Merge commit from fork

kylo5aby · web-flow · commit ea7ac262a362 · 2025-11-24T14:23:05.000+08:00
diff --git a/core/iwasm/interpreter/wasm_loader.c b/core/iwasm/interpreter/wasm_loader.c
@@ -9572,6 +9572,16 @@ preserve_local_for_block(WASMLoaderContext *loader_ctx, uint8 opcode,
 
     /* preserve locals before blocks to ensure that "tee/set_local" inside
         blocks will not influence the value of these locals */
+    uint32 frame_offset_cell =
+        (uint32)(loader_ctx->frame_offset - loader_ctx->frame_offset_bottom);
+    uint32 frame_ref_cell =
+        (uint32)(loader_ctx->frame_ref - loader_ctx->frame_ref_bottom);
+    if (frame_offset_cell < loader_ctx->stack_cell_num
+        || frame_ref_cell < loader_ctx->stack_cell_num) {
+        set_error_buf(error_buf, error_buf_size, "stack cell num error");
+        return false;
+    }
+
     while (i < loader_ctx->stack_cell_num) {
         int16 cur_offset = loader_ctx->frame_offset_bottom[i];
         uint8 cur_type = loader_ctx->frame_ref_bottom[i];
@@ -11928,13 +11938,19 @@ wasm_loader_prepare_bytecode(WASMModule *module, WASMFunction *func,
                             break;
                         }
 
+                        uint8 *frame_ref_before_pop = loader_ctx->frame_ref;
                         POP_TYPE(
                             wasm_type->types[wasm_type->param_count - i - 1]);
 #if WASM_ENABLE_FAST_INTERP != 0
                         /* decrease the frame_offset pointer accordingly to keep
-                         * consistent with frame_ref stack */
-                        cell_num = wasm_value_type_cell_num(
-                            wasm_type->types[wasm_type->param_count - i - 1]);
+                         * consistent with frame_ref stack. Use the actual
+                         * popped cell count instead of
+                         * wasm_value_type_cell_num() because when the stack top
+                         * is VALUE_TYPE_ANY, wasm_loader_pop_frame_ref always
+                         * pops exactly 1 cell regardless of the expected type
+                         */
+                        cell_num = (uint32)(frame_ref_before_pop
+                                            - loader_ctx->frame_ref);
                         loader_ctx->frame_offset -= cell_num;
 
                         if (loader_ctx->frame_offset
diff --git a/tests/regression/ba-issues/issues/issue-980000/frame_offset_overflow.wasm b/tests/regression/ba-issues/issues/issue-980000/frame_offset_overflow.wasm
diff --git a/tests/regression/ba-issues/issues/issue-980000/frame_offset_overflow.wat b/tests/regression/ba-issues/issues/issue-980000/frame_offset_overflow.wat
@@ -0,0 +1,70 @@
+(module
+  (global $g0 (mut i32) (i32.const 0))
+  (global $g1 (mut i32) (i32.const 0))
+  (global $g2 (mut i32) (i32.const 0))
+  (global $g3 (mut i32) (i32.const 0))
+  (global $g4 (mut i32) (i32.const 0))
+  (global $g5 (mut i32) (i32.const 0))
+  (global $g6 (mut i32) (i32.const 0))
+  (global $g7 (mut i32) (i32.const 0))
+
+  (export "test" (func $0))
+  (func $0
+    (local i32)
+
+    global.get $g0
+    global.get $g1
+    global.get $g2
+    global.get $g3
+    global.get $g4
+    global.get $g5
+    global.get $g6
+    global.get $g7
+    global.get $g0
+    global.get $g1
+    global.get $g2
+    global.get $g3
+    global.get $g4
+    global.get $g5
+    global.get $g6
+    global.get $g7
+    global.get $g0
+    global.get $g1
+    global.get $g2
+    global.get $g3
+    global.get $g4
+    global.get $g4
+    global.get $g4
+    global.get $g4
+    global.get $g4
+    global.get $g4
+    global.get $g4
+    global.get $g4
+    global.get $g4
+    global.get $g0
+
+    ;; has consumed 30 elements, left 2 elements on stack
+    block
+     block
+        f64.const 3.14
+        ;; RESET current block stack and mark polymorphic
+        unreachable
+        ;; PUSH ANY
+        select
+
+        loop (param i64) (result i32)
+          ;; NOW, unmatched stacks. Enlarge frame_ref stack. Keep frame_offset stack unchanged.
+          global.get $g0
+          i32.eqz
+          ;; OUT-OF-BOUNDS
+          if
+            unreachable
+          end
+          i32.wrap_i64
+        end
+        local.set 0
+      end
+    end 
+    unreachable
+  )
+)
diff --git a/tests/regression/ba-issues/running_config.json b/tests/regression/ba-issues/running_config.json
@@ -1754,6 +1754,22 @@
                 "stdout content": "",
                 "description": "no sanitizer 'heap-buffer-overflow'"
             }
+        },
+        {
+            "deprecated": false,
+            "ids": [
+                980000
+            ],
+            "runtime": "iwasm-default",
+            "file": "frame_offset_overflow.wasm",
+            "mode": "fast-interp",
+            "options": "-f test",
+            "argument": "",
+            "expected return": {
+                "ret code": 1,
+                "stdout content": "Exception: unreachable",
+                "description": "no 'frame offset overflow'"
+            }
         }
     ]
 }

Original file line number	Diff line number	Diff line change
`@@ -1754,6 +1754,22 @@`
`1754`	`1754`	`"stdout content": "",`
`1755`	`1755`	`"description": "no sanitizer 'heap-buffer-overflow'"`
`1756`	`1756`	`}`
	`1757`	`+ },`
	`1758`	`+ {`
	`1759`	`+ "deprecated": false,`
	`1760`	`+ "ids": [`
	`1761`	`+ 980000`
	`1762`	`+ ],`
	`1763`	`+ "runtime": "iwasm-default",`
	`1764`	`+ "file": "frame_offset_overflow.wasm",`
	`1765`	`+ "mode": "fast-interp",`
	`1766`	`+ "options": "-f test",`
	`1767`	`+ "argument": "",`
	`1768`	`+ "expected return": {`
	`1769`	`+ "ret code": 1,`
	`1770`	`+ "stdout content": "Exception: unreachable",`
	`1771`	`+ "description": "no 'frame offset overflow'"`
	`1772`	`+ }`
`1757`	`1773`	`}`
`1758`	`1774`	`]`
`1759`	`1775`	`}`