Exclude guard page from stack bounds check in initialize#13704

Merged
cfallin merged 1 commit into
bytecodealliance:mainfrom
SebTardif:fix-guard-page-accounting
Jun 22, 2026
Conversation

@SebTardif

Contributor

Fix the bounds check in VMContinuationStack::initialize to compare
against usable stack space rather than total allocation size.

Prior to #13662, initialize() had no bounds check at all, so a
high-arity function type (e.g. 600 params on an 8192-byte stack)
would unconditionally write control data into the guard page and
segfault. PR #13662 added a bounds check, but compared against
self.len which for Mmap allocations includes the guard page. This
meant the 600-param case still slipped through: 9664 <= 12288
passed the check, but the write still landed in the non-writable
guard page.

This fix subtracts the guard page size for Mmap allocations so
the check reflects the actual usable stack space. Custom
allocations are unaffected since their len does not include a
guard page.

Adds a regression test matching the exact scenario from #13703
(600 params on an 8192-byte stack).

Closes #13703

Fix the bounds check in VMContinuationStack::initialize to compare
against usable stack space rather than total allocation size.

Prior to bytecodealliance#13662, initialize() had no bounds check at all, so a
high-arity function type (e.g. 600 params on an 8192-byte stack)
would unconditionally write control data into the guard page and
segfault. PR bytecodealliance#13662 added a bounds check, but compared against
self.len which for Mmap allocations includes the guard page. This
meant the 600-param case still slipped through: 9664 <= 12288
passed the check, but the write still landed in the non-writable
guard page.

This fix subtracts the guard page size for Mmap allocations so
the check reflects the actual usable stack space. Custom
allocations are unaffected since their len does not include a
guard page.

Adds a regression test matching the exact scenario from bytecodealliance#13703
(600 params on an 8192-byte stack).

Closes bytecodealliance#13703

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
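The accounting error described above, as an added illustration that is not Wasmtime's code and not part of this PR: a toy model of the stack allocation in which the buggy check compares the required size against the total mapping length and the fixed check compares against the usable length. The layout (guard page at the low end of an Mmap stack, control data written downward from the top) and the 4096-byte guard size are assumptions chosen to reproduce the 9664 / 8192 / 12288 numbers from the description.

```rust
// Added model of the bounds-check bug, not Wasmtime's own code.
// Assumed layout: an Mmap stack has one guard page at its lowest addresses,
// the stack grows downward, and initialize() writes control data at the top.
const PAGE: usize = 4096; // assumed guard page size (12288 - 8192)

#[derive(Clone, Copy)]
pub enum Alloc {
    /// mmap-backed: `len` includes the guard page at the bottom of the mapping.
    Mmap { len: usize },
    /// Caller-supplied memory: `len` is entirely usable, no guard page.
    Custom { len: usize },
}

impl Alloc {
    fn len(self) -> usize {
        match self { Alloc::Mmap { len } | Alloc::Custom { len } => len }
    }
    /// Bytes that can actually be written without faulting.
    fn usable(self) -> usize {
        match self {
            Alloc::Mmap { len } => len - PAGE,
            Alloc::Custom { len } => len,
        }
    }
    /// Lowest writable offset; anything below it is the guard page.
    fn writable_start(self) -> usize {
        self.len() - self.usable()
    }
}

/// Admit or reject a write of `needed` bytes at the top of the stack.
/// `fixed == false` reproduces the pre-fix check against the total length.
pub fn initialize(alloc: Alloc, needed: usize, fixed: bool) -> Option<std::ops::Range<usize>> {
    let limit = if fixed { alloc.usable() } else { alloc.len() };
    if needed > limit { return None; }
    Some(alloc.len() - needed..alloc.len())
}

/// True when an admitted write range overlaps the non-writable guard page.
pub fn hits_guard(alloc: Alloc, range: &std::ops::Range<usize>) -> bool {
    range.start < alloc.writable_start()
}

fn main() {
    let stack = Alloc::Mmap { len: 8192 + PAGE }; // 12288 total, 8192 usable
    let needed = 9664; // size the description reports for 600 params
    let buggy = initialize(stack, needed, false).unwrap();
    println!("buggy check admitted {:?}, hits guard: {}", buggy, hits_guard(stack, &buggy));
    println!("fixed check: {:?}", initialize(stack, needed, true));
}
```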
@SebTardif SebTardif requested a review from a team as a code owner June 22, 2026 05:19
@SebTardif SebTardif requested review from cfallin and removed request for a team June 22, 2026 05:19
@github-actions github-actions Bot added the wasmtime:api Related to the API of the `wasmtime` crate itself label Jun 22, 2026

@cfallin cfallin left a comment

Member

LGTM; thanks!

@cfallin cfallin enabled auto-merge June 22, 2026 21:35
@cfallin cfallin added this pull request to the merge queue Jun 22, 2026
Merged via the queue into bytecodealliance:main with commit 8c9ec39 Jun 22, 2026
52 checks passed
Development

Successfully merging this pull request may close these issues.

Stack-switching crash with just enough parameters

2 participants