-rw-r--r-- | src/wasm-interpreter.h | 13 | ||||
-rw-r--r-- | test/lit/exec/table.fill.wast | 32 |
2 files changed, 36 insertions, 9 deletions
diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
index f9b7e8c50..c12f9cc33 100644
--- a/src/wasm-interpreter.h
+++ b/src/wasm-interpreter.h
@@ -3137,21 +3137,16 @@ public:
 }
 auto info = getTableInstanceInfo(curr->table);
- auto* table = self()->wasm.getTable(info.name);
- Index dest = table->indexType == Type::i64
- ? destFlow.getSingleValue().geti64()
- : destFlow.getSingleValue().geti32();
+ auto dest = destFlow.getSingleValue().getUnsigned();
 Literal value = valueFlow.getSingleValue();
- Index size = table->indexType == Type::i64
- ? sizeFlow.getSingleValue().geti64()
- : sizeFlow.getSingleValue().geti32();
+ auto size = sizeFlow.getSingleValue().getUnsigned();
- Index tableSize = info.interface()->tableSize(info.name);
+ auto tableSize = info.interface()->tableSize(info.name);
 if (dest + size > tableSize) {
 trap("out of bounds table access");
 }
- for (Index i = 0; i < size; ++i) {
+ for (uint64_t i = 0; i < size; i++) {
 info.interface()->tableStore(info.name, dest + i, value);
 }
 return Flow();
diff --git a/test/lit/exec/table.fill.wast b/test/lit/exec/table.fill.wast
new file mode 100644
index 000000000..b2f092bc4
--- /dev/null
+++ b/test/lit/exec/table.fill.wast
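Review bot: The bounds check `if (dest + size > tableSize)` can still wrap around now that both operands come from `getUnsigned()`: widening them closes the 32-bit wrap the new test exercises, but for a table whose index type is i64 a `dest` of 1 with a `size` of 0xFFFFFFFFFFFFFFFF sums to 0, the trap is skipped, and the loop below then calls `tableStore` for indices past the end of the table (or, if `tableStore` bounds-checks itself, spins for an effectively unbounded number of iterations). Since the interpreter runs whatever module it is given, the check should be written in a form that cannot overflow, e.g. `if (size > tableSize || dest > tableSize - size) {`. I am assuming `getUnsigned()` yields a 64-bit value; if `tableSize()` returns a narrower type the subtraction above still promotes correctly, but that is worth confirming. The enclosing visitor function begins before this hunk.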
@@ -0,0 +1,32 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py --output=fuzz-exec and should not be edited.
+
+;; RUN: wasm-opt %s -all --fuzz-exec-before -q -o /dev/null 2>&1 | filecheck %s
+
+(module
+ (type $i32 (func (result i32)))
+
+ (table $table 32 32 funcref)
+
+ (func $i32 (type $i32) (result i32)
+ (i32.const 0)
+ )
+
+ ;; CHECK: [fuzz-exec] calling fill
+ ;; CHECK-NEXT: [trap out of bounds table access]
+ (func $fill (export "fill")
+ ;; This fill is out of bounds as the -1 is unsigned. Nothing will be written.
+ (table.fill $table
+ (i32.const 1)
+ (ref.func $i32)
+ (i32.const -1)
+ )
+ )
+ ;; CHECK: [fuzz-exec] calling call
+ ;; CHECK-NEXT: [trap uninitialized table element]
+ (func $call (export "call") (result i32)
+ ;; Nothing was written, so this traps.
+ (call_indirect $table (type $i32)
+ (i32.const 1)
+ )
+ )
+)
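Review bot: The new test only covers a table with a 32-bit index, so it does not exercise the 64-bit path the interpreter change opens up by reading both operands through `getUnsigned()`. A companion module with a table declared with an i64 index type, filling from `(i64.const 1)` with a size of `(i64.const -1)`, would pin down that the out-of-bounds trap is still reported in that case; the CHECK lines would be regenerated with update_lit_checks.py as the NOTE on the first line describes. The existing comment "This fill is out of bounds as the -1 is unsigned" reads well and could be reused for that case.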