Merge d285f76661 into 17be90d8f0

return the same value for max_info_size regardless of addr_info_size.

.github/codeql/codeql_config.yml

@@ -0,0 +1,46 @@
+# Copyright (C) 2019 Intel Corporation.  All rights reserved.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+paths:
+  - .github
+  - core/iwasm
+  - core/shared/platform/common/
+  - core/shared/platform/include/
+  - core/shared/platform/linux/
+  - product-mini/platforms/common/
+  - product-mini/platforms/linux/
+  # TODO: add other platforms back if able to do cross-compilation
+  # - product-mini/platforms/
+  # TODO: add samples back after buildscript modification
+  # - need to ignore workloads and wasm-apps
+  # - samples
+  - wamr-compiler/
+paths-ignore:
+  # always ignore build
+  - '**/build/**'
+  - '**/test*/**'
+  - '**/wasm-app*/**'
+  - core/deps/
+  # platform specific
+  - core/iwasm/aot/arch/aot_reloc_aarch64.c
+  - core/iwasm/aot/arch/aot_reloc_arc.c
+  - core/iwasm/aot/arch/aot_reloc_arm.c
+  - core/iwasm/aot/arch/aot_reloc_dummy.c
+  - core/iwasm/aot/arch/aot_reloc_mips.c
+  - core/iwasm/aot/arch/aot_reloc_riscv.c
+  - core/iwasm/aot/arch/aot_reloc_thumb.c
+  - core/iwasm/aot/arch/aot_reloc_xtensa.c
+  - core/iwasm/libraries/lib-rats/
+  - core/iwasm/libraries/lib-socket/
+  - core/iwasm/libraries/lib-wasi-threads/*-test/
+  - core/shared/platform/common/freertos/
+  - core/shared/platform/common/math/
+  #TODO: add me back if lldb libraries installed
+  - core/iwasm/compilation/debug/
+  # spend disk space and slow
+  - core/iwasm/libraries/wasi-nn/src/wasi_nn_tflite*
+  #TODO: add me back if openvino installed
+  - core/iwasm/libraries/wasi-nn/src/wasi_nn_openvino*
+  # for wasm
+  - core/iwasm/libraries/wasi-nn/include/wasi_nn.h
+  # reference
+  - core/iwasm/common/arch/invokeNative_general.c

.github/scripts/codeql_buildscript.sh

@@ -5,308 +5,117 @@
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 #
 
-sudo apt update
+# This script is used to build the WAMR project for CodeQL analysis.
 
-sudo apt install -y build-essential cmake g++-multilib libgcc-12-dev lib32gcc-12-dev ccache ninja-build
+# Pre-requisites
+sudo apt -qq update
+sudo apt install -y -qq build-essential cmake g++-multilib libgcc-12-dev lib32gcc-12-dev ccache ninja-build
 
+LLVM_VER=18.1.8
+pushd /opt
+sudo wget --progress=dot:giga -O clang+llvm-x86_64-linux-gnu.tar.xz https://github.com/llvm/llvm-project/releases/download/llvmorg-${LLVM_VER}/clang+llvm-${LLVM_VER}-x86_64-linux-gnu-ubuntu-18.04.tar.xz \
+  && tar -xf clang+llvm-x86_64-linux-gnu.tar.xz \
+  && mv clang+llvm-${LLVM_VER}-x86_64-linux-gnu-ubuntu-18.04 llvm-${LLVM_VER}
+popd
+
+# libtinfo.so.5 for /opt/llvm-18.1.8/lib/libomptarget.rtl.amdgpu.so.18.1
+sudo apt -qq update
+wget http://security.ubuntu.com/ubuntu/pool/universe/n/ncurses/libtinfo5_6.3-2ubuntu0.1_amd64.deb
+sudo apt install -y -qq ./libtinfo5_6.3-2ubuntu0.1_amd64.deb
+
+# Start the build process
 WAMR_DIR=${PWD}
+LLVM_DIR=/opt/llvm-${LLVM_VER}/lib/cmake/llvm
 
