Closed
Labels
fuzz-bug — Bugs found by a fuzzer; wasm-proposal:simd — Issues related to the WebAssembly SIMD proposal; winch — Winch issues or pull requests
Description
OSS-Fuzz is coming in with a few crashes from enabling fuzzing yesterday. cc @jeffcharles @saulecabrera
;; Reproducer 1 (shrunk with wasm-tools shrink): an exported function with an
;; empty export name whose signature returns two v128 values. The body only
;; pushes two all-zero v128 constants, so the function does nothing beyond a
;; multi-value SIMD return. Under `-Ccompiler=winch` the run ends with
;; "segmentation fault (core dumped)" — a host-process crash rather than a
;; Wasm trap — see the transcript below.
(module
  (func (export "") (result v128 v128)
    ;; one zero vector per result slot
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
  )
)
$ cargo run run -Ccompiler=winch testcase0.wat
Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.10s
Running `target/x86_64-unknown-linux-gnu/debug/wasmtime run -Ccompiler=winch testcase0.wat`
zsh: segmentation fault (core dumped) cargo run run -Ccompiler=winch testcase0.wat
(this one is shrunk via wasm-tools shrink)
;; Reproducer 2: same shape as reproducer 1 but with twenty v128 results.
;; Type 0 declares the 20-way v128 multi-value return, and the body pushes
;; twenty all-zero v128 constants, one per result. Under `-Ccompiler=winch`
;; the run again ends with "segmentation fault (core dumped)" — see the
;; transcript below. Presumably the same multi-value v128 return path as
;; reproducer 1; the page does not identify the root cause.
(module
  (type (;0;) (func (result v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128)))
  (export "" (func 0))
  (func (;0;) (type 0) (result v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128 v128)
    ;; twenty zero vectors, one per result slot
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
  )
)
$ cargo run run -Ccompiler=winch testcase0.wat
Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.11s
Running `target/x86_64-unknown-linux-gnu/debug/wasmtime run -Ccompiler=winch testcase0.wat`
zsh: segmentation fault (core dumped) cargo run run -Ccompiler=winch testcase0.wat
(this one didn't shrink much)
non-shrunken test case
;; Reproducer 3 (not shrunk much): an exported function returning
;; (v128 i32 i32 v128) that exercises linear memory, mutable globals, float
;; clamping before truncation, memory.grow and guarded byte loads. Under
;; `-Ccompiler=winch` the run ends with "bus error (core dumped)" — a
;; host-process crash rather than a Wasm trap — see the transcript below.
(module
  (type (;0;) (func (result v128 i32 i32 v128)))
  (memory (;0;) 1)
  (global (;0;) (mut i64) i64.const 0)
  (global (;1;) (mut i32) i32.const 0)
  (global (;2;) (mut i32) i32.const 0)
  (export "" (func 0))
  (func (;0;) (type 0) (result v128 i32 i32 v128)
    ;; locals by index: 0 i32, 1 f32, 2 f64, 3 i32, 4 i64, 5 f64, 6 i32, 7 i64
    (local i32 f32 f64 i32 i64 f64 i32 i64)
    ;; No `br` below targets @1 or @3, so each loop body executes exactly once.
    loop ;; label = @1
      block ;; label = @2
        ;; This f32 is parked on the operand stack for the whole of block @2
        ;; and only consumed by `i32.reinterpret_f32` near its end.
        f32.const 0x1.e12a36p+24 (;=31533622;)
        ;; Pre-clamp local 1 so the i32.trunc_f32_u below cannot trap:
        ;; NaN or +/-inf -> 0, negative -> 0, above 0x1.fffffep+30 -> that bound.
        f32.const -0x1.fffffep+96 (;=-158456320000000000000000000000;)
        local.tee 1
        local.get 1
        f32.ne
        local.get 1
        f32.const inf (;=inf;)
        f32.eq
        local.get 1
        f32.const -inf (;=-inf;)
        f32.eq
        i32.or
        i32.or
        if ;; label = @3
          f32.const 0x0p+0 (;=0;)
          local.set 1
        end
        local.get 1
        f32.const 0x0p+0 (;=0;)
        f32.lt
        if ;; label = @3
          f32.const 0x0p+0 (;=0;)
          local.set 1
        end
        local.get 1
        f32.const 0x1.fffffep+30 (;=2147483500;)
        f32.gt
        if ;; label = @3
          f32.const 0x1.fffffep+30 (;=2147483500;)
          local.set 1
        end
        local.get 1
        i32.trunc_f32_u
        ;; The i32.le_u result (0 or 1) is the page delta passed to memory.grow;
        ;; memory.grow's own result is xor-folded into global 1 after the inner loop.
