
fix(ssa_fuzzer): fix panic if compiler removed return value #9216

Merged
TomAFrench merged 2 commits into master from sn/fix_ssa_fuzzer_if_number_of_return_values_is_zero
Jul 16, 2025

Conversation

@defkit (Contributor) commented Jul 16, 2025

Description

Problem*

The following SSA

acir(inline) fn main f0 {
  b0(v0: i32, v1: i32, v2: u64, v3: i32, v4: u1, v5: u1, v6: u1):
    jmp b1()
  b1():
    v7 = or v0, v3
    v9 = mod v7, i32 0
    v10 = cast v4 as u8
    return v10
}

compiles into

acir(inline) predicate_pure fn main f0 {
  b0(v0: i32, v1: i32, v2: u64, v3: i32, v4: u1, v5: u1, v6: u1):
    v7 = or v0, v3
    v9 = mod v7, i32 0
    constrain u1 0 == u1 1, "attempt to calculate the remainder with a divisor of zero"
    unreachable
}

so the number of return values is 0

Summary*

Additional Context

Documentation*

Check one:

  • No documentation needed.
  • Documentation included in this PR.
  • [For Experimental Features] Documentation to be submitted in a separate PR.

PR Checklist*

  • I have tested the changes locally.
  • I have formatted the changes with Prettier and/or cargo fmt on default settings.

@TomAFrench TomAFrench enabled auto-merge July 16, 2025 10:06
@defkit defkit disabled auto-merge July 16, 2025 10:20
@defkit (Contributor, Author) commented Jul 16, 2025

fn main f0 {
  b0(v0: u1, v1: u64, v2: Field, v3: u1, v4: i64, v5: u1, v6: u1):
    jmpif v6 then: b1, else: b2
  b1():
    v9 = div Field 0, Field 0
    jmp b4()
  b2():
    v8 = div Field 0, Field 0
    jmp b4()
  b3():
    return v2
  b4():
    jmp b3()
}

compiles into ACIR

acir(inline) predicate_pure fn main f0 {
  b0(v0: u1, v1: u64, v2: Field, v3: u1, v4: i64, v5: u1, v6: u1):
    enable_side_effects v6
    v8 = div Field 0, Field 0
    v9 = not v6
    enable_side_effects v9
    v10 = div Field 0, Field 0
    enable_side_effects u1 1
    return v2
}

and Brillig

brillig(inline) predicate_pure fn main f0 {
  b0(v0: u1, v1: u64, v2: Field, v3: u1, v4: i64, v5: u1, v6: u1):
    jmpif v6 then: b1, else: b2
  b1():
    v11 = div Field 0, Field 0
    constrain u1 0 == u1 1, "attempt to divide by zero"
    unreachable
  b2():
    v8 = div Field 0, Field 0
    constrain u1 0 == u1 1, "attempt to divide by zero"
    unreachable
}

So I need a bigger fix.
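
The two programs quoted above (the description and this comment) share one shape: the compiler proves a block always fails, lowers it to a failing constrain followed by unreachable, and the function ends with zero return values, while the other backend may still return a value. The block below is an added example, not code from noir-lang/noir or from this PR: it models a function terminator and a two-backend execution result, shows the access pattern that panics when the return list is empty next to the guarded one, and compares the ACIR and Brillig outcomes without indexing into a list that may be empty. All type and function names (Terminator, ExecResult, Verdict, return_count, first_return, compare) are hypothetical.

```rust
// Added example (not code from noir-lang/noir): a minimal model of the
// failure this PR fixes. When the compiler proves a block always fails
// (`mod v7, i32 0`), it lowers it to `constrain u1 0 == u1 1, "..."` plus
// `unreachable`, so the function ends with zero return values. A fuzzer
// that indexes the first return value panics on such a program; the
// guarded version treats "no return value" as a normal outcome and the
// differential check compares it against the other backend's result.
// All type and function names here are hypothetical.

#[derive(Debug, Clone, PartialEq)]
pub enum Terminator {
    /// `return v10`: the SSA value ids handed back to the caller.
    Return(Vec<u32>),
    /// `unreachable`: the block can only be entered after a failing constraint.
    Unreachable,
}

/// Number of values the function returns; 0 when the terminator is `unreachable`.
pub fn return_count(term: &Terminator) -> usize {
    match term {
        Terminator::Return(values) => values.len(),
        Terminator::Unreachable => 0,
    }
}

/// The fragile access pattern: assumes at least one return value exists and
/// panics once the compiler has removed all of them.
pub fn first_return_unchecked(term: &Terminator) -> u32 {
    match term {
        Terminator::Return(values) => values[0],
        Terminator::Unreachable => panic!("function has no return values"),
    }
}

/// The guarded access pattern: `None` when there is nothing to read.
pub fn first_return(term: &Terminator) -> Option<u32> {
    match term {
        Terminator::Return(values) => values.first().copied(),
        Terminator::Unreachable => None,
    }
}

/// Outcome of running the compiled program on one backend (ACIR or Brillig).
#[derive(Debug, Clone, PartialEq)]
pub enum ExecResult {
    /// Execution finished and produced these return values (possibly none).
    Returned(Vec<u128>),
    /// Execution stopped at a failing constraint with this message.
    Failed(String),
}

#[derive(Debug, Clone, PartialEq)]
pub enum Verdict {
    Agree,
    Mismatch(String),
}

/// Differential check: both backends must either fail or return the same values.
/// A program that failed on one backend and returned on the other is the
/// interesting case for a fuzzer, so it is reported rather than panicked on.
pub fn compare(acir: &ExecResult, brillig: &ExecResult) -> Verdict {
    match (acir, brillig) {
        (ExecResult::Failed(_), ExecResult::Failed(_)) => Verdict::Agree,
        (ExecResult::Returned(a), ExecResult::Returned(b)) if a == b => Verdict::Agree,
        (ExecResult::Returned(a), ExecResult::Returned(b)) => {
            Verdict::Mismatch(format!("return values differ: ACIR {a:?}, Brillig {b:?}"))
        }
        (ExecResult::Returned(a), ExecResult::Failed(msg)) => {
            Verdict::Mismatch(format!("ACIR returned {a:?} but Brillig failed: {msg}"))
        }
        (ExecResult::Failed(msg), ExecResult::Returned(b)) => {
            Verdict::Mismatch(format!("ACIR failed: {msg} but Brillig returned {b:?}"))
        }
    }
}

fn main() {
    // Constructed inputs modelling the two programs quoted in this PR.
    let mod_by_zero = Terminator::Unreachable;
    assert_eq!(return_count(&mod_by_zero), 0);
    assert_eq!(first_return(&mod_by_zero), None); // first_return_unchecked would panic here

    // Second program: ACIR returns v2, Brillig hits "attempt to divide by zero".
    let acir = ExecResult::Returned(vec![7]);
    let brillig = ExecResult::Failed("attempt to divide by zero".to_string());
    println!("{:?}", compare(&acir, &brillig));
}
```

The design point is that the harness never assumes a return value exists: the terminator is queried through `Option`, and a backend that aborted is a distinct `ExecResult` variant, so "ACIR returned, Brillig failed" becomes a reported mismatch for the fuzzer to triage instead of an index-out-of-bounds panic in the fuzzer itself. Whether two failures with different messages should count as agreement is a policy choice; this model treats any pair of failures as agreeing.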

@TomAFrench (Member) commented Jul 16, 2025

This likely came in with #9211 so I'd imagine the best fix for this is to replace the unreachable return terminator with a zeroed out terminator rather than unreachable. (edit: seems like not)

@defkit (Contributor, Author) commented Jul 16, 2025

I no longer encounter the panic on my corpus. @TomAFrench can I merge it?

@TomAFrench (Member) commented Jul 16, 2025

Go for it!

@TomAFrench TomAFrench added this pull request to the merge queue Jul 16, 2025
Merged via the queue into master with commit e6ccc3e Jul 16, 2025
121 of 122 checks passed
@TomAFrench TomAFrench deleted the sn/fix_ssa_fuzzer_if_number_of_return_values_is_zero branch July 16, 2025 11:28
