Wasmtime GitHub notifications bot (May 29 2024 at 15:50): Wasmtime GitHub notifications bot (May 29 2024 at 15:50):alexcrichton added the fuzz-bug label to Issue #8704.
Wasmtime GitHub notifications bot (May 29 2024 at 15:50):alexcrichton opened issue #8704:
This input:
<details>
<summary><code>foo.wat</code></summary>
(module (type (;0;) (func (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32))) (type (;1;) (func (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32))) (type (;2;) (func (result f32 f32 f32 f32))) (func (;0;) (type 1) (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32) unreachable ) (func (;1;) (type 1) (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32) unreachable ) (func (;2;) (type 1) (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32) unreachable ) (func (;3;) (type 2) (result f32 f32 f32 f32) global.get 0 block (type 0) (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32) ;; label = @1 call 0 f32.ne f32.load align=1 f32.lt f32.load align=1 f32.lt f32.load align=1 f32.lt f32.load align=1 f32.ne f64.const 0x1.55f3436665f63p-504 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000025503814566781667;) f64.ceil i32.trunc_sat_f64_u f32.convert_i32_s f32.ceil f32.ceil f32.ceil f32.ceil f32.floor f32.ceil f32.floor i64.trunc_sat_f32_s global.get 1 i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load16_s align=1 i32.clz f32.const 0x1.eabe68p-63 (;=0.00000000000000000020783807;) f32.floor i64.trunc_sat_f32_s global.get 1 i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.ctz f32.const 0x1.e8c2e6p+63 (;=17609482000000000000;) f32.floor call 2 f32.lt f32.const 0x1.40e8e6p-31 (;=0.00000000058373145;) f32.floor f32.const 0x1.5c686cp+71 (;=3213495700000000000000;) f32.copysign f32.const 0x1.606a68p-31 (;=0.00000000064104033;) f32.gt i64.load16_u align=1 f64.const 0x1.030303030303p-252 (;=0.0000000000000000000000000000000000000000000000000000000000000000000000000001398043286095289;) f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f32.const 0x1.5c686cp+105 (;=55207435000000000000000000000000;) global.get 0 i64.trunc_sat_f64_s call 2 f32.gt memory.grow f64.const 0x1.030303030302p-252 (;=0.0000000000000000000000000000000000000000000000000000000000000000000000000001398043286095284;) f64.neg f64.neg f64.neg f64.neg f64.neg f64.neg drop drop drop drop drop drop drop drop drop drop drop drop return_call 1 drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop f32.const 0x1.60606p-31 (;=0.00000000064096906;) f32.const 0x1.d2406p-19 (;=0.0000034738441;) f32.const 0x1.e85c68p+101 (;=4836492700000000000000000000000;) f32.const 0x1.c6dceap+63 (;=16388165000000000000;) f32.const 0x1.686cccp+63 (;=12985679000000000000;) f32.const 0x1.cc40eap-19 (;=0.0000034291563;) end drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop f32.const 0x1.dcdec6p+103 (;=18890775000000000000000000000000;) f32.const 0x1.6040e8p-31 (;=0.00000000064074546;) f32.const 0x1.60606p-25 (;=0.00000004102202;) f32.const 0x1.60606p-31 (;=0.00000000064096906;) ) (memory (;0;) 0) (global (;0;) f64 f64.const 0x1.b0a2b292b292bp-365 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000022487118447499093;)) (global (;1;) (mut i32) i32.const 0) )</details>
Fails with:
$ cargo run -q compile ~/Downloads/clusterfuzz-testcase-minimized-compile-4912239181103104 thread '<unnamed>' panicked at cranelift/codegen/src/machinst/abi.rs:2281:55: if the tail callee has a return pointer, then the tail caller must as well note: run with `RUST_BACKTRACE=1` environment variable to display a backtraceLocal bisection points to https://github.com/bytecodealliance/wasmtime/pull/8389 as the cause, but the panic was added in that commit as well so it may not be the original source.
cc @fitzgen, @elliottt
Wasmtime GitHub notifications bot (May 29 2024 at 16:05):alexcrichton commented on issue #8704:
My local bisection pointing to https://github.com/bytecodealliance/wasmtime/pull/8389 was done with the arm64 backend. Doing another bisection with the x64 backend points to https://github.com/bytecodealliance/wasmtime/pull/6774 so I don't think this is a regression, it's just been a bug all along.
