Stream: git-wasmtime

Topic: wasmtime / issue #5792 Cranelift: `bugpoint` crash when r...

view this post on Zulip Wasmtime GitHub notifications bot (Feb 15 2023 at 18:32):

afonso360 opened issue #5792:

:wave: Hey,

I was trying to reduce a testcase that was generated by fuzzgen and got bugpoint to panic on an assert.

.clif Test Case

test compile
set opt_level=speed
set regalloc_checker=true
target x86_64

function %a() -> i8 system_v {
block0:
    v58 = f32const -0x1.696968p-22
    v59 = f32const -0x1.b16968p50
    v60 = f32const 0x0.0001a2p-126
    v61 = iconst.i16 81
    v62 = f64const 0x0.000000001d800p-1022
    v63 = iconst.i8 12
    v64 = iconst.i16 -105
    v65 = iconst.i64 0x9797_9797_9797_ffff
    v66 = iconst.i64 0x9797_8797_9797_9797
    v67 = iconst.i64 0x2a57_5757_5797_9797
    v68 = iconcat v67, v66  ; v67 = 0x2a57_5757_5797_9797, v66 = 0x9797_8797_9797_9797
    v69 = iconst.i32 0x4141_4141
    v70 = iconst.i8 0
    v71 = iconst.i16 0
    v72 = iconst.i32 0
    v73 = iconst.i64 0
    v74 = uextend.i128 v73  ; v73 = 0
    jump block1(v64, v62, v65, v62, v63, v65, v69, v68, v60, v68, v68, v68)  ; v64 = -105, v62 = 0x0.000000001d800p-1022, v65 = 0x9797_9797_9797_ffff, v62 = 0x0.000000001d800p-1022, v63 = 12, v65 = 0x9797_9797_9797_ffff, v69 = 0x4141_4141, v60 = 0x0.0001a2p-126

block1(v0: i16, v1: f64, v2: i64, v3: f64, v4: i8, v5: i64, v6: i32, v7: i128, v8: f32, v9: i128, v10: i128, v11: i128):
    brif v4, block2(v3, v3, v0, v3, v5, v3, v4, v5, v6, v11, v8, v11), block4(v11, v3, v0, v4, v8, v5, v6)

block2(v12: f64, v13: f64, v14: i16, v15: f64, v16: i64, v17: f64, v18: i8, v19: i64, v20: i32, v21: i128, v22: f32, v23: i128) cold:
    v76 -> v18
    v75 -> v23
    brif v18, block3(v19), block8(v23, v17, v14, v19, v18, v20, v22)

block3(v24: i64) cold:
    brif.i8 v76, block4(v75, v17, v14, v76, v22, v24, v20), block7(v75, v17, v14, v24, v76, v20, v22)

block4(v25: i128, v77: f64, v78: i16, v79: i8, v90: f32, v94: i64, v99: i32) cold:
    v80 -> v79
    v82 -> v90
    brif v79, block5(v77, v77, v77, v78, v77, v25, v77, v77, v77), block12(v25)

block5(v26: f64, v27: f64, v28: f64, v29: i16, v30: f64, v31: i128, v32: f64, v33: f64, v34: f64) cold:
    v81 = ushr.i8 v80, v31
    brif v81, block6(v81, v29, v34, v31, v82, v31), block9(v34, v29, v94, v81, v99, v31, v82)

block6(v35: i8, v36: i16, v37: f64, v38: i128, v39: f32, v40: i128) cold:
    brif v35, block7(v40, v37, v36, v94, v35, v99, v39), block7(v40, v37, v36, v94, v35, v99, v39)

block7(v41: i128, v91: f64, v93: i16, v96: i64, v98: i8, v101: i32, v103: f32) cold:
    jump block8(v41, v91, v93, v96, v98, v101, v103)

block8(v42: i128, v83: f64, v92: i16, v95: i64, v97: i8, v100: i32, v102: f32) cold:
    jump block9(v83, v92, v95, v97, v100, v42, v102)

block9(v43: f64, v84: i16, v85: i64, v86: i8, v87: i32, v88: i128, v89: f32) cold:
    jump block10(v84, v43, v85, v43, v86, v85, v87, v88, v89, v88, v88, v88)

block10(v44: i16, v45: f64, v46: i64, v47: f64, v48: i8, v49: i64, v50: i32, v51: i128, v52: f32, v53: i128, v54: i128, v55: i128):
    jump block11(v55)

block11(v56: i128) cold:
    jump block12(v56)

block12(v57: i128) cold:
    v111 = iconst.i8 0
    return v111
}

Steps to Reproduce

Expected Results

A reduced test case!

