Stream: git-wasmtime

Topic: wasmtime / issue #10583 cranelift fuzzbug: difference in ...


Wasmtime GitHub notifications bot (Apr 15 2025 at 00:33):

abrown edited issue #10583:

I was messing around with the cranelift-fuzzgen target locally and after about 1M iterations ran into the following crash: cargo +nightly fuzz run --no-default-features --sanitizer=none cranelift-fuzzgen. I tried minimizing, no luck.

<!-- TODO: add link to an external bug report, if there is one, such as from OSS-Fuzz -->

<details>
<summary>Test case input</summary>

<!-- Please base64-encode the input that libFuzzer generated, and paste it in the code-block below. This is required for us to reproduce the issue. -->
</details>

<details>
<summary>cargo +nightly fuzz fmt output</summary>

Running cargo +nightly fuzz fmt cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-9c0157c21569ca5c828e491b7cc701bcf9eac106 seemed to hang. But, before crashing, I did get code like the following (I changed the function name to %test):

;; Run test case

test interpret
test run
set opt_level=speed
set probestack_size_log2=6
set probestack_strategy=inline
set bb_padding_log2_minus_one=4
set enable_alias_analysis=false
set enable_llvm_abi_extensions=true
set enable_multi_ret_implicit_sret=true
set unwind_info=false
set machine_code_cfg_info=true
set enable_probestack=true
set enable_jump_tables=false
set enable_heap_access_spectre_mitigation=false
target x86_64 has_sse3 has_ssse3 has_cmpxchg16b has_sse41 has_sse42 has_avx has_avx2 has_fma has_popcnt has_bmi1 has_bmi2 has_lzcnt

function %test(i8 sext, i8, i8, i8x16, i64 sext, i64 sext, i64 sext, f32x4, i16 sext, i16x8, i16x8, i128, f32) -> f32, i16x8, i64 cold {
    ss0 = explicit_slot 3, align = 8
    ss1 = explicit_slot 76, align = 8
    ss2 = explicit_slot 3, align = 8
    ss3 = explicit_slot 1
    ss4 = explicit_slot 1
    ss5 = explicit_slot 8, align = 8
    ss6 = explicit_slot 8, align = 8
    ss7 = explicit_slot 2, align = 2
    ss8 = explicit_slot 16, align = 16
    ss9 = explicit_slot 16, align = 16
    sig0 = (f32) -> f32 system_v
    sig1 = (f64) -> f64 system_v
    sig2 = (f32) -> f32 system_v
    sig3 = (f64) -> f64 system_v
    sig4 = (f32) -> f32 system_v
    sig5 = (f64) -> f64 system_v
    fn0 = colocated %CeilF32 sig0
    fn1 = colocated %CeilF64 sig1
    fn2 = %FloorF32 sig2
    fn3 = %FloorF64 sig3
    fn4 = %TruncF32 sig4
    fn5 = %TruncF64 sig5

block0(v0: i8, v1: i8, v2: i8, v3: i8x16, v4: i64, v5: i64, v6: i64, v7: f32x4, v8: i16, v9: i16x8, v10: i16x8, v11: i128, v12: f32):
    v34 -> v0
    v36 -> v1
    v45 -> v2
    v56 -> v4
    v49 -> v5
    v31 -> v6
    v48 -> v8
    v55 -> v9
    v52 -> v11
    v38 -> v12
    stack_store v1, ss3
    stack_store v2, ss4
    stack_store v4, ss5
    stack_store v5, ss6
    stack_store v8, ss7
    stack_store v9, ss8
    stack_store v11, ss9
    v13 = iconst.i64 0x2d03_0303_0303_0303
    v32 -> v13
    v14 = f32const 0x1.06b91cp-121
    v15 = iconst.i64 0x0303_0303_0303_0303
    v16 = iconst.i8 0
    v17 = iconst.i16 0
    v18 = iconst.i32 0
    v19 = iconst.i64 0
    v20 = uextend.i128 v19  ; v19 = 0
    v21 = stack_addr.i64 ss0
    store notrap vmctx v17, v21  ; v17 = 0
    v22 = stack_addr.i64 ss0+2
    store notrap vmctx v16, v22  ; v16 = 0
    v23 = stack_addr.i64 ss2
    store notrap vmctx v17, v23  ; v17 = 0
    v24 = stack_addr.i64 ss2+2
    store notrap vmctx v16, v24  ; v16 = 0
    v25 = stack_addr.i64 ss1
    store notrap vmctx v20, v25
    v26 = stack_addr.i64 ss1+16
    store notrap vmctx v20, v26
    v27 = stack_addr.i64 ss1+32
    store notrap vmctx v20, v27
    v28 = stack_addr.i64 ss1+48
    store notrap vmctx v20, v28
    v29 = stack_addr.i64 ss1+64
    store notrap vmctx v19, v29  ; v19 = 0
    v30 = stack_addr.i64 ss1+72
    store notrap vmctx v18, v30  ; v18 = 0
    brif v0, block1, block1

