fix(compiler): replace createInBoundsGEP1 with createGEP1 to prevent UB #4563
+11
−2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
5efde1a to
46815f9
Compare
Contributor
Author
|
before after |
Contributor
Author
hydai
requested changes
Jan 28, 2026
Member
There was a problem hiding this comment.
The code is fine. The comments are really redundant.
Member
|
Also, no merging master to branch, use rebase instead in the future. I think you can:
This gains you a single commit for your changes here. |
Contributor
Author
Thanks, will reduce it to single line comment. |
Contributor
Author
Thank You, I really needed those tips since I did realise that unknowingly i pushed 5 commits into this PR, even though even doing pushing with no addition msg |
8a63fa4 to
bea642f
Compare
Summary: Replaces 'createInBoundsGEP1' with 'createGEP1' for memory access operations in the AOT compiler. This fixes a raw Segmentation Fault issue where the WasmEdge signal handler failed to trap out-of-bounds accesses. Root Cause: WasmEdge's zero-cost bounds checking relies on pointers legally hitting the OS Guard Page to trigger a SIGSEGV. The LLVM 'inbounds' keyword contract states that pointers must stay within allocated objects. When a pointer hits the Guard Page, this contract is violated, resulting in Undefined Behavior (Poison). This UB allowed LLVM to optimize away the necessary trap mechanics. Fix: Using standard 'createGEP1' (without 'inbounds') forces the compiler to generate the exact pointer arithmetic required to hit the Guard Page and trigger the trap deterministically. Verification: - Checked LLVM IR: Verified 'inbounds' keyword is removed from generated 'getelementptr' instructions. - Runtime: Confirmed raw Segfault is replaced by graceful '[error] execution failed: out of bounds memory access'. Fixes WasmEdge#3063 Signed-off-by: blackdragoon26 <sankalp.jha9643@gmail.com>
bea642f to
197d032
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to m
2C34
erge.
Suggestion cannot be applied right now. Please check back later.
Summary:
Replaces 'createInBoundsGEP1' with 'createGEP1' for memory access operations in the AOT compiler. This fixes a raw Segmentation Fault issue where the WasmEdge signal handler failed to trap out-of-bounds accesses.
Root Cause:
WasmEdge's zero-cost bounds checking relies on pointers legally hitting the OS Guard Page to trigger a SIGSEGV.
The LLVM 'inbounds' keyword contract states that pointers must stay within allocated objects. When a pointer hits the Guard Page, this contract is violated, resulting in Undefined Behavior (Poison). This UB allowed LLVM to optimize away the necessary trap mechanics.
Fix:
Using standard 'createGEP1' (without 'inbounds') forces the compiler to generate the exact pointer arithmetic required to hit the Guard Page and trigger the trap deterministically.
Verification:
Fixes #3063