fix: false OOB in array.fill for interp (#4645)

* cherry-pick gc spec test case * Fix false OOB in array.fill
2025-10-24 09:51:17 +00:00 · 2025-10-23 13:15:42 +08:00 · 2025-10-23 13:15:42 +08:00 · 4c371e655a
commit 4c371e655a
parent 25c5d575a1
4 changed files with 30 additions and 2 deletions
--- a/core/iwasm/interpreter/wasm_interp_classic.c
+++ b/core/iwasm/interpreter/wasm_interp_classic.c
@ -3165,7 +3165,7 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,

                        if (len > 0) {
                            if ((uint64)start_offset + len
-                                >= wasm_array_obj_length(array_obj)) {
+                                > wasm_array_obj_length(array_obj)) {
                                wasm_set_exception(
                                    module, "out of bounds array access");
                                goto got_exception;
--- a/core/iwasm/interpreter/wasm_interp_fast.c
+++ b/core/iwasm/interpreter/wasm_interp_fast.c
@ -2562,7 +2562,7 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,

                        if (len > 0) {
                            if ((uint64)start_offset + len
-                                >= wasm_array_obj_length(array_obj)) {
+                                > wasm_array_obj_length(array_obj)) {
                                wasm_set_exception(
                                    module, "out of bounds array access");
                                goto got_exception;
--- a/tests/wamr-test-suites/spec-test-script/gc_array_fill_cases.patch
+++ b/tests/wamr-test-suites/spec-test-script/gc_array_fill_cases.patch
@ -0,0 +1,27 @@
+diff --git a/test/core/gc/array_fill.wast b/test/core/gc/array_fill.wast
+index 0379ad53..73122178 100644
+--- a/test/core/gc/array_fill.wast
+++ b/test/core/gc/array_fill.wast
+@@ -79,3 +79,22 @@
+ (assert_return (invoke "array_get_nth" (i32.const 2)) (i32.const 11))
+ (assert_return (invoke "array_get_nth" (i32.const 3)) (i32.const 11))
+ (assert_return (invoke "array_get_nth" (i32.const 4)) (i32.const 0))
+
+;; fill the whole array
+(assert_return (invoke "array_fill" (i32.const 0) (i32.const 42) (i32.const 12)))
+(assert_return (invoke "array_get_nth" (i32.const 0)) (i32.const 42))
+(assert_return (invoke "array_get_nth" (i32.const 2)) (i32.const 42))
+(assert_return (invoke "array_get_nth" (i32.const 5)) (i32.const 42))
+(assert_return (invoke "array_get_nth" (i32.const 11)) (i32.const 42))
+
+;; fill the first element
+(assert_return (invoke "array_fill" (i32.const 0) (i32.const 7) (i32.const 1)))
+(assert_return (invoke "array_get_nth" (i32.const 0)) (i32.const 7))
+(assert_return (invoke "array_get_nth" (i32.const 1)) (i32.const 42))
+(assert_return (invoke "array_get_nth" (i32.const 11)) (i32.const 42))
+
+;; fill the last 2 elements
+(assert_return (invoke "array_fill" (i32.const 10) (i32.const 9) (i32.const 2)))
+(assert_return (invoke "array_get_nth" (i32.const 9)) (i32.const 42))
+(assert_return (invoke "array_get_nth" (i32.const 10)) (i32.const 9))
+(assert_return (invoke "array_get_nth" (i32.const 11)) (i32.const 9))
--- a/tests/wamr-test-suites/test_wamr.sh
+++ b/tests/wamr-test-suites/test_wamr.sh
@ -478,6 +478,7 @@ function spec_test()
        #  Dec 9, 2024. Merge branch 'funcref'
        git reset --hard 756060f5816c7e2159f4817fbdee76cf52f9c923
        git apply --ignore-whitespace ../../spec-test-script/gc_ignore_cases.patch || exit 1
+        git apply --ignore-whitespace ../../spec-test-script/gc_array_fill_cases.patch || exit 1

        if [[ ${ENABLE_QEMU} == 1 ]]; then
            # Decrease the recursive count for tail call cases as nuttx qemu's