Segfault when loading WASM plugin

[shaneutt]

When loading this WASM module on Envoy it segfaults in v8::Isolate::Initialize().

After it's re-kicked, it starts working.

Logs & Details

Applied via Istio's WasmPlugin:

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  creationTimestamp: "2026-02-17T20:26:05Z"
  generation: 1
  name: coraza-engine-coraza
  namespace: integration-tests
  ownerReferences:
  - apiVersion: waf.k8s.coraza.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Engine
    name: coraza
    uid: 9ccc4e0c-c202-4ee3-80f8-de581a26b437
  resourceVersion: "2311"
  uid: bdbc7793-7ce9-449e-88d8-7ec480606beb
spec:
  pluginConfig:
    cache_server_cluster: outbound|80||coraza-controller-manager.coraza-system.svc.cluster.local
    cache_server_instance: integration-tests/default-ruleset
    rule_reload_interval_seconds: 5
  selector:
    matchLabels:
      gateway.networking.k8s.io/gateway-name: coraza-gateway
  url: oci://ghcr.io/networking-incubator/coraza-proxy-wasm:179ea90b2617f557f805fe672daf880c14c6b8b7

When loaded the first time, it fails:

$ kubectl logs -f deployments/coraza-gateway-istio
2026-02-17T20:24:00.708164Z	info	FLAG: --concurrency="0"
2026-02-17T20:24:00.708196Z	info	FLAG: --domain="integration-tests.svc.cluster.local"
2026-02-17T20:24:00.708199Z	info	FLAG: --help="false"
2026-02-17T20:24:00.708201Z	info	FLAG: --log_as_json="false"
2026-02-17T20:24:00.708202Z	info	FLAG: --log_caller=""
2026-02-17T20:24:00.708205Z	info	FLAG: --log_output_level="default:info"
2026-02-17T20:24:00.708206Z	info	FLAG: --log_stacktrace_level="default:none"
2026-02-17T20:24:00.708211Z	info	FLAG: --log_target="[stdout]"
2026-02-17T20:24:00.708213Z	info	FLAG: --meshConfig="./etc/istio/config/mesh"
2026-02-17T20:24:00.708215Z	info	FLAG: --outlierLogPath=""
2026-02-17T20:24:00.708217Z	info	FLAG: --profiling="true"
2026-02-17T20:24:00.708218Z	info	FLAG: --proxyComponentLogLevel="misc:error"
2026-02-17T20:24:00.708220Z	info	FLAG: --proxyLogLevel="warning"
2026-02-17T20:24:00.708221Z	info	FLAG: --serviceCluster="istio-proxy"
2026-02-17T20:24:00.708223Z	info	FLAG: --stsPort="0"
2026-02-17T20:24:00.708225Z	info	FLAG: --templateFile=""
2026-02-17T20:24:00.708226Z	info	FLAG: --tokenManagerPlugin=""
2026-02-17T20:24:00.708229Z	info	FLAG: --vklog="0"
2026-02-17T20:24:00.708231Z	info	Version 1.28.2-ab413ac6c1f40b2f7c69d97e0db4e712e4ef1ecc-Clean
2026-02-17T20:24:00.708421Z	info	Proxy role	ips=[10.244.0.9] type=router id=coraza-gateway-istio-ff5596897-7nwzp.integration-tests domain=integration-tests.svc.cluster.local
2026-02-17T20:24:00.708475Z	info	Apply proxy config from env {"discoveryAddress":"istiod-coraza.coraza-system.svc:15012"}

2026-02-17T20:24:00.710097Z	info	cpu limit detected as 2, setting concurrency
2026-02-17T20:24:00.710223Z	info	Effective config: binaryPath: /usr/local/bin/envoy
concurrency: 2
configPath: ./etc/istio/proxy
controlPlaneAuthPolicy: MUTUAL_TLS
discoveryAddress: istiod-coraza.coraza-system.svc:15012
drainDuration: 45s
proxyAdminPort: 15000
serviceCluster: istio-proxy
statNameLength: 189
statusPort: 15020
terminationDrainDuration: 5s

