WAMR AOT and JIT modes output `out of bounds` exception

[teyahb8]

Subject of the issue

I generated a test case which I executed with different runtimes. Other runtimes like wasmtime, wasmer, and wasmedge (AOT) shows numeric outputs while wamr's both AOT and JIT modes show out of bounds exception.

Test case

(module
  (type (;0;) (func (param v128 v128 v128 v128 v128)))
  (type (;1;) (func (result v128 v128 v128 v128 v128 v128 v128)))
  (table (;0;) 200 200 funcref)
  (memory (;0;) 65536 65536)
  (global (;0;) (mut v128) v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000)
  (export "main" (func 1))
  (elem (;0;) (i32.const 1) func 0)
  (func (;0;) (type 0) (param v128 v128 v128 v128 v128)
    loop ;; label = @1
      local.get 4
      local.get 4
      v128.const i32x4 0x9e38be94 0x6d102318 0xa65b4709 0x209094c2
      i32x4.le_s
      v128.const i32x4 0xffffffff 0xffffffff 0xffffffff 0xffffffff
      f64x2.min
      i32x4.extract_lane 0
      v128.load32_splat offset=7101 align=1
      i32x4.extmul_low_i16x8_s
      local.set 4
      i32.const 0
      local.get 4
      v128.store16_lane offset=6501 align=1 1
      i32.const 0
      local.get 4
      v128.store16_lane offset=9890 align=1 1
      i32.const 0
      local.get 4
      v128.store32_lane offset=2378 align=1 1
      i32.const 1
      local.get 4
      v128.store offset=911 align=1
      i32.const 1
      if (result v128) ;; label = @2
        i32.const 1
        local.get 4
        v128.store8_lane offset=7931 0
        i32.const 0
        local.get 4
        v128.store8_lane offset=184 1
        i32.const 1
        local.get 4
        v128.store offset=9433 align=1
        i32.const 0
        local.get 4
        v128.store offset=8436 align=1
        i32.const 0
        local.get 4
        v128.store offset=3325 align=1
        i32.const 1
        local.get 4
        v128.store32_lane offset=6428 align=1 0
        nop
        local.get 4
      else
        local.get 4
        local.set 4
        local.get 4
      end
      local.set 4
      i32.const 1
      local.get 4
      v128.store offset=6826 align=1
      i32.const 0
      local.get 4
      v128.store offset=5998 align=1
      i32.const 0
      if ;; label = @2
        i32.const 0
        local.get 4
        v128.store16_lane offset=6802 align=1 1
      end
      i32.const 1
      if (result v128) ;; label = @2
        v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
      else
        local.get 4
      end
      local.set 4
      i32.const 0
      if ;; label = @2
        i32.const 0
        local.get 4
        v128.store16_lane offset=8395 align=1 0
        i32.const 0
        local.get 4
        v128.store8_lane offset=9180 1
        i32.const 0
        local.get 4
        v128.store64_lane offset=2479 align=1 0
        i32.const 0
        local.get 4
        v128.store64_lane offset=1324 align=1 1
        i32.const 1
        local.get 4
        v128.store8_lane offset=8894 1
        i32.const 0
        local.get 4
        v128.store64_lane offset=9543 align=1 1
        i32.const 1
        local.get 4
        v128.store16_lane offset=3455 align=1 1
        i32.const 0
        local.get 4
        v128.store8_lane offset=9809 1
      else
      end
      i32.const 0
      local.get 4
      v128.store offset=2826 align=1
      i32.const 0
      local.get 4
      v128.store16_lane offset=8221 align=1 0
      i32.const 1
      if ;; label = @2
      end
      i32.const 0
      i32.eqz
      if ;; label = @2
      else
      end
      i32.const 0
      if ;; label = @2
        br 1 (;@1;)
      end
    end
  )
  (func (;1;) (type 1) (result v128 v128 v128 v128 v128 v128 v128)
    (local v128)
    v128.const i32x4 0xffffffff 0xffffffff 0xffffffff 0xffffffff
    local.get 0
    local.get 0
    local.get 0
    local.get 0
    local.get 0
    i32.const 1
    call_indirect (type 0)
    v128.const i32x4 0x90832c80 0x00d590fe 0xef7ac849 0xe4f18dea
    local.get 0
    v128.const i32x4 0x9b7054c2 0x75fb2412 0xe571c236 0x4c4a8a98
    f64x2.lt
    v128.not
    local.get 0
    f32x4.demote_f64x2_zero
    v128.const i32x4 0x598cf8de 0x60f36ba2 0xc7e752dd 0xd0b7df8b
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.const i32x4 0x92667e9a 0x5532c5ae 0xfe174d66 0x58b18df6
    f32x4.nearest
    v128.andnot
    local.get 0
    v128.const i32x4 0x00000000 0x00000000 0x00000000 0x00000000
    v128.andnot
    global.set 0
    local.get 0
    local.get 0
    v128.const i32x4 0x9076ee6c 0x3c955e85 0x970c10f9 0xef06639e
    i8x16.sub_sat_s
    local.tee 0
    i32x4.le_u
    local.get 0
    i64x2.extmul_high_i32x4_s
    local.tee 0
    local.get 0
    i32.const 6418
    i16x8.shl
    local.get 0
    f32x4.min
    local.tee 0
    local.get 0
    local.get 0
    i8x16.lt_s
    local.tee 0
    drop
    i32.const 1
    select
    v128.const i32x4 0xf01b7c16 0xa55016e9 0x11036733 0x823ba059
    i32x4.lt_u
    i64.const 8214
    i64x2.replace_lane 1
    local.get 0
    local.get 0
    local.get 0
    drop
    i32.const 1
    select
    i32x4.lt_u
    i32.const 3866
    i8x16.shl
    i32.const 3482
    v128.const i32x4 0x39c4d45b 0x0a4f7b2e 0x3ca8fa2e 0x1f868b4b
    v128.load8_lane offset=1572 0
    v128.const i32x4 0x6e50b977 0x60e5e1ce 0x9a8b78f3 0x62f32f46
    i64x2.le_s
    local.get 0
    local.get 0
    local.get 0
    drop
    i32.const 1
    select
    f32x4.max
    local.tee 0
    i16x8.sub
    local.get 0
    v128.const i32x4 0x6a62ef5c 0xce832208 0xd7d5abc4 0x8cdf1f34
    i16x8.gt_u
    f64x2.sub
    local.get 0
    local.get 0
    local.get 0
    local.get 0
    local.get 0
    local.get 0
    local.get 0
    return
  )
)

