fix(tracer): use wrapping_add in alignment assertions#1492
Merged
Conversation
`VirtualAssertWordAlignment` and `VirtualAssertHalfwordAlignment` compute the effective address via `cpu.x[rs1] + imm`. Both operands are `i64`, so the bare `+` panics in debug builds whenever the signed sum falls outside `[i64::MIN, i64::MAX]`, e.g. `rs1 = i64::MAX, imm = 1`. The panic surfaces as `attempt to add with overflow` from inside the tracer's `execute`, aborting the trace before the actual alignment check runs.

RV64 specifies effective addresses as `rs1 + sign_ext(imm)` mod 2^64, and every other memory-touching tracer instruction (LB/LBU/LH/LHU/LW/LWU/LD, SB/SH/SW/SD, VirtualLW/VirtualSW, AMO*) computes the address via `wrapping_add`. These two assertions are the only outliers. Switch them to `wrapping_add` so:

- debug builds match release behavior (release silently wraps `+`),
- the alignment check operates on the correctly-wrapped low bits,
- the convention is consistent across the tracer.

Adds a regression test in each file pinning the wrapping behavior (rs1 = i64::MAX, imm = 1 produces an aligned wrapped address and must execute without panicking).

No release-mode behavior change: signed overflow already wraps in release, and the alignment check operates on the same low bits in both forms.
2a8a526 to e9536ab
Summary

`VirtualAssertWordAlignment::exec` and `VirtualAssertHalfwordAlignment::exec` compute the effective address via `cpu.x[rs1] + imm`. Both operands are `i64`, so the bare `+` panics in debug builds when the signed sum falls outside `[i64::MIN, i64::MAX]`. The other 30+ memory-touching tracer instructions (LB/LBU/LH/LHU/LW/LWU/LD, SB/SH/SW/SD, VirtualLW/VirtualSW, AMO*) all use `wrapping_add`; these two are the only outliers.

Reproducer

Why this is correct

- `rs1 + sign_ext(imm)` mod 2^64 (per the audit Finding 1 framing in Fix audit findings from 2026-04-15 report #1442).
- uses `wrapping_add` for the same operation. Verified via `grep -rn 'as usize\] +' tracer/src/instruction/` — only these two files match before this fix.
- `+` already wraps in release, and the alignment check operates on the same low bits in both forms. The fix only stops the spurious debug-build panic on overflow.

Test plan

- `cargo fmt -q`
- `cargo clippy -p jolt-core --features host --message-format=short -q --all-targets -- -D warnings`
- `cargo clippy -p jolt-core --features host,zk --message-format=short -q --all-targets -- -D warnings`
- `cargo nextest run -p tracer` — 114/114 pass (includes 2 new regression tests, both red on the un-fixed code)
- `cargo nextest run -p jolt-core muldiv --cargo-quiet --features host` — pass
- `cargo nextest run -p jolt-core muldiv --cargo-quiet --features host,zk` — pass
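The following is an added, self-contained illustration of the point made in both the PR description and the Summary above; it is not code from the Jolt tracer. It uses a hypothetical `Cpu` register-file struct and hypothetical function names (`effective_address`, `is_aligned`, `word_alignment_ok`, `halfword_alignment_ok`) to show why the bare `+` is a problem for an alignment assertion and why `wrapping_add` is the correct RV64 semantics: the address that would overflow `i64` wraps to `i64::MIN`, whose low bits are aligned, so the check must run on the wrapped value rather than abort. `checked_add` stands in for the unchecked `+` so the overflow can be reported instead of panicking.

```rust
// Added example (not the project's code). `Cpu` and the function names below are
// hypothetical stand-ins for the tracer's register file and assertion helpers.

/// Minimal stand-in for a RISC-V register file: 32 signed 64-bit registers.
pub struct Cpu {
    pub x: [i64; 32],
}

/// Effective address as RV64 defines it: rs1 + sign_ext(imm) mod 2^64.
/// `wrapping_add` gives identical results in debug and release builds.
pub fn effective_address(cpu: &Cpu, rs1: usize, imm: i64) -> i64 {
    cpu.x[rs1].wrapping_add(imm)
}

/// The pre-fix computation, modelled with `checked_add` so the overflow is
/// visible as `None`. In the original code the bare `+` panics in a debug
/// build at exactly the inputs for which this returns `None`.
pub fn effective_address_unchecked(cpu: &Cpu, rs1: usize, imm: i64) -> Option<i64> {
    cpu.x[rs1].checked_add(imm)
}

/// Alignment check on the low bits of the wrapped address. Reinterpreting as
/// `u64` makes explicit that only the low `log2(width)` bits are inspected,
/// which is why wrapping does not change the outcome of the check.
pub fn is_aligned(addr: i64, width: u64) -> bool {
    debug_assert!(width.is_power_of_two());
    (addr as u64) & (width - 1) == 0
}

/// Word (4-byte) alignment assertion on `cpu.x[rs1] + imm`.
pub fn word_alignment_ok(cpu: &Cpu, rs1: usize, imm: i64) -> bool {
    is_aligned(effective_address(cpu, rs1, imm), 4)
}

/// Halfword (2-byte) alignment assertion on `cpu.x[rs1] + imm`.
pub fn halfword_alignment_ok(cpu: &Cpu, rs1: usize, imm: i64) -> bool {
    is_aligned(effective_address(cpu, rs1, imm), 2)
}

fn main() {
    let mut cpu = Cpu { x: [0; 32] };

    // The regression case from the PR: rs1 = i64::MAX, imm = 1.
    cpu.x[1] = i64::MAX;
    println!("unchecked: {:?}", effective_address_unchecked(&cpu, 1, 1)); // None (overflow)
    println!("wrapped:   {:#x}", effective_address(&cpu, 1, 1) as u64); // 0x8000000000000000
    println!("word aligned: {}", word_alignment_ok(&cpu, 1, 1)); // true

    // A negative (sign-extended) offset on a small base also wraps cleanly
    // and the low bits still decide alignment: 2 + (-4) = 0xffff_ffff_ffff_fffe.
    cpu.x[2] = 2;
    println!("wrapped:   {:#x}", effective_address(&cpu, 2, -4) as u64);
    println!("halfword aligned: {}", halfword_alignment_ok(&cpu, 2, -4)); // true
    println!("word aligned:     {}", word_alignment_ok(&cpu, 2, -4)); // false
}
```

Running the binary in a debug build completes without a panic precisely because the assertion path uses `wrapping_add`; replacing it with `+` in `effective_address` reproduces the `attempt to add with overflow` abort on the first case.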