Stream: git-wasmtime

Topic: wasmtime / issue #10409 cranelift fuzzgen: fuzz failure i...


view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 18:09):

fitzgen added the cranelift:area:clif label to Issue #10409.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 18:09):

fitzgen added the fuzz-bug label to Issue #10409.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 18:09):

fitzgen opened issue #10409:

Here is the (gzipped) raw fuzzer input: fuzz-input.gz

Here is the generated clif function:

function u0:0(f64, f64, f64, f64, i16x8, i16x8, i16x8, f32, f64, f64, i16, i8, i64x2, f64, f64) -> f64, f64, f64, f64, f64, f64, i64x2 system_v {
        ; Fuzzgen reproducer for issue #10409: 15 parameters, 7 results.
        ; Six signatures / libcall references are declared; only fn0 (%CeilF32)
        ; is ever called below, fn1..fn5 are dead declarations.
        sig0 = (f32) -> f32 system_v
        sig1 = (f64) -> f64 system_v
        sig2 = (f32) -> f32 system_v
        sig3 = (f64) -> f64 system_v
        sig4 = (f32) -> f32 system_v
        sig5 = (f64) -> f64 system_v
        fn0 = %CeilF32 sig0
        fn1 = %CeilF64 sig1
        fn2 = %FloorF32 sig2
        fn3 = %FloorF64 sig3
        fn4 = %TruncF32 sig4
        fn5 = %TruncF64 sig5

    block0(v0: f64, v1: f64, v2: f64, v3: f64, v4: i16x8, v5: i16x8, v6: i16x8, v7: f32, v8: f64, v9: f64, v10: i16, v11: i8, v12: i64x2, v13: f64, v14: f64):
        ; v15, v17, v18, v19 and v21 are dead: nothing below reads them.
        ; v16 (= 96) is the shift amount used twice on v12.
        v15 = iconst.i8 32
        v16 = iconst.i8 96
        v17 = iconst.i8 0
        v18 = iconst.i16 0
        v19 = iconst.i32 0
        v20 = iconst.i64 0
        v21 = uextend.i128 v20  ; v20 = 0
        ; The interesting pair: shift the i64x2 parameter left and then right by
        ; the same amount (96, wider than a single 64-bit lane). Per the discussion
        ; below, this is what the egraph pass rewrote into a scalar `ireduce.i32`
        ; followed by `uextend.i64x2`, which the verifier then choked on.
        v22 = ishl v12, v16  ; v16 = 96
        v23 = ushr v22, v16  ; v16 = 96
        ; 58 chained calls to %CeilF32 (v24..v81); the final value v81 is unused.
        v24 = call fn0(v7)
        v25 = call fn0(v24)
        v26 = call fn0(v25)
        v27 = call fn0(v26)
        v28 = call fn0(v27)
        v29 = call fn0(v28)
        v30 = call fn0(v29)
        v31 = call fn0(v30)
        v32 = call fn0(v31)
        v33 = call fn0(v32)
        v34 = call fn0(v33)
        v35 = call fn0(v34)
        v36 = call fn0(v35)
        v37 = call fn0(v36)
        v38 = call fn0(v37)
        v39 = call fn0(v38)
        v40 = call fn0(v39)
        v41 = call fn0(v40)
        v42 = call fn0(v41)
        v43 = call fn0(v42)
        v44 = call fn0(v43)
        v45 = call fn0(v44)
        v46 = call fn0(v45)
        v47 = call fn0(v46)
        v48 = call fn0(v47)
        v49 = call fn0(v48)
        v50 = call fn0(v49)
        v51 = call fn0(v50)
        v52 = call fn0(v51)
        v53 = call fn0(v52)
        v54 = call fn0(v53)
        v55 = call fn0(v54)
        v56 = call fn0(v55)
        v57 = call fn0(v56)
        v58 = call fn0(v57)
        v59 = call fn0(v58)
        v60 = call fn0(v59)
        v61 = call fn0(v60)
        v62 = call fn0(v61)
        v63 = call fn0(v62)
        v64 = call fn0(v63)
        v65 = call fn0(v64)
        v66 = call fn0(v65)
        v67 = call fn0(v66)
        v68 = call fn0(v67)
        v69 = call fn0(v68)
        v70 = call fn0(v69)
        v71 = call fn0(v70)
        v72 = call fn0(v71)
        v73 = call fn0(v72)
        v74 = call fn0(v73)
        v75 = call fn0(v74)
        v76 = call fn0(v75)
        v77 = call fn0(v76)
        v78 = call fn0(v77)
        v79 = call fn0(v78)
        v80 = call fn0(v79)
        v81 = call fn0(v80)
        ; Returns v0 six times plus the shifted vector v23. The ill-typed
        ; instructions reported below were inserted just before this return.
        return v0, v0, v0, v0, v0, v0, v23
    }

