Stream: git-wasmtime

Topic: wasmtime / issue #10407 [GC] `global.set` or `table.set` ...

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 09:07):

f52985 added the bug label to Issue #10407.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 09:07):

f52985 opened issue #10407:

Test Case

;; global.wast
(module
  (global $g (mut anyref) ;; or eqref
    ;;(i32.const 262_135) ;; OK
    (i32.const 262_136)
    (ref.i31)
  )
  (func (export "f")
    ;;(i32.const 262_135) ;; OK
    (i32.const 262_136)
    (ref.i31)
    (global.set $g)
  )
)
(assert_return (invoke "f"))

;; table.wast
(module
  (table $t i32 1 anyref ;; or eqref
    ;;(i32.const 262_135) ;; OK
    (i32.const 262_136)
    (ref.i31)
  )
  (func (export "f")
    (i32.const 0)
    ;;(i32.const 262_135) ;; OK
    (i32.const 262_136)
    (ref.i31)
    (table.set $t)
  )
)
(assert_return (invoke "f"))

Steps to Reproduce

wasmtime wast -W gc=y global.wast
wasmtime wast -W gc=y -W function-references=y table.wast

Expected Results

Ternimates normally

Actual Results

[1] 57797 illegal hardware instruction wasmtime wast -W gc=y global.wast
[1] 57844 illegal hardware instruction wasmtime wast -W gc=y -W function-references=y table.wast

Versions and Environment

Wasmtime version or commit: wasmtime 30.0.2 (398694a59 2025-02-25)

Operating system: MacOS Sonoma 14.5(23F79) (Also confirmed on Ubuntu 20.04.6 LTS)

Architecture: Apple M3

Extra Info

There are some specific requirements for triggering this bug:

  1. global.set or table.set is required. The bug is not triggered for global.get or table.get.
  2. There are two ref.i31 values for each module: the initializer value, and the new value being set. At least one number that goes into the ref.i31 should be larger than or equal to 262,136 (Perhaps it has something to do with the fact that 2^18 == 262,144?)
  3. The global type or table type must be anyref or eqref. The bug is not triggered for non-nullable references (ref any, ref eq), or i31 references (i31ref)

These might be helpful for localizing the root cause.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 14:15):

alexcrichton added the fuzz-bug label to Issue #10407.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 14:15):

alexcrichton assigned fitzgen to issue #10407.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 15:55):

fitzgen commented on issue #10407:

Thanks for filing, the reduced test case, and the extra info!

view this post on Zulip Wasmtime GitHub notifications bot (Mar 18 2025 at 00:49):

fitzgen commented on issue #10407:

Hm, I'm not able to reproduce on main at commit 1ea710d60a with either test case.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 18 2025 at 00:49):

fitzgen commented on issue #10407:

FWIW, I am on x86_64, not aarch64, but I really wouldn't expect that to make a difference here.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 18 2025 at 05:19):

f52985 closed issue #10407:

Test Case

;; global.wast
(module
  (global $g (mut anyref) ;; or eqref
    ;;(i32.const 262_135) ;; OK
    (i32.const 262_136)
    (ref.i31)
  )
  (func (export "f")
    ;;(i32.const 262_135) ;; OK
    (i32.const 262_136)
    (ref.i31)
    (global.set $g)
  )
)
(assert_return (invoke "f"))

;; table.wast
(module
  (table $t i32 1 anyref ;; or eqref
    ;;(i32.const 262_135) ;; OK
    (i32.const 262_136)
    (ref.i31)
  )
  (func (export "f")
    (i32.const 0)
    ;;(i32.const 262_135) ;; OK
    (i32.const 262_136)
    (ref.i31)
    (table.set $t)
  )
)
(assert_return (invoke "f"))

Steps to Reproduce

wasmtime wast -W gc=y global.wast
wasmtime wast -W gc=y -W function-references=y table.wast

Expected Results

Ternimates normally

Actual Results

[1] 57797 illegal hardware instruction wasmtime wast -W gc=y global.wast
[1] 57844 illegal hardware instruction wasmtime wast -W gc=y -W function-references=y table.wast

Versions and Environment

Wasmtime version or commit: wasmtime 30.0.2 (398694a59 2025-02-25)

Operating system: MacOS Sonoma 14.5(23F79) (Also confirmed on Ubuntu 20.04.6 LTS)

Architecture: Apple M3

Extra Info

There are some specific requirements for triggering this bug:

  1. global.set or table.set is required. The bug is not triggered for global.get or table.get.
  2. There are two ref.i31 values for each module: the initializer value, and the new value being set. At least one number that goes into the ref.i31 should be larger than or equal to 262,136 (Perhaps it has something to do with the fact that 2^18 == 262,144?)
  3. The global type or table type must be anyref or eqref. The bug is not triggered for non-nullable references (ref any, ref eq), or i31 references (i31ref)

These might be helpful for localizing the root cause.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 18 2025 at 05:19):

f52985 commented on issue #10407:

Thanks for checking! I also tested again on the commit (1ea710d60a) and can confirm that the issue is no longer reproducible. It looks like it was fixed somewhere along the way. I'll go ahead and close the issue.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 18 2025 at 15:15):

alexcrichton commented on issue #10407:

Bisection shows this was fixed in #10221

Last updated: Apr 18 2025 at 22:03 UTC