From f2ac7244d543721a68d5bd6661e22147b03375e1 Mon Sep 17 00:00:00 2001
From: Edoardo Vacchi <evacchi@users.noreply.github.com>
Date: Tue, 31 Oct 2023 19:02:09 +0100
Subject: [PATCH] wazevo: fuzz, fix ssa.OpcodeInsertlane

Signed-off-by: Edoardo Vacchi <evacchi@users.noreply.github.com>
---
 .../wazevo/backend/isa/arm64/lower_instr.go   |  32 +--
 .../fuzzcases/fuzzcases_test.go               |  16 ++
 .../fuzzcases/testdata/1825.wasm              | Bin 0 -> 680 bytes
 .../fuzzcases/testdata/1825.wat               | 189 ++++++++++++++++++
 4 files changed, 224 insertions(+), 13 deletions(-)
 create mode 100644 internal/integration_test/fuzzcases/testdata/1825.wasm
 create mode 100644 internal/integration_test/fuzzcases/testdata/1825.wat

diff --git a/internal/engine/wazevo/backend/isa/arm64/lower_instr.go b/internal/engine/wazevo/backend/isa/arm64/lower_instr.go
index 3f062e975e..16d8449dcb 100644
--- a/internal/engine/wazevo/backend/isa/arm64/lower_instr.go
+++ b/internal/engine/wazevo/backend/isa/arm64/lower_instr.go
@@ -630,30 +630,36 @@ func (m *machine) LowerInstr(instr *ssa.Instruction) {
 		rn := m.getOperand_NR(m.compiler.ValueDefinition(x), extModeNone)
 		rm := m.getOperand_NR(m.compiler.ValueDefinition(y), extModeNone)
 		rd := operandNR(m.compiler.VRegOf(instr.Return()))
+		tmpReg := operandNR(m.compiler.AllocateVReg(ssa.TypeV128))
 
-		// Initially mov rn to rd.
-		mov0 := m.allocateInstr()
-		mov0.asFpuMov128(rd.nr(), rn.nr())
-		m.insert(mov0)
+		// Initially mov rn to tmp.
+		mov1 := m.allocateInstr()
+		mov1.asFpuMov128(tmpReg.nr(), rn.nr())
+		m.insert(mov1)
 
 		// movToVec and vecMovElement do not clear the remaining bits to zero,
-		// thus, we can mov rm in-place to rd.
-		mov := m.allocateInstr()
+		// thus, we can mov rm in-place to tmp.
+		mov2 := m.allocateInstr()
 		switch lane {
 		case ssa.VecLaneI8x16:
-			mov.asMovToVec(rd, rm, vecArrangementB, vecIndex(index))
+			mov2.asMovToVec(tmpReg, rm, vecArrangementB, vecIndex(index))
 		case ssa.VecLaneI16x8:
-			mov.asMovToVec(rd, rm, vecArrangementH, vecIndex(index))
+			mov2.asMovToVec(tmpReg, rm, vecArrangementH, vecIndex(index))
 		case ssa.VecLaneI32x4:
-			mov.asMovToVec(rd, rm, vecArrangementS, vecIndex(index))
+			mov2.asMovToVec(tmpReg, rm, vecArrangementS, vecIndex(index))
 		case ssa.VecLaneI64x2:
-			mov.asMovToVec(rd, rm, vecArrangementD, vecIndex(index))
+			mov2.asMovToVec(tmpReg, rm, vecArrangementD, vecIndex(index))
 		case ssa.VecLaneF32x4:
-			mov.asVecMovElement(rd, rm, vecArrangementS, vecIndex(index), vecIndex(0))
+			mov2.asVecMovElement(tmpReg, rm, vecArrangementS, vecIndex(index), vecIndex(0))
 		case ssa.VecLaneF64x2:
-			mov.asVecMovElement(rd, rm, vecArrangementD, vecIndex(index), vecIndex(0))
+			mov2.asVecMovElement(tmpReg, rm, vecArrangementD, vecIndex(index), vecIndex(0))
 		}
-		m.insert(mov)
+		m.insert(mov2)
+
+		// Finally mov tmp to rd.
+		mov3 := m.allocateInstr()
+		mov3.asFpuMov128(rd.nr(), tmpReg.nr())
+		m.insert(mov3)
 
