MemoryPacking changes d8 results

[aheejin]

The original file, a.wasm, when run with d8,

d8 --experimental-wasm-eh --experimental-wasm-mv --experimental-wasm-sat-f2i-conversions --experimental-wasm-se --experimental-wasm-threads --experimental-wasm-simd --experimental-wasm-anyref --experimental-wasm-bulk-memory --experimental-wasm-return-call a.js -- a.wasm

prints this:

[fuzz-exec] calling $hashMemory
[fuzz-exec] note result: $hashMemory => i32.const -873354128
[fuzz-exec] calling $memory
exception!
[fuzz-exec] calling $func_5_invoker
[LoggingExternalInterface logging i32.const -873354128]
[fuzz-exec] calling $func_8
[fuzz-exec] note result: $func_8 => i32.const -56
[fuzz-exec] calling $func_9_invoker
[fuzz-exec] calling $func_11
[LoggingExternalInterface logging f64.const -1.1754943508222875e-38]
[LoggingExternalInterface logging i32.const -1073741824]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[fuzz-exec] note result: $func_11 => i32.const -32768
[fuzz-exec] calling $func_11_invoker
[LoggingExternalInterface logging f64.const -1.1754943508222875e-38]
[LoggingExternalInterface logging i32.const -1073741824]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[LoggingExternalInterface logging i32.const -873354128]
[fuzz-exec] calling $hangLimitInitializer

But if we run --memory-packing on this,

wasm-opt -all --memory-packing a.wasm -o b.wasm

and run d8 on it:

d8 --experimental-wasm-eh --experimental-wasm-mv --experimental-wasm-sat-f2i-conversions --experimental-wasm-se --experimental-wasm-threads --experimental-wasm-simd --experimental-wasm-anyref --experimental-wasm-bulk-memory --experimental-wasm-return-call a.js -- b.wasm

The result changes:

[fuzz-exec] calling $hashMemory
[fuzz-exec] note result: $hashMemory => i32.const -873354128
[fuzz-exec] calling $memory
exception!
[fuzz-exec] calling $func_5_invoker
[LoggingExternalInterface logging i32.const -873354128]
[fuzz-exec] calling $func_8
[fuzz-exec] note result: $func_8 => i32.const -56
[fuzz-exec] calling $func_9_invoker
[fuzz-exec] calling $func_11
[LoggingExternalInterface logging f64.const -1.1754943508222875e-38]
exception!
[fuzz-exec] calling $func_11_invoker
[LoggingExternalInterface logging f64.const -1.1754943508222875e-38]
exception!
[fuzz-exec] calling $hangLimitInitializer

I attached a.wasm and a.js here.
a.wasm.tar.gz
a.js.tar.gz

[aheejin]

Turned out this is not a Binaryen bug but a V8 bug. V8 does not trap when dropping an active segment, when it is supposed to. It also doesn't trap when it drops a segment twice. I filed a bug in V8.

[conrad-watt]

I believe this is an intended behaviour on V8's part. The drop operation was recently changed to behave as you describe (repeated dropping is a no-op). (WebAssembly/bulk-memory-operations#126)

Maybe @tlively has insight, since that spec change PR as a whole was intended to facilitate memory-packing optimisations. (WebAssembly/bulk-memory-operations#124)

[aheejin]

Thanks! I didn't know about the recent spec changes. I'll fix Binaryen interpreter to match the V8's behavior.