Actual Results

... A bunch of output


thread 'main' panicked at 'assertion failed: func.dfg.block_params(block).len() ==\n    func.dfg.inst_variable_args(pred.inst).len()', cranelift/src/bugpoint.rs:725:9

Versions and Environment

Cranelift version or commit: e10094dcd6d0354628255a6f2e69c1e4c327d6e7 (current main)
Operating system: Linux
Architecture: x86_64

Extra Info

This is the same test case as #5791

view this post on Zulip Wasmtime GitHub notifications bot (Feb 15 2023 at 18:32):

afonso360 labeled issue #5792:

:wave: Hey,

I was trying to reduce a testcase that was generated by fuzzgen and got bugpoint to panic on an assert.

.clif Test Case

test compile
set opt_level=speed
set regalloc_checker=true
target x86_64

function %a() -> i8 system_v {
block0:
    v58 = f32const -0x1.696968p-22
    v59 = f32const -0x1.b16968p50
    v60 = f32const 0x0.0001a2p-126
    v61 = iconst.i16 81
    v62 = f64const 0x0.000000001d800p-1022
    v63 = iconst.i8 12
    v64 = iconst.i16 -105
    v65 = iconst.i64 0x9797_9797_9797_ffff
    v66 = iconst.i64 0x9797_8797_9797_9797
    v67 = iconst.i64 0x2a57_5757_5797_9797
    v68 = iconcat v67, v66  ; v67 = 0x2a57_5757_5797_9797, v66 = 0x9797_8797_9797_9797
    v69 = iconst.i32 0x4141_4141
    v70 = iconst.i8 0
    v71 = iconst.i16 0
    v72 = iconst.i32 0
    v73 = iconst.i64 0
    v74 = uextend.i128 v73  ; v73 = 0
    jump block1(v64, v62, v65, v62, v63, v65, v69, v68, v60, v68, v68, v68)  ; v64 = -105, v62 = 0x0.000000001d800p-1022, v65 = 0x9797_9797_9797_ffff, v62 = 0x0.000000001d800p-1022, v63 = 12, v65 = 0x9797_9797_9797_ffff, v69 = 0x4141_4141, v60 = 0x0.0001a2p-126

block1(v0: i16, v1: f64, v2: i64, v3: f64, v4: i8, v5: i64, v6: i32, v7: i128, v8: f32, v9: i128, v10: i128, v11: i128):
    brif v4, block2(v3, v3, v0, v3, v5, v3, v4, v5, v6, v11, v8, v11), block4(v11, v3, v0, v4, v8, v5, v6)

block2(v12: f64, v13: f64, v14: i16, v15: f64, v16: i64, v17: f64, v18: i8, v19: i64, v20: i32, v21: i128, v22: f32, v23: i128) cold:
    v76 -> v18
    v75 -> v23
    brif v18, block3(v19), block8(v23, v17, v14, v19, v18, v20, v22)

block3(v24: i64) cold:
    brif.i8 v76, block4(v75, v17, v14, v76, v22, v24, v20), block7(v75, v17, v14, v24, v76, v20, v22)

block4(v25: i128, v77: f64, v78: i16, v79: i8, v90: f32, v94: i64, v99: i32) cold:
    v80 -> v79
    v82 -> v90
    brif v79, block5(v77, v77, v77, v78, v77, v25, v77, v77, v77), block12(v25)

block5(v26: f64, v27: f64, v28: f64, v29: i16, v30: f64, v31: i128, v32: f64, v33: f64, v34: f64) cold:
    v81 = ushr.i8 v80, v31
    brif v81, block6(v81, v29, v34, v31, v82, v31), block9(v34, v29, v94, v81, v99, v31, v82)