-# TODO: use pre-built llvm binary to build wamrc to
+# Function to build wamrc
-#       avoid static code analysing for llvm
+build_wamrc() {
-: '
+    local options="$1"
-# build wamrc
+    echo "Building wamrc with options: $options"
-cd ${WAMR_DIR}/wamr-compiler
-./build_llvm.sh
-rm -fr build && mkdir build && cd build
-cmake ..
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build wamrc!"
-    exit 1;
-fi
-'
 
-# build iwasm with default features enabled
+    pushd ${WAMR_DIR}/wamr-compiler
-cd ${WAMR_DIR}/product-mini/platforms/linux
+    rm -rf build
-rm -fr build && mkdir build && cd build
+    cmake -S . -B build \
-cmake ..
+        -G Ninja \
-make -j
+        -DCMAKE_BUILD_TYPE=Debug \
+        -DWAMR_BUILD_WITH_CUSTOM_LLVM=1 -DLLVM_DIR=${LLVM_DIR} \
+        $options
+    cmake --build build --target wamrc --parallel
     if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with default features enabled!"
+        echo "Failed to build wamrc with options: $options"
-    exit 1;
+        exit 1
     fi
+    popd
+}
 
-# build iwasm with default features enabled on x86_32
+# Function to build iwasm
-cd ${WAMR_DIR}/product-mini/platforms/linux
+build_iwasm() {
-rm -fr build && mkdir build && cd build
+    local options="$1"
-cmake .. -DWAMR_BUILD_TARGET=X86_32
+    echo "Building iwasm with options: $options"
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with default features enabled on x86_32!"
-    exit 1;
-fi
 
-# build iwasm with classic interpreter enabled
+    pushd ${WAMR_DIR}/product-mini/platforms/linux
-cd ${WAMR_DIR}/product-mini/platforms/linux
+    rm -rf build
-rm -rf build && mkdir build && cd build
+    cmake -S . -B build \
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_INTERP=0
+        -G Ninja \
-make -j
+        -DCMAKE_BUILD_TYPE=Debug \
+        -DLLVM_DIR=${LLVM_DIR} \
+        $options
+    cmake --build build --target iwasm --parallel
     if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with classic interpreter enabled!"
+        echo "Failed to build iwasm with options: $options"
-    exit 1;
+        exit 1
     fi
+    popd
+}
 
-# build iwasm with extra features enabled
+# List of compilation options for wamrc
-cd ${WAMR_DIR}/product-mini/platforms/linux
+wamrc_options_list=(
-rm -fr build && mkdir build && cd build
+    #default
-cmake .. -DCMAKE_BUILD_TYPE=Debug \
+    ""
-    -DWAMR_BUILD_LIB_PTHREAD=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1 \
+)
-    -DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_SIMD=1 \
-    -DWAMR_BUILD_TAIL_CALL=1 -DWAMR_BUILD_REF_TYPES=1 \
-    -DWAMR_BUILD_CUSTOM_NAME_SECTION=1 -DWAMR_BUILD_MEMORY_PROFILING=1 \
-    -DWAMR_BUILD_PERF_PROFILING=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 \
-    -DWAMR_BUILD_LOAD_CUSTOM_SECTION=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build wamrc iwasm with extra features enabled!"
-    exit 1;
-fi
 
