From 628d4110a4758b02e65e023ef7a08ccb9df63fa5 Mon Sep 17 00:00:00 2001
From: teamchong <25894545+teamchong@users.noreply.github.com>
Date: Mon, 29 Dec 2025 13:13:12 -0500
Subject: [PATCH] fix: clear exec_env_tls when destroying exec_env
When an exec_env is destroyed, check if it matches the current thread's exec_env_tls and clear it to avoid dangling pointer issues. Without this fix, in daemon-style execution where the same thread runs multiple WASM modules sequentially (like Cloudflare Workers), the exec_env_tls can point to freed memory after an exec_env is destroyed, causing crashes on subsequent executions when the signal handler tries to access it. This is critical for AOT mode with hardware bounds checking enabled, where signal handlers rely on exec_env_tls to handle SIGSEGV properly.
---
 core/iwasm/common/wasm_exec_env.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/core/iwasm/common/wasm_exec_env.c b/core/iwasm/common/wasm_exec_env.c
index 47752950f..3d9d4aa5a 100644
--- a/core/iwasm/common/wasm_exec_env.c
+++ b/core/iwasm/common/wasm_exec_env.c
@@ -199,6 +199,20 @@ wasm_exec_env_create(struct WASMModuleInstanceCommon *module_inst,
 void
 wasm_exec_env_destroy(WASMExecEnv *exec_env)
 {
+#ifdef OS_ENABLE_HW_BOUND_CHECK
+ /*
+ * Clear exec_env_tls if it points to this exec_env to avoid dangling
+ * pointer after destruction. This is critical for daemon-style execution
+ * where the same thread runs multiple WASM modules sequentially.
+ * Without this, the signal handler may access freed memory on subsequent
+ * executions, causing crashes.
+ */
+ WASMExecEnv *current_tls = wasm_runtime_get_exec_env_tls();
+ if (current_tls == exec_env) {
+ wasm_runtime_set_exec_env_tls(NULL);
+ }
+#endif
+
 #if WASM_ENABLE_THREAD_MGR != 0
 /* Wait for all sub-threads */
 WASMCluster *cluster = wasm_exec_env_get_cluster(exec_env);
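Review bot: The new guard at the top of wasm_exec_env_destroy only inspects the exec_env_tls of the thread that calls destroy, so an exec_env torn down from a different thread than the one that last ran it would leave that other thread's TLS pointing at freed memory. The block comment should state that assumption, for example by adding `Only the calling thread's TLS is cleared; destroy the exec_env on the thread that last executed it.` The commit message also implies exec_env_tls can stay set after a call has returned. If the set and clear around execution are meant to be balanced, that path probably needs its own fix, because this guard only removes the stale pointer at destroy time. The rest of the function body lies outside the hunk, so whether later teardown steps can re-establish the TLS cannot be checked here.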