No available generator when generating WASM code

[nbars]

The current head (f31876fff984ef7050adcdbe7f4c8bb3255ed8d0) crashes with the assertion below after some time into fuzzing V8 using --wasm. The crash is caused by

fuzzilli/Sources/Fuzzilli/Base/ProgramBuilder.swift

Lines 1615 to 1618 in f31876f

	if state.mode != .splicing {
	availableGenerators = fuzzer.codeGenerators.filter({ $0.requiredContext.isSubset(of: origContext) })
	assert(!availableGenerators.isEmpty)
	}

not yielding any generators (i.e., availableGenerators being empty). I obseerved origContext beeing wasmFunction, wasm or wasmBlock | wasmFunction when the crash happens.

 0 [inlined] [system]      0x000055cce3a631dc specialized WeightedList.randomElement() in FuzzilliCli at //<compiler-generated>
 1 [inlined]               0x000055cce3a631dc specialized static FixedWidthInteger.random(in:) in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Base/ProgramBuilder.swift:1677:53
 2                         0x000055cce3a631dc ProgramBuilder.buildInternal(initialBuildingBudget:mode:) + 3340 in FuzzilliCli at Sources/Fuzzilli/Util/WeightedList.swift:54:21
 3 [ra] [inlined]          0x000055cce3940819 ProgramBuilder.build(n:by:) in FuzzilliCli at Sources/Fuzzilli/Base/ProgramBuilder.swift:1555:9
 4 [ra]                    0x000055cce3940819 CodeGenMutator.mutate(_:_:) + 184 in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Mutators/CodeGenMutator.swift:42:11
 5 [ra]                    0x000055cce3936684 closure #1 in BaseInstructionMutator.mutate(_:using:for:) + 163 in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Mutators/BaseInstructionMutator.swift:46:21
 6 [ra]                    0x000055cce3a85255 specialized ProgramBuilder.adopting(from:_:) + 164 in FuzzilliCli
 7 [ra] [inlined] [system] 0x000055cce3936523 specialized ProgramBuilder.adopting(from:_:) in FuzzilliCli at //<compiler-generated>
 8 [ra]                    0x000055cce3936523 BaseInstructionMutator.mutate(_:using:for:) + 770 in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Mutators/BaseInstructionMutator.swift:43:11
 9 [ra] [inlined]          0x000055cce3a42a32 Mutator.mutate(_:for:) in FuzzilliCli at Sources/Fuzzilli/Mutators/Mutator.swift:26:23
10 [ra]                    0x000055cce3a42a32 MutationEngine.fuzzOne(_:) + 769 in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Engines/MutationEngine.swift:56:41
11 [ra]                    0x000055cce39b7547 Fuzzer.fuzzOne() + 342 in FuzzilliCli at /home/user/fuzzilli-ng/fuzzilli/Sources/Fuzzilli/Fuzzer.swift:842:20
12 [ra]                    0x000055cce3adcaf9 thunk for @escaping @callee_guaranteed () -> () + 24 in FuzzilliCli

[Liedtke]

Could you share which parameters you passed to Fuzzilli exactly?
With --wasm all wasm code generators should be included, so fuzzer.codeGenerators shouldn't be empty when filtering for .wasmFunction?

Did you modify the V8Profile, e.g. adding entries to the disabledCodeGenerators?

To be in the .wasmFunction context one would need to emit a BeginWasmFunction operation and that should only be available with the wasm code generators and thus there should also be code generators available to generate the instructions inside the wasm function, so I'm not quite sure what would be causing this.

Other than the MapTransitionFuzzer there doesn't seem to be any code overwriting the list of generators and that one shouldn't endup trying to emit something in the middle of a .wasmFunction context (and your stack trace indicates that this isn't it given that it's the mutator that is running here.)

[nbars]

Ahh, well, I found the mistake. I started all instances except the root/leader with --wasm :) Thanks for the hint. However, I still wondering whether this should be the observable behavior.

[novafacing]

This also happens if you run Fuzzilli with --wasm for a while, then resume from the same corpus without passing --wasm. It might be more user friendly to detect the missing code generator when the corpus gets loaded.