wasmer-c-api: wasm_val_delete causes double free error #5141

Closed
helmutkian opened this issue Oct 9, 2024 · 1 comment · Fixed by #5156

helmutkian commented Oct 9, 2024

Describe the bug

Calling wasm_val_delete on a dynamically allocated wasm_val_t * causes a double free error.

Environment info:

wasmer 4.4.0 (b2fa4b1 2024-10-05)
binary: wasmer-cli
commit-hash: b2fa4b19ff24f2facbe878b256c76d8e4bd6b25a
commit-date: 2024-10-05
host: x86_64-unknown-linux-gnu
compiler: singlepass,cranelift,llvm

rustc 1.54.0 (a178d0322 2021-07-26)
binary: rustc
commit-hash: a178d0322ce20e33eac124758e837cbd80a6f633
commit-date: 2021-07-26
host: x86_64-unknown-linux-gnu
release: 1.54.0
LLVM version: 12.0.1

Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/11/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 11.4.0-1ubuntu1~22.04' --with-bugurl=file:///usr/share/doc/gcc-11/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++,m2 --prefix=/usr --with-gcc-major-version-only --program-suffix=-11 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --enable-default-pie --with-system-zlib --enable-libphobos-checking=release --with-target-system-zlib=auto --enable-objc-gc=auto --enable-multiarch --disable-werror --enable-cet --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none=/build/gcc-11-XeT9lY/gcc-11-11.4.0/debian/tmp-nvptx/usr,amdgcn-amdhsa=/build/gcc-11-XeT9lY/gcc-11-11.4.0/debian/tmp-gcn/usr --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu --with-build-config=bootstrap-lto-lean --enable-link-serialization=2
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04) 

Steps to reproduce

test.c file:

#include <stdio.h>
#include <stdlib.h>
#include "wasmer.h"

int main(int argc, const char* argv[]) {
  wasm_val_t *val;

  val = (wasm_val_t *)malloc(sizeof(wasm_val_t));

  val->kind = WASM_I32;
  val->of.i32 = 7;

  printf("val: %d\n", val->of.i32);

  wasm_val_delete(val);
  free(val);
  
  return 0;
}

Compiled with flags

CFLAGS = -g -I$(shell $(WASMER_DIR)/bin/wasmer config --includedir)
LDFLAGS = -Wl,-rpath,$(shell $(WASMER_DIR)/bin/wasmer config --libdir)
LDLIBS = $(shell $(WASMER_DIR)/bin/wasmer config --libs)

Expected behavior

Calling wasm_val_delete then free on a dynamically allocated wasm_val_t * pointer should not result in a double free.

wasm_val_delete should only de-allocate memory referenced within its argument (e.g. if .of.ref is set) and not the memory pointed to by its argument (i.e. the argument itself). Doing so makes allocating wasm_val_t on the stack unsafe.

Actual behavior

Running the above code results in this error:

$ ./test
double free or corruption (out)
Aborted (core dumped)

Additional context

@xdoardo xdoardo self-assigned this Oct 17, 2024

xdoardo commented Oct 17, 2024

Thanks! I'll investigate this as soon as possible.

@xdoardo xdoardo added this to the v5.0 milestone Oct 17, 2024
@xdoardo xdoardo added bug Something isn't working 📦 lib-c-api About wasmer-c-api priority-high High priority issue labels Oct 17, 2024
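
A self-contained model of the two ownership contracts discussed in this issue, added here as an illustration; it is not Wasmer's code and does not link against wasmer.h. The names model_val_t, arena_alloc, arena_free, delete_owning, delete_contents and run_sequence are hypothetical, and the fixed arena only counts invalid releases instead of performing them, so the report's call sequence can be replayed without aborting.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for wasm_val_t: a tag plus an optionally owned reference. */
typedef struct { int kind; void *ref; } model_val_t;

/* Fixed arena standing in for the heap: a bad release is counted, never executed. */
#define SLOTS 8
static union { model_val_t val; char bytes[32]; } arena[SLOTS];
static bool in_use[SLOTS];
static int bad_frees;

static void *arena_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = true; return &arena[i]; }
    return NULL;
}

static void arena_free(void *p) {
    if (!p) return;
    for (int i = 0; i < SLOTS; i++)
        if (p == (void *)&arena[i]) {
            if (in_use[i]) in_use[i] = false;
            else bad_frees++;            /* block already released: double free */
            return;
        }
    bad_frees++;                         /* not an arena block, e.g. a stack address */
}

/* Contract A (the behaviour reported): delete also releases the container. */
static void delete_owning(model_val_t *v) {
    if (!v) return;
    arena_free(v->ref);
    arena_free(v);
}

/* Contract B (the behaviour the reporter expects): release only what v references. */
static void delete_contents(model_val_t *v) {
    if (!v) return;
    arena_free(v->ref);
    v->ref = NULL;
}

/* Replays the report's sequence (allocate, delete, free); returns invalid releases. */
int run_sequence(bool owning, bool on_stack) {
    model_val_t local = { 0, NULL };
    model_val_t *v = on_stack ? &local : arena_alloc();
    if (!v) return -1;
    v->kind = 0;
    v->ref = arena_alloc();
    bad_frees = 0;
    if (owning) delete_owning(v); else delete_contents(v);
    if (!on_stack) arena_free(v);        /* the caller's free(val) from test.c */
    return bad_frees;
}
```

Under contract A both the heap case (the caller's own free becomes a second release) and the stack case (delete releases an address that was never allocated) register one invalid release; under contract B neither does.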