-# build iwasm with global heap pool enabled
+# List of compilation options for iwasm
-cd ${WAMR_DIR}/product-mini/platforms/linux
+iwasm_options_list=(
-rm -fr build && mkdir build && cd build
+    #default
-cmake .. -DCMAKE_BUILD_TYPE=Debug \
+    ""
-    -DWAMR_BUILD_ALLOC_WITH_USER_DATA=1 \
+    # +classic interp
-    -DWAMR_DISABLE_STACK_HW_BOUND_CHECK=1 \
+    "-DWAMR_BUILD_FAST_INTERP=0"
-    -DWAMR_BUILD_GLOBAL_HEAP_POOL=1 \
+    # +llvm jit + fast jit
-    -DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072
+    "-DWAMR_BUILD_JIT=1 -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1"
-make -j
+    #
-if [[ $? != 0 ]]; then
+    "-DWAMR_BUILD_TARGET=X86_32"
-    echo "Failed to build iwasm with global heap pool enabled!"
+    #
-    exit 1;
+    # libraries
-fi
+    "-DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_UVWASI=1 -DWAMR_BUILD_LIBC_EMCC=1"
+    "-DWAMR_BUILD_THREAD_MGR=1 -DWAMR_BUILD_LIB_PTHREAD=1      -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1"
+    "-DWAMR_BUILD_THREAD_MGR=1 -DWAMR_BUILD_LIB_WASI_THREADS=1 -DWAMR_BUILD_SHARED_MEMORY=1 -DWAMR_BUILD_LIB_PTHREAD_SEMAPHORE=1"
+    "-DWAMR_BUILD_WASI_NN=1 -DWAMR_BUILD_WASI_NN_LLAMACPP=1"
+    #
+    # Wasm specs
+    "-DWAMR_BUILD_GC=1 -DWAMR_BUILD_EXCE_HANDLING=1 -DWAMR_BUILD_STRINGREF=1 -DWAMR_STRINGREF_IMPL_SOURCE=STUB"
+    "-DWAMR_BUILD_MEMORY64=1 -DWAMR_BUILD_MULTI_MEMORY=1"
+    #
+    # WARM features
+    "-DWAMR_BUILD_MULTI_MODULE=1 -DWAMR_BUILD_MINI_LOADER=1 -DWAMR_BUILD_SHARED_HEAP=1"
+    "-DWAMR_DISABLE_HW_BOUND_CHECK=1"
+    "-DWAMR_CONFIGURABLE_BOUNDS_CHECKS=1"
+    # - Debug
+    "-DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1 -DWAMR_BUILD_DYNAMIC_AOT_DEBUG=1"
+    # - developer options
+    "-DWAMR_BUILD_CUSTOM_NAME_SECTION=1  -DWAMR_BUILD_LOAD_CUSTOM_SECTION=1 -DWAMR_BUILD_DUMP_CALL_STACK=1 -DWAMR_BUILD_LINUX_PERF=1 -DWAMR_BUILD_AOT_VALIDATOR=1 -DWAMR_BUILD_MEMORY_PROFILING=1 -DWAMR_BUILD_PERF_PROFILING=1"
+    # - global heap
+    "-DWAMR_BUILD_ALLOC_WITH_USER_DATA=1  -DWAMR_BUILD_GLOBAL_HEAP_POOL=1 -DWAMR_BUILD_GLOBAL_HEAP_SIZE=131072"
+    "-DWAMR_BUILD_QUICK_AOT_ENTRY=0 -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1 -DWAMR_BUILD_MODULE_INST_CONTEXT=0"
+    # - pgo
+    "-DWAMR_BUILD_STATIC_PGO=1"
+    # TODO: SGX specifics.
+)
 
-# build iwasm with wasi-threads enabled
+# Loop through all iwasm options and build
-cd ${WAMR_DIR}/product-mini/platforms/linux
+for options in "${iwasm_options_list[@]}"; do
-rm -fr build && mkdir build && cd build
+    build_iwasm "$options"
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIB_WASI_THREADS=1
+done
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with wasi-threads enabled!"
-    exit 1;
-fi
 
