winch: Fix memory.atomic.* with overflowing offsets (#12909)

alexcrichton · web-flow · commit c2e71eb12ff4 · 2026-03-31T18:26:01.000Z
* winch: Fix `memory.atomic.*` with overflowing offsets

This commit fixes a spec-compliance issue with `memory.atomic.*`
instructions using the Winch compiler. Specifically Winch previously
added the dynamic offset to the static offset when calculating the
effective address of the operation, but this addition was allowed to
overflow. This meant that an operation which should trap would continue
instead. The fix here is to use checked arithmetic at runtime to ensure
that the address computation does not overflow.

* Update test expectations
diff --git a/crates/test-util/src/wast.rs b/crates/test-util/src/wast.rs
@@ -478,6 +478,7 @@ impl WastTest {
                 "spec_testsuite/proposals/threads/atomic.wast",
                 "spec_testsuite/proposals/threads/exports.wast",
                 "spec_testsuite/proposals/threads/memory.wast",
+                "misc_testsuite/memory64/threads.wast",
             ];
 
             if unsupported.iter().any(|part| self.path.ends_with(part)) {
diff --git a/tests/disas/winch/x64/atomic/notify/notify_offset.wat b/tests/disas/winch/x64/atomic/notify/notify_offset.wat
@@ -12,27 +12,29 @@
 ;;       movq    0x18(%r11), %r11
 ;;       addq    $0x20, %r11
 ;;       cmpq    %rsp, %r11
-;;       ja      0x84
+;;       ja      0x8a
 ;;   1c: movq    %rdi, %r14
 ;;       subq    $0x10, %rsp
 ;;       movq    %rdi, 8(%rsp)
 ;;       movq    %rsi, (%rsp)
 ;;       movl    $0xa, %eax
 ;;       movl    $0, %ecx
 ;;       addq    $8, %rcx
-;;       pushq   %rcx
+;;       jb      0x8c
+;;   46: pushq   %rcx
 ;;       subq    $4, %rsp
 ;;       movl    %eax, (%rsp)
 ;;       subq    $4, %rsp
 ;;       movq    %r14, %rdi
 ;;       movl    $0, %esi
 ;;       movq    8(%rsp), %rdx
 ;;       movl    4(%rsp), %ecx
-;;       callq   0x175
+;;       callq   0x17d
 ;;       addq    $4, %rsp
 ;;       addq    $0xc, %rsp
 ;;       movq    8(%rsp), %r14
 ;;       addq    $0x10, %rsp
 ;;       popq    %rbp
 ;;       retq
-;;   84: ud2
+;;   8a: ud2
+;;   8c: ud2
diff --git a/tests/disas/winch/x64/atomic/wait/wait32_offset.wat b/tests/disas/winch/x64/atomic/wait/wait32_offset.wat
@@ -15,7 +15,7 @@
 ;;       movq    0x18(%r11), %r11
 ;;       addq    $0x30, %r11
 ;;       cmpq    %rsp, %r11
-;;       ja      0x91
+;;       ja      0x97
 ;;   1c: movq    %rdi, %r14
 ;;       subq    $0x10, %rsp
 ;;       movq    %rdi, 8(%rsp)
@@ -24,7 +24,8 @@
 ;;       movl    $0, %ecx
 ;;       movl    $4, %edx
 ;;       addq    $8, %rdx
-;;       pushq   %rdx
+;;       jb      0x99
+;;   4d: pushq   %rdx
 ;;       subq    $4, %rsp
 ;;       movl    %ecx, (%rsp)
 ;;       pushq   %rax
@@ -34,11 +35,12 @@
 ;;       movq    0x18(%rsp), %rdx
 ;;       movl    0x14(%rsp), %ecx
 ;;       movq    0xc(%rsp), %r8
-;;       callq   0x182
+;;       callq   0x18a
 ;;       addq    $0xc, %rsp
 ;;       addq    $0x14, %rsp
 ;;       movq    8(%rsp), %r14
 ;;       addq    $0x10, %rsp
 ;;       popq    %rbp
 ;;       retq
-;;   91: ud2
+;;   97: ud2
+;;   99: ud2
diff --git a/tests/disas/winch/x64/atomic/wait/wait64_offset.wat b/tests/disas/winch/x64/atomic/wait/wait64_offset.wat
@@ -15,7 +15,7 @@
 ;;       movq    0x18(%r11), %r11
 ;;       addq    $0x30, %r11
 ;;       cmpq    %rsp, %r11
-;;       ja      0x89
+;;       ja      0x8f
 ;;   1c: movq    %rdi, %r14
 ;;       subq    $0x10, %rsp
 ;;       movq    %rdi, 8(%rsp)
@@ -24,7 +24,8 @@
 ;;       movl    $0, %ecx
 ;;       movl    $4, %edx
 ;;       addq    $8, %rdx
-;;       pushq   %rdx
+;;       jb      0x91
+;;   4d: pushq   %rdx
 ;;       pushq   %rcx
 ;;       pushq   %rax
 ;;       subq    $8, %rsp
@@ -33,11 +34,12 @@
 ;;       movq    0x18(%rsp), %rdx
 ;;       movq    0x10(%rsp), %rcx
 ;;       movq    8(%rsp), %r8
-;;       callq   0x17a
+;;       callq   0x182
 ;;       addq    $8, %rsp
 ;;       addq    $0x18, %rsp
 ;;       movq    8(%rsp), %r14
 ;;       addq    $0x10, %rsp
 ;;       popq    %rbp
 ;;       retq
-;;   89: ud2
+;;   8f: ud2
+;;   91: ud2
diff --git a/tests/misc_testsuite/memory64/threads.wast b/tests/misc_testsuite/memory64/threads.wast
@@ -80,3 +80,31 @@
 )
 