block6(v35: i8, v36: i16, v37: f64, v38: i128, v39: f32, v40: i128) cold:
    brif v35, block7(v40, v37, v36, v94, v35, v99, v39), block7(v40, v37, v36, v94, v35, v99, v39)

block7(v41: i128, v91: f64, v93: i16, v96: i64, v98: i8, v101: i32, v103: f32) cold:
    jump block8(v41, v91, v93, v96, v98, v101, v103)

block8(v42: i128, v83: f64, v92: i16, v95: i64, v97: i8, v100: i32, v102: f32) cold:
    jump block9(v83, v92, v95, v97, v100, v42, v102)

block9(v43: f64, v84: i16, v85: i64, v86: i8, v87: i32, v88: i128, v89: f32) cold:
    jump block10(v84, v43, v85, v43, v86, v85, v87, v88, v89, v88, v88, v88)

block10(v44: i16, v45: f64, v46: i64, v47: f64, v48: i8, v49: i64, v50: i32, v51: i128, v52: f32, v53: i128, v54: i128, v55: i128):
    jump block11(v55)

block11(v56: i128) cold:
    jump block12(v56)

block12(v57: i128) cold:
    v111 = iconst.i8 0
    return v111
}

Steps to Reproduce

Expected Results

A reduced test case!

Actual Results

... A bunch of output


thread 'main' panicked at 'assertion failed: func.dfg.block_params(block).len() ==\n    func.dfg.inst_variable_args(pred.inst).len()', cranelift/src/bugpoint.rs:725:9

Versions and Environment

Cranelift version or commit: e10094dcd6d0354628255a6f2e69c1e4c327d6e7 (current main)
Operating system: Linux
Architecture: x86_64

Extra Info

This is the same test case as #5791

view this post on Zulip Wasmtime GitHub notifications bot (Feb 15 2023 at 18:32):

afonso360 labeled issue #5792:

:wave: Hey,

I was trying to reduce a testcase that was generated by fuzzgen and got bugpoint to panic on an assert.

.clif Test Case

test compile
set opt_level=speed
set regalloc_checker=true
target x86_64

function %a() -> i8 system_v {
block0:
    v58 = f32const -0x1.696968p-22
    v59 = f32const -0x1.b16968p50
    v60 = f32const 0x0.0001a2p-126
    v61 = iconst.i16 81
    v62 = f64const 0x0.000000001d800p-1022
    v63 = iconst.i8 12
    v64 = iconst.i16 -105
    v65 = iconst.i64 0x9797_9797_9797_ffff
    v66 = iconst.i64 0x9797_8797_9797_9797
    v67 = iconst.i64 0x2a57_5757_5797_9797
    v68 = iconcat v67, v66  ; v67 = 0x2a57_5757_5797_9797, v66 = 0x9797_8797_9797_9797
    v69 = iconst.i32 0x4141_4141
    v70 = iconst.i8 0
    v71 = iconst.i16 0
    v72 = iconst.i32 0
    v73 = iconst.i64 0
    v74 = uextend.i128 v73  ; v73 = 0
    jump block1(v64, v62, v65, v62, v63, v65, v69, v68, v60, v68, v68, v68)  ; v64 = -105, v62 = 0x0.000000001d800p-1022, v65 = 0x9797_9797_9797_ffff, v62 = 0x0.000000001d800p-1022, v63 = 12, v65 = 0x9797_9797_9797_ffff, v69 = 0x4141_4141, v60 = 0x0.0001a2p-126

block1(v0: i16, v1: f64, v2: i64, v3: f64, v4: i8, v5: i64, v6: i32, v7: i128, v8: f32, v9: i128, v10: i128, v11: i128):
    brif v4, block2(v3, v3, v0, v3, v5, v3, v4, v5, v6, v11, v8, v11), block4(v11, v3, v0, v4, v8, v5, v6)

block2(v12: f64, v13: f64, v14: i16, v15: f64, v16: i64, v17: f64, v18: i8, v19: i64, v20: i32, v21: i128, v22: f32, v23: i128) cold:
    v76 -> v18
    v75 -> v23
    brif v18, block3(v19), block8(v23, v17, v14, v19, v18, v20, v22)

