From 9fd3d53bc95ae8f8fb756e2956bf5fc6512bfe4e Mon Sep 17 00:00:00 2001
From: "liang.he"
Date: Tue, 15 Mar 2022 20:10:48 +0800
Subject: [PATCH] Reset members of jit block/value stack after destroy (#1048)
After `jit_value_stack_destory()`, the `JitValue` pointed by `value_list_head` and `value_list_end` are freed and still keep the value. So, when `jit_value_stack_push()` is called, for example, `load_block_params()` after `jit_value_stack_destroy()` in `handle_op_else()`, `value_stack` will not be treated like an empty one, and new `JitValue` will be appended to `value_list_end`, which is a dangling pointer(pointer to the freed `JitValue`).
---
 core/iwasm/fast-jit/jit_ir.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/core/iwasm/fast-jit/jit_ir.c b/core/iwasm/fast-jit/jit_ir.c
index 4291ea0c9..c683d6ec1 100644
--- a/core/iwasm/fast-jit/jit_ir.c
+++ b/core/iwasm/fast-jit/jit_ir.c
@@ -1330,6 +1330,9 @@ jit_value_stack_destroy(JitValueStack *stack)
 jit_free(value);
 value = p;
 }
+
+ stack->value_list_head = NULL;
+ stack->value_list_end = NULL;
 }
 void
@@ -1373,6 +1376,9 @@ jit_block_stack_destroy(JitBlockStack *stack)
 jit_block_destroy(block);
 block = p;
 }
+
+ stack->block_list_head = NULL;
+ stack->block_list_end = NULL;
 }
 bool
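Review bot: The two assignments at the end of jit_value_stack_destroy turn "destroy" into "reset to an empty, reusable stack", which is the contract handle_op_else() relies on according to the description, but nothing in the code states it; a one-line comment above them, `/* Leave the stack empty so it is safe to push to again after destroy */`, would make that explicit, and the same applies to the matching hunk in jit_block_stack_destroy. If JitValueStack or JitBlockStack carries any other state derived from the list (an element count, a cached top-of-stack pointer), it would need resetting alongside the two list pointers — the struct definitions are not in the hunk, so this should be confirmed against the header that declares them. A second destroy call on the same stack now appears to be harmless, since the head pointer is NULL on the second pass, assuming the freeing loop starts from value_list_head / block_list_head. The loop header and the function signature of both functions lie outside the hunks.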