winch: Fix a host panic when executing table.fill (#13010)

alexcrichton · web-flow · commit f89d910b4a24 · 2026-04-09T19:03:51.000Z
This commit fixes a possible panic when a Winch-compiled module executes the `table.fill` instruction. Refactoring in #11254 updated Cranelift but forgot to update Winch meaning that Winch's indices were still using the module-level indices instead of the `DefinedTableIndex` space. This adds some tests and updates Winch's translation to use preexisting helpers.
diff --git a/tests/misc_testsuite/winch/table_fill.wast b/tests/misc_testsuite/winch/table_fill.wast
@@ -65,3 +65,39 @@
   (invoke "fill" (i32.const 8) (i32.const 0) (i32.const 3))
   "out of bounds table access"
 )
+
+(module $t
+  (table (export "t") 1 funcref)
+)
+
+(module
+  (import "t" "t" (table $t1 1 funcref))
+  (table $t2 2 funcref)
+
+  (func (export "fill1") (param i32 funcref i32)
+    local.get 0
+    local.get 1
+    local.get 2
+    table.fill $t1)
+
+  (func (export "fill2") (param i32 funcref i32)
+    local.get 0
+    local.get 1
+    local.get 2
+    table.fill $t2)
+)
+
+(assert_return (invoke "fill1" (i32.const 0) (ref.null func) (i32.const 0)))
+(assert_return (invoke "fill1" (i32.const 0) (ref.null func) (i32.const 1)))
+(assert_return (invoke "fill1" (i32.const 1) (ref.null func) (i32.const 0)))
+(assert_trap (invoke "fill1" (i32.const 2) (ref.null func) (i32.const 0))
+  "out of bounds table access")
+
+(assert_return (invoke "fill2" (i32.const 0) (ref.null func) (i32.const 0)))
+(assert_return (invoke "fill2" (i32.const 0) (ref.null func) (i32.const 1)))
+(assert_return (invoke "fill2" (i32.const 0) (ref.null func) (i32.const 2)))
+(assert_return (invoke "fill2" (i32.const 1) (ref.null func) (i32.const 0)))
+(assert_return (invoke "fill2" (i32.const 1) (ref.null func) (i32.const 1)))
+(assert_return (invoke "fill2" (i32.const 2) (ref.null func) (i32.const 0)))
+(assert_trap (invoke "fill2" (i32.const 3) (ref.null func) (i32.const 0))
+  "out of bounds table access")
diff --git a/winch/codegen/src/visitor.rs b/winch/codegen/src/visitor.rs
@@ -1805,13 +1805,9 @@ where
 
         let at = self.context.stack.ensure_index_at(3)?;
 
-        self.context.stack.insert_many(at, &[table.try_into()?]);
-        FnCall::emit::<M>(
-            &mut self.env,
-            self.masm,
-            &mut self.context,
-            Callee::Builtin(builtin.clone()),
-        )?;
+        let callee = self.prepare_builtin_defined_table_arg(table_index, at, builtin)?;
+        FnCall::emit::<M>(&mut self.env, self.masm, &mut self.context, callee)?;
+
         self.context.pop_and_free(self.masm)
     }
 
