Winch: Assertion failure with saturating conversion instructions #8848

alexcrichton · 2024-06-20T15:01:16Z

Given this input:

(module
  (func (param f64 f64 f64 f64) (result f32 f64)
    f64.const 0
    local.get 0
    i64.const 0
    f64.const 0
    i64.const 0
    local.get 0
    f64.const 0
    i64.const 1
    i32.const 1
    i64.const 1
    f32.const 0
    local.get 0

    i32.const 0
    br_if 0

    drop
    drop
    drop
    drop
    drop
    drop
    i64.reinterpret_f64
    i64.const 0
    i64.xor
    drop
    drop
    drop
    drop
    drop
    drop
    f32.const 0
    f64.const 0
  )
)

since the implementation of saturating conversion instructions in #7909 this has panicked

$ cargo run --features winch --no-default-features --features compile compile -C compiler=winch ./testcase1.wasm -o /dev/null
...
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.06s
     Running `target/debug/wasmtime compile -C compiler=winch -o /dev/null ./foo.wat`
thread 'main' panicked at winch/codegen/src/codegen/context.rs:165:13:
assertion `left == right` failed
  left: 64
 right: 48
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

cc @saulecabrera

The text was updated successfully, but these errors were encountered:

github-actions · 2024-06-20T15:02:02Z

Subscribe to Label Action

cc @saulecabrera

This issue or pull request has been labeled: "winch"

Thus the following users have been cc'd because of the following labels:

saulecabrera: winch

To subscribe or unsubscribe from this label, edit the .github/subscribe-to-label.json configuration file.

Learn more.

saulecabrera · 2024-06-21T16:32:19Z

Thanks for catching this one Alex. I'll take a look.

Fixes: bytecodealliance#8848 Similar to all the control instructions, any state must be explicitly saved before emitting the code for `br_if`. This commit ensures that live locals and registers are explicilty saved before emitting the code for `br_if`. Prior to this commit, live locals and registers were not saved every time causing incorrect behavior in cases where the calculation of the conditional argument didn't trigger a spill. This change introduces the explicit spill after calculating the branch condition argument to minimize memory traffic in case the conditional is already in a register.

Fixes: #8848 Similar to all the control instructions, any state must be explicitly saved before emitting the code for `br_if`. This commit ensures that live locals and registers are explicilty saved before emitting the code for `br_if`. Prior to this commit, live locals and registers were not saved every time causing incorrect behavior in cases where the calculation of the conditional argument didn't trigger a spill. This change introduces the explicit spill after calculating the branch condition argument to minimize memory traffic in case the conditional is already in a register.

alexcrichton added fuzz-bug Bugs found by a fuzzer winch Winch issues or pull requests labels Jun 20, 2024

alexcrichton mentioned this issue Jun 24, 2024

shrink: Ineffective on non-tree-like expressions (?) bytecodealliance/wasm-tools#1633

Open

saulecabrera mentioned this issue Jun 28, 2024

winch: Save state before emitting br_if #8886

Merged

fitzgen closed this as completed in #8886 Jun 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Winch: Assertion failure with saturating conversion instructions #8848

Winch: Assertion failure with saturating conversion instructions #8848

alexcrichton commented Jun 20, 2024

github-actions bot commented Jun 20, 2024

saulecabrera commented Jun 21, 2024

Winch: Assertion failure with saturating conversion instructions #8848

Winch: Assertion failure with saturating conversion instructions #8848

Comments

alexcrichton commented Jun 20, 2024

github-actions bot commented Jun 20, 2024

Subscribe to Label Action

saulecabrera commented Jun 21, 2024