-# build iwasm with GC enabled
+# Loop through all wamrc options and build
-cd ${WAMR_DIR}/product-mini/platforms/linux
+for options in "${wamrc_options_list[@]}"; do
-rm -rf build && mkdir build && cd build
+    build_wamrc "$options"
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_GC=1
+done
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with GC enabled!"
-    exit 1;
-fi
-
-# build iwasm with exception handling enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_EXCE_HANDLING=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with exception handling enabled!"
-    exit 1;
-fi
-
-# build iwasm with memory64 enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MEMORY64=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with memory64 enabled!"
-    exit 1;
-fi
-
-# build iwasm with multi-memory enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MULTI_MEMORY=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with multi-memory enabled!"
-    exit 1;
-fi
-
-# build iwasm with hardware boundary check disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_HW_BOUND_CHECK=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with hardware boundary check disabled!"
-    exit 1;
-fi
-
-# build iwasm with quick AOT entry disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_QUICK_AOT_ENTRY=0
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with quick AOT entry disabled!"
-    exit 1;
-fi
-
-# build iwasm with wakeup of blocking operations disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_DISABLE_WAKEUP_BLOCKING_OP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with wakeup of blocking operations disabled!"
-    exit 1;
-fi
-
-# build iwasm with module instance context disabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MODULE_INST_CONTEXT=0 \
-         -DWAMR_BUILD_LIBC_BUILTIN=0 -DWAMR_BUILD_LIBC_WASI=0
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with module instance context disabled!"
-    exit 1;
-fi
-
-# build iwasm with libc-uvwasi enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -fr build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LIBC_UVWASI=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with libc-uvwasi enabled!"
-    exit 1;
-fi
-
-# build iwasm with fast jit lazy mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with fast jit lazy mode enabled!"
-    exit 1;
-fi
-
-# build iwasm with fast jit eager mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_FAST_JIT_DUMP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with fast jit eager mode enabled!"
-    exit 1;
-fi
-
-# TODO: use pre-built llvm binary to build llvm-jit and multi-tier-jit
-: '
-# build iwasm with llvm jit lazy mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build llvm jit lazy mode enabled!"
-    exit 1;
-fi
-
-# build iwasm with llvm jit eager mode enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build llvm jit eager mode enabled!"
-    exit 1;
-fi
-
-# build iwasm with multi-tier jit enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_FAST_JIT=1 -DWAMR_BUILD_JIT=1 \
-                                    -DWAMR_BUILD_FAST_JIT_DUMP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with multi-tier jit enabled!"
-    exit 1;
-fi
-'
-
-# build iwasm with wasm mini-loader enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_MINI_LOADER=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build with wasm mini-loader enabled!"
-    exit 1;
-fi
-
-# build iwasm with source debugging enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DEBUG_INTERP=1 -DWAMR_BUILD_DEBUG_AOT=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with source debugging enabled!"
-    exit 1;
-fi
-
-# build iwasm with AOT static PGO enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_STATIC_PGO=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with AOT static PGO enabled!"
-    exit 1;
-fi
-
-# build iwasm with configurable bounds checks enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_CONFIGURABLE_BOUNDS_CHECKS=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with configurable bounds checks enabled!"
-    exit 1;
-fi
-
-# build iwasm with linux perf support enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux/
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_LINUX_PERF=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with linux perf support enabled!"
-    exit 1;
-fi
-
-# build iwasm with shared heap enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_SHARED_HEAP=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm with shared heap enabled!"
-    exit 1;
-fi
-
-# build iwasm with dynamic aot debug enabled
-cd ${WAMR_DIR}/product-mini/platforms/linux
-rm -rf build && mkdir build && cd build
-cmake .. -DCMAKE_BUILD_TYPE=Debug -DWAMR_BUILD_DYNAMIC_AOT_DEBUG=1
-make -j
-if [[ $? != 0 ]]; then
-    echo "Failed to build iwasm dynamic aot debug enabled!"
-    exit 1;
-fi

.github/workflows/codeql.yml

@@ -1,29 +1,24 @@
-# For most projects, this workflow file will not need changing; you simply need
+# Copyright (C) 2019 Intel Corporation.  All rights reserved.
-# to commit it to your repository.
+# SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
-#
+
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
 name: "CodeQL"
 
 on:
-  #pull_request:
+  # run on every push to the feature-development branch
-  #  types:
+  # the main branch is covered by below cron plan
-  #    - opened
+  push:
-  #  branches: '*'
+    branches:
-  #push:
+      - dev/**
-  #   branches: [ "main" ]
+  # midnight UTC on the latest commit on the main branch
-  # midnight UTC
   schedule:
-    - cron: '0 0 * * *'
+    - cron: "0 0 * * *"
   # allow to be triggered manually
   workflow_dispatch:
 
