Stream: git-cranelift

Topic: cranelift / Issue #1219 Verifier(?) bug in divert-heavy f...


GitHub (Jan 24 2020 at 19:26):

iximeow commented on Issue #1219:

Basic blocks are no longer optional, so this error is no longer reachable.

GitHub (Jan 24 2020 at 19:26):

iximeow closed Issue #1219 (assigned to iximeow):

First, some clif:

; guest_func_73448
function u0:73448(i64 vmctx, i32, i32) -> i32 system_v {
    gv0 = vmctx
    heap0 = static gv0, min 0x0052_0000, bound 0x0052_0000, offset_guard 0x0040_0000, index_type i32

                                ebb0(v0: i64, v1: i32, v2: i32):
                                    v14 -> v1
                                    v22 -> v2
@15eb1d7                            v12 = iconst.i32 0
@15eb1db                            v13 = iconst.i32 0
@15eb1df                            jump ebb11(v12, v13)

                                ebb11(v25: i32, v110: i32):
@15eb2c3                            v102 = iconst.i32 12
@15eb2c5                            v103 = sdiv v110, v102
@15eb2ce                            brnz v25, ebb2
@15eb2d4                            brnz v110, ebb13
@15eb2d8                            v108 = iconst.i32 4
@15eb2da                            v109 = iadd v25, v108
@15eb2df                            v111 = iconst.i32 1
@15eb2e1                            v112 = iadd v110, v111
@15eb2e6                            v113 = heap_addr.i64 heap0, v22, 1
@15eb2e6                            v114 = load.i32 v113+4
@15eb2e9                            v115 = icmp sge v112, v114
@15eb2e9                            v116 = bint.i32 v115
@15eb2ea                            brnz v116, ebb10(v14)
@15eb2ec                            jump ebb11(v109, v112)

                                ebb13:
@15eb30b                            trap unreachable

                                ebb10(v121: i32):
@15eb315                            return v121

                                ebb2:
@15eb3fd                            trap unreachable
}

(EDIT: Missed the closing } in this clif at first!)

When built through clif-util, like: ./target/debug/clif-util compile --target x86_64 -D the_file.clif, this produces a verifier error as a result of what looks like a regalloc bug.

clif-util's output, including the reported error:

     Running `target/debug/clif-util compile --target x86_64 -D ../yosys-lucetc-issue_0.4.1_guest_func_73448.clif`
function u0:73448(i64 vmctx [%rdi], i32 [%rsi], i32 [%rdx]) -> i32 [%rax] system_v {
    gv0 = vmctx
    heap0 = static gv0, min 0x0052_0000, bound 0x0052_0000, offset_guard 0x0040_0000, index_type i32

                                ebb0(v0: i64 [%rdi], v1: i32 [%rsi], v2: i32 [%rdx]):
                                    v126 -> v0
                                    v14 -> v1
                                    v22 -> v2
@15eb1d7 [RexOp1pu_id#b8,%rax]      v12 = iconst.i32 0
@15eb1db [RexOp1pu_id#b8,%rcx]      v13 = iconst.i32 0
@15eb1df [Op1jmpb#eb]               jump ebb11(v12, v13)

                                ebb11(v25: i32 [%rax], v110: i32 [%rcx]):
@15eb2c3 [RexOp1pu_id#b8,%rbx]      v102 = iconst.i32 12
@15eb2c5 [RexOp1umr#89,%r8]         v127 = copy v110
@15eb2c5 [RexOp1r_ib#70c1,%r8]      v122 = sshr_imm v127, 31
@15eb2c5 [RexOp1umr#89,%r9]         v128 = copy v110
@15eb2c5 [RexOp1rmov#89]            regmove.i32 v2, %rdx -> %r10
@15eb2c5 [RexOp1rmov#89]            regmove v122, %r8 -> %rdx
@15eb2c5 [RexOp1rmov#89]            regmove.i32 v2, %r10 -> %r8
@15eb2c5 [RexOp1rmov#89]            regmove v25, %rax -> %r10
@15eb2c5 [RexOp1rmov#89]            regmove v128, %r9 -> %rax
@15eb2c5 [RexOp1rmov#89]            regmove v25, %r10 -> %r9
@15eb2c5 [RexOp1div#70f7,%rax,%rdx] v103, v123 = x86_sdivmodx v128, v122, v102
@15eb2ce [RexOp1tjccb#75]           brnz v25, ebb2
@15eb2d4 [RexOp1tjccb#75]           brnz v110, ebb13
@15eb2d8 [RexOp1pu_id#b8,%rax]      v108 = iconst.i32 4
@15eb2da [RexOp1rmov#89]            regmove v25, %r9 -> %rbx
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; error: inst37: inconsistent with global location %rax (regmove.i32 v25, %9 -> %3)

@15eb2da [RexOp1rr#01,%rbx]         v109 = iadd v25, v108
@15eb2df [RexOp1pu_id#b8,%rax]      v111 = iconst.i32 1
@15eb2e1 [RexOp1rr#01,%rcx]         v112 = iadd v110, v111
@15eb2e6 [RexOp1icscc_id#7081,%rax] v124 = icmp_imm.i32 uge v2, 0x0051_fffe
@15eb2e6 [RexOp1rmov#89]            regmove.i32 v2, %r8 -> %rdx
@15eb2e6 [RexOp1t8jccb#74]          brz v124, ebb15
@15eb2e6 [Op1jmpb#eb]               jump ebb14

                                ebb14:
@15eb2e6 [Op2trap#40b]              trap heap_oob

                                ebb15:
@15eb2e6 [RexOp1umr#89,%rax]        v125 = uextend.i64 v2
@15eb2e6 [RexOp1umr#8089,%r8]       v129 = copy.i64 v0
@15eb2e6 [RexOp1rr#8001,%r8]        v113 = iadd v129, v125
@15eb2e6 [RexOp1ldDisp8#8b,%rax]    v114 = load.i32 v113+4
@15eb2e9 [RexOp1icscc#39,%rax]      v115 = icmp.i32 sge v112, v114
@15eb2e9 [RexOp2urm_noflags#4b6,%rax] v116 = bint.i32 v115
@15eb2ea [RexOp1tjccb#75]           brnz v116, ebb10(v1)
@15eb2ec [RexOp1rmov#89]            regmove.i32 v109, %rbx -> %rax
@15eb2ec [Op1jmpb#eb]               jump ebb11(v109, v112)

                                ebb13:
@15eb30b [Op2trap#40b]              trap unreachable

                                ebb10(v121: i32 [%rsi]):
@15eb315 [RexOp1rmov#89]            regmove v121, %rsi -> %rax
@15eb315 [Op1ret#c3]                return v121

                                ebb2:
@15eb3fd [Op2trap#40b]              trap unreachable
}

; 1 verifier error detected (see above). Compilation aborted.

This is a minimization of a bug reported in lucet, https://github.com/fastly/lucet/issues/361 - I've only tried this with a few cranelift versions (0.46.1, 0.43.0, plus another older one which I don't recall).

The important pieces here are, I think, the sdivmodx on a basic block parameter, which is fairly constrained and forces several values to move around, and a subsequent regmove:

@15eb2da [RexOp1rmov#89]            regmove v25, %r9 -> %rbx
;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
; error: inst37: inconsistent with global location %rax (regmove.i32 v25, %9 -> %3)

It looks like the verifier is expecting v25 to end up in rax after the last assignment in the basic block, but it's in rbx instead, resulting in the error.
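
A simplified replay of the regmove chain in ebb11, added here as an example (it is not code from the issue or from Cranelift's verifier): each regmove's source register is checked against the location tracked for that value. `EBB11` and `HOMES` are transcribed from the dump above; the `forget_at_branch` switch is hypothetical and models, as an assumption, a checker that drops its diversion tracking at a branch.

```rust
use std::collections::HashMap;

// Constructed excerpt: the regmoves and branches of ebb11 from the dump above.
const EBB11: &str = "\
@15eb2c5 [RexOp1rmov#89]  regmove.i32 v2, %rdx -> %r10
@15eb2c5 [RexOp1rmov#89]  regmove v122, %r8 -> %rdx
@15eb2c5 [RexOp1rmov#89]  regmove.i32 v2, %r10 -> %r8
@15eb2c5 [RexOp1rmov#89]  regmove v25, %rax -> %r10
@15eb2c5 [RexOp1rmov#89]  regmove v128, %r9 -> %rax
@15eb2c5 [RexOp1rmov#89]  regmove v25, %r10 -> %r9
@15eb2ce [RexOp1tjccb#75] brnz v25, ebb2
@15eb2d4 [RexOp1tjccb#75] brnz v110, ebb13
@15eb2da [RexOp1rmov#89]  regmove v25, %r9 -> %rbx
@15eb2e6 [RexOp1rmov#89]  regmove.i32 v2, %r8 -> %rdx";

// Assigned ("global") registers, read off the annotations in the dump.
const HOMES: [(&str, &str); 4] =
    [("v2", "%rdx"), ("v25", "%rax"), ("v122", "%r8"), ("v128", "%r9")];

/// Replays the regmoves and returns the first inconsistency, if any.
/// `forget_at_branch` is a hypothetical switch (assumption, see lead-in).
fn check(dump: &str, forget_at_branch: bool) -> Option<String> {
    let homes: HashMap<&str, &str> = HOMES.iter().cloned().collect();
    let mut diverted: HashMap<&str, &str> = HashMap::new();
    for line in dump.lines() {
        // Instruction text follows the "[encoding]" annotation.
        let inst = line.split(']').nth(1).unwrap_or("");
        let t: Vec<&str> = inst.split_whitespace().collect();
        if t.is_empty() { continue; }
        if t[0].starts_with("br") && forget_at_branch {
            diverted.clear();
        } else if t[0].starts_with("regmove") && t.len() == 5 {
            let (val, src, dst) = (t[1].trim_end_matches(','), t[2], t[4]);
            match (diverted.get(val), homes.get(val)) {
                (Some(cur), _) if *cur != src =>
                    return Some(format!("{}: inconsistent with current diversion to {}", val, cur)),
                (None, Some(home)) if *home != src =>
                    return Some(format!("{}: inconsistent with global location {}", val, home)),
                _ => {}
            }
            diverted.insert(val, dst);
        }
    }
    None
}

fn main() {
    println!("diversions kept across branches: {:?}", check(EBB11, false));
    println!("diversions dropped at a branch:  {:?}", check(EBB11, true));
}
```

With tracking kept for the whole block the chain is self-consistent; with tracking dropped at the two `brnz` instructions, the first complaint is about the same `regmove v25, %r9 -> %rbx` that the dump flags.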


Last updated: Jan 24 2025 at 00:11 UTC