 (assert_return (invoke "run"))
+
+(module
+  (memory i64 1 1 shared)
+
+  (func (export "notify_oob") (param i64) (result i32)
+    local.get 0
+    i32.const 1
+    memory.atomic.notify offset=0x200
+  )
+  (func (export "wait32_oob") (param i64) (result i32)
+    local.get 0
+    i32.const 1
+    i64.const -1
+    memory.atomic.wait32 offset=0x200
+  )
+  (func (export "wait64_oob") (param i64) (result i32)
+    local.get 0
+    i64.const 1
+    i64.const -1
+    memory.atomic.wait64 offset=0x200
+  )
+)
+(assert_trap (invoke "notify_oob" (i64.const 0xFFFF_FFFF_FFFF_FF00))
+  "out of bounds memory access")
+(assert_trap (invoke "wait32_oob" (i64.const 0xFFFF_FFFF_FFFF_FF00))
+  "out of bounds memory access")
+(assert_trap (invoke "wait64_oob" (i64.const 0xFFFF_FFFF_FFFF_FF00))
+  "out of bounds memory access")
diff --git a/winch/codegen/src/codegen/mod.rs b/winch/codegen/src/codegen/mod.rs
@@ -1478,11 +1478,12 @@ where
         )?;
 
         if arg.offset != 0 {
-            self.masm.add(
+            self.masm.checked_uadd(
                 writable!(addr.reg),
                 addr.reg,
                 RegImm::i64(arg.offset as i64),
                 OperandSize::S64,
+                TrapCode::HEAP_OUT_OF_BOUNDS,
             )?;
         }
 
@@ -1528,11 +1529,12 @@ where
         )?;
 
         if arg.offset != 0 {
-            self.masm.add(
+            self.masm.checked_uadd(
                 writable!(addr.reg),
                 addr.reg,
                 RegImm::i64(arg.offset as i64),
                 OperandSize::S64,
+                TrapCode::HEAP_OUT_OF_BOUNDS,
             )?;
         }
 