block3(v24: i64) cold:
    brif.i8 v76, block4(v75, v17, v14, v76, v22, v24, v20), block7(v75, v17, v14, v24, v76, v20, v22)

block4(v25: i128, v77: f64, v78: i16, v79: i8, v90: f32, v94: i64, v99: i32) cold:
    v80 -> v79
    v82 -> v90
    brif v79, block5(v77, v77, v77, v78, v77, v25, v77, v77, v77), block12(v25)

block5(v26: f64, v27: f64, v28: f64, v29: i16, v30: f64, v31: i128, v32: f64, v33: f64, v34: f64) cold:
    v81 = ushr.i8 v80, v31
    brif v81, block6(v81, v29, v34, v31, v82, v31), block9(v34, v29, v94, v81, v99, v31, v82)

block6(v35: i8, v36: i16, v37: f64, v38: i128, v39: f32, v40: i128) cold:
    brif v35, block7(v40, v37, v36, v94, v35, v99, v39), block7(v40, v37, v36, v94, v35, v99, v39)

block7(v41: i128, v91: f64, v93: i16, v96: i64, v98: i8, v101: i32, v103: f32) cold:
    jump block8(v41, v91, v93, v96, v98, v101, v103)

block8(v42: i128, v83: f64, v92: i16, v95: i64, v97: i8, v100: i32, v102: f32) cold:
    jump block9(v83, v92, v95, v97, v100, v42, v102)

block9(v43: f64, v84: i16, v85: i64, v86: i8, v87: i32, v88: i128, v89: f32) cold:
    jump block10(v84, v43, v85, v43, v86, v85, v87, v88, v89, v88, v88, v88)

block10(v44: i16, v45: f64, v46: i64, v47: f64, v48: i8, v49: i64, v50: i32, v51: i128, v52: f32, v53: i128, v54: i128, v55: i128):
    jump block11(v55)

block11(v56: i128) cold:
    jump block12(v56)

block12(v57: i128) cold:
    v111 = iconst.i8 0
    return v111
}

Steps to Reproduce

Expected Results

A reduced test case!

Actual Results

... A bunch of output


thread 'main' panicked at 'assertion failed: func.dfg.block_params(block).len() ==\n    func.dfg.inst_variable_args(pred.inst).len()', cranelift/src/bugpoint.rs:725:9

Versions and Environment

Cranelift version or commit: e10094dcd6d0354628255a6f2e69c1e4c327d6e7 (current main)
Operating system: Linux
Architecture: x86_64

Extra Info

This is the same test case as #5791

view this post on Zulip Wasmtime GitHub notifications bot (Feb 15 2023 at 19:29):

bjorn3 commented on issue #5792:

https://github.com/bytecodealliance/wasmtime/blob/f0137c2618812666b5495ed20d1bb24b0397485b/cranelift/src/bugpoint.rs#L725-L741 is no longer correct due to brif taking two branch destinations with associated block arguments.

view this post on Zulip Wasmtime GitHub notifications bot (Feb 15 2023 at 19:56):

elliottt commented on issue #5792:

Thanks for catching this @afonso360 , and for the analysis @bjorn3! I'll put together a PR.

view this post on Zulip Wasmtime GitHub notifications bot (Feb 15 2023 at 23:07):

elliottt closed issue #5792:

:wave: Hey,

I was trying to reduce a testcase that was generated by fuzzgen and got bugpoint to panic on an assert.