This function fails CLIF verification; note that the verifier does not report a verifier error but panics on an internal assertion in `cranelift/codegen/src/ir/instructions.rs` while checking the type constraint:

[2025-03-17T18:05:53Z TRACE cranelift_codegen::verifier] verifying inst70: v85 = uextend.i64x2 v84
thread '<unnamed>' panicked at cranelift/codegen/src/ir/instructions.rs:810:21:
The Narrower constraint only operates on floats or ints, got types::I64X2

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 18:12):

fitzgen edited issue #10409:

Here is the (gzipped) raw fuzzer input (as of 1ea710d6): fuzz-input.gz

Here is the generated clif function:

function u0:0(f64, f64, f64, f64, i16x8, i16x8, i16x8, f32, f64, f64, i16, i8, i64x2, f64, f64) -> f64, f64, f64, f64, f64, f64, i64x2 system_v {
        ; Fuzzgen reproducer for issue #10409: 15 parameters, 7 results.
        ; Six signatures / libcall references are declared; only fn0 (%CeilF32)
        ; is ever called below, fn1..fn5 are dead declarations.
        sig0 = (f32) -> f32 system_v
        sig1 = (f64) -> f64 system_v
        sig2 = (f32) -> f32 system_v
        sig3 = (f64) -> f64 system_v
        sig4 = (f32) -> f32 system_v
        sig5 = (f64) -> f64 system_v
        fn0 = %CeilF32 sig0
        fn1 = %CeilF64 sig1
        fn2 = %FloorF32 sig2
        fn3 = %FloorF64 sig3
        fn4 = %TruncF32 sig4
        fn5 = %TruncF64 sig5

