• src/syncterm/wren/vm/wren_vm.c

    From Deuc¨@VERT to Git commit to main/sbbs/master on Sat May 2 15:47:32 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/3e714141aa290190f0f09cdd
    Modified Files:
    src/syncterm/wren/vm/wren_vm.c
    Log Message:
    Wren: close upvalues on fiber abort to prevent UAF

    runtimeError() unwound the caller chain without calling
    closeUpvalues() on the aborting fibers. Every other code path
    that ends a function's stack -- CODE_RETURN, CODE_CLOSE_UPVALUE --
    closes upvalues first; the abort path was the lone exception.

    A closure created inside an aborted frame that survives (held by
    a module-level static, a host callback, an observer list, ...) keeps
    upvalues whose `value` pointers still point INTO the dead fiber's
    stack. Once GC reclaims the dead fiber and DEALLOCATEs its stack,
    subsequent reads through those upvalues return whatever now lives
    at that address -- silently wrong values at best, SIGSEGV at worst
    when the freed memory gets recycled into something whose bytes
    decode as a tagged pointer to a stale ObjUpvalue.

    Reproducer (200 fibers each capture and abort, then read back):
    before -- 194 of 200 closures returned the wrong value
    after -- 0 of 200 wrong

    Filed upstream as wren-lang/wren#1234.

    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

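The mechanism the log message describes, as an added example that is not code from the commit or from Wren: a simplified model in which an open upvalue points into a fiber's stack until it is closed. The `Upvalue` and `Fiber` types, `capture`, `close_upvalues` and `abort_and_read` are illustrative names assumed here, and the check is made before the stack is freed so the dangling pointer is never dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; these types are illustrative, not Wren's definitions. */
typedef struct Upvalue {
    double *value;         /* points into the fiber stack while open */
    double closed;         /* holds the value once the upvalue is closed */
    struct Upvalue *next;  /* next open upvalue on the same fiber */
} Upvalue;
typedef struct { double *stack; Upvalue *open_upvalues; } Fiber;

static Upvalue *capture(Fiber *f, int slot) {
    Upvalue *u = malloc(sizeof *u);
    u->value = &f->stack[slot];
    u->closed = 0;
    u->next = f->open_upvalues;
    f->open_upvalues = u;
    return u;
}

/* Copy each captured slot into its upvalue and repoint the upvalue at it. */
static void close_upvalues(Fiber *f) {
    while (f->open_upvalues != NULL) {
        Upvalue *u = f->open_upvalues;
        u->closed = *u->value;
        u->value = &u->closed;
        f->open_upvalues = u->next;
    }
}

/* Returns 1 if the upvalue would dangle; else reads it into *out, returns 0. */
static int abort_and_read(int close_on_abort, double *out) {
    Fiber f = { calloc(8, sizeof(double)), NULL };
    f.stack[3] = 42.0;                 /* constructed sample local */
    Upvalue *u = capture(&f, 3);       /* the closure outlives the fiber */
    if (close_on_abort) close_upvalues(&f);
    int dangling = (u->value != &u->closed);  /* decided before the free */
    free(f.stack);                     /* dead fiber's stack is reclaimed */
    if (!dangling) *out = *u->value;   /* only read through a closed upvalue */
    free(u);
    return dangling;
}

int main(void) {
    double v = 0;
    int before = abort_and_read(0, &v), after = abort_and_read(1, &v);
    printf("dangling without close: %d, with close: %d (value %g)\n", before, after, v);
    return 0;
}
```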