From a760ca0f2abd364806c6c74560a7e0736470fee9 Mon Sep 17 00:00:00 2001
From: Yi LIU
Date: Wed, 25 Feb 2026 09:12:08 +0800
Subject: [PATCH] Fix sign extension of i32 addresses in interpreter memory access

Use ptr.getUnsigned() to properly zero-extend i32 addresses to uint64_t in getFinalAddress and getFinalAddressWithoutOffset. Previously, geti32() returned a signed int32_t that sign-extended when assigned to uint64_t, producing incorrect addresses for values >= 0x80000000.
---
 src/wasm-interpreter.h | 4 ++--
 test/lit/exec/simd-load-lane-oob.wast | 4 ++--
 test/passes/fuzz-exec_O.txt | 8 ++++----
 test/passes/fuzz-exec_all-features.txt | 4 ++--
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
index 5ae570437ed..259d4b0b1a1 100644
--- a/src/wasm-interpreter.h
+++ b/src/wasm-interpreter.h
@@ -5151,7 +5151,7 @@ class ModuleRunnerBase : public ExpressionRunner {
 Address getFinalAddress(LS* curr, Literal ptr, Index bytes, Address memorySize) {
 Address memorySizeBytes = memorySize * Memory::kPageSize;
- uint64_t addr = ptr.type == Type::i32 ? ptr.geti32() : ptr.geti64();
+ uint64_t addr = ptr.getUnsigned();
 trapIfGt(curr->offset, memorySizeBytes, "offset > memory");
 trapIfGt(addr, memorySizeBytes - curr->offset, "final > memory");
 addr += curr->offset;
@@ -5167,7 +5167,7 @@ class ModuleRunnerBase : public ExpressionRunner {
 Address getFinalAddressWithoutOffset(Literal ptr, Index bytes, Address memorySize) {
- uint64_t addr = ptr.type == Type::i32 ? ptr.geti32() : ptr.geti64();
+ uint64_t addr = ptr.getUnsigned();
 checkLoadAddress(addr, bytes, memorySize);
 return addr;
 }
diff --git a/test/lit/exec/simd-load-lane-oob.wast b/test/lit/exec/simd-load-lane-oob.wast
index 2d0ed4d3af3..6227de060f9 100644
--- a/test/lit/exec/simd-load-lane-oob.wast
+++ b/test/lit/exec/simd-load-lane-oob.wast
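Review bot: The replacement line in getFinalAddress should carry a comment explaining why getUnsigned() is required, because the ternary it replaces read as correct and could easily be reintroduced by someone unaware of the integer promotion: `// i32 addresses are unsigned: getUnsigned() zero-extends them, whereas a geti32()/geti64() ternary promotes to int64_t and sign-extends values >= 0x80000000.` The same comment belongs on the corresponding line in getFinalAddressWithoutOffset in the second hunk. The `final > memory` check still runs before `addr += curr->offset`, so the corrected address cannot wrap past memorySizeBytes. If any other address computation in this file still uses the geti32()/geti64() ternary, it presumably has the same sign-extension issue and should be converted together with these two. The body of getFinalAddress continues past the end of the first hunk.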
@@ -10,7 +10,7 @@
 (global $g (mut i32) (i32.const 0))
 ;; CHECK: [fuzz-exec] calling oob
- ;; CHECK-NEXT: [trap final > memory: 18446744073709551615 > 65536]
+ ;; CHECK-NEXT: [trap final > memory: 4294967295 > 65536]
 (func $oob (export "oob")
 (drop
 ;; This should trap, but not until after setting the global.
@@ -34,7 +34,7 @@
 )
 )
 ;; CHECK: [fuzz-exec] calling oob
-;; CHECK-NEXT: [trap final > memory: 18446744073709551615 > 65536]
+;; CHECK-NEXT: [trap final > memory: 4294967295 > 65536]
 ;; CHECK: [fuzz-exec] calling get
 ;; CHECK-NEXT: [fuzz-exec] note result: get => 1
diff --git a/test/passes/fuzz-exec_O.txt b/test/passes/fuzz-exec_O.txt
index d636cc765ea..d9e1cf79115 100644
--- a/test/passes/fuzz-exec_O.txt
+++ b/test/passes/fuzz-exec_O.txt
@@ -1,7 +1,7 @@
 [fuzz-exec] calling func_0
-[trap final > memory: 18446744073709551615 > 65514]
+[trap final > memory: 4294967295 > 65514]
 [fuzz-exec] calling func_1
-[trap final > memory: 18446744073709551615 > 65514]
+[trap final > memory: 4294967295 > 65514]
 (module
 (type $0 (func (result i64)))
 (type $1 (func (result i32)))
@@ -25,9 +25,9 @@
 )
 )
 [fuzz-exec] calling func_0
-[trap final > memory: 18446744073709551615 > 65514]
+[trap final > memory: 4294967295 > 65514]
 [fuzz-exec] calling func_1
-[trap final > memory: 18446744073709551615 > 65514]
+[trap final > memory: 4294967295 > 65514]
 [fuzz-exec] comparing func_0
 [fuzz-exec] comparing func_1
 [fuzz-exec] calling div
diff --git a/test/passes/fuzz-exec_all-features.txt b/test/passes/fuzz-exec_all-features.txt
index fcb8e8a3c6b..16588f7ada4 100644
--- a/test/passes/fuzz-exec_all-features.txt
+++ b/test/passes/fuzz-exec_all-features.txt
@@ -68,7 +68,7 @@
 [fuzz-exec] calling wrap_cmpxchg
 [LoggingExternalInterface logging 42]
 [fuzz-exec] calling oob_notify
-[trap final > memory: 18446744073709551512 > 65514]
+[trap final > memory: 4294967192 > 65514]
 (module
 (type $0 (func (result i32)))
 (type $1 (func (param i32)))
@@ -137,7 +137,7 @@
 [fuzz-exec] calling wrap_cmpxchg
 [LoggingExternalInterface logging 42]
 [fuzz-exec] calling oob_notify
-[trap final > memory: 18446744073709551512 > 65514]
+[trap final > memory: 4294967192 > 65514]
 [fuzz-exec] comparing aligned_for_size
 [fuzz-exec] comparing oob_notify
 [fuzz-exec] comparing unaligned_load