Fix some SIMD bugs found by fuzzing (#1429)

Robbepop · web-flow · commit 79490633e248 · 2025-03-27T01:09:51.000+01:00
* fix panic in i8x16.shuffle translation

This missed a trivial check if the current code path is reachable.

* fix encoding bug in v128.storeN_lane instructions

This only affected instructions with offsets that could not be 8-bit encoded.

* fix bug in v128.shift translation and immediate `rhs`

The error was that in case of an immediate `rhs` shift amount the translation pushed a result and `lhs` back to the stack instead of just `lhs`.
diff --git a/crates/wasmi/src/engine/translator/simd/mod.rs b/crates/wasmi/src/engine/translator/simd/mod.rs
@@ -22,7 +22,7 @@ use crate::{
 use wasmparser::MemArg;
 
 trait IntoLane {
-    type LaneType: TryFrom<u8> + Into<u8>;
+    type LaneType: Copy + TryFrom<u8> + Into<u8>;
 }
 
 macro_rules! impl_into_lane_for {
@@ -170,19 +170,21 @@ impl FuncTranslator {
             return Ok(());
         }
         let lhs = self.alloc.stack.provider2reg(&lhs)?;
-        let result = self.alloc.stack.push_dynamic()?;
-        let instr = match rhs {
-            Provider::Register(rhs) => make_instr(result, lhs, rhs),
+        let rhs = match rhs {
+            Provider::Register(rhs) => rhs,
             Provider::Const(rhs) => {
                 let Some(rhs) = T::into_shift_amount(rhs.into()) else {
                     // Case: the shift operation is a no-op
                     self.alloc.stack.push_register(lhs)?;
                     return Ok(());
                 };
-                make_instr_imm(result, lhs, rhs)
+                let result = self.alloc.stack.push_dynamic()?;
+                self.push_fueled_instr(make_instr_imm(result, lhs, rhs), FuelCosts::base)?;
+                return Ok(());
             }
         };
-        self.push_fueled_instr(instr, FuelCosts::base)?;
+        let result = self.alloc.stack.push_dynamic()?;
+        self.push_fueled_instr(make_instr(result, lhs, rhs), FuelCosts::base)?;
         Ok(())
     }
 
@@ -295,12 +297,10 @@ impl FuncTranslator {
         let (offset_hi, offset_lo) = Offset64::split(offset);
         let instr = make_instr(ptr, offset_lo);
         let param = Instruction::register_and_offset_hi(v128, offset_hi);
-        let memidx = Instruction::memory_index(memory);
+        let param2 = Instruction::lane_and_memory_index(lane, memory);
         self.push_fueled_instr(instr, FuelCosts::store)?;
         self.append_instr(param)?;
-        if !memory.is_default() {
-            self.append_instr(memidx)?;
-        }
+        self.append_instr(param2)?;
         Ok(())
     }
 
diff --git a/crates/wasmi/src/engine/translator/simd/visit.rs b/crates/wasmi/src/engine/translator/simd/visit.rs
@@ -297,6 +297,7 @@ impl VisitSimdOperator<'_> for FuncTranslator {
     }
 
     fn visit_i8x16_shuffle(&mut self, lanes: [u8; 16]) -> Self::Output {
+        bail_unreachable!(self);
         let selector: [ImmLaneIdx32; 16] = array::from_fn(|i| {
             let Ok(lane) = ImmLaneIdx32::try_from(lanes[i]) else {
                 panic!("encountered out of bounds lane at index {i}: {}", lanes[i])

Original file line number	Diff line number	Diff line change
`@@ -297,6 +297,7 @@ impl VisitSimdOperator<'_> for FuncTranslator {`
`297`	`297`	`}`
`298`	`298`
`299`	`299`	`fn visit_i8x16_shuffle(&mut self, lanes: [u8; 16]) -> Self::Output {`
	`300`	`+ bail_unreachable!(self);`
`300`	`301`	`let selector: [ImmLaneIdx32; 16] = array::from_fn(\|i\| {`
`301`	`302`	`let Ok(lane) = ImmLaneIdx32::try_from(lanes[i]) else {`
`302`	`303`	`panic!("encountered out of bounds lane at index {i}: {}", lanes[i])`