-permissions:
-  contents: read
-
 jobs:
   analyze:
+    # only run this job if the repository is not a fork
+    # if want to run this job on a fork, please remove the if condition
     if: github.repository == 'bytecodealliance/wasm-micro-runtime'
     name: Analyze
     # Runner size impacts CodeQL analysis time. To learn more, please see:
@@ -31,14 +26,15 @@ jobs:
     #   - https://gh.io/supported-runners-and-hardware-resources
     #   - https://gh.io/using-larger-runners
     # Consider using larger runners for possible analysis time improvements.
-    runs-on: ${{ (matrix.language == 'swift' && 'macos-13') || 'ubuntu-22.04' }}
+    # But it is not free, so please be aware of the cost.
-    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    runs-on: ubuntu-22.04
+    timeout-minutes: 360
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'cpp' ]
+        #TODO: add actions
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+        language: ["cpp"]
 
     permissions:
       contents: read
@@ -53,53 +49,72 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3.29.1
+        uses: github/codeql-action/init@v3.29.2
         with:
           languages: ${{ matrix.language }}
-
           # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
           # queries: security-extended,security-and-quality
           queries: security-and-quality
-
+          config-file: ./.github/codeql/codeql_config.yml
-    # Command-line programs to run using the OS shell.
-    # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
       - run: |
           ./.github/scripts/codeql_buildscript.sh
+
       - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3.29.1
+        uses: github/codeql-action/analyze@v3.29.2
         with:
           category: "/language:${{matrix.language}}"
           upload: false
         id: step1
 
-    # Filter out rules with low severity or high false positve rate
+      # - cpp/alloca-in-loop is about touch_pages() which is intended to
-    # Also filter out warnings in third-party code
+      # - cpp/command-line-injection is about bh_system() which is used to
+      # - cpp/path-injection is used in bh_read_file_to_buffer() to load a .wasm.
+      #   or operate a stack usage file which is not sensitive or generate a .aot
+      # - cpp/suspicious-pointer-scaling
+      #   - wasm_runtime_invoke_native() used to trivial registers
+      # - cpp/uncontrolled-process-operation is about dlopen() which is used by
+      #   native libraries registrations.
+      # - cpp/world-writable-file-creation is about fopen() a temporary file
+      #   for perf-PID.map or .aot(wamrc). The permission isn't sensitive.
+      #   file.
+      #
+      # execute customized compiler
       - name: Filter out unwanted errors and warnings
         uses: advanced-security/filter-sarif@v1
         with:
           patterns: |
-          -**:cpp/path-injection
+            ## Exclude files and directories
-          -**:cpp/world-writable-file-creation
+            -**/build/**
-          -**:cpp/poorly-documented-function
+            -**/core/deps/**
-          -**:cpp/potentially-dangerous-function
-          -**:cpp/use-of-goto
-          -**:cpp/integer-multiplication-cast-to-long
-          -**:cpp/comparison-with-wider-type
-          -**:cpp/leap-year/*
-          -**:cpp/ambiguously-signed-bit-field
-          -**:cpp/suspicious-pointer-scaling
-          -**:cpp/suspicious-pointer-scaling-void
-          -**:cpp/unsigned-comparison-zero
             -**/cmake*/Modules/**
+            -**/test*/**
+            -**/wasm-app*/**
+            ## Exclude rules 1. Related to formatting, style
+            -**:cpp/commented-out-code
+            -**:cpp/complex-condition
+            -**:cpp/empty-if
+            -**:cpp/fixme-comment
+            -**:cpp/include-non-header
+            -**:cpp/long-switch
+            -**:cpp/poorly-documented-function
+            -**:cpp/trivial-switch
+            -**:cpp/unused-local-variable
+            -**:cpp/unused-static-function
+            -**:cpp/unused-static-variable
+            -**:cpp/use-of-goto 
+            ## Exclude rules 2. Related to special usage of APIs
+            -**:cpp/alloca-in-loop
+            -**:cpp/command-line-injection
+            -**:cpp/path-injection
+            -core/iwasm/common/wasm_runtime_common.c:cpp/suspicious-pointer-scaling
+            -**:cpp/uncontrolled-process-operation
+            -**:cpp/world-writable-file-creation
           input: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
           output: ${{ steps.step1.outputs.sarif-output }}/cpp.sarif
 
       - name: Upload CodeQL results to code scanning
-      uses: github/codeql-action/upload-sarif@v3.29.1
+        uses: github/codeql-action/upload-sarif@v3.29.2
         with:
           sarif_file: ${{ steps.step1.outputs.sarif-output }}
           category: "/language:${{matrix.language}}"