Wasmtime GitHub notifications bot (May 29 2024 at 16:24):elliottt commented on issue #8704:
It looks like this is invalid wasm: the function 3 tail calls to 1, but they differ in return type. Validating in the browser shows this as well:
CompileError: WebAssembly.Module(): Compiling function #3 failed: return_call: tail call type error @+366 at wasm (<anonymous>:7:10) at <anonymous>:1:1
Wasmtime GitHub notifications bot (May 29 2024 at 17:23):fitzgen commented on issue #8704:
I have a fix incoming.
Wasmtime GitHub notifications bot (May 29 2024 at 21:25):fitzgen closed issue #8704:
This input:
<details>
<summary><code>foo.wat</code></summary>
(module (type (;0;) (func (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32))) (type (;1;) (func (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32))) (type (;2;) (func (result f32 f32 f32 f32))) (func (;0;) (type 1) (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32) unreachable ) (func (;1;) (type 1) (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32) unreachable ) (func (;2;) (type 1) (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32) unreachable ) (func (;3;) (type 2) (result f32 f32 f32 f32) global.get 0 block (type 0) (result f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32 f32) ;; label = @1 call 0 f32.ne f32.load align=1 f32.lt f32.load align=1 f32.lt f32.load align=1 f32.lt f32.load align=1 f32.ne f64.const 0x1.55f3436665f63p-504 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000025503814566781667;) f64.ceil i32.trunc_sat_f64_u f32.convert_i32_s f32.ceil f32.ceil f32.ceil f32.ceil f32.floor f32.ceil f32.floor i64.trunc_sat_f32_s global.get 1 i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load16_s align=1 i32.clz f32.const 0x1.eabe68p-63 (;=0.00000000000000000020783807;) f32.floor i64.trunc_sat_f32_s global.get 1 i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.load8_u i32.ctz f32.const 0x1.e8c2e6p+63 (;=17609482000000000000;) f32.floor call 2 f32.lt f32.const 0x1.40e8e6p-31 (;=0.00000000058373145;) f32.floor f32.const 0x1.5c686cp+71 (;=3213495700000000000000;) f32.copysign f32.const 0x1.606a68p-31 (;=0.00000000064104033;) f32.gt i64.load16_u align=1 f64.const 0x1.030303030303p-252 (;=0.0000000000000000000000000000000000000000000000000000000000000000000000000001398043286095289;) f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f64.ceil f32.const 0x1.5c686cp+105 (;=55207435000000000000000000000000;) global.get 0 i64.trunc_sat_f64_s call 2 f32.gt memory.grow f64.const 0x1.030303030302p-252 (;=0.0000000000000000000000000000000000000000000000000000000000000000000000000001398043286095284;) f64.neg f64.neg f64.neg f64.neg f64.neg f64.neg drop drop drop drop drop drop drop drop drop drop drop drop return_call 1 drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop f32.const 0x1.60606p-31 (;=0.00000000064096906;) f32.const 0x1.d2406p-19 (;=0.0000034738441;) f32.const 0x1.e85c68p+101 (;=4836492700000000000000000000000;) f32.const 0x1.c6dceap+63 (;=16388165000000000000;) f32.const 0x1.686cccp+63 (;=12985679000000000000;) f32.const 0x1.cc40eap-19 (;=0.0000034291563;) end drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop drop f32.const 0x1.dcdec6p+103 (;=18890775000000000000000000000000;) f32.const 0x1.6040e8p-31 (;=0.00000000064074546;) f32.const 0x1.60606p-25 (;=0.00000004102202;) f32.const 0x1.60606p-31 (;=0.00000000064096906;) ) (memory (;0;) 0) (global (;0;) f64 f64.const 0x1.b0a2b292b292bp-365 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000022487118447499093;)) (global (;1;) (mut i32) i32.const 0) )</details>
Fails with:
$ cargo run -q compile ~/Downloads/clusterfuzz-testcase-minimized-compile-4912239181103104 thread '<unnamed>' panicked at cranelift/codegen/src/machinst/abi.rs:2281:55: if the tail callee has a return pointer, then the tail caller must as well note: run with `RUST_BACKTRACE=1` environment variable to display a backtraceLocal bisection points to https://github.com/bytecodealliance/wasmtime/pull/8389 as the cause, but the panic was added in that commit as well so it may not be the original source.
cc @fitzgen, @elliottt
Last updated: Nov 22 2024 at 16:03 UTC