    block0(v0: f64, v1: f64, v2: f64, v3: f64, v4: i16x8, v5: i16x8, v6: i16x8, v7: f32, v8: f64, v9: f64, v10: i16, v11: i8, v12: i64x2, v13: f64, v14: f64):
        ; v15, v17, v18, v19 and v21 are dead: nothing below reads them.
        ; v16 (= 96) is the shift amount used twice on v12.
        v15 = iconst.i8 32
        v16 = iconst.i8 96
        v17 = iconst.i8 0
        v18 = iconst.i16 0
        v19 = iconst.i32 0
        v20 = iconst.i64 0
        v21 = uextend.i128 v20  ; v20 = 0
        ; The interesting pair: shift the i64x2 parameter left and then right by
        ; the same amount (96, wider than a single 64-bit lane). Per the discussion
        ; below, this is what the egraph pass rewrote into a scalar `ireduce.i32`
        ; followed by `uextend.i64x2`, which the verifier then choked on.
        v22 = ishl v12, v16  ; v16 = 96
        v23 = ushr v22, v16  ; v16 = 96
        ; 58 chained calls to %CeilF32 (v24..v81); the final value v81 is unused.
        v24 = call fn0(v7)
        v25 = call fn0(v24)
        v26 = call fn0(v25)
        v27 = call fn0(v26)
        v28 = call fn0(v27)
        v29 = call fn0(v28)
        v30 = call fn0(v29)
        v31 = call fn0(v30)
        v32 = call fn0(v31)
        v33 = call fn0(v32)
        v34 = call fn0(v33)
        v35 = call fn0(v34)
        v36 = call fn0(v35)
        v37 = call fn0(v36)
        v38 = call fn0(v37)
        v39 = call fn0(v38)
        v40 = call fn0(v39)
        v41 = call fn0(v40)
        v42 = call fn0(v41)
        v43 = call fn0(v42)
        v44 = call fn0(v43)
        v45 = call fn0(v44)
        v46 = call fn0(v45)
        v47 = call fn0(v46)
        v48 = call fn0(v47)
        v49 = call fn0(v48)
        v50 = call fn0(v49)
        v51 = call fn0(v50)
        v52 = call fn0(v51)
        v53 = call fn0(v52)
        v54 = call fn0(v53)
        v55 = call fn0(v54)
        v56 = call fn0(v55)
        v57 = call fn0(v56)
        v58 = call fn0(v57)
        v59 = call fn0(v58)
        v60 = call fn0(v59)
        v61 = call fn0(v60)
        v62 = call fn0(v61)
        v63 = call fn0(v62)
        v64 = call fn0(v63)
        v65 = call fn0(v64)
        v66 = call fn0(v65)
        v67 = call fn0(v66)
        v68 = call fn0(v67)
        v69 = call fn0(v68)
        v70 = call fn0(v69)
        v71 = call fn0(v70)
        v72 = call fn0(v71)
        v73 = call fn0(v72)
        v74 = call fn0(v73)
        v75 = call fn0(v74)
        v76 = call fn0(v75)
        v77 = call fn0(v76)
        v78 = call fn0(v77)
        v79 = call fn0(v78)
        v80 = call fn0(v79)
        v81 = call fn0(v80)
        ; Returns v0 six times plus the shifted vector v23. The ill-typed
        ; instructions reported below were inserted just before this return.
        return v0, v0, v0, v0, v0, v0, v23
    }

This function fails CLIF verification; note that the verifier does not report a verifier error but panics on an internal assertion in `cranelift/codegen/src/ir/instructions.rs` while checking the type constraint:

[2025-03-17T18:05:53Z TRACE cranelift_codegen::verifier] verifying inst70: v85 = uextend.i64x2 v84
thread '<unnamed>' panicked at cranelift/codegen/src/ir/instructions.rs:810:21:
The Narrower constraint only operates on floats or ints, got types::I64X2

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 18:12):

fitzgen edited issue #10409:

Here is the (gzipped) raw fuzzer input (as of commit 1ea710d6 on main): fuzz-input.gz

Here is the generated clif function:

function u0:0(f64, f64, f64, f64, i16x8, i16x8, i16x8, f32, f64, f64, i16, i8, i64x2, f64, f64) -> f64, f64, f64, f64, f64, f64, i64x2 system_v {
        ; Fuzzgen reproducer for issue #10409: 15 parameters, 7 results.
        ; Six signatures / libcall references are declared; only fn0 (%CeilF32)
        ; is ever called below, fn1..fn5 are dead declarations.
        sig0 = (f32) -> f32 system_v
        sig1 = (f64) -> f64 system_v
        sig2 = (f32) -> f32 system_v
        sig3 = (f64) -> f64 system_v
        sig4 = (f32) -> f32 system_v
        sig5 = (f64) -> f64 system_v
        fn0 = %CeilF32 sig0
        fn1 = %CeilF64 sig1
        fn2 = %FloorF32 sig2
        fn3 = %FloorF64 sig3
        fn4 = %TruncF32 sig4
        fn5 = %TruncF64 sig5

