Merge da9afc1d3a into 6c3f6fd017

Update note on WAMR_BUILD_LIBC_UVWASI for Windows (#4583 )
build(deps): Bump github/codeql-action from 3.29.10 to 3.29.11 (#4579 )
2025-09-04 00:43:57 +00:00 · 2025-08-31 16:42:22 +08:00 · 2025-08-27 13:57:30 +08:00 · 2025-08-27 07:31:06 +08:00 · 2025-08-04 15:54:28 +09:00
4 changed files with 21 additions and 5 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -53,7 +53,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3.29.10
+      uses: github/codeql-action/init@v3.29.11
      with:
        languages: ${{ matrix.language }}

@ -70,7 +70,7 @@ jobs:
    - run: |
        ./.github/scripts/codeql_buildscript.sh
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3.29.10
+      uses: github/codeql-action/analyze@v3.29.11
      with:
        category: "/language:${{matrix.language}}"
        upload: false
@ -99,7 +99,7 @@ jobs:
        output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif

    - name: Upload CodeQL results to code scanning
-      uses: github/codeql-action/upload-sarif@v3.29.10
+      uses: github/codeql-action/upload-sarif@v3.29.11
      with:
        sarif_file: ${{ steps.step1.outputs.sarif-output }}
        category: "/language:${{matrix.language}}"
--- a/.github/workflows/supply_chain.yml
+++ b/.github/workflows/supply_chain.yml
@ -60,6 +60,6 @@ jobs:

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@e96e340c1e95e91449de06aabfa9525b7b98113f 
+        uses: github/codeql-action/upload-sarif@5b49155c7f37b5ec074ffd26b428e6b64b1bf412 
        with:
          sarif_file: results.sarif
--- a/core/iwasm/libraries/wasi-nn/src/wasi_nn.c
+++ b/core/iwasm/libraries/wasi-nn/src/wasi_nn.c
@ -795,6 +795,22 @@ wasi_nn_get_output(wasm_exec_env_t exec_env, graph_execution_context ctx,
    if (success != (res = is_model_initialized(wasi_nn_ctx)))
        goto fail;

+#if WASM_ENABLE_WASI_EPHEMERAL_NN != 0
+    if (!wasm_runtime_validate_native_addr(instance, output_tensor,
+                                           output_tensor_len)) {
+        NN_ERR_PRINTF("output_tensor is invalid");
+        res = invalid_argument;
+        goto fail;
+    }
+#else
+    if (!wasm_runtime_validate_native_addr(instance, output_tensor,
+                                           *output_tensor_size)) {
+        NN_ERR_PRINTF("output_tensor is invalid");
+        res = invalid_argument;
+        goto fail;
+    }
+#endif
+
    if (!wasm_runtime_validate_native_addr(instance, output_tensor_size,
                                           (uint64)sizeof(uint32_t))) {
        NN_ERR_PRINTF("output_tensor_size is invalid");
--- a/doc/build_wamr.md
+++ b/doc/build_wamr.md
@ -57,7 +57,7 @@ cmake -DWAMR_BUILD_PLATFORM=linux -DWAMR_BUILD_TARGET=ARM

 - **WAMR_BUILD_LIBC_UVWASI**=1/0 (Experiment), build the [WASI](https://github.com/WebAssembly/WASI) libc subset for WASM app based on [uvwasi](https://github.com/nodejs/uvwasi) implementation, default to disable if not set

-> Note: for platform which doesn't support **WAMR_BUILD_LIBC_WASI**, e.g. Windows, developer can try using **WAMR_BUILD_LIBC_UVWASI**.
+> Note: WAMR doesn't support a safe sandbox on all platforms. For platforms that do not support **WAMR_BUILD_LIBC_WASI**, e.g. Windows, developers can try using an unsafe uvwasi-based WASI implementation by using **WAMR_BUILD_LIBC_UVWASI**.

