Panic in Cranelift when compiling tail calls #8704
Labels
fuzz-bug
Bugs found by a fuzzer
Comments
|
It looks like this is invalid wasm: the function 3 tail calls to 1, but they differ in return type. Validating in the browser shows this as well: |
|
I have a fix incoming. |
fitzgen
added a commit
to fitzgen/wasm-tools
that referenced
this issue
May 29, 2024
We need to additionally check that the callee's results are an exact match of the caller's results. We were incorrectly allowing return calls that would push more values on the operand stack than would be returned. That is fine with a `call; return` sequence, where extra values on the stack are allowed to dangle, but not okay with a `return_call`. With a `return_call` it doesn't make sense because the callee might need a return pointer to put all its results into, but the caller can't supply one since its frame is going away, nor can the caller forward a return pointer that it received to the callee, since it might not return enough values to require a return pointer. This commit fixes the validation to match the spec and disallow `return_call`s that would leave dangling values on the operand stack. cc bytecodealliance/wasmtime#8704
fitzgen
added a commit
to fitzgen/wasm-tools
that referenced
this issue
May 29, 2024
We need to additionally check that the callee's results are an exact match of the caller's results. We were incorrectly allowing return calls that would push more values on the operand stack than would be returned. That is fine with a `call; return` sequence, where extra values on the stack are allowed to dangle, but not okay with a `return_call`. With a `return_call` it doesn't make sense because the callee might need a return pointer to put all its results into, but the caller can't supply one since its frame is going away, nor can the caller forward a return pointer that it received to the callee, since it might not return enough values to require a return pointer. This commit fixes the validation to match the spec and disallow `return_call`s that would leave dangling values on the operand stack. cc bytecodealliance/wasmtime#8704 Co-Authored-By: Trevor Elliott <[email protected]>
github-merge-queue bot
pushed a commit
to bytecodealliance/wasm-tools
that referenced
this issue
May 29, 2024
#1585) We need to additionally check that the callee's results are an exact match of the caller's results. We were incorrectly allowing return calls that would push more values on the operand stack than would be returned. That is fine with a `call; return` sequence, where extra values on the stack are allowed to dangle, but not okay with a `return_call`. With a `return_call` it doesn't make sense because the callee might need a return pointer to put all its results into, but the caller can't supply one since its frame is going away, nor can the caller forward a return pointer that it received to the callee, since it might not return enough values to require a return pointer. This commit fixes the validation to match the spec and disallow `return_call`s that would leave dangling values on the operand stack. cc bytecodealliance/wasmtime#8704 Co-authored-by: Trevor Elliott <[email protected]>
fitzgen
added a commit
to fitzgen/wasmtime
that referenced
this issue
May 29, 2024
fitzgen
added a commit
to fitzgen/wasmtime
that referenced
this issue
May 29, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This input:
foo.watFails with:
Local bisection points to #8389 as the cause, but the panic was added in that commit as well so it may not be the original source.
cc @fitzgen, @elliottt
The text was updated successfully, but these errors were encountered: