Cranelift: Make heap_addr return calculated base + index + offset (#5231)

* Cranelift: Make `heap_addr` return calculated `base + index + offset`

Rather than return just the `base + index`.

(Note: I've chosen to use the nomenclature "index" for the dynamic operand and
"offset" for the static immediate.)

This move the addition of the `offset` into `heap_addr`, instead of leaving it
for the subsequent memory operation, so that we can Spectre-guard the full
address, and not allow speculative execution to read the first 4GiB of memory.

Before this commit, we were effectively doing

    load(spectre_guard(base + index) + offset)

Now we are effectively doing

    load(spectre_guard(base + index + offset))

Finally, this also corrects `heap_addr`'s documented semantics to say that it
returns an address that will trap on access if `index + offset + access_size` is
out of bounds for the given heap, rather than saying that the `heap_addr` itself
will trap. This matches the implemented behavior for static memories, and after
https://github.com/bytecodealliance/wasmtime/pull/5190 lands (which is blocked
on this commit) will also match the implemented behavior for dynamic memories.

* Update heap_addr docs

* Factor out `offset + size` to a helper

cranelift/interpreter/src/interpreter.rs

@@ -1011,7 +1011,7 @@ mod tests {
         block0(v0: i64):
             v1 = iconst.i64 0
             v2 = iconst.i64 123
-            v3 = heap_addr.i64 heap0, v1, 8
+            v3 = heap_addr.i64 heap0, v1, 0, 8
             store.i64 v2, v3
             v4 = load.i64 v3
             v5 = icmp eq v2, v4

cranelift/interpreter/src/step.rs

@@ -119,10 +119,6 @@ where
             }
             // 32-bit
             InstructionData::UnaryIeee32 { imm, .. } => DataValue::from(imm),
-            InstructionData::HeapAddr { imm, .. } => {
-                let imm: u32 = imm.into();
-                DataValue::from(imm as i32) // Note the switch from unsigned to signed.
-            }
             InstructionData::Load { offset, .. }
             | InstructionData::Store { offset, .. }
             | InstructionData::StackLoad { offset, .. }
@@ -489,19 +485,27 @@ where
         Opcode::SymbolValue => unimplemented!("SymbolValue"),
         Opcode::TlsValue => unimplemented!("TlsValue"),
         Opcode::HeapAddr => {
-            if let InstructionData::HeapAddr { heap, .. } = inst {
+            if let InstructionData::HeapAddr {
+                heap,
+                offset: imm_offset,
+                size,
+                ..
+            } = inst
+            {
                 let addr_ty = inst_context.controlling_type().unwrap();
-                let offset = arg(0)?.into_int()? as u64;
-                let load_size = imm().into_int()? as u64;
+                let dyn_offset = arg(0)?.into_int()? as u64;
                 assign_or_memtrap({
                     AddressSize::try_from(addr_ty).and_then(|addr_size| {
                         // Attempt to build an address at the maximum possible offset
                         // for this load. If address generation fails we know it's out of bounds.
-                        let bound_offset = (offset + load_size).saturating_sub(1);
+                        let bound_offset =
+                            (dyn_offset + u64::from(u32::from(imm_offset)) + u64::from(size))
+                                .saturating_sub(1);
                         state.heap_address(addr_size, heap, bound_offset)?;
 
                         // Build the actual address
-                        let addr = state.heap_address(addr_size, heap, offset)?;
+                        let mut addr = state.heap_address(addr_size, heap, dyn_offset)?;
+                        addr.offset += u64::from(u32::from(imm_offset));
                         let dv = DataValue::try_from(addr)?;
                         Ok(dv.into())
                     })