Your environment

• Host OS (Ubuntu)
• WAMR version (2.3.1), platform (Linux), cpu architecture (x86_64), running mode (AOT/JIT), etc.

Steps to reproduce

1. Convert the wat code to wasm
2. For AOT mode:
   a. run wamrc --bounds-checks=1 -o shrunken_test1582904.aot shrunken_test1582904.wasm
   b. run iwasm --heap-size=0 -f main shrunken_test1582904.aot
3. For JIT mode:
   a. run iwasm --heap-size=0 --llvm-jit -f main shrunken_test1582904.wasm

Expected behavior

Output should be a list of 7 numbers.

Actual behavior

Exception: out of bounds memory access

Extra Info

Can you please confirm? Thanks in advance.

[TianyouLi]

Will this issue exist in interpreter mode?

[teyahb8]

This test case has SIMD instructions. Is SIMD now supported on the interpreter mode?

[TianyouLi]

Reproduced but core dump at the end.

main branch with commit tag: b322e29

[TianyouLi]

@teyahb8 I tried "wasm-interp ./shrunken_test.wasm", empty output. Will it be expected?

[yamt]

@teyahb8 I tried "wasm-interp ./shrunken_test.wasm", empty output. Will it be expected?

i guess you need -r.

spacetanuki% wasm-interp a.wasm -r main         
main() => v128 i32x4:0x7fc00000 0x7fc00000 0x7fc00000 0x7fc00000, v128 i32x4:0x7fc00000 0x7fc00000 0x7fc00000 0x7fc00000, v128 i32x4:0x7fc00000 0x7fc00000 0x7fc00000 0x7fc00000, v128 i32x4:0x7fc00000 0x7fc00000 0x7fc00000 0x7fc00000, v128 i32x4:0x7fc00000 0x7fc00000 0x7fc00000 0x7fc00000, v128 i32x4:0x7fc00000 0x7fc00000 0x7fc00000 0x7fc00000, v128 i32x4:0x7fc00000 0x7fc00000 0x7fc00000 0x7fc00000
spacetanuki% toywasm --load a.wasm --invoke main
Result: 7fc000007fc000007fc000007fc00000:v128, 7fc000007fc000007fc000007fc00000:v128, 7fc000007fc000007fc000007fc00000:v128, 7fc000007fc000007fc000007fc00000:v128, 7fc000007fc000007fc000007fc00000:v128, 7fc000007fc000007fc000007fc00000:v128, 7fc000007fc000007fc000007fc00000:v128
spacetanuki% wasmedge a.wasm main
[2025-08-12 17:20:29.523] [error] execution failed: out of bounds memory access, Code: 0x88
[2025-08-12 17:20:29.524] [error]     Accessing offset from: 0x100001bbc to: 0x100001bbf , Out of boundary: 0xffffffff
[2025-08-12 17:20:29.524] [error]     In instruction: v128.load32_splat (0xfd 0x09) , Bytecode offset: 0x00000099
[2025-08-12 17:20:29.524] [error]     When executing function name: "main"
spacetanuki% wasmtime run --invoke main a.wasm
warning: using `--invoke` with a function that returns values is experimental and may break in the future
339950060001143025775386386672551723008
339950060001143025775386386672551723008
339950060001143025775386386672551723008
339950060001143025775386386672551723008
339950060001143025775386386672551723008
339950060001143025775386386672551723008
339950060001143025775386386672551723008
spacetanuki% wasmer run --invoke main a.wasm  
339950060001143025775386386672551723008 339950060001143025775386386672551723008 339950060001143025775386386672551723008 339950060001143025775386386672551723008 339950060001143025775386386672551723008 339950060001143025775386386672551723008 339950060001143025775386386672551723008
spacetanuki% 

339950060001143025775386386672551723008 == 0xffc00000ffc00000ffc00000ffc00000

[teyahb8]

Thanks @yamt for sharing the outputs. @TianyouLi I am also getting these 7 numbers as output.