Sync with main branch (#4872)

* fix: improve test case handling in test_wamr.sh (#4708)

Correct the error introduced by de4b950.

* wamr/arm: Add CFI directives to Thumb VFP assembly for better debugging (#4697)

Add Call Frame Information (CFI) directives to invokeNative_thumb_vfp.s
to improve stack unwinding and debugging capabilities on ARM platforms.
This enables better backtrace generation and crash analysis.

Changes include:
- Add .cfi_startproc/.cfi_endproc directives for proper frame tracking
- Add .cfi_def_cfa_offset and .cfi_def_cfa to track stack pointer changes
- Add .cfi_offset directives to track saved register locations
- Convert local labels to use .L prefix following assembly conventions

These CFI directives allow debuggers and exception handlers to properly
unwind the stack through native function calls, improving the debugging
experience for WAMR applications on ARM targets.

Signed-off-by: Huang Qi <huangqi3@xiaomi.com>

* build(deps): Bump actions/upload-artifact from 4.6.2 to 5.0.0 (#4711)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 5.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4.6.2...v5)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): Bump actions/checkout from 3 to 5 (#4710)

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v3...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): Bump github/codeql-action from 3.29.1 to 4.31.3 (#4709)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.1 to 4.31.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v3.29.1...v4.31.3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Adding additional text around the resr requirement for code contributions to make supplying a test mandatory, except in exceptional situations. (#4713)

* Merge commit from fork

* Merge commit from fork

* fix: remove SIMD prefix handling from interpreter and update opcode definitions

* test: add case for classic interpreter handling of unsupported SIMD opcodes

* Fast-interp should report unsupported opcode (#4723)

when meeting simd opcode on non-posix platforms

* refactor: Improve debug experience with CFI directives and proper label naming in Thumb invokeNative (#4719)

This change enhances debugging support and improves assembly code quality:

1. Add CFI (Call Frame Information) directives (.cfi_startproc, .cfi_def_cfa_offset, .cfi_offset, .cfi_endproc) to provide proper call frame information for debuggers
2. Improve label naming by using dot-prefixed conventions (.Lreturn, .Lcall_func, etc.) following assembly best practices

These improvements enhance debugging capabilities and code maintainability while preserving functionality.

Signed-off-by: Huang Qi <huangqi3@xiaomi.com>

* chore: update NuttX version to 12.11 in CI workflows (#4720)

The NuttX project released version 12.11 with improvements and bug fixes.
Updating the CI workflows to use the latest stable version ensures that
WAMR testing and compilation verification runs against the most current
NuttX release.

Updated 4 repository references total across 2 workflow files to point to
the new release branch.

Signed-off-by: Huang Qi <huangqi3@xiaomi.com>

* ci: add raspberrypi-pico-2 to nuttx build matrix (#4721)

Add Raspberry Pi Pico 2 (Cortex-M33) board configuration to the NuttX CI build matrix to ensure WAMR compatibility testing covers the Cortex-M33 platform. The board configuration path "boards/arm/rp23xx/raspberrypi-pico-2/configs/nsh" is inserted after the cortex-m7 configuration to maintain logical architecture ordering.

* add a set of apis to configure wasi via InstantiationArgs2 (#4707)

* track if WASIArguments is configured by user

i plan to use this to decide which wasi arguments
(the one from module or the one from InstantiationArgs2)
to use.

* add WASIArguments to InstantiationArgs2

* use wasi configuration from InstantiationArgs2 if any

fallback to the via-module configuration for now.

* add a few api to configure wasi via InstantiationArgs2

* configure wasi via InstantiationArgs2 for platforms using libc_wasi.c

* rt-thread: migrate to libc_wasi_set_init_args

* common/libc_wasi.c: retire libc_wasi_init

* fix build without wasi

* Namespace generated headers with zephyr/ (#4670)

* Namespace generated headers with zephyr/

---------

Signed-off-by: Krisztian Szilvasi <34309983+kr-t@users.noreply.github.com>

* build(deps): Bump github/codeql-action from 4.31.3 to 4.31.5 (#4727)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.3 to 4.31.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.31.3...v4.31.5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add support for esp32s2 target to idf_component.yml (#4728)

* build(deps): Bump actions/checkout from 5 to 6 (#4726)

Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Remove local fuzzing server (#4729)

The local fuzzing server is a feature that has not been used for a long
time and is currently unmaintained. Temporarily remove it from the
codebase, and restore it when needed.

* Update link to WASI Proposals.md (#4734)

* fix double promotion warning (#4731)

* chore: narrow CI workflow trigger scope for Zephyr compilation

Optimize GitHub Actions workflow execution by limiting triggers to only
changes in the compilation_on_zephyr.yml workflow file itself, reducing
unnecessary workflow runs when other .github files are modified.
* Update pull_request trigger paths to target specific workflow file
* Update push trigger paths to target specific workflow file
* Eliminates redundant CI runs for documentation and script changes

* build: disable CONFIG_RP23XX_UF2_BINARY in NuttX CI

Disable UF2 binary support for RP23XX boards in the compilation
workflow to resolve build issues and maintain consistency with
RP2040 board configuration.

* Added kconfig-tweak --disable CONFIG_RP23XX_UF2_BINARY
* Follows existing pattern for RP2040 boards
* Ensures successful compilation for rp23xx target

* Add missing functions from thumb arch (#4718)

Signed-off-by: Krisztian Szilvasi <34309983+kr-t@users.noreply.github.com>

* ci: update nuttx and nuttx-apps commits to fix CI build (#4736)

Update NuttX and nuttx-apps repository references from release tags to
specific commit hashes to resolve CI build failures.

* Updated nuttx from releases/12.11 to 09a71ec7c16c43398d5acbdcbeee7b08736c3170
* Updated nuttx-apps from releases/12.11 to 6bd593459c4af3cef325c3d22bccd5537a8ed755
* Preserved xtensa-specific commit logic in spec_test_on_nuttx.yml
* Applied changes to both compilation and spec test workflows

Signed-off-by: Huang Qi <huangqi3@xiaomi.com>

* fix: enhance test case execution handling in test_wamr.sh (#4712)

* feat: add support for checking unsupported build configurations (#4690)

* feat: add support for checking unsupported build configurations
* docs: improve clarity and formatting in build_wamr.md
* feat: add check for unsupported SHARED_HEAP + FAST_JIT configuration and update documentation warning
* feat: disable default SIMD setting for 64-bit platform in CMake configuration
* feat: update Android and macOS workflows to handle SIMD support in classic interp mode
* feat: update SGX compilation workflow to handle unsupported FAST_JIT and classic interp mode without SIMD support
* feat: enhance check for unsupported CLASSIC_INTERP configurations
* feat: disable fast interpreter for shared heap tests and update unsupported features test library
* feat: enhance unsupported combination checks and update build configurations for JIT and SIMD
* In regression tests, use llvm-jit and fast-jit to replace multi-tier-jit + running mode. Multi-tier-jit contains both fast-jit and llvm-jit. Fast-jit doesn't support SIMD, but llvm-jit does. So, should multi-tier-jit support SIMD? My answer is NO.
  - The regular form of multi-tier-jit uses fast-jit as tier1 and llvm-jit as
    tier2. Therefore, if fast-jit doesn't support SIMD, the entire multi-tier
    doesn't support SIMD either.
  - `--fast-jit` and `--llvm-jit` of multi-tier-jit  should adhere to the global
    limitations of multi-tier-jit.
* Explicitly specify SIMD, MULTI_MODULE, and their unsupported running modes.
- SIMD and Ref. types are enabled by default on linux and darwin. So remove duplicate feature testing from CI
- Apply new configuration for wasm-c-api compilation commands

* build(deps): Bump actions/checkout from 5.0.1 to 6.0.0 (#4738)

Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.1 to 6.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v5.0.1...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): Bump github/codeql-action from 4.31.5 to 4.31.6 (#4739)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.5 to 4.31.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.31.5...v4.31.6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): Bump actions/checkout from 6.0.0 to 6.0.1 (#4747)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.0 to 6.0.1.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v6...v6.0.1)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): Bump github/codeql-action from 4.31.6 to 4.31.7 (#4746)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.6 to 4.31.7.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.31.6...v4.31.7)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* enable WAMR_BUILD_MULTI_MODULE to apply all wasm-vm unit tests (#4745)

Signed-off-by: zhenweijin <zhenwei.jin@intel.com>

* Add a runtime API for reset shared heap(chain) (#4740)

* add new runtime api for reset shared heap(chain)
* add new unit test case

* build(deps): Bump github/codeql-action from 4.31.7 to 4.31.8 (#4757)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.7 to 4.31.8.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.31.7...v4.31.8)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): Bump actions/cache from 4 to 5 (#4755)

Bumps [actions/cache](https://github.com/actions/cache) from 4 to 5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v4...v5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): Bump actions/upload-artifact from 5.0.0 to 6.0.0 (#4756)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5.0.0 to 6.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v5...v6)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add more unit test cases for interpreter (#4716)

Co-authored-by: ai-assistant

* feat: add documentation for the shared heap feature in WAMR (#4751)

* Ensure --addr-pool mask accepts numbers only (#4619)

* Ensure --addr-pool mask accepts numbers only
* Add mask validation
* Replace mask assignment position
* Use a thread-safe function and free allocated memory

Co-authored-by: liang.he <liang.he@intel.com>

* Fix nightly workflow matrix include duplication (#4761)

* build(deps): Bump github/codeql-action from 4.31.8 to 4.31.9 (#4767)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.8 to 4.31.9.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.31.8...v4.31.9)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Upgrade macos runner of CIs to 15 (#4770)

* fix: update macOS workflow configurations to use macos-15 and macos-15-intel
* fix: remove unsupported build options for macOS workflows

* Implicitly disable the SIMD flag for classic-interp and fast-jit (#4768)

* aot: avoid forcing mmap low addresses on NuttX (#4776)

Signed-off-by: Huang Qi <huangqi3@xiaomi.com>

* fix: update CODEOWNERS to refine reviewer assignments (#4754)

* update wasm-tool smith generation parameters for improved testing (#4779)

* fix: Wrong compiler parameter on MSVC (#4778)

* fix: Wrong compiler parameter on MSVC
* refactor: Move gcc flags to common build script.
* refactor: Add both C/CXX flags

* update Dockerfile and devcontainer configuration (#4773)

The goal is to keep the devcontainer image minimal and its build time as fast as possible.
- Remove all rarely used tools.
- Change the base image to the latest template.
- Synchronize the WASI-SDK and WABT versions with those used by the CI.

Add libzstd for LLVM linking

* Improve tiered support system and compilation flags introduction. (#4750)

* docs: update tiered support documentation with detailed tier definitions and feature classifications and improved compilation flags and links for clarity
* update tiered support documentation to clarify feature support levels and enhance readability
  - Revised descriptions for Tier A to specify that features have been used in products.
  - Reformatted notes on testing, maintenance, and support definitions for better clarity.
  - Added a new section for privileged features with detailed explanations.
  - Updated tables for Tier A, Tier B, and Tier C to include additional targets and compilation flags.

* fix: clear exec_env_tls when destroying exec_env (#4774)

* fix: clear exec_env_tls when destroying exec_env

When an exec_env is destroyed, check if it matches the current thread's
exec_env_tls and clear it to avoid dangling pointer issues.

Without this fix, in daemon-style execution where the same thread runs
multiple WASM modules sequentially (like Cloudflare Workers), the
exec_env_tls can point to freed memory after an exec_env is destroyed,
causing crashes on subsequent executions when the signal handler tries
to access it.

This is critical for AOT mode with hardware bounds checking enabled,
where signal handlers rely on exec_env_tls to handle SIGSEGV properly.

* test(exec_env): add reproducer for exec_env_tls dangling pointer bug

Add test case that reproduces the bug where exec_env_tls is not cleared
on early return paths in invoke_native_with_hw_bound_check.

The test triggers native stack overflow check failure, which causes
wasm_runtime_call_wasm to return early after setting exec_env_tls but
without clearing it. This leaves exec_env_tls pointing to a destroyed
exec_env, causing subsequent calls to fail with "invalid exec env".

Test confirms the fix in wasm_exec_env_destroy correctly clears
exec_env_tls when destroying the exec_env it points to.

* fix(runtime): clear exec_env_tls on early return from stack overflow check

Move the fix to clear exec_env_tls at the source - in the early return
path of invoke_native_with_hw_bound_check when native stack overflow
check fails.

* fix(aot): reserve x18 register on macOS ARM64 (#4775)

* fix(aot): reserve x18 register on macOS ARM64

Apple reserves CPU register x18 for TLS on ARM64. When generating AOT
code for aarch64 on macOS, LLVM may use x18, causing crashes when the
AOT code runs on macOS ARM64 (M1/M2/M3).

This patch:
1. Detects darwin/macho ABI and sets correct vendor string
2. Detects darwin/apple in default triple for platform detection
3. Adds +reserve-x18 to LLVM target features for aarch64 on macOS

The fix only applies when compiling on macOS ARM64 hosts, ensuring
generated AOT code is compatible with Apple's platform requirements.

* test(aot): add x18 register reservation test for macOS ARM64

Add a standalone test to verify that the +reserve-x18 LLVM flag is
correctly applied when compiling AOT for macOS ARM64.

On macOS ARM64, x18 is reserved by Apple for TLS (Thread Local Storage).
Without the +reserve-x18 flag, LLVM may generate code that uses x18,
causing random SIGSEGV crashes (~80% crash rate in testing).

The test:
- Creates a WASM module with 24 local variables to stress register allocation
- Compiles to AOT with -O3 optimization (which would use x18 without the fix)
- Runs 1000 iterations to verify no crashes occur
- Only runs on macOS ARM64 (skipped on other platforms)

Test results:
- Without fix: 82/100 crash rate
- With fix: 0/100 crash rate (1000 iterations verified)

* fix: correct boundary check in dynamic_offset check (#4788)

correct boundary check in check_dynamic_offset_pop when dynamic_offset is 0. When dynamic_offset = 0, check_dynamic_offset_pop will always return true, which may wrongly update dynamic_offset.
also include a typo fix in SET_OPERAND_REF

Signed-off-by: zhenweijin <zhenwei.jin@intel.com>

* Add bh_strtok_r function (#4790)

* Fix alignment calculation for large offsets (#4791)

Signed-off-by: zhenweijin <zhenwei.jin@intel.com>

* build(deps): Bump github/codeql-action from 4.31.9 to 4.31.10 (#4794)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.9 to 4.31.10.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.31.9...v4.31.10)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix potential memory leak  when discarding FreeMachineFunction (#4796)

Signed-off-by: zhenweijin <zhenwei.jin@intel.com>

* fix: disable unsigned integer overflow sanitization (#4785)

* fix: disable unsigned integer overflow sanitization in build configurations

FYI: from https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html

`-fsanitize=unsigned-integer-overflow`: Unsigned integer overflow, where the result of an unsigned integer computation cannot be represented in its type. Unlike signed integer overflow, this is not undefined behavior, but it is often unintentional. This sanitizer does not check for lossy implicit conversions performed before such a computation.

It brings a more common question: which is better, pre-additional-check or post-additional-check to fix a potential unsigned integer overflow? A pre-additional-check involves using a check to prevent integer overflow from the very beginning. A post-additional-check involves using a check after addition to see if there is an overflow.

In this project, post-additional-checking is widely used. let's follow the routine.

for performance sensitive logic, use __builtin_add_overflow etc. provide something like https://github.com/yamt/toywasm/blob/9a5622791e99395e26e6e96cef830af3d91a1685/lib/platform.h#L176-L191 and encourage the use of them.

ref. #4549 (comment)

* fix: ensure proper definition checks for build options in CMakeLists of wasm-mutator
* optimize how to involve sanitizer flags
* fix: update LLVM branch and refine sanitizer flags in CMake configurations
* fix: add requests package to development requirements

* [devcontainer] install ocmal stuff (#4798)

For gc proposal spec test

* Fix memory leak in GC when rootset enumeration fails (#4793)

Signed-off-by: zhenweijin <zhenwei.jin@intel.com>

* Fix memcpy overlap issue in RECOVER_BR_INFO for i64/v128 copy (#4797)

When copying single i64 or V128 values in RECOVER_BR_INFO, source and
destination memory regions may overlap, causing memcpy-param-overlap errors

Use temporary variables to separate read and write operations, preventing
the overlap issue.

This fix references the approach used in the other path (when arity != 1), which calls copy_stack_values, that function explicitly handles memcpy overlap.

Signed-off-by: zhenweijin <zhenwei.jin@intel.com>

* language-bindings/go: upgrade yaml.v3 (#4799)

Upgrade github.com/stretchr/testify from v1.7.0 to v1.11.1,
and upgrade gopkg.in/yaml.v3 to v3.0.1

This fixes CVE-2022-28948 in yaml v3.0.0

Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>

* fix code and comment typo (#4802)

* Correct some error handling path in libc_emcc (#4803)

* build(deps): Bump github/codeql-action from 4.31.10 to 4.31.11 (#4810)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.10 to 4.31.11.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.31.10...v4.31.11)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): Bump actions/checkout from 6.0.1 to 6.0.2 (#4809)

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](actions/checkout@v6.0.1...v6.0.2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* gc: complete common heap type coverage in wasm_is_refheaptype_common() (#4801)

Signed-off-by: zhenweijin <zhenwei.jin@intel.com>

* refactor: update clang-tidy configuration for improved checks and error handling (#4811)

* Collective fix (#4808)

* fix a bug in zephyr platform file api
* fix a bug in bh queue
* fix a bug in shared heap malloc when it's memory64

* fix some typo in wamrc (#4807)

* build(deps): Bump github/codeql-action from 4.31.11 to 4.32.0 (#4823)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.11 to 4.32.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.31.11...v4.32.0)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* ci: allow .clang-tidy and fix exception type in guidelines check (#4818)

Signed-off-by: zhenweijin <zhenwei.jin@intel.com>

* Fix a compilation error about calling os_atomic_cmpxchg (#4822)

```
/workspaces/wasm-micro-runtime/core/iwasm/aot/aot_runtime.c:4701:30: error: expected expression
return os_atomic_cmpxchg(_Atomic(void *)ptr, &old_val, new_val);
^
/workspaces/wasm-micro-runtime/core/shared/utils/../platform/include/platform_api_extension.h:135:27: note: expanded from macro 'os_atomic_cmpxchg'
```

* disable the misc-no-recursion checker (#4821)

* Fixed build of Go language bindings (#4825)

* Reduce warnings relevant to Zephyr platform (#4658)

This PR is intended to remove following warnings, when build in Zephyr application:

wasm-micro-runtime/core/shared/platform/zephyr/platform_internal.h:293: warning: "CLOCK_MONOTONIC" redefined
  293 | #define CLOCK_MONOTONIC 4
wasm-micro-runtime/core/shared/platform/zephyr/zephyr_file.c: In function 'zephyr_fs_alloc_obj':
wasm-micro-runtime/core/shared/platform/zephyr/zephyr_file.c:123:25: warning: implicit declaration of function 'bh_strdup' [-Wimplicit-function-declaration]
  123 |             ptr->path = bh_strdup(path);
      |                         ^~~~~~~~~
wasm-micro-runtime/core/shared/platform/zephyr/zephyr_file.c:123:23: warning: assignment to 'char *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
  123 |             ptr->path = bh_strdup(path);
      |                       ^
wasm-micro-runtime/core/shared/platform/zephyr/zephyr_file.c: In function 'os_renameat':
wasm-micro-runtime/core/shared/platform/zephyr/zephyr_file.c:853:35: warning: initialization of 'char *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
  853 |             char *new_path_copy = bh_strdup(new_path);
      |                                   ^~~~~~~~~
[45/462] Building C object CMakeFiles/app.dir/wasm-micro-runtime/core/iwasm/libraries/libc-wasi/sandboxed-system-primitives/src/posix.c.obj
wasm-micro-runtime/core/iwasm/libraries/libc-wasi/sandboxed-system-primitives/src/posix.c: In function 'wasmtime_ssp_poll_oneoff':
wasm-micro-runtime/core/iwasm/libraries/libc-wasi/sandboxed-system-primitives/src/posix.c:2216:42: warning: initialization of 'os_file_handle' {aka 'struct zephyr_handle *'} from 'int' makes pointer from integer without a cast [-Wint-conversion]
 2216 |                     os_file_handle tfd = fos[i]->file_handle->fd;
      |                                          ^~~
wasm-micro-runtime/core/iwasm/libraries/libc-wasi/sandboxed-system-primitives/src/posix.c:2222:31: warning: initialization of 'int' from 'os_file_handle' {aka 'struct zephyr_handle *'} makes integer from pointer without a cast [-Wint-conversion]
 2222 |                         .fd = tfd,
      |                               ^~~
wasm-micro-runtime/core/iwasm/libraries/libc-wasi/sandboxed-system-primitives/src/posix.c:2222:31: note: (near initialization for '(anonymous).fd')

---------

Signed-off-by: Krisztian Szilvasi <34309983+kr-t@users.noreply.github.com>

* Fix compilation error when MSVC is not set to C11 standard (#4588)

* Fix compilation error when MSVC is not set to C11 standard

* align quick_aot_entry invoke_* signatures with call sites (#4829)

Signed-off-by: zhenweijin <zhenwei.jin@intel.com>

* build(deps): Bump github/codeql-action from 4.32.0 to 4.32.2 (#4831)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.0 to 4.32.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.32.0...v4.32.2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix off-by-one in AOT func_index bounds checks (#4836)

The AOT relocation loader validates func_index using:
  (func_index = (uint32)atoi(p)) > module->func_count

Since func_ptrs is an array of func_count elements (indices 0 to
func_count-1), func_index == func_count is out of bounds. The check
must use >= instead of > to reject this boundary case.

Fix all 4 affected locations in aot_loader.c.

* Improve shared_heap test cases. (#4834)

Aligned allocation size can be significantly greater than the original size,
and page size varies across platforms.

> macOS on M1 (Apple Silicon) uses a memory page size of 16,384 bytes (16 KB).
> This differs from the traditional 4 KB page size used on Intel Macs and many
> other ARM64 systems, and is designed to improve performance by reducing page
> table overhead and allowing for better cache utilization.

* build(deps): Bump github/codeql-action from 4.32.2 to 4.32.3 (#4838)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.2 to 4.32.3.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.32.2...v4.32.3)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Fix typo in README from WARM to WAMR (#4843)

Guessing this was supposed to WAMR not WARM

* build(deps): Bump github/codeql-action from 4.32.3 to 4.32.4 (#4840)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.3 to 4.32.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.32.3...v4.32.4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Improve zephyr's networking code (#4839)

* fix: zephyr sockets: fix get/set sockopt usages.

In multiple places, setsockopt is used when getsockopt shall be used, and vice-versa.
Additionally, pointer isn't checked correctly in two places, this commit fixes those as well.
Per man(7), most socket-level options utilize an int argument for optval. Use those for ttl.

Signed-off-by: Krisztian Szilvasi <34309983+kr-t@users.noreply.github.com>

* feat: zephyr sockets: implement missing networking functions

Some of the optvals are implemented by zephyr, some are missing.
Call the appropriate function and let set the retval based on that.

Signed-off-by: Krisztian Szilvasi <34309983+kr-t@users.noreply.github.com>

* fix: WASM_API_EXTERN should get visibility("default") on gcc and clang (#4851)

This allows the wasm_c_api to work in shared libraries on non-Windows
platforms.

* Fix sock_connect using wrong rights constant (#4849)

wasi_ssp_sock_connect checks __WASI_RIGHT_SOCK_BIND instead of
__WASI_RIGHT_SOCK_CONNECT when validating file descriptor rights.
This was a copy-paste error from wasi_ssp_sock_bind. As a result,
connect operations check the wrong capability.

* windows: fix vectored exception handler lifecycle for repeated thread env init/destroy (#4842)

* Fix Windows VEH registration/removal lifecycle
* Remove redundant OS_THREAD_MUTEX_INITIALIZER guards

Since the code is already inside #ifdef BH_PLATFORM_WINDOWS,
the macro is always defined. Use NULL directly for clarity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* build(deps): Bump actions/upload-artifact from 6.0.0 to 7.0.0 (#4859)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v6...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): Bump github/codeql-action from 4.32.4 to 4.32.5 (#4858)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.4 to 4.32.5.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.32.4...v4.32.5)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add bounds checking for output tensor buffer in wasi-nn llama.cpp (#4847)

* Add bounds checking for output tensor buffer in wasi-nn llama.cpp

The get_output function copies LLM output into output_tensor->buf
without checking against output_tensor->size, allowing writes
past the buffer when the model generates output longer than the
caller-provided buffer. Add size checks for both the metadata
path and the token output loop.

Instead of silently truncating output when the buffer is too small,
return the too_large error with a diagnostic message. This makes the
behavior consistent with the OpenVINO backend's get_output and allows
callers to distinguish between successful completion and insufficient
buffer size.

* Fix a compilation error by clang-17 (#4812)

* Fix a compilation error by clang-17

```
variable-sized object may not be initialized
```

clang-17 is the default version on MacOS Tahoe(26.2) on AppleM1

* fix: update shared_heap_test to use os_getpagesize for memory size calculations (#4852)

* workaround: prevent usage of anyref in struct fields and array elements (#4819)

Disable corresponding cases in spec test

* Fix off-by-one in aot_alloc_tiny_frame overflow check (#4845)

* Fix off-by-one in aot_alloc_tiny_frame overflow check

The boundary check in aot_alloc_tiny_frame only verifies that
new_frame itself doesn't exceed top_boundary, but doesn't account
for the sizeof(AOTTinyFrame) bytes that are about to be written.
When new_frame equals top_boundary exactly, the check passes but
the subsequent write to new_frame->func_index goes past the
boundary. This matches the correct pattern used in
aot_alloc_frame (line 4086) which includes the frame size.

* clean(zephyr): reduce warnings on zephyr platform (#4860)

* clean(warnings): fix [-Wsign-compare] in zephyr_file

buf_len is a long unsigned int, while bytes_* can be negative due to error values.
We don't need to check bytes_* for negative value, as it was done during read/write op.

* clean(warnings): fix "MIN" redefined warning

Some platforms, like Zephyr, already define MIN and definition in WAMR cause
`warning: "MIN" redefined` warning.
Check if it was defined before, and do not redefine it.

Signed-off-by: Krisztian Szilvasi <34309983+kr-t@users.noreply.github.com>

* fix(ems): avoid abort in gc_migrate when heap metadata is corrupted (#4862)

Signed-off-by: zhenweijin <zhenwei.jin@intel.com>

* Refactoring enclave sample (#4828)

* refactor(ci): production-ready SGX install script with logging and idempotency

- Add comprehensive logging infrastructure to /tmp/install_sgx.log
- Implement idempotency checks for SGX packages and SDK
- Modularize into functions: platform_detect, install_packages, validate_installation, cleanup
- Add strict error handling with set -euo pipefail and error traps
- Replace FIXME with proper environment sourcing documentation
- Add dynamic platform detection for Ubuntu 20+/Debian 11/12
- Ensure minimal console output (final status only) with all details in log
- Verify all acceptance scenarios pass with comprehensive testing

* Refactoring enclave-sample aligning sgx BKM.

- Buffer interface redesign to separate input and output
- prevent untrusted pointer
- add module and instance handle release functions for better resource management

* fuzz: remove unnecessary internal headers from wasm_mutator_fuzz (#4865)

Remove `wasm_runtime_common.h` and `bh_read_file.h` includes from the
wasm_mutator_fuzz harness. All runtime APIs used by this fuzzer
(wasm_runtime_init, wasm_runtime_load, wasm_runtime_instantiate,
wasm_runtime_call_wasm_a, wasm_runtime_get_export_count, etc.) are
declared in the public `wasm_export.h` header.

- `wasm_runtime_common.h` (core/iwasm/common/) is an internal
  implementation header not intended for external use.
- `bh_read_file.h` (core/shared/utils/uncommon/) is an internal
  utility header whose functions are never called in this fuzzer.

Verified that the modified harness compiles and runs correctly for all
three build targets (classic-interp, fast-interp, llvm-jit) with
identical code coverage.

* Fix missing IS_INVALID_TAGINDEX check in RETHROW handler (#4837)

* Fix RETHROW handler missing IS_INVALID_TAGINDEX check

Add validation for exception_tag_index in the RETHROW opcode handler
to prevent out-of-bounds access to module->module->tags[] when the
tag index is INVALID_TAGINDEX (0xFFFFFFFF). This matches the existing
check in the THROW handler.

When CATCH_ALL catches a cross-module exception with an unknown tag,
it pushes INVALID_TAGINDEX onto the stack. Without this check, a
subsequent RETHROW would access tags[0xFFFFFFFF].

* Fix incorrect code section byte counts in exception handling test

The hand-crafted WASM binary in load_module_with_exception_handling had
an off-by-one in the code section: body size was declared as 7 but the
actual body (local count + try/catch_all/end/end) is only 6 bytes.
This caused the WASM loader to fail with "unexpected end" when it tried
to read past the available bytes.

Fix the body size from 7 to 6 and the code section size from 9 to 8.

* Fix relocation addend sign extension on 32-bit platforms (#4846)

* Fix relocation addend sign extension on 32-bit platforms

When loading relocations on 32-bit platforms, the addend is read
as uint32 and zero-extended to uint64, which corrupts negative
addends. For example, -4 (0xFFFFFFFC) becomes 4294967292 instead
of remaining -4. Use int32 with sign extension to int64, matching
the Windows code path which already handles this correctly.

* Fix mismatch of enum sizes between WASM and host (#4676)

- refactor(wasi_types): deprecate enums in platform_wasi_types.h.
- Use macros instead.

Signed-off-by: Krisztian Szilvasi <34309983+kr-t@users.noreply.github.com>
Signed-off-by: Dan Kouba <dan@atym.io>

* build(deps): Bump github/codeql-action from 4.32.5 to 4.32.6 (#4868)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.5 to 4.32.6.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v4.32.5...v4.32.6)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fuzzing: reject non-wasm files quickly and execute aot after compilation (#4780)

* fix: disable unsigned integer overflow sanitization in build configurations

FYI: from https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html

`-fsanitize=unsigned-integer-overflow`: Unsigned integer overflow, where the result of an unsigned integer computation cannot be represented in its type. Unlike signed integer overflow, this is not undefined behavior, but it is often unintentional. This sanitizer does not check for lossy implicit conversions performed before such a computation.

It brings a more common question: which is better, pre-additional-check or post-additional-check to fix a potential unsigned integer overflow? A pre-additional-check involves using a check to prevent integer overflow from the very beginning. A post-additional-check involves using a check after addition to see if there is an overflow.

In this project, post-additional-checking is widely used. let's follow the routine.

for performance sensitive logic, use __builtin_add_overflow etc. provide something like https://github.com/yamt/toywasm/blob/9a5622791e99395e26e6e96cef830af3d91a1685/lib/platform.h#L176-L191 and encourage the use of them.

ref. #4549 (comment)

* fix: update AOT compiler configuration and enhance error handling in fuzz tests

* Fix: initialize record_frame in aot_copy_callstack (#4861)

* Fix: Fix null pointer dereference in wasm_c_api.c (#4863)

* Enable Unit test on Mac(m1) (#4841)

- detecting host arch. and platform instead of hard-coding
- fix few compilation errors because of stricter rules involve by appleclang
- refactor: modernize wasm-apps CMakeLists.txt to target-specific options and install commands
- refactor: modernize memory64 CMakeLists.txt to target-specific options and install commands
- Update running-modes CMakeLists.txt: enable AOT and INTERP; JIT/FAST_JIT gating for x86_64. Fix typo in JIT section.
- fix: replace deprecated get_binary_path function with get_test_binary_dir for improved portability
- fix: adjust size_level test cases for aarch64 architecture compatibility

* Move exception lock to ModuleInstance data. (#4772)

* Move exception lock to ModuleInstance data.

This lock acquired on each native function call. This cause performance impact
on programs, containing many native function calls, and running in multithreaded environment.

Update AOT_CURRENT_VERSION constant.

