x64: Fix panic compiling 16-bit multiply-with-immediate

alexcrichton · alexcrichton · commit b226c23094a2 · 2025-05-20T12:33:31.000-07:00
This commit fixes a minor regression from bytecodealliance#10782 found via fuzzing. The regression is 16-bit immediates were forced to fit from an `i32` value into a `u16` for 16-bit multiplication. This meant though that negative numbers failed this conversion which meant that ISLE would panic due to the value not being matched. This fixes the logic to first fit the i32 into an i16 and then cast that to a u16 where the first phase should hit all the constants that are possible in Cranelift.
diff --git a/cranelift/codegen/src/isa/x64/inst.isle b/cranelift/codegen/src/isa/x64/inst.isle
@@ -2884,9 +2884,9 @@
 (rule 2 (x64_imul_imm $I16 src1 (i8_try_from_i32 src2))  (x64_imulw_rmi_sxb src1 src2))
 (rule 2 (x64_imul_imm $I32 src1 (i8_try_from_i32 src2))  (x64_imull_rmi_sxb src1 src2))
 (rule 2 (x64_imul_imm $I64 src1 (i8_try_from_i32 src2))  (x64_imulq_rmi_sxb src1 src2))
-(rule 1 (x64_imul_imm $I16 src1 (u16_try_from_i32 src2)) (x64_imulw_rmi src1 src2))
-(rule 1 (x64_imul_imm $I32 src1 (i32_as_u32 src2))       (x64_imull_rmi src1 src2))
-(rule 1 (x64_imul_imm $I64 src1 src2)                    (x64_imulq_rmi_sxl src1 src2))
+(rule 1 (x64_imul_imm $I16 src1 (i16_try_from_i32 src2)) (x64_imulw_rmi src1 (i16_as_u16 src2)))
+(rule 1 (x64_imul_imm $I32 src1 src2) (x64_imull_rmi src1 (i32_as_u32 src2)))
+(rule 1 (x64_imul_imm $I64 src1 src2) (x64_imulq_rmi_sxl src1 src2))
 
 ;; Helper for creating `mul` instructions or `imul` instructions (depending
 ;; on `signed`) for 8-bit operands.
diff --git a/cranelift/codegen/src/isle_prelude.rs b/cranelift/codegen/src/isle_prelude.rs
@@ -59,8 +59,8 @@ macro_rules! isle_common_prelude_methods {
         }
 
         #[inline]
-        fn i32_as_u32(&mut self, x: i32) -> Option<u32> {
-            Some(x as u32)
+        fn i32_as_u32(&mut self, x: i32) -> u32 {
+            x as u32
         }
 
         #[inline]
@@ -958,6 +958,14 @@ macro_rules! isle_common_prelude_methods {
             i8::try_from(val).ok()
         }
 
+        fn i16_as_u16(&mut self, val: i16) -> u16 {
+            val as u16
+        }
+
+        fn i16_try_from_i32(&mut self, val: i32) -> Option<i16> {
+            i16::try_from(val).ok()
+        }
+
         fn i16_try_from_u64(&mut self, val: u64) -> Option<i16> {
             i16::try_from(val).ok()
         }
diff --git a/cranelift/codegen/src/prelude.isle b/cranelift/codegen/src/prelude.isle
@@ -142,18 +142,24 @@
 (decl pure partial i8_try_from_u64 (u64) i8)
 (extern constructor i8_try_from_u64 i8_try_from_u64)
 
+(decl pure i16_as_u16 (i16) u16)
+(extern constructor i16_as_u16 i16_as_u16)
+
 (decl pure partial i16_try_from_u64 (u64) i16)
 (extern constructor i16_try_from_u64 i16_try_from_u64)
 
+(decl pure partial i16_try_from_i32 (i16) i32)
+(extern extractor i16_try_from_i32 i16_try_from_i32)
+
 (decl pure partial i32_try_from_u64 (u64) i32)
 (extern constructor i32_try_from_u64 i32_try_from_u64)
 
 (decl pure u32_as_u64 (u32) u64)
 (extern constructor u32_as_u64 u32_as_u64)
 (convert u32 u64 u32_as_u64)
 
-(decl i32_as_u32 (u32) i32)
-(extern extractor i32_as_u32 i32_as_u32)
+(decl i32_as_u32 (i32) u32)
+(extern constructor i32_as_u32 i32_as_u32)
 
 (decl pure i32_as_i64 (i32) i64)
 (extern constructor i32_as_i64 i32_as_i64)
diff --git a/tests/disas/x64-mul16-negative.wat b/tests/disas/x64-mul16-negative.wat
@@ -0,0 +1,19 @@
+;;! target = 'x86_64'
+;;! test = 'compile'
+
+(module
+  (func (export "mul16") (param i32) (result i32)
+    local.get 0
+    i32.const -7937
+    i32.mul
+    i32.extend16_s
+  )
+)
+;; wasm[0]::function[0]:
+;;       pushq   %rbp
+;;       movq    %rsp, %rbp
+;;       imulw   $0xe0ff, %dx, %dx
+;;       movswl  %dx, %eax
+;;       movq    %rbp, %rsp
+;;       popq    %rbp
+;;       retq
diff --git a/tests/misc_testsuite/mul16-negative.wast b/tests/misc_testsuite/mul16-negative.wast
@@ -0,0 +1,10 @@
+(module
+  (func (export "mul16") (param i32) (result i32)
+    local.get 0
+    i32.const -7937
+    i32.mul
+    i32.extend16_s
+  )
+)
+
+(assert_return (invoke "mul16" (i32.const 100)) (i32.const -7268))

Original file line number	Diff line number	Diff line change
`@@ -59,8 +59,8 @@ macro_rules! isle_common_prelude_methods {`
`59`	`59`	`}`
`60`	`60`
`61`	`61`	`#[inline]`
`62`		`- fn i32_as_u32(&mut self, x: i32) -> Option<u32> {`
`63`		`- Some(x as u32)`
	`62`	`+ fn i32_as_u32(&mut self, x: i32) -> u32 {`
	`63`	`+ x as u32`
`64`	`64`	`}`
`65`	`65`
`66`	`66`	`#[inline]`
`@@ -958,6 +958,14 @@ macro_rules! isle_common_prelude_methods {`
`958`	`958`	`i8::try_from(val).ok()`
`959`	`959`	`}`
`960`	`960`
	`961`	`+ fn i16_as_u16(&mut self, val: i16) -> u16 {`
	`962`	`+ val as u16`
	`963`	`+ }`
	`964`	`+`
	`965`	`+ fn i16_try_from_i32(&mut self, val: i32) -> Option<i16> {`
	`966`	`+ i16::try_from(val).ok()`
	`967`	`+ }`
	`968`	`+`
`961`	`969`	`fn i16_try_from_u64(&mut self, val: u64) -> Option<i16> {`
`962`	`970`	`i16::try_from(val).ok()`
`963`	`971`	`}`