WebAssembly / binaryen

Optimizer and compiler/toolchain library for WebAssembly
Apache License 2.0

"unknown successor value" assertion in DFA::refinePartitions #7023

Open kripken opened 5 days ago

kripken commented 5 days ago

Testcase is based off of fuzzing the testcase from https://github.com/WebAssembly/binaryen/issues/7015, reduced.

$ bin/wasm-opt a.wat -all --type-merging --closed-world
wasm-opt: src/support/dfa_minimization.h:75: std::vector<std::vector<T> > wasm::DFA::refinePartitions(const std::vector<std::vector<State<T> > >&) [with T = wasm::HeapType]: Assertion `it != indices.end() && "unknown successor value"' failed.
Aborted

Looks like a DFA minimization issue. @tlively

a.wat.gz

kripken commented 2 days ago

Reduced testcase:

(module
 (type $5 (array funcref))
 (type $6 (func (result (ref $5))))

 (export "new-huge" (func $0))
 (export "func_28_invoker" (func $4))

 (func $0 (result (ref $5))
  (unreachable)
 )

 (func $3 (param $5 (ref null $6))
 )

 (func $4
 )
)

$ bin/wasm-opt b.wat -all --closed-world --type-merging
wasm-opt: src/support/dfa_minimization.h:75: std::vector<std::vector<T> > wasm::DFA::refinePartitions(const std::vector<std::vector<State<T> > >&) [with T = wasm::HeapType]: Assertion `it != indices.end() && "unknown successor value"' failed.
Aborted

tlively commented 1 day ago

I started looking into this and thankfully it looks like the code made assumptions about public types that are no longer true rather than there being a bug in the DFA minimization algorithm itself. I'll finish investigating and fixing as soon as I can.