* fix: use copy of input for wasm_runtime_load to fix overwrites-const-input in fuzz (#4869)

Signed-off-by: zhenweijin <zhenwei.jin@intel.com>

---------

Signed-off-by: Huang Qi <huangqi3@xiaomi.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Krisztian Szilvasi <34309983+kr-t@users.noreply.github.com>
Signed-off-by: zhenweijin <zhenwei.jin@intel.com>
Signed-off-by: Haitao Huang <haitaohuang@microsoft.com>
Signed-off-by: Dan Kouba <dan@atym.io>
Co-authored-by: liang.he <liang.he@intel.com>
Co-authored-by: Huang Qi <huangqi3@xiaomi.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Chris Woods <6069113+woodsmc@users.noreply.github.com>
Co-authored-by: Zhenwei Jin <109658203+kylo5aby@users.noreply.github.com>
Co-authored-by: YAMAMOTO Takashi <yamamoto@midokura.com>
Co-authored-by: Krisztian <34309983+kr-t@users.noreply.github.com>
Co-authored-by: Kakhaber <kaxabernet@gmail.com>
Co-authored-by: Yosh <2467194+yoshuawuyts@users.noreply.github.com>
Co-authored-by: TianlongLiang <111852609+TianlongLiang@users.noreply.github.com>
Co-authored-by: linear0211 <144136043+linear0211@users.noreply.github.com>
Co-authored-by: 石博文 <sbw@sbw.so>
Co-authored-by: Steven <25894545+teamchong@users.noreply.github.com>
Co-authored-by: Haitao Huang <4699115+haitaohuang@users.noreply.github.com>
Co-authored-by: Alex <ph1048@gmail.com>
Co-authored-by: vkensou <boyplaydota@hotmail.com>
Co-authored-by: Yi Liu <yi@quantstamp.com>
Co-authored-by: Robert Ismo <robertismo@protonmail.com>
Co-authored-by: Taylor C. Richberger <taylor.richberger@procern.com>
Co-authored-by: kogum4 <112237015+kogum4@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Ze Sheng <108382772+OwenSanzas@users.noreply.github.com>
Co-authored-by: Dan Kouba <dan@atym.io>
Co-authored-by: Vyacheslav Chigrin <vyacheslav.chigrin@yandex.ru>

Author: 25 people

.clang-tidy

@@ -1,16 +1,49 @@
 # refer to https://clang.llvm.org/extra/clang-tidy/checks/list.html
+#
+# Configure clang-tidy for this project.
+
+# Here is an explanation for why some of the checks are disabled:
+#
+
+Checks: >
+  -*,
+  bugprone-*,
+  cert-*,
+  clang-analyzer-*,
+  concurrency-*,
+  misc-*,
+  modernize-*,
+  performance-*,
+  portability-*,
+  readability-*,
+  -bugprone-easily-swappable-parameters,
+  -bugprone-macro-parentheses,
+  -misc-no-recursion,
+  -misc-unused-parameters,
+  -readability-braces-around-statements,
+  -readability-else-after-return,
+  -readability-function-cognitive-complexity,
+  -readability-identifier-length,
+  -readability-isolate-declaration,
+  -readability-magic-numbers,
+  -readability-named-parameter,
+  -readability-non-const-parameter,
+  -readability-redundant-preprocessor,
+  -readability-suspicious-call-argument,
+  -readability-uppercase-literal-suffix
+
+
+# Turn all the warnings from the checks above into errors.
+WarningsAsErrors: "*"
+
+# headers in the following directories will be checked:
+#   - core/iwasm/
+#   - core/shared/
+HeaderFilterRegex: '(core/iwasm/|core/shared/).*\\.h$'
+
+# goto .clang-format at root directory to see the format style
+FormatStyle: file
 
-Checks:  '-*, readability-identifier-naming, clang-analyzer-core.*,'
-WarningsAsErrors:    '-*'
-HeaderFilterRegex:   ''
-FormatStyle:         file
-InheritParentConfig: false
-AnalyzeTemporaryDtors: false
-User:                wamr
 CheckOptions:
-  - key:             readability-identifier-naming.VariableCase
-    value:           lower_case
-  - key:             readability-identifier-naming.ParameterCase
-    value:           lower_case
-  - key:             readability-identifier-naming.MacroDefinitionCase
-    value:           UPPER_CASE
+  - { key: readability-identifier-naming.NamespaceCase, value: lower_case }
+  - { key: readability-function-cognitive-complexity.Threshold, value: 100 }

.devcontainer/Dockerfile

@@ -1,150 +1,42 @@
 # Copyright (C) 2019 Intel Corporation.  All rights reserved.
 # SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 
-# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/cpp/.devcontainer/base.Dockerfile
-# [Choice] Debian / Ubuntu version (use Debian 12/11/9, Ubuntu 18.04/21.04 on local arm64/Apple Silicon): debian-12, debian-11, debian-10, debian-9, ubuntu-21.04, ubuntu-20.04, ubuntu-18.04
+# hadolint global ignore=DL3008,DL3009
+
 ARG VARIANT=debian-12
-FROM mcr.microsoft.com/vscode/devcontainers/cpp:${VARIANT}
+FROM mcr.microsoft.com/devcontainers/cpp:${VARIANT}
 
 ARG DEBIAN_FRONTEND=noninteractive
-ENV TZ=Asian/Shanghai
+ENV TZ=Asia/Shanghai
 
-# hadolint ignore=DL3008
 RUN apt-get update \
-  && apt-get upgrade -y \
-  && apt-get install -y apt-transport-https apt-utils build-essential \
-  ca-certificates ccache cmake curl g++-multilib git gnupg \
-  libgcc-12-dev lib32gcc-12-dev lsb-release \
-  ninja-build ocaml ocamlbuild \
-  software-properties-common tree tzdata \
-  unzip valgrind vim wget zip --no-install-recommends \
-  && apt-get clean -y \
-  && rm -rf /var/lib/apt/lists/*
-
-#
-# binaryen
-ARG BINARYEN_VER=114
-WORKDIR /opt
-RUN wget -c --progress=dot:giga https://github.com/WebAssembly/binaryen/releases/download/version_${BINARYEN_VER}/binaryen-version_${BINARYEN_VER}-x86_64-linux.tar.gz \
-  && tar xf binaryen-version_${BINARYEN_VER}-x86_64-linux.tar.gz \
-  && ln -sf /opt/binaryen-version_${BINARYEN_VER} /opt/binaryen \
-  && rm binaryen-version_${BINARYEN_VER}-x86_64-linux.tar.gz
-
-#
-# CMAKE (https://apt.kitware.com/)
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-# hadolint ignore=DL3008
-ARG CMAKE_VER=3.27.0
-RUN wget https://github.com/Kitware/CMake/releases/download/v${CMAKE_VER}/cmake-${CMAKE_VER}-Linux-x86_64.sh \
-      -q -O /tmp/cmake-install.sh \
-      && chmod u+x /tmp/cmake-install.sh \
-      && mkdir /opt/cmake-${CMAKE_VER} \
-      && /tmp/cmake-install.sh --skip-license --prefix=/opt/cmake-${CMAKE_VER} \
-      && rm /tmp/cmake-install.sh \
-      && ln -s /opt/cmake-${CMAKE_VER}/bin/* /usr/local/bin
-
-#
-# install emsdk
-WORKDIR /opt
-RUN git clone https://github.com/emscripten-core/emsdk.git
-
-ARG EMSDK_VER=3.1.43
-WORKDIR /opt/emsdk
-RUN  git pull \
-  && ./emsdk install ${EMSDK_VER} \
-  && ./emsdk activate ${EMSDK_VER} \
-  && echo "source /opt/emsdk/emsdk_env.sh" >> /root/.bashrc
-
-#
-# install wasi-sdk
-ARG WASI_SDK_VER=20
-RUN wget -c --progress=dot:giga https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-${WASI_SDK_VER}/wasi-sdk-${WASI_SDK_VER}.0-linux.tar.gz -P /opt \
-  && tar xf /opt/wasi-sdk-${WASI_SDK_VER}.0-linux.tar.gz -C /opt \
-  && ln -sf /opt/wasi-sdk-${WASI_SDK_VER}.0 /opt/wasi-sdk \
-  && rm /opt/wasi-sdk-${WASI_SDK_VER}.0-linux.tar.gz
-
-#
-#install wabt
-ARG WABT_VER=1.0.33
-RUN wget -c --progress=dot:giga https://github.com/WebAssembly/wabt/releases/download/${WABT_VER}/wabt-${WABT_VER}-ubuntu.tar.gz -P /opt \
-  && tar xf /opt/wabt-${WABT_VER}-ubuntu.tar.gz -C /opt \
-  && ln -sf /opt/wabt-${WABT_VER} /opt/wabt \
-  && rm /opt/wabt-${WABT_VER}-ubuntu.tar.gz
+  && apt-get upgrade -y
 