.clif Test Case

test compile
set opt_level=speed
set regalloc_checker=true
target x86_64

function %a() -> i8 system_v {
block0:
    v58 = f32const -0x1.696968p-22
    v59 = f32const -0x1.b16968p50
    v60 = f32const 0x0.0001a2p-126
    v61 = iconst.i16 81
    v62 = f64const 0x0.000000001d800p-1022
    v63 = iconst.i8 12
    v64 = iconst.i16 -105
    v65 = iconst.i64 0x9797_9797_9797_ffff
    v66 = iconst.i64 0x9797_8797_9797_9797
    v67 = iconst.i64 0x2a57_5757_5797_9797
    v68 = iconcat v67, v66  ; v67 = 0x2a57_5757_5797_9797, v66 = 0x9797_8797_9797_9797
    v69 = iconst.i32 0x4141_4141
    v70 = iconst.i8 0
    v71 = iconst.i16 0
    v72 = iconst.i32 0
    v73 = iconst.i64 0
    v74 = uextend.i128 v73  ; v73 = 0
    jump block1(v64, v62, v65, v62, v63, v65, v69, v68, v60, v68, v68, v68)  ; v64 = -105, v62 = 0x0.000000001d800p-1022, v65 = 0x9797_9797_9797_ffff, v62 = 0x0.000000001d800p-1022, v63 = 12, v65 = 0x9797_9797_9797_ffff, v69 = 0x4141_4141, v60 = 0x0.0001a2p-126

block1(v0: i16, v1: f64, v2: i64, v3: f64, v4: i8, v5: i64, v6: i32, v7: i128, v8: f32, v9: i128, v10: i128, v11: i128):
    brif v4, block2(v3, v3, v0, v3, v5, v3, v4, v5, v6, v11, v8, v11), block4(v11, v3, v0, v4, v8, v5, v6)

block2(v12: f64, v13: f64, v14: i16, v15: f64, v16: i64, v17: f64, v18: i8, v19: i64, v20: i32, v21: i128, v22: f32, v23: i128) cold:
    v76 -> v18
    v75 -> v23
    brif v18, block3(v19), block8(v23, v17, v14, v19, v18, v20, v22)

block3(v24: i64) cold:
    brif.i8 v76, block4(v75, v17, v14, v76, v22, v24, v20), block7(v75, v17, v14, v24, v76, v20, v22)

block4(v25: i128, v77: f64, v78: i16, v79: i8, v90: f32, v94: i64, v99: i32) cold:
    v80 -> v79
    v82 -> v90
    brif v79, block5(v77, v77, v77, v78, v77, v25, v77, v77, v77), block12(v25)

block5(v26: f64, v27: f64, v28: f64, v29: i16, v30: f64, v31: i128, v32: f64, v33: f64, v34: f64) cold:
    v81 = ushr.i8 v80, v31
    brif v81, block6(v81, v29, v34, v31, v82, v31), block9(v34, v29, v94, v81, v99, v31, v82)

block6(v35: i8, v36: i16, v37: f64, v38: i128, v39: f32, v40: i128) cold:
    brif v35, block7(v40, v37, v36, v94, v35, v99, v39), block7(v40, v37, v36, v94, v35, v99, v39)

block7(v41: i128, v91: f64, v93: i16, v96: i64, v98: i8, v101: i32, v103: f32) cold:
    jump block8(v41, v91, v93, v96, v98, v101, v103)

block8(v42: i128, v83: f64, v92: i16, v95: i64, v97: i8, v100: i32, v102: f32) cold:
    jump block9(v83, v92, v95, v97, v100, v42, v102)

block9(v43: f64, v84: i16, v85: i64, v86: i8, v87: i32, v88: i128, v89: f32) cold:
    jump block10(v84, v43, v85, v43, v86, v85, v87, v88, v89, v88, v88, v88)

block10(v44: i16, v45: f64, v46: i64, v47: f64, v48: i8, v49: i64, v50: i32, v51: i128, v52: f32, v53: i128, v54: i128, v55: i128):
    jump block11(v55)

block11(v56: i128) cold:
    jump block12(v56)

block12(v57: i128) cold:
    v111 = iconst.i8 0
    return v111
}

Steps to Reproduce

Expected Results

A reduced test case!

Actual Results

... A bunch of output


thread 'main' panicked at 'assertion failed: func.dfg.block_params(block).len() ==\n    func.dfg.inst_variable_args(pred.inst).len()', cranelift/src/bugpoint.rs:725:9

Versions and Environment

Cranelift version or commit: e10094dcd6d0354628255a6f2e69c1e4c327d6e7 (current main)
Operating system: Linux
Architecture: x86_64

Extra Info

This is the same test case as #5791

Last updated: Nov 22 2024 at 16:03 UTC