2026-02-17T20:24:00.710234Z	info	JWT policy is third-party-jwt
2026-02-17T20:24:00.710236Z	info	using credential fetcher of JWT type in cluster.local trust domain
2026-02-17T20:24:00.911579Z	info	Opening status port 15020
2026-02-17T20:24:00.911601Z	info	Starting default Istio SDS Server
2026-02-17T20:24:00.911617Z	info	CA Endpoint istiod-coraza.coraza-system.svc:15012, provider Citadel
2026-02-17T20:24:00.911635Z	info	Using CA istiod-coraza.coraza-system.svc:15012 cert with certs: var/run/secrets/istio/root-cert.pem
2026-02-17T20:24:00.912146Z	info	xdsproxy	Initializing with upstream address "istiod-coraza.coraza-system.svc:15012" and cluster "Kubernetes"
2026-02-17T20:24:00.912307Z	info	sds	Starting SDS grpc server
2026-02-17T20:24:00.912326Z	info	sds	Starting SDS server for workload certificates, will listen on "var/run/secrets/workload-spiffe-uds/socket"
2026-02-17T20:24:00.913187Z	info	Pilot SAN: [istiod-coraza.coraza-system.svc]
2026-02-17T20:24:00.915011Z	info	Starting proxy agent
2026-02-17T20:24:00.915042Z	info	Envoy command: [-c etc/istio/proxy/envoy-rev.json --drain-time-s 45 --drain-strategy immediate --local-address-ip-version v4 --file-flush-interval-msec 1000 --disable-hot-restart --allow-unknown-static-fields -l warning --component-log-level misc:error --skip-deprecated-logs --concurrency 2]
2026-02-17T20:24:00.955102Z	info	xdsproxy	connected to delta upstream XDS server: istiod-coraza.coraza-system.svc:15012	id=1
2026-02-17T20:24:00.966778Z	info	ads	ADS: new connection for node:1
2026-02-17T20:24:00.967562Z	info	ads	ADS: new connection for node:2
2026-02-17T20:24:00.976181Z	info	cache	generated new workload certificate	resourceName=default latency=63.765414ms ttl=23h59m59.023822596s
2026-02-17T20:24:00.976383Z	info	cache	Root cert has changed, start rotating root cert
2026-02-17T20:24:00.976417Z	info	cache	returned workload trust anchor from cache	ttl=23h59m59.023583493s
2026-02-17T20:24:00.976411Z	info	cache	returned workload certificate from cache	ttl=23h59m59.023591459s
2026-02-17T20:24:00.976505Z	info	cache	returned workload trust anchor from cache	ttl=23h59m59.023495363s
2026-02-17T20:24:00.976763Z	info	cache	returned workload trust anchor from cache	ttl=23h59m59.023237024s
2026-02-17T20:24:01.415634Z	info	Readiness succeeded in 709.472124ms
2026-02-17T20:24:01.415847Z	info	Envoy proxy is ready
2026-02-17T20:26:05.408094Z	info	wasm	fetching image networking-incubator/coraza-proxy-wasm from registry ghcr.io with tag 179ea90b2617f557f805fe672daf880c14c6b8b7
2026-02-17T20:26:12.147806Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Fetching initial rules from ruleset cache server: outbound|80||coraza-controller-manager.coraza-system.svc.cluster.local, instance: integration-tests/default-ruleset	thread=21
2026-02-17T20:26:12.148297Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Enabled periodic rule reloading every 5 seconds	thread=21
2026-02-17T20:26:12.149245Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:129	Caught Segmentation fault, suspect faulting address 0x7ff3bc7d0540	thread=29
2026-02-17T20:26:12.149255Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:113	Backtrace (use tools/stack_decode.py to get line numbers):	thread=29
2026-02-17T20:26:12.149261Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:114	Envoy version: 0879e0055d1da524a89415acd456e230b27fba70/1.36.5-dev/Clean/RELEASE/BoringSSL	thread=29
2026-02-17T20:26:12.149263Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:116	Address mapping: 55976344a000-5597668c1000 /usr/local/bin/envoy	thread=29
2026-02-17T20:26:12.159170Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:123	#0: [0x7ff3d5857330]	thread=29
2026-02-17T20:26:12.166288Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Fetching initial rules from ruleset cache server: outbound|80||coraza-controller-manager.coraza-system.svc.cluster.local, instance: integration-tests/default-ruleset	thread=21
2026-02-17T20:26:12.166444Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Enabled periodic rule reloading every 5 seconds	thread=21
