Fix bug in SIMDLoadStoreLane interpretation (WebAssembly#7237)

tlively · web-flow · commit ff423ae11293 · 2025-01-23T15:22:45.000-08:00
The interpreter incorrectly trapped on OOB addresses before evaluating
the vector operand. This bug became visible when the vector operand had
side effects. Reorder the code to fix the problem.
diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
@@ -3812,20 +3812,20 @@ class ModuleRunnerBase : public ExpressionRunner<SubType> {
   }
   Flow visitSIMDLoadStoreLane(SIMDLoadStoreLane* curr) {
     NOTE_ENTER("SIMDLoadStoreLane");
-    Flow flow = self()->visit(curr->ptr);
-    if (flow.breaking()) {
-      return flow;
+    Flow ptrFlow = self()->visit(curr->ptr);
+    if (ptrFlow.breaking()) {
+      return ptrFlow;
     }
     NOTE_EVAL1(flow);
+    Flow vecFlow = self()->visit(curr->vec);
+    if (vecFlow.breaking()) {
+      return vecFlow;
+    }
     auto info = getMemoryInstanceInfo(curr->memory);
     auto memorySize = info.instance->getMemorySize(info.name);
     Address addr = info.instance->getFinalAddress(
-      curr, flow.getSingleValue(), curr->getMemBytes(), memorySize);
-    flow = self()->visit(curr->vec);
-    if (flow.breaking()) {
-      return flow;
-    }
-    Literal vec = flow.getSingleValue();
+      curr, ptrFlow.getSingleValue(), curr->getMemBytes(), memorySize);
+    Literal vec = vecFlow.getSingleValue();
     switch (curr->op) {
       case Load8LaneVec128:
       case Store8LaneVec128: {
diff --git a/test/lit/exec/simd-load-lane-oob.wast b/test/lit/exec/simd-load-lane-oob.wast
@@ -0,0 +1,42 @@
+;; NOTE: Assertions have been generated by update_lit_checks.py --output=fuzz-exec and should not be edited.
+
+;; RUN: wasm-opt %s -all --fuzz-exec -q -o /dev/null 2>&1 | filecheck %s
+
+;; Regression test for a bug where the vector operand to SIMDLoadStoreLane was
+;; not evaluated if the preceding ptr operand was OOB.
+
+(module
+  (memory $mem 1 1)
+  (global $g (mut i32) (i32.const 0))
+
+  ;; CHECK:      [fuzz-exec] calling oob
+  ;; CHECK-NEXT: [trap final > memory: 18446744073709551615 > 65536]
+  (func $oob (export "oob")
+    (drop
+      ;; This should trap, but not until after setting the global.
+      (v128.load64_lane 0
+        (i32.const -1)
+        (block (result v128)
+          (global.set $g
+            (i32.const 1)
+          )
+          (v128.const i32x4 0 0 0 0)
+        )
+      )
+    )
+  )
+
+  ;; CHECK:      [fuzz-exec] calling get
+  ;; CHECK-NEXT: [fuzz-exec] note result: get => 1
+  (func $get (export "get") (result i32)
+    ;; This should be 1
+    (global.get $g)
+  )
+)
+;; CHECK:      [fuzz-exec] calling oob
+;; CHECK-NEXT: [trap final > memory: 18446744073709551615 > 65536]
+
+;; CHECK:      [fuzz-exec] calling get
+;; CHECK-NEXT: [fuzz-exec] note result: get => 1
+;; CHECK-NEXT: [fuzz-exec] comparing get
+;; CHECK-NEXT: [fuzz-exec] comparing oob
