
cranelift-fuzzgen: Instruction format doesn't have a designated operand, bad opcode #4733

Closed
alexcrichton opened this issue Aug 18, 2022 · 3 comments · Fixed by #4738
Labels
fuzz-bug Bugs found by a fuzzer

Comments

@alexcrichton
Member

Found on oss-fuzz with this input: input.gz

$ cargo +nightly fuzz run --strip-dead-code --no-default-features -s none cranelift-fuzzgen ./input
    Finished release [optimized] target(s) in 0.12s
    Finished release [optimized] target(s) in 0.12s
     Running `target/aarch64-unknown-linux-gnu/release/cranelift-fuzzgen -artifact_prefix=/home/acrichto/code/wasmtime/fuzz/artifacts/cranelift-fuzzgen/ ./clusterfuzz-testcase-minimized-cranelift-fuzzgen-4619879352762368`
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1634239619
INFO: Loaded 1 modules   (123805 inline 8-bit counters): 123805 [0xaaaae7df0fd8, 0xaaaae7e0f375),
INFO: Loaded 1 PC tables (123805 PCs): 123805 [0xaaaae7e0f378,0xaaaae7ff2d48),
target/aarch64-unknown-linux-gnu/release/cranelift-fuzzgen: Running 1 inputs 1 time(s) each.
Running: ./clusterfuzz-testcase-minimized-cranelift-fuzzgen-4619879352762368
thread '<unnamed>' panicked at 'Instruction format doesn't have a designated operand, bad opcode.', cranelift/codegen/src/ir/dfg.rs:865:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==2894== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
────────────────────────────────────────────────────────────────────────────────

Error: Fuzz target exited with exit status: 77
@alexcrichton
Member Author

cc @afonso360

alexcrichton added the fuzz-bug label Aug 18, 2022
@jameysharp
Contributor

This panic is occurring when trying to generate an error context for an "instruction opcode doesn't match instruction format" error in instruction_integrity in cranelift's verifier, after doing the canonicalize_nans pass.

I patched this panic message to give more detail:

Instruction format for MultiAry { opcode: Iconcat, args: EntityList { index: 25, unused: PhantomData } } doesn't have a designated operand

So at least that tells us what's failing.

@jameysharp
Contributor

Looks like my suggestion a while back to use MultiAry for all opcodes is biting us here. The instruction format for Iconcat is Binary, which returns its first operand for typevar_operand. But MultiAry returns None from that function.

Apparently, this hasn't been an issue before because many of the instructions that use the Binary format have requires_typevar_operand=false. But Isplit and Iconcat are exceptions, and there are quite a few other more obscure instructions where we'll have the same problem.
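The format/opcode asymmetry described in the comment above is easiest to see in code. The following is an added, reduced model written for this page in Rust; it is not code from Cranelift, from fuzzgen, or from the fix in #4738. Every type and function name in it (Format, Opcode, InstData, expected_format, build_all_as_multiary, build_with_opcode_format, check_format, verifier_error_context, the hypothetical OtherBinary opcode) is an assumption chosen for the illustration, not a cranelift-codegen identifier. It shows three things: a MultiAry-encoded iconcat answers None for its type-variable operand, so an error-reporting path that needs that operand fails; an opcode that does not require a type-variable operand hides the same encoding mistake; and a format check at construction time catches both cases up front.

```rust
// Added illustration, not Cranelift's own code. All names are assumptions.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Format {
    Binary,
    MultiAry,
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Opcode {
    /// Two operands; its controlling type variable is read from the first one.
    Iconcat,
    /// Variable-length argument list; no designated type-variable operand.
    Return,
    /// Hypothetical two-operand opcode that does not need a designated
    /// operand to name its type variable (the case that hid the bug).
    OtherBinary,
}

impl Opcode {
    /// The data format this opcode is defined to be encoded in.
    fn expected_format(self) -> Format {
        match self {
            Opcode::Iconcat | Opcode::OtherBinary => Format::Binary,
            Opcode::Return => Format::MultiAry,
        }
    }

    /// Whether error reporting must name a designated type-variable operand.
    fn requires_typevar_operand(self) -> bool {
        matches!(self, Opcode::Iconcat)
    }
}

type Value = u32;

#[derive(Clone, Debug, PartialEq, Eq)]
enum InstData {
    Binary { opcode: Opcode, args: [Value; 2] },
    MultiAry { opcode: Opcode, args: Vec<Value> },
}

impl InstData {
    fn opcode(&self) -> Opcode {
        match self {
            InstData::Binary { opcode, .. } | InstData::MultiAry { opcode, .. } => *opcode,
        }
    }

    fn format(&self) -> Format {
        match self {
            InstData::Binary { .. } => Format::Binary,
            InstData::MultiAry { .. } => Format::MultiAry,
        }
    }

    /// Binary yields its first operand; MultiAry has no designated operand.
    fn typevar_operand(&self) -> Option<Value> {
        match self {
            InstData::Binary { args, .. } => Some(args[0]),
            InstData::MultiAry { .. } => None,
        }
    }
}

/// The mistake: every opcode is wrapped in MultiAry, whatever its format.
fn build_all_as_multiary(opcode: Opcode, args: &[Value]) -> InstData {
    InstData::MultiAry { opcode, args: args.to_vec() }
}

/// The corrected builder: encode in the format the opcode is defined with.
fn build_with_opcode_format(opcode: Opcode, args: &[Value]) -> Result<InstData, String> {
    match opcode.expected_format() {
        Format::Binary => match args {
            &[a, b] => Ok(InstData::Binary { opcode, args: [a, b] }),
            _ => Err(format!("{:?} needs exactly two operands, got {}", opcode, args.len())),
        },
        Format::MultiAry => Ok(InstData::MultiAry { opcode, args: args.to_vec() }),
    }
}

/// The guard the fix adds (a debug assertion in Cranelift); returned as a
/// Result here so callers and tests can observe it.
fn check_format(data: &InstData) -> Result<(), String> {
    let (have, want) = (data.format(), data.opcode().expected_format());
    if have == want {
        Ok(())
    } else {
        Err(format!("{:?} encoded as {:?}, expected {:?}", data.opcode(), have, want))
    }
}

/// Stand-in for the verifier's error-context path: it needs the designated
/// operand to describe a type-variable problem, and fails when there is none.
fn verifier_error_context(data: &InstData) -> Result<String, String> {
    let op = data.opcode();
    if !op.requires_typevar_operand() {
        return Ok(format!("{:?}: no controlling type-variable operand needed", op));
    }
    match data.typevar_operand() {
        Some(v) => Ok(format!("{:?}: type variable controlled by v{}", op, v)),
        None => Err(format!("Instruction format for {:?} doesn't have a designated operand", data)),
    }
}

fn main() {
    // Constructed sample input: iconcat of v1 and v2, encoded both ways.
    let bad = build_all_as_multiary(Opcode::Iconcat, &[1, 2]);
    println!("format check: {:?}", check_format(&bad));
    println!("error context: {:?}", verifier_error_context(&bad));
    let good = build_with_opcode_format(Opcode::Iconcat, &[1, 2]).unwrap();
    println!("error context: {:?}", verifier_error_context(&good));
}
```

Running main shows the MultiAry-encoded iconcat failing both the format check and the error-context path, while the Binary-encoded one reports v1 as its controlling operand. The point of the separate check_format step is that it fires for OtherBinary too, where the error-context path would have stayed quiet, so a fuzzer hits the mismatch at construction rather than only on the subset of opcodes that happen to need the operand later.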

jameysharp pushed a commit that referenced this issue Aug 20, 2022
* cranelift: Add assert to prevent wrong InstFormat being used for the wrong opcode

* cranelift: Use correct instruction format when inserting opcodes in fuzzgen (fixes #4733)

* cranelift: Use debug assert on InstFormat assert