2026-02-17T20:26:12.175179Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Successfully loaded and activated WAF configuration (UUID: 89902274-0468-4235-8620-ae626dbd876c, 1434 bytes) from the ruleset cache server	thread=21
2026-02-17T20:26:12.177708Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#1: v8::internal::Isolate::InitializeBuiltinJSDispatchTable() [0x559764280e4e]	thread=29
2026-02-17T20:26:12.181562Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#2: v8::internal::Isolate::Init() [0x5597642803da]	thread=29
2026-02-17T20:26:12.183765Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#3: v8::internal::Isolate::InitWithSnapshot() [0x559764280b99]	thread=29
2026-02-17T20:26:12.188877Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#4: v8::internal::Snapshot::Initialize() [0x5597646f51c0]	thread=29
2026-02-17T20:26:12.191198Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#5: v8::Isolate::Initialize() [0x5597641538cb]	thread=29
2026-02-17T20:26:12.194092Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#6: v8::Isolate::New() [0x559764153b66]	thread=29
2026-02-17T20:26:12.197782Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#7: wasm::Store::make() [0x559763f522f1]	thread=29
2026-02-17T20:26:12.202753Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#8: proxy_wasm::v8::V8::clone() [0x559763f274c3]	thread=29
2026-02-17T20:26:12.205637Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#9: proxy_wasm::WasmBase::WasmBase() [0x559763f1abb7]	thread=29
2026-02-17T20:26:12.218583Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#10: Envoy::Extensions::Common::Wasm::Wasm::Wasm() [0x559763cf5c91]	thread=29
2026-02-17T20:26:12.221440Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#11: std::__1::allocate_shared[abi:ne180100]<>() [0x559763cfd0ad]	thread=29
2026-02-17T20:26:12.223976Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#12: std::__1::__function::__func<>::operator()() [0x559763cfccc0]	thread=29
2026-02-17T20:26:12.227413Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#13: proxy_wasm::getOrCreateThreadLocalPlugin() [0x559763f20b45]	thread=29
2026-02-17T20:26:12.229753Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#14: Envoy::Extensions::Common::Wasm::getOrCreateThreadLocalPlugin() [0x559763cfb16b]	thread=29
2026-02-17T20:26:12.232021Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#15: std::__1::__function::__func<>::operator()() [0x559763d02706]	thread=29
2026-02-17T20:26:12.234325Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#16: std::__1::__function::__func<>::operator()() [0x559763d023bf]	thread=29
2026-02-17T20:26:12.236740Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#17: std::__1::__function::__func<>::operator()() [0x559765784388]	thread=29
2026-02-17T20:26:12.240297Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#18: Envoy::Event::DispatcherImpl::runPostCallbacks() [0x559765fae847]	thread=29
2026-02-17T20:26:12.243473Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#19: event_process_active_single_queue [0x5597662d258c]	thread=29
2026-02-17T20:26:12.246166Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#20: event_base_loop [0x5597662d1301]	thread=29
2026-02-17T20:26:12.249150Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#21: Envoy::Server::WorkerImpl::threadRoutine() [0x5597657ab549]	thread=29
2026-02-17T20:26:12.251555Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:121	#22: Envoy::Thread::PosixThreadFactory::createPthread()::$_0::__invoke() [0x5597662e2136]	thread=29
2026-02-17T20:26:12.251612Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:123	#23: [0x7ff3d58aeaa4]	thread=29
2026-02-17T20:26:12.251632Z	critical	envoy backtrace external/envoy/source/server/backtrace.h:123	#24: [0x7ff3d593bc6c]	thread=29
2026-02-17T20:26:21.673102Z	info	ads	ADS: "" 1 terminated
2026-02-17T20:26:21.673318Z	info	ads	ADS: "" 2 terminated
2026-02-17T20:26:21.673417Z	error	Envoy exited with error: signal: segmentation fault (core dumped)