    block0(v0: f64, v1: f64, v2: f64, v3: f64, v4: i16x8, v5: i16x8, v6: i16x8, v7: f32, v8: f64, v9: f64, v10: i16, v11: i8, v12: i64x2, v13: f64, v14: f64):
        ; v15, v17, v18, v19 and v21 are dead: nothing below reads them.
        ; v16 (= 96) is the shift amount used twice on v12.
        v15 = iconst.i8 32
        v16 = iconst.i8 96
        v17 = iconst.i8 0
        v18 = iconst.i16 0
        v19 = iconst.i32 0
        v20 = iconst.i64 0
        v21 = uextend.i128 v20  ; v20 = 0
        ; The interesting pair: shift the i64x2 parameter left and then right by
        ; the same amount (96, wider than a single 64-bit lane). Per the discussion
        ; below, this is what the egraph pass rewrote into a scalar `ireduce.i32`
        ; followed by `uextend.i64x2`, which the verifier then choked on.
        v22 = ishl v12, v16  ; v16 = 96
        v23 = ushr v22, v16  ; v16 = 96
        ; 58 chained calls to %CeilF32 (v24..v81); the final value v81 is unused.
        v24 = call fn0(v7)
        v25 = call fn0(v24)
        v26 = call fn0(v25)
        v27 = call fn0(v26)
        v28 = call fn0(v27)
        v29 = call fn0(v28)
        v30 = call fn0(v29)
        v31 = call fn0(v30)
        v32 = call fn0(v31)
        v33 = call fn0(v32)
        v34 = call fn0(v33)
        v35 = call fn0(v34)
        v36 = call fn0(v35)
        v37 = call fn0(v36)
        v38 = call fn0(v37)
        v39 = call fn0(v38)
        v40 = call fn0(v39)
        v41 = call fn0(v40)
        v42 = call fn0(v41)
        v43 = call fn0(v42)
        v44 = call fn0(v43)
        v45 = call fn0(v44)
        v46 = call fn0(v45)
        v47 = call fn0(v46)
        v48 = call fn0(v47)
        v49 = call fn0(v48)
        v50 = call fn0(v49)
        v51 = call fn0(v50)
        v52 = call fn0(v51)
        v53 = call fn0(v52)
        v54 = call fn0(v53)
        v55 = call fn0(v54)
        v56 = call fn0(v55)
        v57 = call fn0(v56)
        v58 = call fn0(v57)
        v59 = call fn0(v58)
        v60 = call fn0(v59)
        v61 = call fn0(v60)
        v62 = call fn0(v61)
        v63 = call fn0(v62)
        v64 = call fn0(v63)
        v65 = call fn0(v64)
        v66 = call fn0(v65)
        v67 = call fn0(v66)
        v68 = call fn0(v67)
        v69 = call fn0(v68)
        v70 = call fn0(v69)
        v71 = call fn0(v70)
        v72 = call fn0(v71)
        v73 = call fn0(v72)
        v74 = call fn0(v73)
        v75 = call fn0(v74)
        v76 = call fn0(v75)
        v77 = call fn0(v76)
        v78 = call fn0(v77)
        v79 = call fn0(v78)
        v80 = call fn0(v79)
        v81 = call fn0(v80)
        ; Returns v0 six times plus the shifted vector v23. The ill-typed
        ; instructions reported below were inserted just before this return.
        return v0, v0, v0, v0, v0, v0, v23
    }

This function fails CLIF verification; note that the verifier does not report a verifier error but panics on an internal assertion in `cranelift/codegen/src/ir/instructions.rs` while checking the type constraint:

[2025-03-17T18:05:53Z TRACE cranelift_codegen::verifier] verifying inst70: v85 = uextend.i64x2 v84
thread '<unnamed>' panicked at cranelift/codegen/src/ir/instructions.rs:810:21:
The Narrower constraint only operates on floats or ints, got types::I64X2

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 18:14):

fitzgen edited issue #10409:

Here is the (gzipped) raw fuzzer input (as of commit 1ea710d6 on main): fuzz-input.gz

