Wasmtime GitHub notifications bot (May 07 2025 at 10:24): Wasmtime GitHub notifications bot (May 07 2025 at 10:24):f52985 opened issue #10741:
Test Case
;; sample.wat (module (type $t (func (result i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 10 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 20 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 30 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 40 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 50 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 60 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 70 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 80 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 90 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 100 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 110 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 120 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 130 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 140 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 150 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 160 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 170 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 180 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 190 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 200 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 210 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 220 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 230 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 240 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 250 i32 i32 i32 i32 ;; 254 ) ) ) (export "f" (func $f)) (func $f (type $t) (unreachable)) )Steps to Reproduce
Execute the
watfile above using the following command:target/debug/wasmtime sample.watExpected Results
Terminates normally
Actual Results
Thread panic:
thread '<unnamed>' panicked at cranelift/codegen/src/isa/aarch64/inst/emit.rs:107:31: called `Option::unwrap()` on a `None` valueVersions and Environment
Wasmtime version or commit: wasmtime 34.0.0 (303b836a4 2025-05-06)
Operating system: MacOS (Sonoma, 14.5)
Architecture: arm64 (Apple Silicon, M3)
(Also confirmed at Ubuntu 20.04.6 LTS, x86_64)
Extra Info
Long result type with specific length (at least 254) and exporting the function with that type triggers this bug, even without calling the function.
Wasmtime GitHub notifications bot (May 07 2025 at 10:24):f52985 added the bug label to Issue #10741.
Wasmtime GitHub notifications bot (May 07 2025 at 14:57):alexcrichton commented on issue #10741:
Looks like this doesn't affect Wasmtime 32.0.0, but this does affect the (pending) release of Wasmtime 33.0.0 (as well as
main). Bisection points to https://github.com/bytecodealliance/wasmtime/pull/10502 as the regression point (cc @cfallin)Locally I'm able to reproduce this on x64 as well:
Running `target/x86_64-unknown-linux-gnu/debug/wasmtime compile foo.wat` thread '<unnamed>' panicked at cranelift/codegen/src/isa/x64/encoding/rex.rs:58:5: assertion failed: reg.is_real() note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Wasmtime GitHub notifications bot (May 07 2025 at 16:08):cfallin commented on issue #10741:
Taking a look!
Wasmtime GitHub notifications bot (May 07 2025 at 17:09):bjorn3 commented on issue #10741:
I'm guessing that moving the multiret lowering from the Cranelift backends to the clif ir producer (at least when there are more rets than return registers) would fix this.
Wasmtime GitHub notifications bot (May 07 2025 at 18:51):cfallin commented on issue #10741:
So this issue is occurring because in regalloc2, we use a u8 to refer to the "slot" (index) of an operand on an instruction, and prior to folding retval loads into callsites for try-calls, we never had a single instruction that had more than 255 operands. (Calls can have a large number of args and retvals but args are stored onto the stack with separate instructions, and previously retvals were loaded with separate instructions beyond the ABI-defined in-register locations for both.)
The use of a
u8there was carefully chosen to makeUseas small as possible, and IIRC I saw 1-2% perf regressions in compile time when it became larger with larger operands; but looking at it now, it already has a free byte of padding (OperandandProgPointare both packed 32-bit values, then we have theu16weight and theu8slot-index), so moving to au16should be free. Separately, RA2 should have validated this (sorry!) -- I suppose we were shielded by the Cranelift ABI strategy before.I'll update RA2 and bump it on
mainand backport to the release branch to fix.
Wasmtime GitHub notifications bot (May 07 2025 at 19:20):cfallin commented on issue #10741:
https://github.com/bytecodealliance/regalloc2/pull/226 plus a version bump should fix.
Wasmtime GitHub notifications bot (May 07 2025 at 21:38):alexcrichton closed issue #10741:
Test Case
;; sample.wat (module (type $t (func (result i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 10 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 20 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 30 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 40 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 50 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 60 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 70 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 80 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 90 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 100 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 110 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 120 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 130 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 140 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 150 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 160 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 170 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 180 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 190 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 200 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 210 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 220 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 230 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 240 i32 i32 i32 i32 i32 i32 i32 i32 i32 i32 ;; 250 i32 i32 i32 i32 ;; 254 ) ) ) (export "f" (func $f)) (func $f (type $t) (unreachable)) )Steps to Reproduce
Execute the
watfile above using the following command:target/debug/wasmtime sample.watExpected Results
Terminates normally
Actual Results
Thread panic:
thread '<unnamed>' panicked at cranelift/codegen/src/isa/aarch64/inst/emit.rs:107:31: called `Option::unwrap()` on a `None` valueVersions and Environment
Wasmtime version or commit: wasmtime 34.0.0 (303b836a4 2025-05-06)
Operating system: MacOS (Sonoma, 14.5)
Architecture: arm64 (Apple Silicon, M3)
(Also confirmed at Ubuntu 20.04.6 LTS, x86_64)
Extra Info
Long result type with specific length (at least 254) and exporting the function with that type triggers this bug, even without calling the function.
Last updated: Dec 06 2025 at 06:05 UTC