Analyzing and Fixing realloc Memory Issues in WABT's wasm2c Component

WebAssembly (Wasm) is a stack‑based binary instruction format designed as a portable compilation target for high‑level languages such as C, C++, and Rust, enabling client‑side and server‑side applications.

1. Introduction to the WABT Project

The WebAssembly Binary Toolkit (WABT) is a foundational set of tools referenced by many projects, including Ethereum’s next‑generation virtual machine Hera and EOS’s VM. It offers a complete suite of utilities for convenient conversion between various Wasm file formats. The project repository is https://github.com/WebAssembly/wabt .

2. Issue in WABT

A memory problem was discovered in the wasm2c component, specifically in wasm-rt-impl.c within the function wasm_rt_register_func_type, where realloc is used incorrectly.

uint32_t wasm_rt_register_func_type(uint32_t param_count,
                                    uint32_t result_count,
                                    ...) {
  FuncType func_type;
  ...
  uint32_t idx = g_func_type_count++;
  // Critical realloc call
  g_func_types = realloc(g_func_types, g_func_type_count * sizeof(FuncType));
  g_func_types[idx] = func_type;
  return idx + 1;
}

The code illustrates two classic misuse patterns of realloc:

2.1 Failure‑Detection Issue

If realloc fails, it returns NULL, overwriting the original pointer and causing a memory leak. The unsafe pattern looks like this:

void *p = realloc(p, size);
if (!p) {
  // handle error and return
  ...
  return err;
}

A safer approach is to use a temporary pointer:

void *pTmp = realloc(p, size);
if (!pTmp) {
  // handle error and return
  ...
  return err;
}

p = pTmp;

2.2 Zero‑Size Allocation Issue

Calling realloc(p, 0) can either free the memory and return NULL (C89/C90) or return an implementation‑defined pointer that must not be dereferenced (C++11 onward). Using the result as a valid pointer leads to double‑free crashes:

void *pTmp = realloc(p, 0);
free(pTmp);

This demonstrates the importance of handling both failure and zero‑size cases correctly.

3. Fix

The bug has been reported on GitHub and a new branch wasm2c-realloc was created to address it. The corrected code follows the safe temporary‑pointer pattern described above, and the changes have been merged into the main branch.

4. Conclusion

The analysis shows that memory management in C/C++ is considerably more intricate than in higher‑level languages; overlooking subtle behaviors of functions like realloc can easily introduce bugs. Understanding and applying proper allocation patterns prevents such issues.