.makeBuilder(forMutating: program)
25β b.traceHeader("Mutating \(program.id) with \(name)")
26β let program = mutate(program, using: b, for: fuzzer)
β β²
27β program?.contributors.insert(self)
28β return program
17 MutationEngine.fuzzOne(_:) + 1310 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Engines/MutationEngine.swift:56:41
54β var mutatedProgram: Program? = nil
55β for _ in 0..<maxAttempts {
56β if let result = mutator.mutate(parent, for: fuzzer) {
β β²
57β // Success!
56β if let result = mutator.mutate(parent, for: fuzzer) {
β β²
57β // Success!
58β result.contributors.formUnion(parent.contributors)
18 Fuzzer.fuzzOne() + 12496 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Fuzzer.swift:894:20
892β case .fuzzing:
893β iterations += 1
894β engine.fuzzOne(fuzzGroup)
β β²
895β }
896β
19 closure #1 in Fuzzer.fuzzOne() + 26 in FuzzilliCli at /home/fuzz/fuzzilli/Sources/Fuzzilli/Fuzzer.swift:899:18
897β // Perform the next iteration as soon as all tasks related to the current iteration are finished.
898β fuzzGroup.notify(queue: queue) {
899β self.fuzzOne()
β β²
900β }
901β }
...
Backtrace took 14.56s