wasmoon
Alignment fault happens when closing lua vm
First of all, I can't reproduce this issue in the master branch of wasmoon.
What I did:
- I compile the Lua and C files in my project, with emscripten's SAFE_HEAP option set to 1.
- I compile wasmoon with the glue.js.
- I run wasmoon with glue.wasm.
Testcase:
const { LuaFactory } = require('./index');
(async () => {
// Initialize a new lua environment factory
const factory = new LuaFactory();
// Create a standalone lua environment from the factory
const lua = await factory.createEngine();
lua.global.close();
})();
Error:
Aborted(alignment fault)
/Users/zhanqp/src/sconn_client/test/nodejs/index.js:1829
/** @suppress {checkTypes} */ var e = new WebAssembly.RuntimeError(what);
^
RuntimeError: Aborted(alignment fault)
at abort (/Users/zhanqp/src/sconn_client/test/nodejs/index.js:1829:45)
at alignfault (/Users/zhanqp/src/sconn_client/test/nodejs/index.js:1600:7)
at sconn_client.wasm (wasm://wasm/sconn_client.wasm-002ca6f6:wasm-function[1360]:0xa5ffa)
at sconn_client.wasm.gettable (wasm://wasm/sconn_client.wasm-002ca6f6:wasm-function[789]:0x6e6f7)
at sconn_client.wasm.lua_rawgeti (wasm://wasm/sconn_client.wasm-002ca6f6:wasm-function[791]:0x6e910)
at sconn_client.wasm.luaL_unref (wasm://wasm/sconn_client.wasm-002ca6f6:wasm-function[72]:0x52ac)
at /Users/zhanqp/src/sconn_client/test/nodejs/index.js:1861:16
at Object.ccall (/Users/zhanqp/src/sconn_client/test/nodejs/index.js:5772:17)
at LuaWasm.pointersToBeFreed [as luaL_unref] (/Users/zhanqp/src/sconn_client/test/nodejs/index.js:6777:49)
at FunctionTypeExtension.close (/Users/zhanqp/src/sconn_client/test/nodejs/index.js:715:38)
Node.js v20.18.0
This issue happens when FunctionTypeExtension.close is trying to close a Lua thread.
Here is the ASan report.
=================================================================
==42==ERROR: AddressSanitizer: heap-use-after-free on address 0x14602e18 at pc 0x003b9d0c bp 0x12a69620 sp 0x12a6962c
READ of size 4 at 0x14602e18 thread T0
#0 0x3b9d0c in __asan_report_load4 ../../../../../emsdk/emscripten/system/lib/compiler-rt/lib/asan/asan_rtl.cpp:132:1
0x14602e18 is located 24 bytes inside of 120-byte region [0x14602e00,0x14602e78)
freed by thread T0 here:
#0 0x4025fc in __sanitizer::StackTrace::GetCurrentPc() ../../../../../emsdk/emscripten/system/lib/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_emscripten.cpp:28:27
#1 0x3ab08b in free ../../../../../emsdk/emscripten/system/lib/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#2 0x18e52 in l_alloc ../test/websocket/wasmoon/lua/lauxlib.c:1020:5
#3 0x12ee0e in luaM_free_ ../test/websocket/wasmoon/lua/lmem.c:135:3
#4 0x2bcec in luaE_freethread ../test/websocket/wasmoon/lua/lstate.c:322:3
#5 0xf3407 in freeobj ../test/websocket/wasmoon/lua/lgc.c:792:7
#6 0x102ec8 in luaC_freeallobjects ../test/websocket/wasmoon/lua/lgc.c:1499:5
previously allocated by thread T0 here:
#0 0x4025fc in __sanitizer::StackTrace::GetCurrentPc() ../../../../../emsdk/emscripten/system/lib/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace_emscripten.cpp:28:27
#1 0x3ac573 in realloc ../../../../../emsdk/emscripten/system/lib/compiler-rt/lib/asan/asan_malloc_linux.cpp:82:3
#2 0x18e90 in l_alloc ../test/websocket/wasmoon/lua/lauxlib.c:1024:12
#3 0x12f763 in luaM_malloc_ ../test/websocket/wasmoon/lua/lmem.c:192:23
#4 0xf087f in luaC_newobjdt ../test/websocket/wasmoon/lua/lgc.c:260:24
#5 0x29125 in lua_newthread ../test/websocket/wasmoon/lua/lstate.c:294:7
#6 0x800019c0 in ret.<computed> /Users/zhanqp/src/sconn_client/test/websocket/websocket/node_modules/.pnpm/[email protected]/node_modules/wasmoon/dist/index.js:6592:24