
Branch hints fuzz bug

Open tlively opened this issue 3 months ago • 3 comments

Unfortunately this cannot be automatically reduced.

At commit 3f3ed7f6f491bdfab906ea4b8bd24b087f900560, fuzz with seed 5310903701077197356

tlively avatar Sep 25 '25 00:09 tlively

FYI, this does reduce, but you need --text in the reduction.

kripken avatar Sep 25 '25 15:09 kripken

Investigating this: this is a case where OptimizeInstructions removes a ref.as_non_null:

  (func $18 (type $0)
   (local $0 (ref null $11))
-  (local $scratch (ref $11))
+  (local $scratch (ref null $11))
   (local $2 i32)
   (struct.set $11 1
-   (block (result (ref $11))
+   (block (result (ref null $11))
     (local.set $scratch
-     (ref.as_non_null
       (local.get $0)
      )
-    )
     (drop
      (i32.load
       (i32.const 4)
      )
     )
     (local.get $scratch)
    )
    (@metadata.code.branch_hint "\01")
    (if (result f64)
     (block (result i32)
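
Review bot: the trap point moves in this hunk. With the ref.as_non_null around (local.get $0) dropped and $scratch plus the block result widened to (ref null $11), a null $0 no longer traps at the local.set; execution now runs through the (i32.load (i32.const 4)) and through the if that carries (@metadata.code.branch_hint "\01"), and only traps at the struct.set. That is fine for the trap itself, but the hinted branch is now executed on a path that previously never reached it, which is exactly what a fuzzer that checks branch hints will flag. If hints are meant to survive this pass, the rewrite should be gated on the intervening operands carrying no branch hint (or the hint dropped along with the check); otherwise the fuzzer's hint check needs to tolerate this pattern.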

It removes it since the struct.set will trap anyhow. But then we defer the trap to later, past the branch hint, and branch hints are not an effect the optimizer cares about, so it starts to happen, and the fuzzer errors.

We've decided to follow LLVM's lead here and not be super-careful in updating branch hints (i.e. tolerating a small amount of bad hints in return for better/simpler opts). Perhaps we should turn down the branch hint fuzzer?

kripken avatar Sep 25 '25 17:09 kripken

That could make sense. I'm not seeing very many occurrences of branch hint bugs, so keeping it enabled doesn't seem too disruptive, either.

tlively avatar Sep 25 '25 17:09 tlively