Here is the generated clif function:

function u0:0(f64, f64, f64, f64, i16x8, i16x8, i16x8, f32, f64, f64, i16, i8, i64x2, f64, f64) -> f64, f64, f64, f64, f64, f64, i64x2 system_v {
        ; Fuzzgen reproducer for issue #10409: 15 parameters, 7 results.
        ; Six signatures / libcall references are declared; only fn0 (%CeilF32)
        ; is ever called below, fn1..fn5 are dead declarations.
        sig0 = (f32) -> f32 system_v
        sig1 = (f64) -> f64 system_v
        sig2 = (f32) -> f32 system_v
        sig3 = (f64) -> f64 system_v
        sig4 = (f32) -> f32 system_v
        sig5 = (f64) -> f64 system_v
        fn0 = %CeilF32 sig0
        fn1 = %CeilF64 sig1
        fn2 = %FloorF32 sig2
        fn3 = %FloorF64 sig3
        fn4 = %TruncF32 sig4
        fn5 = %TruncF64 sig5

    block0(v0: f64, v1: f64, v2: f64, v3: f64, v4: i16x8, v5: i16x8, v6: i16x8, v7: f32, v8: f64, v9: f64, v10: i16, v11: i8, v12: i64x2, v13: f64, v14: f64):
        ; v15, v17, v18, v19 and v21 are dead: nothing below reads them.
        ; v16 (= 96) is the shift amount used twice on v12.
        v15 = iconst.i8 32
        v16 = iconst.i8 96
        v17 = iconst.i8 0
        v18 = iconst.i16 0
        v19 = iconst.i32 0
        v20 = iconst.i64 0
        v21 = uextend.i128 v20  ; v20 = 0
        ; The interesting pair: shift the i64x2 parameter left and then right by
        ; the same amount (96, wider than a single 64-bit lane). Per the discussion
        ; below, this is what the egraph pass rewrote into a scalar `ireduce.i32`
        ; followed by `uextend.i64x2`, which the verifier then choked on.
        v22 = ishl v12, v16  ; v16 = 96
        v23 = ushr v22, v16  ; v16 = 96
        ; 58 chained calls to %CeilF32 (v24..v81); the final value v81 is unused.
        v24 = call fn0(v7)
        v25 = call fn0(v24)
        v26 = call fn0(v25)
        v27 = call fn0(v26)
        v28 = call fn0(v27)
        v29 = call fn0(v28)
        v30 = call fn0(v29)
        v31 = call fn0(v30)
        v32 = call fn0(v31)
        v33 = call fn0(v32)
        v34 = call fn0(v33)
        v35 = call fn0(v34)
        v36 = call fn0(v35)
        v37 = call fn0(v36)
        v38 = call fn0(v37)
        v39 = call fn0(v38)
        v40 = call fn0(v39)
        v41 = call fn0(v40)
        v42 = call fn0(v41)
        v43 = call fn0(v42)
        v44 = call fn0(v43)
        v45 = call fn0(v44)
        v46 = call fn0(v45)
        v47 = call fn0(v46)
        v48 = call fn0(v47)
        v49 = call fn0(v48)
        v50 = call fn0(v49)
        v51 = call fn0(v50)
        v52 = call fn0(v51)
        v53 = call fn0(v52)
        v54 = call fn0(v53)
        v55 = call fn0(v54)
        v56 = call fn0(v55)
        v57 = call fn0(v56)
        v58 = call fn0(v57)
        v59 = call fn0(v58)
        v60 = call fn0(v59)
        v61 = call fn0(v60)
        v62 = call fn0(v61)
        v63 = call fn0(v62)
        v64 = call fn0(v63)
        v65 = call fn0(v64)
        v66 = call fn0(v65)
        v67 = call fn0(v66)
        v68 = call fn0(v67)
        v69 = call fn0(v68)
        v70 = call fn0(v69)
        v71 = call fn0(v70)
        v72 = call fn0(v71)
        v73 = call fn0(v72)
        v74 = call fn0(v73)
        v75 = call fn0(v74)
        v76 = call fn0(v75)
        v77 = call fn0(v76)
        v78 = call fn0(v77)
        v79 = call fn0(v78)
        v80 = call fn0(v79)
        v81 = call fn0(v80)
        ; Returns v0 six times plus the shifted vector v23. The ill-typed
        ; instructions reported below were inserted just before this return.
        return v0, v0, v0, v0, v0, v0, v23
    }

