Catcrafts/Crafter.Build
2
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

wasi-runtime random_get is a no-op stub (returns 0, writes nothing) #22

New issue
Closed
opened 2026-06-02 02:03:14 +02:00 by catbot · 0 comments
catbot commented 2026-06-02 02:03:14 +02:00
Member
Copy link

In wasi-runtime/runtime.js the WASI random_get import is stubbed:

random_get() { return 0; }

It returns success (0) but never writes any bytes into the target buffer, so the destination stays whatever it was (zero in practice). Any wasm program that uses std::random_device (or otherwise calls random_get) therefore gets all-zero "randomness".

This bit us in 3DForts: every browser tab generated an identical all-zero peer id from std::random_device, which collided WebRTC signaling routing (two peers can't share an id). We worked around it app-side by sourcing entropy from crypto.getRandomValues via our own JS bridge, but the runtime stub is the root cause and will silently break any other random_device user.

Suggested fix: back random_get with crypto.getRandomValues, e.g.

random_get(ptr, len) {
    const mem = new Uint8Array(this.instance.exports.memory.buffer, ptr, len);
    crypto.getRandomValues(mem);
    return 0;
}

(adjust for how the runtime accesses wasm memory / the import's arg shape). Found via Catcrafts/3DForts#50.

In `wasi-runtime/runtime.js` the WASI `random_get` import is stubbed: ```js random_get() { return 0; } ``` It returns success (`0`) but never writes any bytes into the target buffer, so the destination stays whatever it was (zero in practice). Any wasm program that uses `std::random_device` (or otherwise calls `random_get`) therefore gets all-zero "randomness". This bit us in 3DForts: every browser tab generated an identical all-zero peer id from `std::random_device`, which collided WebRTC signaling routing (two peers can't share an id). We worked around it app-side by sourcing entropy from `crypto.getRandomValues` via our own JS bridge, but the runtime stub is the root cause and will silently break any other `random_device` user. Suggested fix: back `random_get` with `crypto.getRandomValues`, e.g. ```js random_get(ptr, len) { const mem = new Uint8Array(this.instance.exports.memory.buffer, ptr, len); crypto.getRandomValues(mem); return 0; } ``` (adjust for how the runtime accesses wasm memory / the import's arg shape). Found via Catcrafts/3DForts#50.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
latest
Labels
Clear labels   
bug
Something isn't working

  
claude:done

   
claude:failed

   
claude:in-progress

   
claude:ready
Ready for Claude to pick up

  
documentation
Improvements or additions to documentation

  
duplicate
This issue or pull request already exists

  
enhancement
New feature or request

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
question
Further information is requested

  
wontfix
This will not be worked on

No labels
bug
claude:done
claude:failed
claude:in-progress
claude:ready
documentation
duplicate
enhancement
good first issue
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Catcrafts/Crafter.Build#22
No description provided.