-#
-# install bazelisk
-ARG BAZELISK_VER=1.17.0
-RUN mkdir /opt/bazelisk \
-  && wget -c --progress=dot:giga https://github.com/bazelbuild/bazelisk/releases/download/v${BAZELISK_VER}/bazelisk-linux-amd64 -P /opt/bazelisk \
-  && chmod a+x /opt/bazelisk/bazelisk-linux-amd64 \
-  && ln -fs /opt/bazelisk/bazelisk-linux-amd64 /opt/bazelisk/bazel
-
-#
-# install clang+llvm
-ARG LLVM_VER=16
-RUN apt-get purge -y clang-14 llvm-14 && apt-get autoremove -y
-WORKDIR /etc/apt/apt.conf.d
-RUN touch 99verfiy-peer.conf \
-  && echo "Acquire { https::Verify-Peer false }" > 99verfiy-peer.conf
-
-WORKDIR /tmp
-#RUN wget --progress=dot:giga https://apt.llvm.org/llvm.sh \
-#  && chmod a+x ./llvm.sh \
-#  && ./llvm.sh ${LLVM_VER} all
-
-# Workaround due to https://github.com/llvm/llvm-project/issues/62475
-# hadolint ignore=DL3008
-RUN set -ex \
-    && echo "deb http://apt.llvm.org/bookworm/ llvm-toolchain-bookworm-${LLVM_VER} main" > /etc/apt/sources.list.d/apt.llvm.org.list \
-    && wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc \
-    && apt-get update \
-    && apt-get install -y \
-    clang-${LLVM_VER} lldb-${LLVM_VER} lld-${LLVM_VER} clangd-${LLVM_VER} clang-tidy-${LLVM_VER} clang-format-${LLVM_VER} clang-tools-${LLVM_VER} \
-    llvm-${LLVM_VER}-dev lld-${LLVM_VER} lldb-${LLVM_VER} llvm-${LLVM_VER}-tools libomp-${LLVM_VER}-dev libc++-${LLVM_VER}-dev libc++abi-${LLVM_VER}-dev \
-    libclang-common-${LLVM_VER}-dev libclang-${LLVM_VER}-dev libclang-cpp${LLVM_VER}-dev libunwind-${LLVM_VER}-dev \
-    libclang-rt-${LLVM_VER}-dev libpolly-${LLVM_VER}-dev --no-install-recommends \
-    && apt-get clean -y \
-    && rm -rf /var/lib/apt/lists/*
-
-#
-# [Optional]
-
-#
-# Install pip
-# hadolint ignore=DL3008
 RUN apt-get update \
-  && apt-get install -y --reinstall python3-venv python3-pip --no-install-recommends \
-  && apt-get clean -y \
-  && rm -rf /var/lib/apt/lists/*
+  && apt-get install -y apt-transport-https apt-utils build-essential \
+      ca-certificates ccache clang-format-14 curl file g++-multilib git gnupg \
+      libgcc-12-dev lib32gcc-12-dev libzstd-dev lsb-release \
+      ninja-build ocaml ocamlbuild opam \
+      python3-venv python3-pip \
+      software-properties-common tree tzdata \
+      unzip valgrind vim wget zip --no-install-recommends
 
-#
-# Install required python packages
-# hadolint ignore=DL3013
-RUN python3 -m pip install --no-cache-dir --break-system-packages --upgrade pip \
-  && pip3 install --no-cache-dir --break-system-packages black nose pycparser pylint
+WORKDIR /opt
 
-#
-# Install github-cli. It doens't work as a feature of devcontainer.json
-ARG GH_CLI_VER=2.32.0
-WORKDIR /tmp
-RUN wget -q https://github.com/cli/cli/releases/download/v${GH_CLI_VER}/gh_${GH_CLI_VER}_linux_amd64.deb \
-  && dpkg -i gh_${GH_CLI_VER}_linux_amd64.deb
+ARG WASI_SDK_VER=25
+RUN wget -c --progress=dot:giga https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-${WASI_SDK_VER}/wasi-sdk-${WASI_SDK_VER}.0-x86_64-linux.tar.gz -P /tmp \
+  && tar xf /tmp/wasi-sdk-${WASI_SDK_VER}.0-x86_64-linux.tar.gz -C /opt \
+  && ln -sf /opt/wasi-sdk-${WASI_SDK_VER}.0-x86_64-linux /opt/wasi-sdk
 
-#
-# Install NodeJS
-RUN wget -qO- https://deb.nodesource.com/setup_20.x | bash -
-# hadolint ignore=DL3008
-RUN apt-get install -y nodejs --no-install-recommends
+ARG WABT_VER=1.0.37
+RUN wget -c --progress=dot:giga https://github.com/WebAssembly/wabt/releases/download/${WABT_VER}/wabt-${WABT_VER}-ubuntu-20.04.tar.gz -P /tmp \
+  && tar xf /tmp/wabt-${WABT_VER}-ubuntu-20.04.tar.gz -C /opt \
+  && ln -sf /opt/wabt-${WABT_VER} /opt/wabt
 
 # set path
-ENV PATH="/opt/bazelisk:/usr/lib/llvm-${LLVM_VER}/bin:${PATH}"
-ENV CC=/usr/lib/llvm-${LLVM_VER}/bin/clang CXX=/usr/lib/llvm-${LLVM_VER}/bin/clang++
-RUN printf "%s\n" "PS1='\n[ \u@wamr-dev-docker \W ]\n$ '" >> /root/.bashrc \
-  && apt-get autoremove -y \
+
+# clean up
+RUN apt-get autoremove -y \
   && apt-get clean -y \
   && rm -rf /var/lib/apt/lists/* \
   && rm -rf /tmp/*
-
-# set workdir when container run
-VOLUME /workspaces
-WORKDIR /workspaces

