@cfallin cfallin commented Jan 26, 2026

No description provided.

The implementation of the `fcopysign` operator uses vector bitwise AND
instructions on the floating-point/vector registers containing the
inputs to the operator. This is a reasonable implementation as the
instruction set does not have scalar (single-lane) bitwise
operators. However, when load-sinking automatically kicks in for an
operand to an `andps`, it can turn a 64-bit load (`f64.load`) into a
128-bit load incorrectly.

This load-widening can cause out-of-bounds accesses where they were
not expected. When dynamic bounds checks are enabled, we compile
assuming the correct load-operator width is codegen'd; a too-wide load
could read beyond the checked bound, either into unmapped
memory (crashing the process) or, worse, valid data outside the
sandbox. In the case of `fcopysign` the result of that read is not
directly available, because it will go into the high (unused)
lane, but the out-of-bounds read itself is a problem.

Thanks to louismerlin for reporting!
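The two points in the commit message, fcopysign as a bitwise AND/OR over bit patterns and a dynamic bounds check whose width no longer matches the load it guards, modelled in an added example that is not Cranelift's code. The toy `LinearMemory`, its `guarded_load` with separate `checked_width` and `read_width`, and the sample offsets are all constructed for this illustration; the model reports the width mismatch as an error where the real codegen would have performed an out-of-bounds read.

```rust
// Added illustration, not Cranelift's code: a scalar model of fcopysign
// plus a toy linear memory whose bounds check can be narrower than the
// load it guards, which is the mismatch the fix addresses.

const SIGN_MASK: u64 = 1 << 63;

/// Scalar `fcopysign`: magnitude of `mag`, sign bit of `sign`. Same
/// AND/OR-on-bit-patterns shape as the vector lowering, but on one lane.
pub fn fcopysign_f64(mag: f64, sign: f64) -> f64 {
    let bits = (mag.to_bits() & !SIGN_MASK) | (sign.to_bits() & SIGN_MASK);
    f64::from_bits(bits)
}

/// Toy sandboxed linear memory (constructed for this example).
pub struct LinearMemory {
    bytes: Vec<u8>,
}

impl LinearMemory {
    pub fn new(len: usize) -> Self {
        LinearMemory { bytes: vec![0xAA; len] }
    }

    /// Dynamic bounds check as the compiler emits it: `offset + checked_width`
    /// must lie within the memory.
    pub fn in_bounds(&self, offset: usize, checked_width: usize) -> bool {
        offset
            .checked_add(checked_width)
            .map_or(false, |end| end <= self.bytes.len())
    }

    /// A guarded load where the check covers `checked_width` bytes but the
    /// machine instruction reads `read_width` bytes. When the two agree the
    /// check is sound; when `read_width` is wider (an 8-byte `f64.load` sunk
    /// into a 16-byte `andps` operand) the check passes yet the read can run
    /// past the end. The model turns that into an error instead of an
    /// out-of-bounds read.
    pub fn guarded_load(
        &self,
        offset: usize,
        checked_width: usize,
        read_width: usize,
    ) -> Result<&[u8], &'static str> {
        if !self.in_bounds(offset, checked_width) {
            return Err("trap: bounds check failed");
        }
        let end = offset
            .checked_add(read_width)
            .ok_or("unsound: load end overflows")?;
        self.bytes
            .get(offset..end)
            .ok_or("unsound: check passed but load reads past the end of memory")
    }
}

/// Bytes the widened load would read beyond the checked bound.
pub fn overread_bytes(checked_width: usize, read_width: usize) -> usize {
    read_width.saturating_sub(checked_width)
}

fn main() {
    assert_eq!(fcopysign_f64(3.5, -1.0), -3.5);
    let mem = LinearMemory::new(64);
    // Last valid f64 slot: the check is for 8 bytes and the load reads 8.
    assert!(mem.guarded_load(56, 8, 8).is_ok());
    // Same check, but the load was widened to 16 bytes.
    assert!(mem.guarded_load(56, 8, 16).is_err());
    println!("widened load overreads by {} bytes", overread_bytes(8, 16));
}
```

The last slot of the memory is the interesting case: an 8-byte check at offset 56 of a 64-byte memory passes, and an 8-byte read is fine, but the same check in front of a 16-byte read lets the instruction touch 8 bytes past the end. That is exactly the gap between "the width the check assumed" and "the width the instruction reads" that the commit message describes.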
@cfallin cfallin requested review from a team as code owners January 26, 2026 19:20
@cfallin cfallin requested review from alexcrichton and removed request for a team January 26, 2026 19:20
@fitzgen fitzgen closed this Jan 26, 2026
@fitzgen fitzgen reopened this Jan 26, 2026
@cfallin cfallin closed this Jan 26, 2026
@cfallin cfallin reopened this Jan 26, 2026
@cfallin cfallin merged commit 728fa07 into bytecodealliance:release-40.0.0 Jan 26, 2026
565 of 688 checks passed
@cfallin cfallin deleted the release-40 branch January 26, 2026 21:23