This function fails CLIF verification; note that the verifier does not report a verifier error but panics on an internal assertion in `cranelift/codegen/src/ir/instructions.rs` while checking the type constraint:

$ RUST_LOG=trace cargo fuzz run -s none --no-default-features cranelift-fuzzgen path/to/fuzz-input
...
[2025-03-17T18:05:53Z TRACE cranelift_codegen::verifier] verifying inst70: v85 = uextend.i64x2 v84
thread '<unnamed>' panicked at cranelift/codegen/src/ir/instructions.rs:810:21:
The Narrower constraint only operates on floats or ints, got types::I64X2

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 18:20):

fitzgen commented on issue #10409:

This is the offending code, inserted just before the return, after all the calls:

        v84 = ireduce.i32 v12
        v85 = uextend.i64x2 v84

It looks like it was inserted by the egraph pass, which suggests a bug in a rewrite rule. v12 is a function parameter of type i64x2, so I'm not sure why we are `ireduce.i32`-ing it either, although that doesn't seem to be the instruction that is triggering the verifier panic — the trace shows the verifier had already moved on to inst70 (the `uextend.i64x2`) when it panicked. Worth keeping in mind while triaging: the ill-typed IR was produced by the optimizer, not by the fuzzer's generated input, and it was only caught because this fuzz target runs the verifier after the egraph pass; in a configuration that skips verification these instructions would presumably be handed straight to the backend.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 18:40):

cfallin commented on issue #10409:

That would almost certainly be one of the rules in shifts.isle; probably these? (the link to the rules is missing from this mirror) I suspect we need a stricter type guard than ty_bits there. The output is consistent with that: the rule turned an `ishl`/`ushr` pair by 96 on an `i64x2` into a scalar `ireduce.i32` followed by `uextend.i64x2`, i.e. it appears to have reasoned about the vector as if it were one integer rather than two 64-bit lanes, which a guard that only admits scalar integer types would rule out.

view this post on Zulip Wasmtime GitHub notifications bot (Mar 17 2025 at 20:15):

fitzgen closed issue #10409:

Here is the (gzipped) raw fuzzer input (as of commit 1ea710d6 on main): fuzz-input.gz

Here is the generated clif function:

function u0:0(f64, f64, f64, f64, i16x8, i16x8, i16x8, f32, f64, f64, i16, i8, i64x2, f64, f64) -> f64, f64, f64, f64, f64, f64, i64x2 system_v {
        ; Fuzzgen reproducer for issue #10409: 15 parameters, 7 results.
        ; Six signatures / libcall references are declared; only fn0 (%CeilF32)
        ; is ever called below, fn1..fn5 are dead declarations.
        sig0 = (f32) -> f32 system_v
        sig1 = (f64) -> f64 system_v
        sig2 = (f32) -> f32 system_v
        sig3 = (f64) -> f64 system_v
        sig4 = (f32) -> f32 system_v
        sig5 = (f64) -> f64 system_v
        fn0 = %CeilF32 sig0
        fn1 = %CeilF64 sig1
        fn2 = %FloorF32 sig2
        fn3 = %FloorF64 sig3
        fn4 = %TruncF32 sig4
        fn5 = %TruncF64 sig5