On restart it loads and functions properly thereafter:

$ k logs -f deployments/coraza-gateway-istio
2026-02-17T20:26:23.321290Z	info	FLAG: --concurrency="0"
2026-02-17T20:26:23.321330Z	info	FLAG: --domain="integration-tests.svc.cluster.local"
2026-02-17T20:26:23.321336Z	info	FLAG: --help="false"
2026-02-17T20:26:23.321338Z	info	FLAG: --log_as_json="false"
2026-02-17T20:26:23.321340Z	info	FLAG: --log_caller=""
2026-02-17T20:26:23.321342Z	info	FLAG: --log_output_level="default:info"
2026-02-17T20:26:23.321344Z	info	FLAG: --log_stacktrace_level="default:none"
2026-02-17T20:26:23.321352Z	info	FLAG: --log_target="[stdout]"
2026-02-17T20:26:23.321354Z	info	FLAG: --meshConfig="./etc/istio/config/mesh"
2026-02-17T20:26:23.321356Z	info	FLAG: --outlierLogPath=""
2026-02-17T20:26:23.321358Z	info	FLAG: --profiling="true"
2026-02-17T20:26:23.321360Z	info	FLAG: --proxyComponentLogLevel="misc:error"
2026-02-17T20:26:23.321361Z	info	FLAG: --proxyLogLevel="warning"
2026-02-17T20:26:23.321363Z	info	FLAG: --serviceCluster="istio-proxy"
2026-02-17T20:26:23.321365Z	info	FLAG: --stsPort="0"
2026-02-17T20:26:23.321367Z	info	FLAG: --templateFile=""
2026-02-17T20:26:23.321368Z	info	FLAG: --tokenManagerPlugin=""
2026-02-17T20:26:23.321371Z	info	FLAG: --vklog="0"
2026-02-17T20:26:23.321374Z	info	Version 1.28.2-ab413ac6c1f40b2f7c69d97e0db4e712e4ef1ecc-Clean
2026-02-17T20:26:23.321687Z	info	Proxy role	ips=[10.244.0.9] type=router id=coraza-gateway-istio-ff5596897-7nwzp.integration-tests domain=integration-tests.svc.cluster.local
2026-02-17T20:26:23.321754Z	info	Apply proxy config from env {"discoveryAddress":"istiod-coraza.coraza-system.svc:15012"}

2026-02-17T20:26:23.323879Z	info	cpu limit detected as 2, setting concurrency
2026-02-17T20:26:23.324176Z	info	Effective config: binaryPath: /usr/local/bin/envoy
concurrency: 2
configPath: ./etc/istio/proxy
controlPlaneAuthPolicy: MUTUAL_TLS
discoveryAddress: istiod-coraza.coraza-system.svc:15012
drainDuration: 45s
proxyAdminPort: 15000
serviceCluster: istio-proxy
statNameLength: 189
statusPort: 15020
terminationDrainDuration: 5s

