From be924ef533ad27e48f3e08b88345c6fb874b86ba Mon Sep 17 00:00:00 2001
From: Alex Crichton
Date: Wed, 20 Jul 2022 13:21:39 -0700
Subject: [PATCH 1/3] Fix panics in s390x codegen related to aliases
This commit fixes an issue introduced as part of the fix for GHSA-5fhj-g3p3-pq9g. The `reftyped_vregs` list given to `regalloc2` is not allowed to have duplicates in it and while the list originally doesn't have duplicates once aliases are applied the list may have duplicates. The fix here is to perform another pass to remove duplicates after the aliases have been processed.
---
 cranelift/codegen/src/machinst/vcode.rs | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/cranelift/codegen/src/machinst/vcode.rs b/cranelift/codegen/src/machinst/vcode.rs
index 3b713b638f9..0cac37d5765 100644
--- a/cranelift/codegen/src/machinst/vcode.rs
+++ b/cranelift/codegen/src/machinst/vcode.rs
@@ -598,9 +598,14 @@ impl VCodeBuilder {
 // will be returned directly to `regalloc2` eventually and all
 // operands/results of instructions will use the alias-resolved vregs
 // from `regalloc2`'s perspective.
+ //
+ // Also note that `reftyped_vregs` can't have duplicates, so after the
+ // aliases are applied duplicates are removed.
 for reg in self.vcode.reftyped_vregs.iter_mut() {
 *reg = Self::resolve_vreg_alias_impl(&self.vcode.vreg_aliases, *reg);
 }
+ self.vcode.reftyped_vregs.sort();
+ self.vcode.reftyped_vregs.dedup();
 self.compute_preds_from_succs();
 self.vcode.debug_value_labels.sort_unstable();
From 55c584a4d5a6b27d3065a6b7fc53e379ea8874ff Mon Sep 17 00:00:00 2001
From: Alex Crichton
Date: Wed, 20 Jul 2022 13:30:34 -0700
Subject: [PATCH 2/3] Fix a miscompile for s390x with constants
This carries over a narrow fix from #4427 to prior release branches. The patch here was created by `@uweigand` during the investigation for #4487.
---
 cranelift/codegen/src/isa/s390x/lower/isle.rs | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
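Review bot: The `self.vcode.reftyped_vregs.sort();` added after the alias-resolution loop in vcode.rs (patch 1/3) can be `self.vcode.reftyped_vregs.sort_unstable();`, matching the `debug_value_labels.sort_unstable()` call a few lines below; a stable sort gains nothing when equal entries are collapsed by the `dedup()` that follows. The commit message ties this list to the follow-up of the GHSA-5fhj-g3p3-pq9g fix, and the diffstat shows only vcode.rs changing, so a regression test that compiles a function whose reference-typed vregs resolve to the same alias would keep the no-duplicates invariant from breaking silently again; the same gap applies to the isle.rs change in patch 2/3. The enclosing function starts and ends outside the hunk.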
diff --git a/cranelift/codegen/src/isa/s390x/lower/isle.rs b/cranelift/codegen/src/isa/s390x/lower/isle.rs
index ec775e0b411..f67202c96b5 100644
--- a/cranelift/codegen/src/isa/s390x/lower/isle.rs
+++ b/cranelift/codegen/src/isa/s390x/lower/isle.rs
@@ -262,7 +262,8 @@ where
 fn u64_from_value(&mut self, val: Value) -> Option {
 let inst = self.lower_ctx.dfg().value_def(val).inst()?;
 let constant = self.lower_ctx.get_constant(inst)?;
- Some(constant)
+ let ty = self.lower_ctx.output_ty(inst, 0);
+ Some(zero_extend_to_u64(constant, self.ty_bits(ty).unwrap()))
 }
 #[inline]
@@ -597,6 +598,17 @@ where
 }
 }
+/// Zero-extend the low `from_bits` bits of `value` to a full u64.
+#[inline]
+fn zero_extend_to_u64(value: u64, from_bits: u8) -> u64 {
+ assert!(from_bits <= 64);
+ if from_bits >= 64 {
+ value
+ } else {
+ value & ((1u64 << from_bits) - 1)
+ }
+}
+
 /// Sign-extend the low `from_bits` bits of `value` to a full u64.
 #[inline]
 fn sign_extend_to_u64(value: u64, from_bits: u8) -> u64 {
From d382e85b8faf9350d6783f7fd631cf99e82418d6 Mon Sep 17 00:00:00 2001
From: Alex Crichton
Date: Wed, 20 Jul 2022 13:41:55 -0700
Subject: [PATCH 3/3] Add release notes
---
 RELEASES.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/RELEASES.md b/RELEASES.md
index 8b939f70dfd..a104f2035c0 100644
--- a/RELEASES.md
+++ b/RELEASES.md
@@ -1,5 +1,17 @@
 --------------------------------------------------------------------------------
+## 0.39.1
+
+Released 2022-07-20.
+
+### Fixed
+
+* An s390x-specific codegen bug in addition to a mistake introduced in the fix
+ of CVE-2022-31146 were fixed.
+ [#4490](https://github.com/bytecodealliance/wasmtime/pull/4490)
+
+--------------------------------------------------------------------------------
+
 ## 0.39.0
 Released 2022-07-20.
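Review bot: In `u64_from_value` (isle.rs, first hunk), `self.ty_bits(ty).unwrap()` aborts compilation if `ty_bits` ever returns `None`, although the function already returns an `Option` and uses `?` on the two lines above it. Propagating instead, `Some(zero_extend_to_u64(constant, self.ty_bits(ty)?))`, would hand `None` back to the caller for such a type rather than panic while compiling a module. Whether `ty_bits` can actually return `None` for a constant's output type is not visible in this hunk, so treat this as a defensive change.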
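Review bot: `zero_extend_to_u64` (isle.rs, second hunk) asserts `from_bits <= 64`, but its doc comment does not mention the panic, and the only caller in this patch passes the output type's bit width without checking it. I would add a `# Panics` section, for example `/// # Panics` followed by `/// Panics if from_bits is greater than 64.`, and state that `from_bits == 0` yields 0. If a constant whose output type is wider than 64 bits can reach `u64_from_value` (not visible here), the caller should reject it before calling this helper rather than rely on the assert.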