258805 2023-07-03 04:50:40 -0700 SHOULD NEVER BE REACHED: Source/JavaScriptCore/wasm/WasmTypeDefinition.h(311) : size_t JSC::Wasm::typeKindSizeInBytes(JSC::Wasm::TypeKind) 2024-01-30 22:29:49 -0800 1 1 1 Unclassified WebKit WebAssembly WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 247394 1 xiangwei1895 asumu d_degazio justin_michaud mark.lam webkit-bug-importer oldest_to_newest 1964770 0 xiangwei1895 2023-07-03 04:50:40 -0700 ## JavaScriptCore Version 1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81 ## Build Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64) ./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'" ## Testcase and Execution steps ``` var buffer = new Uint8Array([0,97,115,109,1,0,0,0,1,142,129,128,128,0,12,80,0,95,3,123,1,127,1,123,0,80,0,95,3,127,0,127,1,124,1,80,0,95,3,127,0,124,0,124,0,80,0,94,106,1,80,0,94,124,1,80,0,94,127,1,80,0,96,3,127,127,127,1,127,80,0,96,6,108,2,123,108,0,108,2,107,4,127,15,124,107,110,109,123,107,2,127,127,127,127,127,127,127,127,110,107,5,80,0,96,3,107,103,107,110,125,0,80,0,96,9,124,127,107,106,107,111,107,8,127,125,127,127,0,96,0,0,80,0,96,1,106,15,124,107,110,109,123,107,2,127,127,127,127,127,127,127,127,110,107,5,3,133,128,128,128,0,4,6,7,8,9,4,133,128,128,128,0,1,112,1,4,4,5,132,128,128,128,0,1,1,16,32,13,133,128,128,128,0,2,0,10,0,10,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,148,128,128,128,0,1,6,0,65,0,11,112,4,210,0,11,210,1,11,210,2,11,210,3,11,12,1,1,10,242,131,128,128,0,4,8,0,65,143,168,200,199,2,11,184,2,1,1,126,208,3,208,112,65,206,0,252,15,0,251,19,3,2,11,26,68,184,25,231,49,254,15,167,66,68,150,148,159,3,200,134,156,167,65,166,130,239,151,124,253,15,65,200,221,207,188,6,65,161,137,152,243,123,253,15,251,7,0,208,109,65,130,195,136,131,120,253,15,65,178,137,189,163,127,68,231,84,164,196,252,248,68,90,68,48,227,118,174,124,53,7,198,251,7,2,65,225,221,192,247,120,65,251,133,254,221,6,65,135,146,142,147,122,65,223,133,148,193,2,65,251,144,128,170,120,65,230,176,136,245,124,65,241,250,148,186,127,65,141,226,164,228,123,208,110,65,237,235,201,233,7,65,162,189,207,167,4,65,20,111,251,27,5,208,110,212,1,26,26,26,26,26,26,26,26,26,26,26,26,26,26,26,170,40,1,221,241,167,172,2,105,65,137,127,254,30,1,219,209,193,191,3,251,32,208,109,65,207,193,167,207,120,253,15,65,200,132,132,248,125,68,253,80,222,108,2,91,186,184,68,248,59,252,18,221,61,46,34,251,7,2,65,204,131,151,96,65,152,163,176,235,124,65,178,215,239,104,65,134,159,222,207,121,65,247,132,233,148,125,65,177,128,213,163,2,65,188,181,217,128,6,65,229,207,219,183,5,208,110,65,168,159,176,8,65,248,233,136,145,6,65,20,111,251,27,5,11,11,49,0,65,149,204,193,234,120,253,15,253,195,1,65,217,155,236,176,125,253,15,253,12,236,43,211,7,121,28,117,6,215,0,57,171,51,202,142,219,253,111,253,11,2,195,139,177,227,3,11,123,0,12,0,65,154,195,136,230,7,66,151,197,135,240,249,138,247,236,66,254,27,0,190,174,186,222,10,208,4,208,112,65,157,204,144,129,6,252,15,0,208,4,65,170,252,203,173,124,65,222,143,205,168,3,251,24,4,4,208,3,65,150,183,180,136,125,208,106,65,232,208,131,191,6,65,20,111,251,27,3,65,203,225,141,165,127,65,169,150,253,65,251,24,3,3,65,244,193,198,164,2,66,150,233,130,174,177,158,233,224,129,127,66,93,84,54,2,239,155,187,155,2,11,11,131,128,128,128,0,1,1,0]); var module = new WebAssembly.Module(buffer); ``` ./bin/jsc --useWebAssemblyGC=true testcase.js ## Output SHOULD NEVER BE REACHED /home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.h(311) : size_t JSC::Wasm::typeKindSizeInBytes(JSC::Wasm::TypeKind) ## Backtrace #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737178216384) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737178216384) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737178216384, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007fffed881476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007fffed8677f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff0c7a16f in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:762 #6 0x00007ffff50349a4 in JSC::Wasm::typeKindSizeInBytes (kind=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.h:311 #7 JSC::Wasm::typeSizeInBytes (storageType=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.h:482 #8 JSC::Wasm::SectionParser::parseStructType (this=0x7fffffffbb70, this@entry=0x7fffffffb460, position=0, structType=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:859 #9 0x00007ffff50386e8 in JSC::Wasm::SectionParser::parseSubtype (this=0x30753c, this@entry=0x7fffffffbb70, position=position@entry=0, subtype=..., recursionGroupTypes=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:1070 #10 0x00007ffff502ff20 in JSC::Wasm::SectionParser::parseType (this=0x30753c, this@entry=0x7fffffffbb70) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:92 #11 0x00007ffff5075976 in JSC::Wasm::StreamingParser::parseSectionPayload (this=this@entry=0x615000017f90, data=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:197 #12 0x00007ffff5078e17 in JSC::Wasm::StreamingParser::addBytes (this=0x30753c, bytes=0x617000001c80 "", bytesSize=755, isEndOfStream=(unknown: 0x14)) at /home/WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:344 #13 0x00007ffff4e71abd in JSC::Wasm::StreamingParser::addBytes (this=0x615000017f90, bytes=0x617000001c80 "", length=755) at /home/WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.h:81 #14 JSC::Wasm::EntryPlan::parseAndValidateModule (this=0x615000017f00, source=0x617000001c80 "", sourceLength=755) at /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:91 #15 0x00007ffff4ebe6c7 in JSC::Wasm::LLIntPlan::LLIntPlan(JSC::VM&, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&, JSC::Wasm::CompilerMode, WTF::RefPtr<WTF::SharedTask<void (JSC::Wasm::Plan&)>, WTF::RawPtrTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> >, WTF::DefaultRefDerefTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> > >&&) (this=0x615000017f00, vm=..., source=..., compilerMode=<optimized out>, task=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:49 #16 0x00007ffff4ff0550 in JSC::Wasm::Module::validateSync (vm=..., source=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmModule.cpp:70 #17 0x00007ffff5173ef8 in JSC::WebAssemblyModuleConstructor::createModule (globalObject=<optimized out>, globalObject@entry=0x61f000000ee8, callFrame=callFrame@entry=0x7fffffffc670, buffer=...) at /home/WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp:188 #18 0x00007ffff517505f in JSC::constructJSWebAssemblyModule (globalObject=0x61f000000ee8, callFrame=0x7fffffffc670) at /home/WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp:169 #19 0x00007fffabb000c7 in ?? () #20 0x00007fffffffc6f0 in ?? () #21 0x00007ffff0c59b95 in js_trampoline_op_construct () from /home/WebKit/asan/Debug/lib/libJavaScriptCore.so.1 #22 0x0000000000000000 in ?? () 1964883 1 webkit-bug-importer 2023-07-03 15:24:24 -0700 <rdar://problem/111708126> 2008691 2 asumu 2024-01-29 15:37:19 -0800 Pull request: https://github.com/WebKit/WebKit/pull/23472 2009221 3 ews-feeder 2024-01-30 22:29:47 -0800 Committed 273813@main (167dc00a1f29): <https://commits.webkit.org/273813@main> Reviewed commits have been landed. Closing PR #23472 and removing active labels.