        i32.const -67108864
        i32.shr_u
        i32.const -67108864
        i32.clz
        i32.le_u
        memory.grow
        loop ;; label = @3
          block ;; label = @4
            ;; sqrt of a negative f64 yields NaN; the `or` with a nonzero
            ;; constant makes the following `if` unconditional, so local 2 = 0.
            f64.const -0x1.bebebebeae9e8p+703 (;=-73435622781783640000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000;)
            f64.sqrt
            local.tee 2
            local.get 2
            f64.ne
            i32.const -1685235965
            i32.or
            if ;; label = @5
              f64.const 0x0p+0 (;=0;)
              local.set 2
            end
            local.get 2
            f64.const -0x1p+31 (;=-2147483648;)
            f64.lt
            if ;; label = @5
              nop
            end
            local.get 2
            f64.const 0x1.fffffffcp+30 (;=2147483647;)
            f64.gt
            if ;; label = @5
              f64.const 0x1.fffffffcp+30 (;=2147483647;)
              local.set 2
            end
            local.get 2
            i32.trunc_f64_s
            local.set 3
            ;; Guarded byte load #1. The first guard compares memory.size*0 (= 0)
            ;; with local 3 using i32.le_u, and 0 <=_u x always holds, so the
            ;; first br_if is always taken and the load never executes.
            block ;; label = @5
              block ;; label = @6
                memory.size
                i32.const 0
                i32.mul
                local.get 3
                i32.le_u
                br_if 0 (;@6;)
                local.get 3
                i32.const 0
                i32.le_s
                br_if 0 (;@6;)
                local.get 3
                i64.load8_u offset=16896
                local.set 4
                br 1 (;@5;)
              end
              nop
            end
            ;; Clamp local 5 (f64) into i32 range before i32.trunc_f64_s; as
            ;; above, the `or` with a nonzero constant makes the first `if`
            ;; unconditional, so local 5 = 0 here.
            local.get 4
            f64.convert_i64_s
            local.get 5
            f64.ne
            local.get 5
            f64.const inf (;=inf;)
            f64.eq
            i32.const 659065550
            i32.or
            i32.or
            if ;; label = @5
              f64.const 0x0p+0 (;=0;)
              local.set 5
            end
            local.get 5
            f64.const -0x1p+31 (;=-2147483648;)
            f64.lt
            if ;; label = @5
              f64.const -0x1p+31 (;=-2147483648;)
              local.set 5
            end
            local.get 5
            f64.const 0x1.fffffffcp+30 (;=2147483647;)
            f64.gt
            if ;; label = @5
              f64.const 0x1.fffffffcp+30 (;=2147483647;)
              local.set 5
            end
            local.get 5
            i32.trunc_f64_s
            local.set 6
            ;; Guarded byte load #2: skipped when memory.size*65536 <=_u
            ;; 16904 + local 6 (address would be at or past the end of linear
            ;; memory) or when local 6 <=_s 0; otherwise loads the byte at
            ;; local 6 + 16896 into local 7.
            block ;; label = @5
              block ;; label = @6
                memory.size
                i32.const 65536
                i32.mul
                i32.const 16904
                local.get 6
                i32.add
                i32.le_u
                br_if 0 (;@6;)
                local.get 6
                i32.const 0
                i32.le_s
                br_if 0 (;@6;)
                local.get 6
                i64.load8_u offset=16896
                local.set 7
                br 1 (;@5;)
              end
              nop
            end
            local.get 7
            global.set 0
          end
        end
        ;; xor-fold memory.grow's result into global 1, then the bit pattern of
        ;; the parked f32 into global 2.
        global.get 1
        i32.xor
        global.set 1
        i32.reinterpret_f32
        global.get 2
        i32.xor
        global.set 2
      end
    end
    ;; the four results, in signature order: v128 i32 i32 v128
    v128.const i32x4 0x42424242 0x42424242 0xe6e6fffe 0xe6e6e6e6
    i32.const -421071898
    i32.const -421075226
    v128.const i32x4 0xfff80000 0xffffffff 0xf0000000 0xffffffff
  )
)
$ cargo run run -Ccompiler=winch testcase0.shrunken.wat
Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.10s
Running `target/x86_64-unknown-linux-gnu/debug/wasmtime run -Ccompiler=winch testcase0.shrunken.wat`
zsh: bus error (core dumped) cargo run run -Ccompiler=winch testcase0.shrunken.wat