Stream: git-wasmtime

Topic: wasmtime / issue #12399 Panic in x64 backend with Craneli...


Wasmtime GitHub notifications bot (Jan 23 2026 at 02:41):

alexcrichton opened issue #12399:

This input:

;; Run test case
;; Test-file header for the reproducer in this issue. The issue carries the
;; fuzz-bug label, so this settings combination is presumably fuzzer-generated
;; and is not a configuration to copy elsewhere.

test interpret
test run
set opt_level=speed_and_size
set bb_padding_log2_minus_one=6
set enable_alias_analysis=false
set enable_nan_canonicalization=true
set enable_llvm_abi_extensions=true
set enable_multi_ret_implicit_sret=true
set unwind_info=false
set machine_code_cfg_info=true
; The next two settings turn off the Spectre mitigations for heap and table
; accesses. The function in this file performs no heap or table access.
set enable_heap_access_spectre_mitigation=false
set enable_table_access_spectre_mitigation=false
target x86_64 has_sse3 has_ssse3 has_cmpxchg16b has_sse41 has_sse42 has_avx has_avx2 has_fma has_popcnt has_bmi1 has_bmi2 has_lzcnt

; Reproducer function. It takes fifteen sign-extended i8 arguments and returns
; fifteen sign-extended i8 values under the preserve_all calling convention.
; The report on this page shows clif-util test panicking on this file at
; cranelift/codegen/src/machinst/abi.rs:2504:9.
; NOTE(review) the body contains no call instruction, so the call site whose
; assertion fires is presumably one the test harness emits to invoke %my_f;
; confirm with RUST_BACKTRACE=1.
function %my_f(i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext) -> i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext preserve_all {
    ; sig0 to sig5 and fn0 to fn5 are declared but never called in the body.
    sig0 = (f32) -> f32 system_v
    sig1 = (f64) -> f64 system_v
    sig2 = (f32) -> f32 system_v
    sig3 = (f64) -> f64 system_v
    sig4 = (f32) -> f32 system_v
    sig5 = (f64) -> f64 system_v
    fn0 = %CeilF32 sig0
    fn1 = %CeilF64 sig1
    fn2 = %FloorF32 sig2
    fn3 = %FloorF64 sig3
    fn4 = %TruncF32 sig4
    fn5 = %TruncF64 sig5

block0(v0: i8, v1: i8, v2: i8, v3: i8, v4: i8, v5: i8, v6: i8, v7: i8, v8: i8, v9: i8, v10: i8, v11: i8, v12: i8, v13: i8, v14: i8):
    ; v15 to v19 are zero constants that the return below does not use.
    v15 = iconst.i8 0
    v16 = iconst.i16 0
    v17 = iconst.i32 0
    v18 = iconst.i64 0
    v19 = uextend.i128 v18  ; v18 = 0
    ; All fifteen results are v0, the first argument.
    return v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0
}

; Note: the results in the below test cases are simply a placeholder and probably will be wrong

; run: %my_f(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) == [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]

fails with:

$ cargo run test ../foo.clif
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.07s
     Running `/home/alex/code/wasmtime/target/debug/clif-util test ../foo.clif`

thread 'worker #9' (2412184) panicked at cranelift/codegen/src/machinst/abi.rs:2504:9:
assertion failed: self.defs.is_empty() ||
    M::get_regs_clobbered_by_call(self.callee_conv,
            self.try_call_info.is_some()).contains(PReg::from(temp.to_reg().to_real_reg().unwrap()))
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
[2026-01-23T02:40:53Z ERROR cranelift_filetests::concurrent] FAIL: panicked in worker #9: assertion failed: self.defs.is_empty() ||
        M::get_regs_clobbered_by_call(self.callee_conv,
                self.try_call_info.is_some()).contains(PReg::from(temp.to_reg().to_real_reg().unwrap()))
FAIL ../foo.clif: panicked in worker #9: assertion failed: self.defs.is_empty() ||
    M::get_regs_clobbered_by_call(self.callee_conv,
            self.try_call_info.is_some()).contains(PReg::from(temp.to_reg().to_real_reg().unwrap()))
1 tests
Error: 1 failure

cc @cfallin, bisection points to #12160

Wasmtime GitHub notifications bot (Jan 23 2026 at 02:41):

alexcrichton added the fuzz-bug label to Issue #12399.

