From d9a57f8bac6e8dfd366a12f5ff97f58ceb242b91 Mon Sep 17 00:00:00 2001
From: Alon Zakai
Date: Mon, 3 Oct 2022 12:41:35 -0700
Subject: Fix ordering of visit() in MemoryGrow interpretation (#5108)

This is a pretty subtle point that was missed in #4811 - we need to first visit the child, then compute the size, as the child may alter that size.
Found by the fuzzer.
---
 test/lit/exec/memory.grow.wast | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 test/lit/exec/memory.grow.wast

(limited to 'test/lit/exec')

diff --git a/test/lit/exec/memory.grow.wast b/test/lit/exec/memory.grow.wast
new file mode 100644
index 000000000..64d88bfc7
--- /dev/null
+++ b/test/lit/exec/memory.grow.wast
@@ -0,0 +1,26 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py --output=fuzz-exec and should not be edited.
+
+;; RUN: wasm-opt %s -all --fuzz-exec-before -q -o /dev/null 2>&1 | filecheck %s
+
+(module
+  (memory $0 1)
+
+  ;; CHECK: [fuzz-exec] calling grow_twice
+  ;; CHECK-NEXT: [fuzz-exec] note result: grow_twice => 3
+  (func "grow_twice" (result i32)
+    ;; The nested grow will increase the size from 1 to 3, and return the old
+    ;; size, 1. Then the outer grow will grow by that amount 1, from 3 to 4.
+    (memory.grow
+      (memory.grow
+        (i32.const 2)
+      )
+    )
+  )
+
+  ;; CHECK: [fuzz-exec] calling measure
+  ;; CHECK-NEXT: [fuzz-exec] note result: measure => 4
+  (func "measure" (export "measure") (result i32)
+    ;; This should return the final size, 4.
+    (memory.size)
+  )
+)
--
cgit v1.2.3
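Review bot: The `measure` function's expected result of 4 silently depends on fuzz-exec calling the exports in definition order, so `grow_twice` must run first; the comment above `(memory.size)` should say so, e.g. `;; Relies on fuzz-exec invoking exports in definition order: grow_twice has already run.` The same dependency applies to the unbounded `(memory $0 1)`: the expected values hold only because there is no maximum, since with a max below 4 pages the inner grow would return -1 and the outer grow would then attempt to grow by 0xFFFFFFFF pages, so a note like `;; No max: both grows must succeed for the expected values.` would keep a future edit from breaking the regression check. As a point of style, `grow_twice` uses only Binaryen's quoted-name export shorthand while `measure` uses both the shorthand and an explicit `(export "measure")`; picking one form for both functions would make the test easier to read, though I have not confirmed whether the duplicate form is intentional here.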