Redundant `local.tee` instruction with overwriting semantics causes miscompilation about wasmi HOT 13 CLOSED

@Robbepop Thanks for the quick turnaround! 0.32.2 looks good so far.

from wasmi.

@kaiavintr Thank you for the confirmation that v0.32.2 is fine. :) And thank you again for reporting these bugs!

from wasmi.

@Robbepop I found a slightly more complicated case. Returns 2, should return 1:

(module
  (type (;0;) (func (result i32)))
  (func (;0;) (type 0) (result i32)
    (local i32 i32)

    i32.const 0
    local.set 0

    i32.const 1
    local.set 1
  
    local.get 1
    local.get 0
    
    i32.const 0
    local.set 0
    
    local.tee 1
    
    i32.add
    )
  (export "main_function" (func 0)))

from wasmi.

@kaiavintr Thanks again for the reported issue.

I have created #1057 to fix this.
The issue this time was because of re-use of local preservation slots. The issue was fixed by more explicitly separate out GC of preservation slots marked for removal and re-use of preservation slots.

from wasmi.

No, sorry, I don't have the code in a public repository yet. It might be a while.

By the way, I did some experiments today testing Wasmi more directly, by searching a space of instruction sequences that includes the latter two cases above. I haven't found any issues with the fixed code. I think I have exhaustively tested all valid sequences up to length 9, with i32.const, i32.add, local.get, local.set, local.tee, and three local variables, and all length 10 sequences with the constraint that variables are explicitly initialized.

@kaiavintr Thanks a lot for the info, it is relieving to know that Wasmi translation seems to be somewhat stable now. I will make another release including the last fix soon. Thank you for your work that also led to a better Wasmi for everyone! :)

from wasmi.

@kaiavintr Thanks a lot for the bug report!

I have fixed this in #1052.
I wonder why our fuzzing infrastructure did not find this bug. Time for investigation!

from wasmi.

@kaiavintr I just released Wasmi v0.32.1 which includes the fix.

from wasmi.

With the fix, it still happens if the local.get is from a different variable. The following code returns 0, should return 2:

(module
  (type (;0;) (func (result i32)))
  (func (;0;) (type 0) (result i32)
    (local i32 i32 i32) 

    i32.const 0
    local.set 0
    i32.const 1
    local.set 1
    i32.const 2
    local.set 2
  
    local.get 2
    local.tee 0
    local.tee 1
    )
  (export "main_function" (func 0)))

from wasmi.

@Robbepop sorry, I forgot to mention you in the above comment, and I don't know if you get notifications for comments on closed issues. Also, sorry to do this to you on a Monday :)

from wasmi.

@kaiavintr Thank you for re-opening, I clearly oversaw some more general solution to the problem last time.
This PR fixes all the cases: #1054

from wasmi.

@Robbepop The fix looks good so far. I'm using wasmi for randomized testing of a code generator, and perhaps it is seeing some types of instruction sequences that LLVM and Binaryen would never output.

from wasmi.

@Robbepop The fix looks good so far. I'm using wasmi for randomized testing of a code generator, and perhaps it is seeing some types of instruction sequences that LLVM and Binaryen would never output.

Great work so far from the perspective of Wasmi, thanks a lot for the bug reports! :D
Is there a public repo of your work?

from wasmi.

Great work so far from the perspective of Wasmi, thanks a lot for the bug reports! :D Is there a public repo of your work?

No, sorry, I don't have the code in a public repository yet. It might be a while.

By the way, I did some experiments today testing Wasmi more directly, by searching a space of instruction sequences that includes the latter two cases above. I haven't found any issues with the fixed code. I think I have exhaustively tested all valid sequences up to length 9, with i32.const, i32.add, local.get, local.set, local.tee, and three local variables, and all length 10 sequences with the constraint that variables are explicitly initialized.

from wasmi.