block1:
    v33 = umax.i64 v31, v32  ; v32 = 0x2d03_0303_0303_0303
    v35 = sshr.i8 v34, v34
    v37 = sshr.i8 v36, v35
    v39 = call fn0(v38), stack_map=[i8 @ ss3+0, i8 @ ss4+0, i64 @ ss5+0, i64 @ ss6+0, i16 @ ss7+0, i16x8 @ ss8+0, i128 @ ss9+0]
    v40 = sshr v37, v37
    v41 = sshr v40, v40
    v42 = sshr v41, v41
    v43 = sshr v42, v42
    v44 = sshr v43, v43
    v46 = sshr.i8 v36, v45
    v47 = bor v39, v39
    v50 = sshr.i16 v48, v49
    v57 = fdiv v47, v47
    v58 = f32const +NaN
    v59 = scalar_to_vector.f32x4 v58  ; v58 = +NaN
    v60 = scalar_to_vector.f32x4 v57
    v61 = fcmp uno v60, v60
    v62 = bitcast.f32x4 v61
    v63 = bitselect v62, v59, v60
    v51 = extractlane v63, 0
    v53 = iabs.i128 v52
    v54 = iabs v53
    return v39, v55, v56
}


; Note: the results in the below test cases are simply a placeholder and probably will be wrong

; run: %test(120, 0, 37, 0x25e1e1e1e1e1a1e1e1e1e1e1e1e10000, 2604488122695689509, -6845471432979916544, 250082238140424591, 0xfea103a1032fa1a1a1e1ffffff012503, 30840, 0x0303030303034c030303032500007878, 0xdc00db2525250000dc00251025030303, 504403153970528732, 0.0) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(50, 0, 0, 0x0004839a0474022400000000007f0000, 269332919549952, -7277816997830761472, 1369085490627582618, 0xf9faffff9a9a9a9aff03839a74000000, -1543, 0x3b9a0900000000000001ffffffffff06, 0x0025ff272525a6000025102525262527, -20282408394714223036251008172169, 0x0.00000cp-126) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(0, 0, 0, 0x000000007f0000000032000000000000, 325272942017651712, 68949227404787712, -10223616, 0x0303030303035c8e052d03030303039a, 771, 0x03030303030303030303070303030303, 0x0303030303030703fc0f000000000001, 4003321963772105628865332499261358851, -sNaN:0x1a9a03) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(-1, -1, -9, 0xffff9a9a9a9aff03839a7400000012ff, -1069547914758, 131071, 2676867878952241408, 0x03030303030303030303030303251025, 771, 0x000000000000000000ff272525a60000, 0x00000000000000000000000000000000, 0, 0.0) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(0, 0, 0, 0x00000000000000000000000000000000, 0, 0, 0, 0x00000000000000000000000000000000, 0, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0, 0.0) == [0.0, 0x00000000000000000000000000000000, 0]

</details>

<details>
<summary>Stack trace or other relevant details</summary>

<!-- If you can, please paste anything that looks relevant from the failure message in the code-block below. This will help reviewers more quickly triage this report. -->

What
[message truncated]

Wasmtime GitHub notifications bot (Apr 15 2025 at 00:34):

abrown edited issue #10583:

I was messing around with the cranelift-fuzzgen target locally and after about 1M iterations ran into the following crash: cargo +nightly fuzz run --no-default-features --sanitizer=none cranelift-fuzzgen. I tried minimizing, no luck.