.github/workflows/supply_chain.yml

@@ -60,6 +60,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@4c57370d0304fbff638216539f81d9163f77712a 
+        uses: github/codeql-action/upload-sarif@b69421388d5449cc5a5e1ca344d71926bda69e07 
         with:
           sarif_file: results.sarif

README.md

@@ -48,6 +48,7 @@ WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm)
 - [Reference Types](https://github.com/WebAssembly/reference-types), ref to [document](doc/ref_types.md) and [sample](samples/ref-types)
 - [Bulk memory operations](https://github.com/WebAssembly/bulk-memory-operations), [Shared memory](https://github.com/WebAssembly/threads/blob/main/proposals/threads/Overview.md#shared-linear-memory), [Memory64](https://github.com/WebAssembly/memory64)
 - [Tail-call](https://github.com/WebAssembly/tail-call), [Garbage Collection](https://github.com/WebAssembly/gc), [Exception Handling](https://github.com/WebAssembly/exception-handling)
+- [Extended Constant Expressions](https://github.com/WebAssembly/extended-const)
 
 ### Supported architectures and platforms
 The WAMR VMcore supports the following architectures:

core/iwasm/aot/aot_loader.c

@@ -4711,7 +4711,7 @@ aot_unload(AOTModule *module)
 }
 
 uint32
-aot_get_plt_table_size()
+aot_get_plt_table_size(void)
 {
     return get_plt_table_size();
 }

core/iwasm/compilation/aot.c

@@ -8,7 +8,7 @@
 static char aot_error[128];
 
 char *
-aot_get_last_error()
+aot_get_last_error(void)
 {
     return aot_error[0] == '\0' ? "" : aot_error;
 }

core/iwasm/compilation/aot_emit_aot_file.c

@@ -1905,7 +1905,7 @@ aot_emit_init_expr(uint8 *buf, uint8 *buf_end, uint32 *p_offset,
         {
             WASMArrayType *array_type = NULL;
 
-            bh_assert(expr->u.array_new_default.type_index
+            bh_assert(expr->u.unary.v.array_new_default.type_index
                       < module->type_count);
             array_type =
                 (WASMArrayType *)

core/iwasm/include/aot_export.h

@@ -98,10 +98,10 @@ void
 aot_destroy_aot_file(uint8_t *aot_file);
 
 char *
-aot_get_last_error();
+aot_get_last_error(void);
 
 uint32_t
-aot_get_plt_table_size();
+aot_get_plt_table_size(void);
 
 #ifdef __cplusplus
 }

core/iwasm/interpreter/wasm_loader.c

@@ -999,12 +999,10 @@ load_init_expr(WASMModule *module, const uint8 **p_buf, const uint8 *buf_end,
             /* ref.null */
             case INIT_EXPR_TYPE_REFNULL_CONST:
             {
-                uint8 type1;
-
 #if WASM_ENABLE_GC == 0
+                uint8 type1;
                 CHECK_BUF(p, p_end, 1);
                 type1 = read_uint8(p);
-
                 cur_value.ref_index = NULL_REF;
                 if (!push_const_expr_stack(&const_expr_ctx, flag, type1,
                                            &cur_value,
@@ -1014,23 +1012,34 @@ load_init_expr(WASMModule *module, const uint8 **p_buf, const uint8 *buf_end,
                                            error_buf, error_buf_size))
                     goto fail;
 #else
+                /*
+                 * According to the current GC SPEC rules, the heap_type must be
+                 * validated when ref.null is used. It can be an absheaptype,
+                 * or the type C.types[type_idx] must be defined in the context.
+                 */
                 int32 heap_type;
                 read_leb_int32(p, p_end, heap_type);
-                type1 = (uint8)((int32)0x80 + heap_type);
-
                 cur_value.gc_obj = NULL_REF;
 
-                if (!is_byte_a_type(type1)
+                /*
-                    || !wasm_is_valid_heap_type(heap_type)
+                 * The current check of heap_type can deterministically infer
-                    || wasm_is_type_multi_byte_type(type1)) {
+                 * the result of the previous condition
-                    p--;
+                 * `(!is_byte_a_type(type1) ||
-                    read_leb_uint32(p, p_end, type_idx);
+                 * wasm_is_type_multi_byte_type(type1))`. Therefore, the
-                    if (!check_type_index(module, module->type_count, type_idx,
+                 * original condition is redundant and has been removed.
-                                          error_buf, error_buf_size))
+                 *
-                        goto fail;
+                 * This logic is consistent with the implementation of the
+                 * `WASM_OP_REF_NULL` case in the `wasm_loader_prepare_bytecode`
+                 * function.
+                 */
 