    block0(v0: f64, v1: f64, v2: f64, v3: f64, v4: i16x8, v5: i16x8, v6: i16x8, v7: f32, v8: f64, v9: f64, v10: i16, v11: i8, v12: i64x2, v13: f64, v14: f64):
        ; v15, v17, v18, v19 and v21 are dead: nothing below reads them.
        ; v16 (= 96) is the shift amount used twice on v12.
        v15 = iconst.i8 32
        v16 = iconst.i8 96
        v17 = iconst.i8 0
        v18 = iconst.i16 0
        v19 = iconst.i32 0
        v20 = iconst.i64 0
        v21 = uextend.i128 v20  ; v20 = 0
        ; The interesting pair: shift the i64x2 parameter left and then right by
        ; the same amount (96, wider than a single 64-bit lane). Per the discussion
        ; above, this is what the egraph pass rewrote into a scalar `ireduce.i32`
        ; followed by `uextend.i64x2`, which the verifier then choked on.
        v22 = ishl v12, v16  ; v16 = 96
        v23 = ushr v22, v16  ; v16 = 96
        ; 58 chained calls to %CeilF32 (v24..v81); the final value v81 is unused.
        v24 = call fn0(v7)
        v25 = call fn0(v24)
        v26 = call fn0(v25)
        v27 = call fn0(v26)
        v28 = call fn0(v27)
        v29 = call fn0(v28)
        v30 = call fn0(v29)
        v31 = call fn0(v30)
        v32 = call fn0(v31)
        v33 = call fn0(v32)
        v34 = call fn0(v33)
        v35 = call fn0(v34)
        v36 = call fn0(v35)
        v37 = call fn0(v36)
        v38 = call fn0(v37)
        v39 = call fn0(v38)
        v40 = call fn0(v39)
        v41 = call fn0(v40)
        v42 = call fn0(v41)
        v43 = call fn0(v42)
        v44 = call fn0(v43)
        v45 = call fn0(v44)
        v46 = call fn0(v45)
        v47 = call fn0(v46)
        v48 = call fn0(v47)
        v49 = call fn0(v48)
        v50 = call fn0(v49)
        v51 = call fn0(v50)
        v52 = call fn0(v51)
        v53 = call fn0(v52)
        v54 = call fn0(v53)
        v55 = call fn0(v54)
        v56 = call fn0(v55)
        v57 = call fn0(v56)
        v58 = call fn0(v57)
        v59 = call fn0(v58)
        v60 = call fn0(v59)
        v61 = call fn0(v60)
        v62 = call fn0(v61)
        v63 = call fn0(v62)
        v64 = call fn0(v63)
        v65 = call fn0(v64)
        v66 = call fn0(v65)
        v67 = call fn0(v66)
        v68 = call fn0(v67)
        v69 = call fn0(v68)
        v70 = call fn0(v69)
        v71 = call fn0(v70)
        v72 = call fn0(v71)
        v73 = call fn0(v72)
        v74 = call fn0(v73)
        v75 = call fn0(v74)
        v76 = call fn0(v75)
        v77 = call fn0(v76)
        v78 = call fn0(v77)
        v79 = call fn0(v78)
        v80 = call fn0(v79)
        v81 = call fn0(v80)
        ; Returns v0 six times plus the shifted vector v23. The ill-typed
        ; instructions reported in the thread were inserted just before this return.
        return v0, v0, v0, v0, v0, v0, v23
    }

This function fails CLIF verification; note that the verifier does not report a verifier error but panics on an internal assertion in `cranelift/codegen/src/ir/instructions.rs` while checking the type constraint:

$ RUST_LOG=trace cargo fuzz run -s none --no-default-features cranelift-fuzzgen path/to/fuzz-input
...
[2025-03-17T18:05:53Z TRACE cranelift_codegen::verifier] verifying inst70: v85 = uextend.i64x2 v84
thread '<unnamed>' panicked at cranelift/codegen/src/ir/instructions.rs:810:21:
The Narrower constraint only operates on floats or ints, got types::I64X2