 ### **Enable Multi-Module feature**
Author	SHA1	Message	Date
YAMAMOTO Takashi	a4250dc730	Merge `da9afc1d3a` into `6c3f6fd017`	2025-08-31 16:42:22 +08:00
Oscar Spencer	6c3f6fd017	Update note on WAMR_BUILD_LIBC_UVWASI for Windows (#4583 )	2025-08-27 13:57:30 +08:00
dependabot[bot]	42851ca821	build(deps): Bump github/codeql-action from 3.29.10 to 3.29.11 (#4579 ) Some checks failed compilation on macos / build_iwasm (${{ needs.build_llvm_libraries_on_intel_macos.outputs.cache_key }}, -DWAMR_DISABLE_HW_BOUND_CHECK=1, $FAST_INTERP_BUILD_OPTIONS, macos-13, darwin) (push) Has been cancelled Details compilation on macos / build_iwasm (${{ needs.build_llvm_libraries_on_intel_macos.outputs.cache_key }}, -DWAMR_DISABLE_HW_BOUND_CHECK=1, $LLVM_EAGER_JIT_BUILD_OPTIONS, macos-13, darwin) (push) Has been cancelled Details compilation on macos / build_iwasm (${{ needs.build_llvm_libraries_on_intel_macos.outputs.cache_key }}, -DWAMR_DISABLE_HW_BOUND_CHECK=1, $LLVM_LAZY_JIT_BUILD_OPTIONS, macos-13, darwin) (push) Has been cancelled Details compilation on macos / build_samples_wasm_c_api (${{ needs.build_llvm_libraries_on_intel_macos.outputs.cache_key }}, $AOT_BUILD_OPTIONS, macos-13) (push) Has been cancelled Details compilation on macos / build_samples_wasm_c_api (${{ needs.build_llvm_libraries_on_intel_macos.outputs.cache_key }}, $CLASSIC_INTERP_BUILD_OPTIONS, macos-13) (push) Has been cancelled Details compilation on macos / build_samples_wasm_c_api (${{ needs.build_llvm_libraries_on_intel_macos.outputs.cache_key }}, $FAST_INTERP_BUILD_OPTIONS, macos-13) (push) Has been cancelled Details compilation on macos / build_samples_wasm_c_api (${{ needs.build_llvm_libraries_on_intel_macos.outputs.cache_key }}, $FAST_JIT_BUILD_OPTIONS, macos-13) (push) Has been cancelled Details compilation on macos / build_samples_wasm_c_api (${{ needs.build_llvm_libraries_on_intel_macos.outputs.cache_key }}, $LLVM_EAGER_JIT_BUILD_OPTIONS, macos-13) (push) Has been cancelled Details compilation on macos / build_samples_wasm_c_api (${{ needs.build_llvm_libraries_on_intel_macos.outputs.cache_key }}, $LLVM_LAZY_JIT_BUILD_OPTIONS, macos-13) (push) Has been cancelled Details compilation on macos / build_samples_wasm_c_api (${{ needs.build_llvm_libraries_on_intel_macos.outputs.cache_key }}, $MULTI_TIER_JIT_BUILD_OPTIONS, macos-13) (push) Has been cancelled Details compilation on macos / build_samples_others (${{ needs.build_llvm_libraries_on_arm_macos.outputs.cache_key }}, macos-14) (push) Has been cancelled Details compilation on macos / build_samples_others (${{ needs.build_llvm_libraries_on_intel_macos.outputs.cache_key }}, macos-13) (push) Has been cancelled Details compilation on SGX / run_samples_file (-DWAMR_BUILD_SGX_IPFS=1, $AOT_BUILD_OPTIONS, ${{ needs.build_llvm_libraries.outputs.cache_key }}, ubuntu-22.04, linux-sgx) (push) Has been cancelled Details compilation on SGX / run_samples_file (-DWAMR_BUILD_SGX_IPFS=1, $CLASSIC_INTERP_BUILD_OPTIONS, ${{ needs.build_llvm_libraries.outputs.cache_key }}, ubuntu-22.04, linux-sgx) (push) Has been cancelled Details compilation on SGX / run_samples_file (-DWAMR_BUILD_SGX_IPFS=1, $FAST_INTERP_BUILD_OPTIONS, ${{ needs.build_llvm_libraries.outputs.cache_key }}, ubuntu-22.04, linux-sgx) (push) Has been cancelled Details compilation on SGX / run_samples_file (-DWAMR_BUILD_SGX_IPFS=1, $FAST_JIT_BUILD_OPTIONS, ${{ needs.build_llvm_libraries.outputs.cache_key }}, ubuntu-22.04, linux-sgx) (push) Has been cancelled Details compilation on SGX / spec_test_default (${{ needs.build_llvm_libraries.outputs.cache_key }}, ubuntu-22.04, aot, $DEFAULT_TEST_OPTIONS) (push) Has been cancelled Details compilation on SGX / spec_test_default (${{ needs.build_llvm_libraries.outputs.cache_key }}, ubuntu-22.04, aot, $SIMD_TEST_OPTIONS) (push) Has been cancelled Details compilation on SGX / spec_test_default (${{ needs.build_llvm_libraries.outputs.cache_key }}, ubuntu-22.04, aot, $XIP_TEST_OPTIONS) (push) Has been cancelled Details compilation on SGX / spec_test_default (${{ needs.build_llvm_libraries.outputs.cache_key }}, ubuntu-22.04, classic-interp, $DEFAULT_TEST_OPTIONS) (push) Has been cancelled Details compilation on SGX / spec_test_default (${{ needs.build_llvm_libraries.outputs.cache_key }}, ubuntu-22.04, fast-jit, $DEFAULT_TEST_OPTIONS) (push) Has been cancelled Details compilation on windows-latest / build_wamrc (${{ needs.build_llvm_libraries_on_windows.outputs.cache_key }}, windows-latest) (push) Has been cancelled Details compilation on windows-latest / test (classic-interp, $DEFAULT_TEST_OPTIONS) (push) Has been cancelled Details compilation on windows-latest / test (classic-interp, $MULTI_MODULES_TEST_OPTIONS) (push) Has been cancelled Details compilation on windows-latest / test (classic-interp, $THREADS_TEST_OPTIONS) (push) Has been cancelled Details compilation on windows-latest / test (classic-interp, $WASI_TEST_OPTIONS) (push) Has been cancelled Details compilation on windows-latest / test (fast-interp, $DEFAULT_TEST_OPTIONS) (push) Has been cancelled Details compilation on windows-latest / test (fast-interp, $MULTI_MODULES_TEST_OPTIONS) (push) Has been cancelled Details compilation on windows-latest / test (fast-interp, $THREADS_TEST_OPTIONS) (push) Has been cancelled Details compilation on windows-latest / test (fast-interp, $WASI_TEST_OPTIONS) (push) Has been cancelled Details Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.10 to 3.29.11. - [Release notes](https://github.com/github/codeql-action/releases) - [Commits](https://github.com/github/codeql-action/compare/v3.29.10...v3.29.11) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.29.11 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-08-27 07:31:06 +08:00
YAMAMOTO Takashi	da9afc1d3a	wasi-nn: add a missing address validation for get_output cf. https://github.com/bytecodealliance/wasm-micro-runtime/issues/4533	2025-08-04 15:54:28 +09:00