.devcontainer/devcontainer.json

@@ -1,50 +1,29 @@
-// Copyright (C) 2019 Intel Corporation.  All rights reserved.
-// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
-// For format details, see https://aka.ms/vscode-remote/devcontainer.json or this file's README at:
-// https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/cpp
 {
   "name": "WAMR-Dev",
   "build": {
     "dockerfile": "Dockerfile",
-    // Update 'VARIANT' to pick an Debian / Ubuntu OS version: debian-12, debian-11, debian-10, debian-9, ubuntu-21.04, ubuntu-20.04, ubuntu-18.04
-    // Use Debian 12, Debian 11, Debian 9, Ubuntu 18.04 or Ubuntu 21.04 on local arm64/Apple Silicon
     "args": {
-      "BINARYEN_VER": "114",
-      "BAZELISK_VER": "1.17.0",
-      "CMAKE_VER": "3.27.0",
-      "EMSDK_VER": "3.1.43",
-      "GH_CLI_VER": "2.32.0",
-      "LLVM_VER": "16",
       "VARIANT": "debian-12",
-      "WASI_SDK_VER": "20",
-      "WABT_VER": "1.0.33"
+      "WASI_SDK_VER": "25",
+      "WABT_VER": "1.0.37"
     }
   },
   "runArgs": [
     "--cap-add=SYS_PTRACE",
     "--security-opt",
     "seccomp=unconfined"
   ],
-  // Configure tool-specific properties.
   "customizations": {
-    // Configure properties specific to VS Code.
     "vscode": {
-      // Set *default* container specific settings.json values on container create.
       "settings": {},
-      // Add the IDs of extensions you want installed when the container is created.
       "extensions": [
         "dtsvet.vscode-wasm",
-        "llvm-vs-code-extensions.vscode-clangd",
         "ms-python.python",
         "ms-python.vscode-pylance",
         "ms-vscode.cmake-tools"
       ]
     }
   },
-  // Use 'forwardPorts' to make a list of ports inside the container available locally.
-  // "forwardPorts": [],
-  // Use 'postCreateCommand' to run commands after the container is created.
-  "postCreateCommand": "curl https://sh.rustup.rs -sSf | bash -s -- -y",
-  // Comment out this line to run as root instead.
+  "postCreateCommand": "bash .devcontainer/finalize.sh",
   "remoteUser": "vscode"
 }

.devcontainer/finalize.sh

@@ -0,0 +1,18 @@
+echo "Running finalize script..."
+
+#
+# Python Package Installation
+#
+echo "--- Installing Python Dependencies\n"
+
+# Upgrade pip first
+python3 -m pip install --no-cache-dir --break-system-packages --upgrade pip
+# Install required packages
+pip3 install --no-cache-dir --break-system-packages -r .devcontainer/requirements.txt
+
+echo "--- Installing Ocaml stuff\n"
+opam init --yes --shell-setup
+eval $(opam env --switch=default)
+opam install --yes dune menhir
+
+echo "Finalize script completed. ✅"

.devcontainer/requirements.txt

@@ -0,0 +1,5 @@
+black
+nose
+pycparser
+pylint
+requests

.github/actions/install-wasi-sdk-wabt/action.yml

@@ -50,18 +50,18 @@ runs:
         echo "::notice::wasi-sdk-25 and wabt-1.0.37 installed on ubuntu"
       working-directory: /opt
 
-    - name: Set up wasi-sdk and wabt on macOS-13 (intel)
-      if: ${{ inputs.os == 'macos-13' }}
+    - name: Set up wasi-sdk and wabt on macOS on Intel
+      if: ${{ inputs.os == 'macos-15-intel' }}
       shell: bash
       run: |
-        echo "Downloading wasi-sdk for macOS-13..."
+        echo "Downloading wasi-sdk for macOS on Intel..."
         sudo wget -O wasi-sdk.tar.gz --progress=dot:giga https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-25/wasi-sdk-25.0-x86_64-macos.tar.gz
 
         echo "Extracting wasi-sdk..."
         sudo tar -xf wasi-sdk.tar.gz
         sudo ln -sf  wasi-sdk-25.0-x86_64-macos wasi-sdk
 
-        echo "Downloading wabt for macOS-13..."
+        echo "Downloading wabt for macOS on Intel..."
         sudo wget -O wabt.tar.gz     --progress=dot:giga https://github.com/WebAssembly/wabt/releases/download/1.0.36/wabt-1.0.36-macos-12.tar.gz
 
         echo "Extracting wabt..."
@@ -71,21 +71,21 @@ runs:
         /opt/wasi-sdk/bin/clang --version
         /opt/wabt/bin/wasm-interp --version
 
-        echo "::notice::wasi-sdk-25 and wabt-1.0.36 installed on macos-13"
+        echo "::notice::wasi-sdk-25 and wabt-1.0.36 installed on ${{ inputs.os }}"
       working-directory: /opt
 
-    - name: Set up wasi-sdk and wabt on macOS-14 (arm64)
-      if: ${{ inputs.os == 'macos-14' }}
+    - name: Set up wasi-sdk and wabt on macOS on ARM
+      if: ${{ inputs.os == 'macos-15' }}
       shell: bash
       run: |
-        echo "Downloading wasi-sdk for macOS-14..."
+        echo "Downloading wasi-sdk for macOS on ARM..."
         sudo wget -O wasi-sdk.tar.gz --progress=dot:giga https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-25/wasi-sdk-25.0-arm64-macos.tar.gz
 
         echo "Extracting wasi-sdk..."
         sudo tar -xf wasi-sdk.tar.gz
         sudo ln -sf  wasi-sdk-25.0-arm64-macos wasi-sdk
 
-        echo "Downloading wabt for macOS-14..."
+        echo "Downloading wabt for macOS on ARM..."
         sudo wget -O wabt.tar.gz     --progress=dot:giga https://github.com/WebAssembly/wabt/releases/download/1.0.37/wabt-1.0.37-macos-14.tar.gz
 
         echo "Extracting wabt..."
@@ -95,7 +95,7 @@ runs:
         /opt/wasi-sdk/bin/clang --version
         /opt/wabt/bin/wasm-interp --version
 
-        echo "::notice::wasi-sdk-25 and wabt-1.0.37 installed on macos-14"
+        echo "::notice::wasi-sdk-25 and wabt-1.0.37 installed on ${{ inputs.os }}"
       working-directory: /opt
 
     - name: Set up wasi-sdk and wabt on Windows