Wasmtime GitHub notifications bot (Jan 23 2026 at 02:43):

alexcrichton commented on issue #12399:

Another, longer reproducer from a separate oss-fuzz bug; it is probably a duplicate of this issue:

<details>

; Test-file header for the second reproducer, described on this page as a
; separate oss-fuzz bug. The settings combination is presumably
; fuzzer-generated and is not a configuration to copy elsewhere.
test compile
set opt_level=speed_and_size
set bb_padding_log2_minus_one=6
set enable_alias_analysis=false
set enable_nan_canonicalization=true
set enable_multi_ret_implicit_sret=true
set unwind_info=false
set machine_code_cfg_info=true
; The next two settings turn off the Spectre mitigations for heap and table
; accesses. The function in this file performs no heap or table access.
set enable_heap_access_spectre_mitigation=false
set enable_table_access_spectre_mitigation=false
target riscv64 has_zfhmin has_zfh has_zcb has_zbs has_zicond has_zvl2048b has_zvl4096b has_zvl8192b has_zvl16384b has_zvl65536b

; Second reproducer function. It uses the fast calling convention, takes two
; f64 and three i128 arguments and returns five i128 values. The body calls
; fn0, whose signature sig0 uses preserve_all, thirty-two times in a chain.
; NOTE(review) the page shows no panic output for this input; it is reported
; only as a probable duplicate of the x86_64 case.
function u1:0(f64, i128, i128, i128, f64) -> i128, i128, i128, i128, i128 fast {
    ; sig0 is the only signature the body uses; sig1 to sig10 belong to the
    ; external names fn1 to fn10, which are declared but never called.
    sig0 = (f64, f64, f64) -> f64 preserve_all
    sig1 = (f32) -> f32 system_v
    sig2 = (f64) -> f64 system_v
    sig3 = (f32) -> f32 system_v
    sig4 = (f64) -> f64 system_v
    sig5 = (f32) -> f32 system_v
    sig6 = (f64) -> f64 system_v
    sig7 = (f32) -> f32 system_v
    sig8 = (f64) -> f64 system_v
    sig9 = (f32, f32, f32) -> f32 system_v
    sig10 = (f64, f64, f64) -> f64 system_v
    fn0 = u2:0 sig0
    fn1 = %CeilF32 sig1
    fn2 = %CeilF64 sig2
    fn3 = %FloorF32 sig3
    fn4 = %FloorF64 sig4
    fn5 = %TruncF32 sig5
    fn6 = %TruncF64 sig6
    fn7 = %NearestF32 sig7
    fn8 = %NearestF64 sig8
    fn9 = %FmaF32 sig9
    fn10 = %FmaF64 sig10

block0(v0: f64, v1: i128, v2: i128, v3: i128, v4: f64):
    ; v5 to v9 are zero constants that nothing below uses.
    v5 = iconst.i8 0
    v6 = iconst.i16 0
    v7 = iconst.i32 0
    v8 = iconst.i64 0
    v9 = uextend.i128 v8  ; v8 = 0
    ; Call chain: the first call passes v0 three times, and each later call
    ; passes the previous result as all three arguments.
    v10 = call fn0(v0, v0, v0)
    v11 = call fn0(v10, v10, v10)
    v12 = call fn0(v11, v11, v11)
    v13 = call fn0(v12, v12, v12)
    v14 = call fn0(v13, v13, v13)
    v15 = call fn0(v14, v14, v14)
    v16 = call fn0(v15, v15, v15)
    v17 = call fn0(v16, v16, v16)
    v18 = call fn0(v17, v17, v17)
    v19 = call fn0(v18, v18, v18)
    v20 = call fn0(v19, v19, v19)
    v21 = call fn0(v20, v20, v20)
    v22 = call fn0(v21, v21, v21)
    v23 = call fn0(v22, v22, v22)
    v24 = call fn0(v23, v23, v23)
    v25 = call fn0(v24, v24, v24)
    v26 = call fn0(v25, v25, v25)
    v27 = call fn0(v26, v26, v26)
    v28 = call fn0(v27, v27, v27)
    v29 = call fn0(v28, v28, v28)
    v30 = call fn0(v29, v29, v29)
    v31 = call fn0(v30, v30, v30)
    v32 = call fn0(v31, v31, v31)
    v33 = call fn0(v32, v32, v32)
    v34 = call fn0(v33, v33, v33)
    v35 = call fn0(v34, v34, v34)
    v36 = call fn0(v35, v35, v35)
    v37 = call fn0(v36, v36, v36)
    v38 = call fn0(v37, v37, v37)
    v39 = call fn0(v38, v38, v38)
    v40 = call fn0(v39, v39, v39)
    v41 = call fn0(v40, v40, v40)
    ; The last call result, v41, is not returned; all five results are v1.
    return v1, v1, v1, v1, v1
}

</details>

Wasmtime GitHub notifications bot (Jan 24 2026 at 00:33):

cfallin commented on issue #12399:

Ran out of time today but acknowledging this bug report and I'll try to get to it Monday. Thanks!