<!-- TODO: add link to an external bug report, if there is one, such as from OSS-Fuzz -->

<details>
<summary>Test case input</summary>

<!-- Please base64-encode the input that libFuzzer generated, and paste it in the code-block below. This is required for us to reproduce the issue. -->


</details>

<details>
<summary>cargo +nightly fuzz fmt output</summary>

Running cargo +nightly fuzz fmt cranelift-fuzzgen fuzz/artifacts/cranelift-fuzzgen/crash-9c0157c21569ca5c828e491b7cc701bcf9eac106 seemed to hang. But, before the original crash in fuzz run, I did get code like the following (I changed the function name to %test):

;; Run test case

test interpret
test run
set opt_level=speed
set probestack_size_log2=6
set probestack_strategy=inline
set bb_padding_log2_minus_one=4
set enable_alias_analysis=false
set enable_llvm_abi_extensions=true
set enable_multi_ret_implicit_sret=true
set unwind_info=false
set machine_code_cfg_info=true
set enable_probestack=true
set enable_jump_tables=false
set enable_heap_access_spectre_mitigation=false
target x86_64 has_sse3 has_ssse3 has_cmpxchg16b has_sse41 has_sse42 has_avx has_avx2 has_fma has_popcnt has_bmi1 has_bmi2 has_lzcnt

function %test(i8 sext, i8, i8, i8x16, i64 sext, i64 sext, i64 sext, f32x4, i16 sext, i16x8, i16x8, i128, f32) -> f32, i16x8, i64 cold {
    ss0 = explicit_slot 3, align = 8
    ss1 = explicit_slot 76, align = 8
    ss2 = explicit_slot 3, align = 8
    ss3 = explicit_slot 1
    ss4 = explicit_slot 1
    ss5 = explicit_slot 8, align = 8
    ss6 = explicit_slot 8, align = 8
    ss7 = explicit_slot 2, align = 2
    ss8 = explicit_slot 16, align = 16
    ss9 = explicit_slot 16, align = 16
    sig0 = (f32) -> f32 system_v
    sig1 = (f64) -> f64 system_v
    sig2 = (f32) -> f32 system_v
    sig3 = (f64) -> f64 system_v
    sig4 = (f32) -> f32 system_v
    sig5 = (f64) -> f64 system_v
    fn0 = colocated %CeilF32 sig0
    fn1 = colocated %CeilF64 sig1
    fn2 = %FloorF32 sig2
    fn3 = %FloorF64 sig3
    fn4 = %TruncF32 sig4
    fn5 = %TruncF64 sig5

block0(v0: i8, v1: i8, v2: i8, v3: i8x16, v4: i64, v5: i64, v6: i64, v7: f32x4, v8: i16, v9: i16x8, v10: i16x8, v11: i128, v12: f32):
    v34 -> v0
    v36 -> v1
    v45 -> v2
    v56 -> v4
    v49 -> v5
    v31 -> v6
    v48 -> v8
    v55 -> v9
    v52 -> v11
    v38 -> v12
    stack_store v1, ss3
    stack_store v2, ss4
    stack_store v4, ss5
    stack_store v5, ss6
    stack_store v8, ss7
    stack_store v9, ss8
    stack_store v11, ss9
    v13 = iconst.i64 0x2d03_0303_0303_0303
    v32 -> v13
    v14 = f32const 0x1.06b91cp-121
    v15 = iconst.i64 0x0303_0303_0303_0303
    v16 = iconst.i8 0
    v17 = iconst.i16 0
    v18 = iconst.i32 0
    v19 = iconst.i64 0
    v20 = uextend.i128 v19  ; v19 = 0
    v21 = stack_addr.i64 ss0
    store notrap vmctx v17, v21  ; v17 = 0
    v22 = stack_addr.i64 ss0+2
    store notrap vmctx v16, v22  ; v16 = 0
    v23 = stack_addr.i64 ss2
    store notrap vmctx v17, v23  ; v17 = 0
    v24 = stack_addr.i64 ss2+2
    store notrap vmctx v16, v24  ; v16 = 0
    v25 = stack_addr.i64 ss1
    store notrap vmctx v20, v25
    v26 = stack_addr.i64 ss1+16
    store notrap vmctx v20, v26
    v27 = stack_addr.i64 ss1+32
    store notrap vmctx v20, v27
    v28 = stack_addr.i64 ss1+48
    store notrap vmctx v20, v28
    v29 = stack_addr.i64 ss1+64
    store notrap vmctx v19, v29  ; v19 = 0
    v30 = stack_addr.i64 ss1+72
    store notrap vmctx v18, v30  ; v18 = 0
    brif v0, block1, block1