+                if (heap_type >= 0) {
+                    if (!check_type_index(module, module->type_count, heap_type,
+                                          error_buf, error_buf_size)) {
+                        goto fail;
+                    }
                     wasm_set_refheaptype_typeidx(&cur_ref_type.ref_ht_typeidx,
-                                                 true, type_idx);
+                                                 true, heap_type);
                     if (!push_const_expr_stack(&const_expr_ctx, flag,
                                                cur_ref_type.ref_type,
                                                &cur_ref_type, 0, &cur_value,
@@ -1041,8 +1050,16 @@ load_init_expr(WASMModule *module, const uint8 **p_buf, const uint8 *buf_end,
                         goto fail;
                 }
                 else {
-                    if (!push_const_expr_stack(&const_expr_ctx, flag, type1,
+                    if (!wasm_is_valid_heap_type(heap_type)) {
-                                               NULL, 0, &cur_value,
+                        set_error_buf_v(error_buf, error_buf_size,
+                                        "unknown type %d", heap_type);
+                        goto fail;
+                    }
+                    cur_ref_type.ref_ht_common.ref_type =
+                        (uint8)((int32)0x80 + heap_type);
+                    if (!push_const_expr_stack(&const_expr_ctx, flag,
+                                               cur_ref_type.ref_type, NULL, 0,
+                                               &cur_value,
 #if WASM_ENABLE_EXTENDED_CONST_EXPR != 0
                                                NULL,
 #endif

core/iwasm/libraries/wasi-nn/src/wasi_nn_llamacpp.c

@@ -17,6 +17,10 @@ extern char const *LLAMA_COMMIT;
 extern char const *LLAMA_COMPILER;
 extern char const *LLAMA_BUILD_TARGET;
 
+#if WASM_ENABLE_WASI_EPHEMERAL_NN == 0
+#error This backend doesn't support legacy "wasi_nn" abi. Please enable WASM_ENABLE_WASI_EPHEMERAL_NN.
+#endif
+
 // compatible with WasmEdge
 // https://github.com/second-state/WasmEdge-WASINN-examples/blob/master/wasmedge-ggml/README.md#parameters
 // https://github.com/WasmEdge/WasmEdge/blob/master/plugins/wasi_nn/ggml.cpp

core/iwasm/libraries/wasi-nn/src/wasi_nn_openvino.c

@@ -9,6 +9,10 @@
 
 #include "openvino/c/openvino.h"
 
+#if WASM_ENABLE_WASI_EPHEMERAL_NN == 0
+#error This backend doesn't support legacy "wasi_nn" abi. Please enable WASM_ENABLE_WASI_EPHEMERAL_NN.
+#endif
+
 /*
  * refer to
  * https://docs.openvino.ai/2024/openvino-workflow/running-inference/integrate-openvino-with-your-application.html

core/shared/platform/common/posix/posix_socket.c

@@ -406,12 +406,11 @@ os_socket_addr_resolve(const char *host, const char *service,
 
     res = result;
     while (res) {
-        if (addr_info_size > pos) {
         if (!is_addrinfo_supported(res)) {
             res = res->ai_next;
             continue;
         }
-
+        if (addr_info_size > pos) {
             ret =
                 sockaddr_to_bh_sockaddr(res->ai_addr, &addr_info[pos].sockaddr);
 

tests/fuzz/wasm-mutator-fuzz/aot-compiler/aot_compiler_fuzz.cc

@@ -58,6 +58,7 @@ LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
     option.enable_simd = true;
     option.enable_ref_types = true;
     option.enable_gc = true;
+    option.aux_stack_frame_type = AOT_STACK_FRAME_TYPE_STANDARD;
 
     comp_data =
         aot_create_comp_data(module, option.target_arch, option.enable_gc);