Cranelift verifier errors on v128.store codegen with b8x16 input

[alexcrichton]

Given this input:

(module
  (memory 0)
  (func (param v128 i32)
    local.get 1
    local.get 0
    local.get 0
    i8x16.eq
    v128.store)
)

wasmtime yields:

$ wasmtime bar.wat --enable-simd --enable-cranelift-debug-verifier
Error: failed to run main module `bar.wat`

Caused by:
    0: WebAssembly failed to compile
    1: Compilation error: function u0:0(i64 vmctx, i64, i8x16, i32) fast {
           gv0 = vmctx
           gv1 = load.i64 notrap aligned readonly gv0
           gv2 = load.i64 notrap aligned gv1
           gv3 = vmctx
           gv4 = load.i64 notrap aligned readonly gv3+36
           heap0 = static gv4, min 0, bound 0x0001_0000_0000, offset_guard 0x8000_0000, index_type i32
           stack_limit = gv2

                                       block0(v0: i64, v1: i64, v2: i8x16, v3: i32):
       @0024                               v4 = icmp eq v2, v2
       @0026                               v5 = heap_addr.i64 heap0, v3, 1
       @0026                               store little v4, v5
       ;~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       ; error: inst2 (store.b8x16 little v4, v5): has an invalid controlling type b8x16

       @002a                               jump block1

                                       block1:
       @002a                               return
       }

       ; 1 verifier error detected (see above). Compilation aborted.

[abrown]

I haven't dug into this but I think it may be related to #1147: due to not having a generic v128 type in CLIF we are forced to raw_bitcast to and from a default vector type, i8x16. Perhaps the stores need to have raw_bitcasts before them in code_translator.rs?

[alexcrichton]

The fuzzers have rediscovered this today with:

(module
  (type (;0;) (func (param funcref funcref funcref f64 f64)))
  (func (;0;) (type 0) (param funcref funcref funcref f64 f64)
    i32.const 8
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    i16x8.le_u
    v128.store offset=3)
  (memory (;0;) 3426 12143))

[alexcrichton]

Another fuzz bug came in today about this, so to confirm this affects all lane widths of boolean vectors, not just b8x16 but also b16x8, b32x4, and b64x2 produced by all the other forms of comparison instructions.