Fix memory.grow bounds and overflow checks for mem64

Previously the interpreter only executed overflow and bounds checks for memory.grow on 32-bit memories. Run the checks on 64-bit memories as well.
WebAssembly · Nov 25, 2024 · 640a101 · 640a101
1 parent ca61aee
commit 640a101
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
@@ -3836,10 +3836,14 @@ class ModuleRunnerBase : public ExpressionRunner<SubType> {
     auto fail = Literal::makeFromInt64(-1, memory->addressType);
     Flow ret = Literal::makeFromInt64(memorySize, addressType);
     uint64_t delta = flow.getSingleValue().getUnsigned();
-    if (delta > uint32_t(-1) / Memory::kPageSize && addressType == Type::i32) {
+    uint64_t maxAddr =
+      addressType == Type::i32 ? uint64_t(uint32_t(-1)) : uint64_t(-1);
+    if (delta > maxAddr / Memory::kPageSize) {
+      // Impossible to grow this much.
       return fail;
     }
-    if (memorySize >= uint32_t(-1) - delta && addressType == Type::i32) {
+    if (memorySize >= maxAddr - delta) {
+      // Overflow.
       return fail;
     }
     auto newSize = memorySize + delta;

diff --git a/test/lit/exec/memory64.wast b/test/lit/exec/memory64.wast
@@ -28,12 +28,24 @@
    (i32.const 10)
   )
  )
+
+ ;; CHECK:      [fuzz-exec] calling memory.grow.fail
+ ;; CHECK-NEXT: [fuzz-exec] note result: memory.grow.fail => -1
+ (func $memory.grow.fail (export "memory.grow.fail") (result i64)
+  (memory.grow
+   (i64.const -1)
+  )
+ )
 )
 
 ;; CHECK:      [fuzz-exec] calling memory.init.trap
 ;; CHECK-NEXT: [trap out of bounds segment access in memory.init]
 
 ;; CHECK:      [fuzz-exec] calling memory.init.trap2
 ;; CHECK-NEXT: [trap out of bounds segment access in memory.init]
+
+;; CHECK:      [fuzz-exec] calling memory.grow.fail
+;; CHECK-NEXT: [fuzz-exec] note result: memory.grow.fail => -1
+;; CHECK-NEXT: [fuzz-exec] comparing memory.grow.fail
 ;; CHECK-NEXT: [fuzz-exec] comparing memory.init.trap
 ;; CHECK-NEXT: [fuzz-exec] comparing memory.init.trap2