block1:
    v33 = umax.i64 v31, v32  ; v32 = 0x2d03_0303_0303_0303
    v35 = sshr.i8 v34, v34
    v37 = sshr.i8 v36, v35
    v39 = call fn0(v38), stack_map=[i8 @ ss3+0, i8 @ ss4+0, i64 @ ss5+0, i64 @ ss6+0, i16 @ ss7+0, i16x8 @ ss8+0, i128 @ ss9+0]
    v40 = sshr v37, v37
    v41 = sshr v40, v40
    v42 = sshr v41, v41
    v43 = sshr v42, v42
    v44 = sshr v43, v43
    v46 = sshr.i8 v36, v45
    v47 = bor v39, v39
    v50 = sshr.i16 v48, v49
    v57 = fdiv v47, v47
    v58 = f32const +NaN
    v59 = scalar_to_vector.f32x4 v58  ; v58 = +NaN
    v60 = scalar_to_vector.f32x4 v57
    v61 = fcmp uno v60, v60
    v62 = bitcast.f32x4 v61
    v63 = bitselect v62, v59, v60
    v51 = extractlane v63, 0
    v53 = iabs.i128 v52
    v54 = iabs v53
    return v39, v55, v56
}


; Note: the results in the below test cases are simply a placeholder and probably will be wrong

; run: %test(120, 0, 37, 0x25e1e1e1e1e1a1e1e1e1e1e1e1e10000, 2604488122695689509, -6845471432979916544, 250082238140424591, 0xfea103a1032fa1a1a1e1ffffff012503, 30840, 0x0303030303034c030303032500007878, 0xdc00db2525250000dc00251025030303, 504403153970528732, 0.0) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(50, 0, 0, 0x0004839a0474022400000000007f0000, 269332919549952, -7277816997830761472, 1369085490627582618, 0xf9faffff9a9a9a9aff03839a74000000, -1543, 0x3b9a0900000000000001ffffffffff06, 0x0025ff272525a6000025102525262527, -20282408394714223036251008172169, 0x0.00000cp-126) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(0, 0, 0, 0x000000007f0000000032000000000000, 325272942017651712, 68949227404787712, -10223616, 0x0303030303035c8e052d03030303039a, 771, 0x03030303030303030303070303030303, 0x0303030303030703fc0f000000000001, 4003321963772105628865332499261358851, -sNaN:0x1a9a03) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(-1, -1, -9, 0xffff9a9a9a9aff03839a7400000012ff, -1069547914758, 131071, 2676867878952241408, 0x03030303030303030303030303251025, 771, 0x000000000000000000ff272525a60000, 0x00000000000000000000000000000000, 0, 0.0) == [0.0, 0x00000000000000000000000000000000, 0]
; run: %test(0, 0, 0, 0x00000000000000000000000000000000, 0, 0, 0, 0x00000000000000000000000000000000, 0, 0x00000000000000000000000000000000, 0x00000000000000000000000000000000, 0, 0.0) == [0.0, 0x00000000000000000000000000000000, 0]

</details>

<details>
<summary>Stack trace or other relevant details</summary>

<!-- If you can, please paste anything that looks relevant from the failure message in the code-block below. This will help reviewers more quickly triage
[message truncated]

Wasmtime GitHub notifications bot (Apr 15 2025 at 15:08):

alexcrichton commented on issue #10583:

Does this reproduce on main for you? I can't reproduce with the above. Running the fuzz case directly passes for me, as does running the clif test case.

What I see when I run the test with cargo +nightly run --package cranelift-tools -- test scratch.clif

This has to do with the comment at the bottom, the *.clif file generated has dummy results filled in that you have to fill in manually. I copied in the interpreter results and the x64 backend produced the same results.

Wasmtime GitHub notifications bot (Apr 15 2025 at 16:23):

abrown commented on issue #10583:

I started to get worried that somehow some part of an old branch was affecting results but no:

$ cargo clean
$ cargo +nightly fuzz run cranelift-fuzzgen --no-default-features fuzz/artifacts/cranelift-fuzzgen/crash-9c0157c21569ca5c828e491b7cc701bcf9eac106
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 45627356
INFO: Loaded 1 modules   (1472019 inline 8-bit counters): 1472019 [0x56199be4b610, 0x56199bfb2c23),
INFO: Loaded 1 PC tables (1472019 PCs): 1472019 [0x56199bfb2c28,0x56199d628d58),
target/x86_64-unknown-linux-gnu/release/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: fuzz/artifacts/cranelift-fuzzgen/crash-9c0157c21569ca5c828e491b7cc701bcf9eac106

thread '<unnamed>' panicked at fuzz/fuzz_targets/cranelift-fuzzgen.rs:374:9:
assertion `left == right` failed
  left: Success([F32(Ieee32 { bits: 4288322051 }), V128([3, 3, 3, 3, 3, 7, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3]), I64(325272942017651712)])
 right: Success([F32(Ieee32 { bits: 4292516355 }), V128([3, 3, 3, 3, 3, 7, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3]), I64(325272942017651712)])
...

