From c90629809b047912aa1b3e039400dcf6e2b2a59f Mon Sep 17 00:00:00 2001
From: Yi LIU
Date: Sat, 21 Feb 2026 10:16:00 +0800
Subject: [PATCH] Fix sign extension of i32 addresses in interpreter's getFinalAddress

ptr.geti32() returns int32_t, which gets sign-extended to int64_t via C++ ternary promotion rules before being stored as uint64_t. For i32 addresses >= 0x80000000, this produces incorrect 64-bit addresses (e.g., 0xFFFFFFFF80000000 instead of 0x80000000), causing spurious out-of-bounds traps. Fix by casting through uint32_t first to zero-extend instead of sign-extend. Update expected test outputs that contained the old sign-extended trap values.
---
 src/wasm-interpreter.h | 6 ++++--
 test/lit/exec/simd-load-lane-oob.wast | 4 ++--
 test/passes/fuzz-exec_O.txt | 8 ++++----
 test/passes/fuzz-exec_all-features.txt | 4 ++--
 4 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/src/wasm-interpreter.h b/src/wasm-interpreter.h
index 5ae570437ed..df8c9c05c9e 100644
--- a/src/wasm-interpreter.h
+++ b/src/wasm-interpreter.h
@@ -5151,7 +5151,8 @@ class ModuleRunnerBase : public ExpressionRunner {
 Address getFinalAddress(LS* curr, Literal ptr, Index bytes, Address memorySize) {
 Address memorySizeBytes = memorySize * Memory::kPageSize;
- uint64_t addr = ptr.type == Type::i32 ? ptr.geti32() : ptr.geti64();
+ uint64_t addr = ptr.type == Type::i32 ? (uint64_t)(uint32_t)ptr.geti32()
+ : (uint64_t)ptr.geti64();
 trapIfGt(curr->offset, memorySizeBytes, "offset > memory");
 trapIfGt(addr, memorySizeBytes - curr->offset, "final > memory");
 addr += curr->offset;
@@ -5167,7 +5168,8 @@ class ModuleRunnerBase : public ExpressionRunner {
 Address getFinalAddressWithoutOffset(Literal ptr, Index bytes, Address memorySize) {
- uint64_t addr = ptr.type == Type::i32 ? ptr.geti32() : ptr.geti64();
+ uint64_t addr = ptr.type == Type::i32 ? (uint64_t)(uint32_t)ptr.geti32()
+ : (uint64_t)ptr.geti64();
 checkLoadAddress(addr, bytes, memorySize);
 return addr;
 }
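Review bot: The widening expression is now duplicated verbatim in getFinalAddress and, in the second hunk, getFinalAddressWithoutOffset, and neither hunk records why the intermediate `(uint32_t)` cast is load-bearing, so a later cleanup could fold it back into the sign-extending form this commit removes. I would move the widening into one documented helper used by both callers, with named casts instead of C-style ones, so getFinalAddressWithoutOffset becomes `uint64_t addr = widenAddress(ptr);` and the explanatory comment travels with the logic. The test changes in this commit only update expected trap messages (the diffstat shows matching insertion and deletion counts for each test file); the behaviour the message describes fixing — an i32 address at or above 0x80000000 that is in bounds on a memory of at least 32768 pages and no longer traps — is not exercised, so a lit exec case for it would pin the fix. getFinalAddress's body continues past the end of the first hunk.
```cpp
  // Widen a linear-memory address to 64 bits. Wasm i32 addresses are unsigned,
  // but geti32() returns int32_t, so mixing it with geti64() in a ternary
  // sign-extends values at or above 0x80000000. Cast through uint32_t first
  // so the value is zero-extended instead.
  static uint64_t widenAddress(Literal ptr) {
    return ptr.type == Type::i32
             ? static_cast<uint64_t>(static_cast<uint32_t>(ptr.geti32()))
             : static_cast<uint64_t>(ptr.geti64());
  }

  Address getFinalAddress(LS* curr, Literal ptr, Index bytes, Address memorySize) {
    Address memorySizeBytes = memorySize * Memory::kPageSize;
    uint64_t addr = widenAddress(ptr);
    // … unchanged: offset and bounds traps, rest of getFinalAddress …
```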
diff --git a/test/lit/exec/simd-load-lane-oob.wast b/test/lit/exec/simd-load-lane-oob.wast
index 2d0ed4d3af3..6227de060f9 100644
--- a/test/lit/exec/simd-load-lane-oob.wast
+++ b/test/lit/exec/simd-load-lane-oob.wast
@@ -10,7 +10,7 @@
 (global $g (mut i32) (i32.const 0)) ;; CHECK: [fuzz-exec] calling oob
- ;; CHECK-NEXT: [trap final > memory: 18446744073709551615 > 65536]
+ ;; CHECK-NEXT: [trap final > memory: 4294967295 > 65536]
 (func $oob (export "oob") (drop ;; This should trap, but not until after setting the global.
@@ -34,7 +34,7 @@
 ) ) ;; CHECK: [fuzz-exec] calling oob
-;; CHECK-NEXT: [trap final > memory: 18446744073709551615 > 65536]
+;; CHECK-NEXT: [trap final > memory: 4294967295 > 65536]
 ;; CHECK: [fuzz-exec] calling get ;; CHECK-NEXT: [fuzz-exec] note result: get => 1
diff --git a/test/passes/fuzz-exec_O.txt b/test/passes/fuzz-exec_O.txt
index d636cc765ea..d9e1cf79115 100644
--- a/test/passes/fuzz-exec_O.txt
+++ b/test/passes/fuzz-exec_O.txt
@@ -1,7 +1,7 @@
 [fuzz-exec] calling func_0
-[trap final > memory: 18446744073709551615 > 65514]
+[trap final > memory: 4294967295 > 65514]
 [fuzz-exec] calling func_1
-[trap final > memory: 18446744073709551615 > 65514]
+[trap final > memory: 4294967295 > 65514]
 (module
 (type $0 (func (result i64)))
 (type $1 (func (result i32)))
@@ -25,9 +25,9 @@
 )
 )
 [fuzz-exec] calling func_0
-[trap final > memory: 18446744073709551615 > 65514]
+[trap final > memory: 4294967295 > 65514]
 [fuzz-exec] calling func_1
-[trap final > memory: 18446744073709551615 > 65514]
+[trap final > memory: 4294967295 > 65514]
 [fuzz-exec] comparing func_0
 [fuzz-exec] comparing func_1
 [fuzz-exec] calling div
diff --git a/test/passes/fuzz-exec_all-features.txt b/test/passes/fuzz-exec_all-features.txt
index fcb8e8a3c6b..16588f7ada4 100644
--- a/test/passes/fuzz-exec_all-features.txt
+++ b/test/passes/fuzz-exec_all-features.txt
@@ -68,7 +68,7 @@
 [fuzz-exec] calling wrap_cmpxchg
 [LoggingExternalInterface logging 42]
 [fuzz-exec] calling oob_notify
-[trap final > memory: 18446744073709551512 > 65514]
+[trap final > memory: 4294967192 > 65514]
 (module
 (type $0 (func (result i32)))
 (type $1 (func (param i32)))
@@ -137,7 +137,7 @@
 [fuzz-exec] calling wrap_cmpxchg
 [LoggingExternalInterface logging 42]
 [fuzz-exec] calling oob_notify
-[trap final > memory: 18446744073709551512 > 65514]
+[trap final > memory: 4294967192 > 65514]
 [fuzz-exec] comparing aligned_for_size
 [fuzz-exec] comparing oob_notify
 [fuzz-exec] comparing unaligned_load