2026-02-17T20:26:23.324191Z	info	JWT policy is third-party-jwt
2026-02-17T20:26:23.324194Z	info	using credential fetcher of JWT type in cluster.local trust domain
2026-02-17T20:26:23.526403Z	info	Starting default Istio SDS Server
2026-02-17T20:26:23.526687Z	info	CA Endpoint istiod-coraza.coraza-system.svc:15012, provider Citadel
2026-02-17T20:26:23.526990Z	info	Using CA istiod-coraza.coraza-system.svc:15012 cert with certs: var/run/secrets/istio/root-cert.pem
2026-02-17T20:26:23.526959Z	info	Opening status port 15020
2026-02-17T20:26:23.528034Z	info	xdsproxy	Initializing with upstream address "istiod-coraza.coraza-system.svc:15012" and cluster "Kubernetes"
2026-02-17T20:26:23.529020Z	info	Pilot SAN: [istiod-coraza.coraza-system.svc]
2026-02-17T20:26:23.529643Z	info	Starting proxy agent
2026-02-17T20:26:23.529667Z	info	Envoy command: [-c etc/istio/proxy/envoy-rev.json --drain-time-s 45 --drain-strategy immediate --local-address-ip-version v4 --file-flush-interval-msec 1000 --disable-hot-restart --allow-unknown-static-fields -l warning --component-log-level misc:error --skip-deprecated-logs --concurrency 2]
2026-02-17T20:26:23.544797Z	info	sds	Starting SDS grpc server
2026-02-17T20:26:23.544846Z	info	sds	Starting SDS server for workload certificates, will listen on "var/run/secrets/workload-spiffe-uds/socket"
2026-02-17T20:26:23.564375Z	info	cache	generated new workload certificate	resourceName=default latency=36.148861ms ttl=23h59m59.435631764s
2026-02-17T20:26:23.564452Z	info	cache	Root cert has changed, start rotating root cert
2026-02-17T20:26:23.564490Z	info	cache	returned workload trust anchor from cache	ttl=23h59m59.435510116s
2026-02-17T20:26:23.599503Z	info	xdsproxy	connected to delta upstream XDS server: istiod-coraza.coraza-system.svc:15012	id=1
2026-02-17T20:26:23.620341Z	info	ads	ADS: new connection for node:1
2026-02-17T20:26:23.620424Z	info	cache	returned workload certificate from cache	ttl=23h59m59.379578567s
2026-02-17T20:26:23.622020Z	info	ads	ADS: new connection for node:2
2026-02-17T20:26:23.623392Z	info	cache	returned workload trust anchor from cache	ttl=23h59m59.376610712s
2026-02-17T20:26:23.644638Z	info	wasm	fetching image networking-incubator/coraza-proxy-wasm from registry ghcr.io with tag 179ea90b2617f557f805fe672daf880c14c6b8b7
2026-02-17T20:26:30.669173Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Fetching initial rules from ruleset cache server: outbound|80||coraza-controller-manager.coraza-system.svc.cluster.local, instance: integration-tests/default-ruleset	thread=21
2026-02-17T20:26:30.669686Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Enabled periodic rule reloading every 5 seconds	thread=21
2026-02-17T20:26:30.701272Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Fetching initial rules from ruleset cache server: outbound|80||coraza-controller-manager.coraza-system.svc.cluster.local, instance: integration-tests/default-ruleset	thread=21
2026-02-17T20:26:30.701649Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Enabled periodic rule reloading every 5 seconds	thread=21
2026-02-17T20:26:30.748934Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Fetching initial rules from ruleset cache server: outbound|80||coraza-controller-manager.coraza-system.svc.cluster.local, instance: integration-tests/default-ruleset	thread=38
2026-02-17T20:26:30.749957Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Enabled periodic rule reloading every 5 seconds	thread=38
2026-02-17T20:26:30.752174Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Successfully loaded and activated WAF configuration (UUID: 89902274-0468-4235-8620-ae626dbd876c, 1434 bytes) from the ruleset cache server	thread=38
2026-02-17T20:26:30.762168Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Fetching initial rules from ruleset cache server: outbound|80||coraza-controller-manager.coraza-system.svc.cluster.local, instance: integration-tests/default-ruleset	thread=37
2026-02-17T20:26:30.762975Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Enabled periodic rule reloading every 5 seconds	thread=37
2026-02-17T20:26:30.765485Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Successfully loaded and activated WAF configuration (UUID: 89902274-0468-4235-8620-ae626dbd876c, 1434 bytes) from the ruleset cache server	thread=37
2026-02-17T20:26:30.774028Z	critical	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1158	wasm log: Successfully loaded and activated WAF configuration (UUID: 89902274-0468-4235-8620-ae626dbd876c, 1434 bytes) from the ruleset cache server	thread=21
2026-02-17T20:26:31.420433Z	info	Readiness succeeded in 8.101963767s
2026-02-17T20:26:31.420933Z	info	Envoy proxy is ready

Note that the WASM module is logging its startup this time.