And:

$ cargo +nightly run --package cranelift-tools -- test scratch.clif
 ERROR cranelift_filetests::concurrent > FAIL: interpret
FAIL scratch.clif: interpret

Caused by:
    Failed test: run: %test(120, 0, 37, 0x25e1e1e1e1e1a1e1e1e1e1e1e1e10000, 2604488122695689509, -6845471432979916544, 250082238140424591, 0xfea103a1032fa1a1a1e1ffffff012503, 30840, 0x0303030303034c030303032500007878, 0xdc00db2525250000dc00251025030303, 504403153970528732, 0.0) == [0.0, 0x00000000000000000000000000000000, 0], actual: [0.0, 0x0303030303034c030303032500007878, 2604488122695689509]
1 tests
Error: 1 failure

Not sure what is going on....

Wasmtime GitHub notifications bot (Apr 15 2025 at 16:28):

abrown commented on issue #10583:

And that was all on this commit from main:

$ git log --oneline
6ba842deda (HEAD -> main, origin/main, origin/HEAD) doc: fixup `Pollable` example (#10586)
d69ef83e81 asm: move assembler operand matchers (#10581)
4d0a43fd07 wasmtime-wit-bindgen: nonfunctional changes to internals (#10578)
6ba6e13bb0 c-api: Compile a component (#10566)

Wasmtime GitHub notifications bot (Apr 15 2025 at 16:28):

abrown edited a comment on issue #10583:

And that was all on this commit from main:

$ git log --oneline
6ba842deda (HEAD -> main, origin/main, origin/HEAD) doc: fixup `Pollable` example (#10586)
d69ef83e81 asm: move assembler operand matchers (#10581)
4d0a43fd07 wasmtime-wit-bindgen: nonfunctional changes to internals (#10578)
6ba6e13bb0 c-api: Compile a component (#10566)
...

Wasmtime GitHub notifications bot (Apr 15 2025 at 16:32):

alexcrichton commented on issue #10583:

The second failure, cargo +nightly run --package cranelift-tools -- test scratch.clif, is expected. That's because the expectations of the test case are all dummy/default values. The fuzz test failing itself is what I can't reproduce.

Can you upload the actual fuzz test case itself? (probably gz-compressed) I don't have confidence in my ability to go from base64 to binary.

Wasmtime GitHub notifications bot (Apr 15 2025 at 16:40):

alexcrichton commented on issue #10583:

Ah yep, I didn't know how to decode base64. I got this to reproduce now and it's just NaN behavior, nothing major.

Wasmtime GitHub notifications bot (Apr 15 2025 at 16:45):

abrown commented on issue #10583:

Isn't there some Cranelift flag I can add that will make these non-deterministic then? Also, do we not run cranelift-fuzzgen in OSSFuzz? I would assume we'd run across something like this pretty quickly...

Wasmtime GitHub notifications bot (Apr 15 2025 at 17:01):

alexcrichton commented on issue #10583:

No flags, I'm just trying to juggle things on my end and not doing well.

I reproduced the fuzz failure with cargo +nightly fuzz, but I failed to reproduce the clif test case failure with cargo run test .... I can indeed reproduce the clif failure with cargo +nightly run test ....

You reproduced the fuzz failure but got lost in the clif test case failure. If you copy the interpreter results into the ; run: ... comments you should see the clif test case fail as well.

Rust nightly changed how float things are implemented, and this is basically https://github.com/bytecodealliance/wasmtime/pull/10534 hitting Cranelift now. I also see that in the cranelift directory cargo +nightly run test filetests also fails. Lots to dig out of.

Wasmtime GitHub notifications bot (Apr 15 2025 at 19:26):

alexcrichton commented on issue #10583:

After trying a few different avenues for this I think https://github.com/bytecodealliance/wasmtime/pull/10588 is the best solution

Wasmtime GitHub notifications bot (Apr 15 2025 at 20:02):

fitzgen closed issue #10583.


Last updated: Dec 06 2025 at 06:05 UTC