 	case ssa.OpcodeSwizzle:
 		x, y, lane := instr.Arg2WithLane()
diff --git a/internal/integration_test/fuzzcases/fuzzcases_test.go b/internal/integration_test/fuzzcases/fuzzcases_test.go
index df4a3ce397..53ad512c28 100644
--- a/internal/integration_test/fuzzcases/fuzzcases_test.go
+++ b/internal/integration_test/fuzzcases/fuzzcases_test.go
@@ -699,3 +699,19 @@ func Test1823(t *testing.T) {
 		require.Equal(t, uint64(4671060543367625455), m.Globals[0].ValHi)
 	})
 }
+
+// Test1825 tests that OpcodeInsertlane allocates correctly the temporary registers.
+func Test1825(t *testing.T) {
+	if !platform.CompilerSupported() {
+		return
+	}
+	run(t, func(t *testing.T, r wazero.Runtime) {
+		mod, err := r.Instantiate(ctx, getWasmBinary(t, "1825"))
+		require.NoError(t, err)
+		m := mod.(*wasm.ModuleInstance)
+		_, err = m.ExportedFunction("").Call(ctx)
+		require.NoError(t, err)
+		require.Equal(t, uint64(1099511627775), m.Globals[6].Val)
+		require.Equal(t, uint64(18446744073709551615), m.Globals[6].ValHi)
+	})
+}
diff --git a/internal/integration_test/fuzzcases/testdata/1825.wasm b/internal/integration_test/fuzzcases/testdata/1825.wasm
new file mode 100644
index 0000000000000000000000000000000000000000..2e10dd19b87a6e3633d5e91b1cca979555bd3e15
GIT binary patch
literal 680
zcmZQbEY4+QU|?XBVoqQXs6hh>3=BZT%*@2Vz{1Ov&-jA<1$#c@6ZR+UtSpR-3~X#Z
z9QBNjFE1@U&Bk58c!`0#hSB9e2$cQ)4`%~S=dNRPV&DcUW#F!6{L2FrK>;9{7wp{Z
zEI^kqa!qDon#9NeF$ZWAA%;2-xPS-{fHM9wxWFuM0lJeR9AS<+rh#8wzCd(Cw1eCa
zvJ}}sb#?APObmZ{67=-+F8%+{08#@25XS-S`m4ks!0=b(uQbDjd;x~N$}FuaEK(4P
fx}=mcYq1I|b<IRJO_}X)pb8rz_~79<pbTyRub#*-

literal 0
HcmV?d00001

diff --git a/internal/integration_test/fuzzcases/testdata/1825.wat b/internal/integration_test/fuzzcases/testdata/1825.wat
new file mode 100644
index 0000000000..b1d2ac121d
--- /dev/null
+++ b/internal/integration_test/fuzzcases/testdata/1825.wat
@@ -0,0 +1,189 @@
+(module
+  (type (;0;) (func (result f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64)))
+  (type (;1;) (func))
+  (type (;2;) (func))
+  (func (;0;) (type 0) (result f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64)
+    f64.const -nan:0xfffffffffffff (;=NaN;)
+    f64.const -nan:0xfffffffffffff (;=NaN;)
+    f64.const -nan:0xfffffffffffff (;=NaN;)
+    f64.const -nan:0xfffffffffffff (;=NaN;)
+    f64.const 0x1.72727ffffffffp-397 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004483097142929414;)
+    f64.const 0x1.7272727272727p-397 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004483094640249093;)
+    f64.const 0x1.f272727272727p-1008 (;=0.0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007098121730803434;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const -nan:0xfff5700000101 (;=NaN;)
+    f64.const -0x1.7ffffffffffffp+1011 (;=-32916744412762127000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000;)
+    f64.const -nan:0xfffffffffffff (;=NaN;)
+    f64.const -0x1.fffffffffffffp+864 (;=-246006311446272400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000;)
+    f64.const 0x1.72727272727f4p-397 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004483094640249234;)
+    f64.const -nan:0xfffff27272727 (;=NaN;)
+    f64.const 0x1.7272727ffffffp-397 (;=0.0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000044830946500251875;)
+    f64.const 0x1.7272727272727p-397 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004483094640249093;)
+  )
+  (func (;2;) (type 0) (result f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64 f64)
+    v128.const i32x4 0x2e2e2e60 0x00ffffd2 0xffffffff 0xffffffff
+    f64.const 0x1.fffffffffep-1035
+    f64x2.replace_lane 0
+    call 0
+    f64x2.splat
+    i32x4.extract_lane 0
+    ref.null extern
+    call 0
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    drop
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    drop
+    global.get 5
+    i32.xor
+    global.set 5
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    i64.reinterpret_f64
+    global.get 4
+    i64.xor
+    global.set 4
+    global.get 6
+    v128.xor
+    global.set 6
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+    f64.const 0x0p+0 (;=0;)
+  )
+  (table (;0;) 1000 1000 externref)
+  (table (;1;) 996 996 externref)
+  (memory (;0;) 0 6)
+  (global (;0;) (mut i32) i32.const 1768515945)
+  (global (;1;) (mut funcref) ref.func 0)
+  (global (;2;) (mut f64) f64.const -nan:0xb76ffffffffff (;=NaN;))
+  (global (;3;) (mut f64) f64.const 0x1.fffffffffep-1035 (;=0.000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005432309224866;))
+  (global (;4;) (mut i64) i64.const 0)
+  (global (;5;) (mut i32) i32.const 0)
+  (global (;6;) (mut v128) v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000)
+  (global (;7;) (mut i32) i32.const 1000)
+  (export "" (func 1))
+)