Other Details

OCI image:

coraza-proxy-wasm:179ea90b2617f557f805fe672daf880c14c6b8b7

Kubernetes Version (kind cluster):

Client Version: v1.29.15
Server Version: v1.35.0

Sail Operator Version:

sail-operator	sail-operator	1       	2026-02-17 15:16:01.513419755 -0500 EST	deployed	sail-operator-1.28.2	1.28.2

Istio Version:

apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"sailoperator.io/v1","kind":"Istio","metadata":{"annotations":{},"name":"coraza"},"spec":{"namespace":"coraza-system","values":{"pilot":{"env":{"ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT":"false","PILOT_ENABLE_ALPHA_GATEWAY_API":"false","PILOT_ENABLE_GATEWAY_API":"true","PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY":"true","PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS":"false","PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER":"true","PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER":"false","PILOT_ENABLE_GATEWAY_API_STATUS":"true","PILOT_GATEWAY_API_CONTROLLER_NAME":"istio.io/gateway-controller","PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME":"istio","PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API":"false"}}},"version":"v1.28.2"}}
  creationTimestamp: "2026-02-17T20:16:49Z"
  generation: 1
  name: coraza
  resourceVersion: "947"
  uid: 691769f2-3eee-4973-b0f6-adaed9ed96a7
spec:
  namespace: coraza-system
  updateStrategy:
    type: InPlace
  values:
    pilot:
      env:
        ENABLE_GATEWAY_API_MANUAL_DEPLOYMENT: "false"
        PILOT_ENABLE_ALPHA_GATEWAY_API: "false"
        PILOT_ENABLE_GATEWAY_API: "true"
        PILOT_ENABLE_GATEWAY_API_CA_CERT_ONLY: "true"
        PILOT_ENABLE_GATEWAY_API_COPY_LABELS_ANNOTATIONS: "false"
        PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER: "true"
        PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLER: "false"
        PILOT_ENABLE_GATEWAY_API_STATUS: "true"
        PILOT_GATEWAY_API_CONTROLLER_NAME: istio.io/gateway-controller
        PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAME: istio
        PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_API: "false"
  version: v1.28.2
status:
  activeRevisionName: coraza
  conditions:
  - lastTransitionTime: "2026-02-17T20:16:49Z"
    status: "True"
    type: Reconciled
  - lastTransitionTime: "2026-02-17T20:18:08Z"
    status: "True"
    type: Ready
  - lastTransitionTime: "2026-02-17T20:16:49Z"
    status: "True"
    type: DependenciesHealthy
  observedGeneration: 1
  revisions:
    inUse: 1
    ready: 1
    total: 1
  state: Healthy

Envoy Version:

gcr.io/istio-release/proxyv2:1.28.2

Important - Time-Boxing

This issue is considered part of the CKO's v0.2.0 milestone.

However: we need to time-box this. If after roughly ~1day or so we don't feel like we're close to solving this then kick this back to v0.5.0 scope and we'll solve it after the more immediate critical path.

[alexsnaps]

Question here, I want to be sure I scope the issue right:

This "only" happens on fresh envoy starting up and missing the module, right? When the module is there and it starts up, that's fine. But when the module gets installed thru Istio on a running instance, that works too right?

afaict, from these logs at least, this looks like a race condition there. Somehow envoy is ready, yet the runtimes are still initialized, and one actually starts, then one other SIGSEGV. When starting fine, the modules starting up fine happen before envoy is actually ready.

[shaneutt]

If the proxy is running it crashes almost all of the time. On next startup it loads and run properly. More testing needed to further pin down the characteristics.

[alexsnaps]

From looking into it, "bad v8 usage", as per this here, can lead to this InitializeBuiltinJSDispatchTable to SIGSEGV. Now I guess part of the issue is also the fact that the module (which obviously is starting up) uses e.g import "gojs" "syscall/js.valueIndex". Now based on some real quick testing, using Golang wasip1 target, still requires some of these imports. Basing my reasoning on the fact that we've never observed that issue afaik with our rust wasm module, which "only" relies on wasi_snapshot_preview1 imports (along side the env proxy wasm ones of course)

[alexsnaps]

My understanding that's out of our control. Well, other than fixing in envoy. Now maybe, 🔥 tinygo could help us "bypassing this race". But I have little hope tbh, because of where it segfaults & the imports I have seen in the wasm imports in the resulting module from a go wasip1 build.

[shaneutt]

Sounds good, parking for now until after v0.4.0 and we will return to this.

[alexsnaps]

Could be unrelated, but a Kuadrant user is now seeing something possibly similiar.