Wasmtime GitHub notifications bot (Jan 24 2026 at 00:33):

cfallin assigned cfallin to issue #12399.

Wasmtime GitHub notifications bot (Jan 27 2026 at 19:34):

cfallin closed issue #12399:

This input:

;; Run test case
;; Test-file header for the reproducer, repeated in the close notification.
;; The issue carries the fuzz-bug label, so this settings combination is
;; presumably fuzzer-generated and is not a configuration to copy elsewhere.

test interpret
test run
set opt_level=speed_and_size
set bb_padding_log2_minus_one=6
set enable_alias_analysis=false
set enable_nan_canonicalization=true
set enable_llvm_abi_extensions=true
set enable_multi_ret_implicit_sret=true
set unwind_info=false
set machine_code_cfg_info=true
; The next two settings turn off the Spectre mitigations for heap and table
; accesses. The function in this file performs no heap or table access.
set enable_heap_access_spectre_mitigation=false
set enable_table_access_spectre_mitigation=false
target x86_64 has_sse3 has_ssse3 has_cmpxchg16b has_sse41 has_sse42 has_avx has_avx2 has_fma has_popcnt has_bmi1 has_bmi2 has_lzcnt

; Reproducer function, repeated in the close notification. It takes fifteen
; sign-extended i8 arguments and returns fifteen sign-extended i8 values under
; the preserve_all calling convention. The report on this page shows
; clif-util test panicking on this file at
; cranelift/codegen/src/machinst/abi.rs:2504:9.
; NOTE(review) the body contains no call instruction, so the call site whose
; assertion fires is presumably one the test harness emits to invoke %my_f;
; confirm with RUST_BACKTRACE=1.
function %my_f(i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext) -> i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext, i8 sext preserve_all {
    ; sig0 to sig5 and fn0 to fn5 are declared but never called in the body.
    sig0 = (f32) -> f32 system_v
    sig1 = (f64) -> f64 system_v
    sig2 = (f32) -> f32 system_v
    sig3 = (f64) -> f64 system_v
    sig4 = (f32) -> f32 system_v
    sig5 = (f64) -> f64 system_v
    fn0 = %CeilF32 sig0
    fn1 = %CeilF64 sig1
    fn2 = %FloorF32 sig2
    fn3 = %FloorF64 sig3
    fn4 = %TruncF32 sig4
    fn5 = %TruncF64 sig5

block0(v0: i8, v1: i8, v2: i8, v3: i8, v4: i8, v5: i8, v6: i8, v7: i8, v8: i8, v9: i8, v10: i8, v11: i8, v12: i8, v13: i8, v14: i8):
    ; v15 to v19 are zero constants that the return below does not use.
    v15 = iconst.i8 0
    v16 = iconst.i16 0
    v17 = iconst.i32 0
    v18 = iconst.i64 0
    v19 = uextend.i128 v18  ; v18 = 0
    ; All fifteen results are v0, the first argument.
    return v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0, v0
}

; Note: the results in the below test cases are simply a placeholder and probably will be wrong

; run: %my_f(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) == [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]

fails with:

$ cargo run test ../foo.clif
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.07s
     Running `/home/alex/code/wasmtime/target/debug/clif-util test ../foo.clif`

thread 'worker #9' (2412184) panicked at cranelift/codegen/src/machinst/abi.rs:2504:9:
assertion failed: self.defs.is_empty() ||
    M::get_regs_clobbered_by_call(self.callee_conv,
            self.try_call_info.is_some()).contains(PReg::from(temp.to_reg().to_real_reg().unwrap()))
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
[2026-01-23T02:40:53Z ERROR cranelift_filetests::concurrent] FAIL: panicked in worker #9: assertion failed: self.defs.is_empty() ||
        M::get_regs_clobbered_by_call(self.callee_conv,
                self.try_call_info.is_some()).contains(PReg::from(temp.to_reg().to_real_reg().unwrap()))
FAIL ../foo.clif: panicked in worker #9: assertion failed: self.defs.is_empty() ||
    M::get_regs_clobbered_by_call(self.callee_conv,
            self.try_call_info.is_some()).contains(PReg::from(temp.to_reg().to_real_reg().unwrap()))
1 tests
Error: 1 failure

cc @cfallin, bisection points to #12160


Last updated: Jan 29 2026 at 13:25 UTC