fix: false OOB in array.fill for interp (#4645)

* cherry-pick gc spec test case

* Fix false OOB in array.fill

Author: XeniaLu

core/iwasm/interpreter/wasm_interp_classic.c

@@ -3165,7 +3165,7 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
 
                         if (len > 0) {
                             if ((uint64)start_offset + len
-                                >= wasm_array_obj_length(array_obj)) {
+                                > wasm_array_obj_length(array_obj)) {
                                 wasm_set_exception(
                                     module, "out of bounds array access");
                                 goto got_exception;

core/iwasm/interpreter/wasm_interp_fast.c

@@ -2562,7 +2562,7 @@ wasm_interp_call_func_bytecode(WASMModuleInstance *module,
 
                         if (len > 0) {
                             if ((uint64)start_offset + len
-                                >= wasm_array_obj_length(array_obj)) {
+                                > wasm_array_obj_length(array_obj)) {
                                 wasm_set_exception(
                                     module, "out of bounds array access");
                                 goto got_exception;

tests/wamr-test-suites/spec-test-script/gc_array_fill_cases.patch

@@ -0,0 +1,27 @@
+diff --git a/test/core/gc/array_fill.wast b/test/core/gc/array_fill.wast
+index 0379ad53..73122178 100644
+--- a/test/core/gc/array_fill.wast
++++ b/test/core/gc/array_fill.wast
+@@ -79,3 +79,22 @@
+ (assert_return (invoke "array_get_nth" (i32.const 2)) (i32.const 11))
+ (assert_return (invoke "array_get_nth" (i32.const 3)) (i32.const 11))
+ (assert_return (invoke "array_get_nth" (i32.const 4)) (i32.const 0))
++
++;; fill the whole array
++(assert_return (invoke "array_fill" (i32.const 0) (i32.const 42) (i32.const 12)))
++(assert_return (invoke "array_get_nth" (i32.const 0)) (i32.const 42))
++(assert_return (invoke "array_get_nth" (i32.const 2)) (i32.const 42))
++(assert_return (invoke "array_get_nth" (i32.const 5)) (i32.const 42))
++(assert_return (invoke "array_get_nth" (i32.const 11)) (i32.const 42))
++
++;; fill the first element
++(assert_return (invoke "array_fill" (i32.const 0) (i32.const 7) (i32.const 1)))
++(assert_return (invoke "array_get_nth" (i32.const 0)) (i32.const 7))
++(assert_return (invoke "array_get_nth" (i32.const 1)) (i32.const 42))
++(assert_return (invoke "array_get_nth" (i32.const 11)) (i32.const 42))
++
++;; fill the last 2 elements
++(assert_return (invoke "array_fill" (i32.const 10) (i32.const 9) (i32.const 2)))
++(assert_return (invoke "array_get_nth" (i32.const 9)) (i32.const 42))
++(assert_return (invoke "array_get_nth" (i32.const 10)) (i32.const 9))
++(assert_return (invoke "array_get_nth" (i32.const 11)) (i32.const 9))

tests/wamr-test-suites/test_wamr.sh

@@ -478,6 +478,7 @@ function spec_test()
         #  Dec 9, 2024. Merge branch 'funcref'
         git reset --hard 756060f5816c7e2159f4817fbdee76cf52f9c923
         git apply --ignore-whitespace ../../spec-test-script/gc_ignore_cases.patch || exit 1
+        git apply --ignore-whitespace ../../spec-test-script/gc_array_fill_cases.patch || exit 1
 
         if [[ ${ENABLE_QEMU} == 1 ]]; then
             # Decrease the recursive count for tail call cases as nuttx qemu's