268990 2024-02-08 08:18:39 -0800 Web process hits breakpoint in complex Wasm pages 2024-02-21 11:33:29 -0800 1 1 1 Unclassified WebKit WebAssembly WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 asumu justin_michaud bashorov darbinyan justin_michaud keith_miller mark.lam webkit-bug-importer oldest_to_newest 2011756 0 asumu 2024-02-08 08:18:39 -0800 There potentially appears to be a bug related to recent calling convention changes in Wasm (commit c2eee1bb4cec95f71e53400d83a2985463423c17). I unfortunately don't have a small reproduction case, but I do have consistent steps which worked for me at commit 200045f29c1b7ecf425cd1dc954c85689ac7f163. Step 1. Add the following patch just for debugging (to show which breakpoint you are at). ``` diff --git a/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp b/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp index 238443c5615b..dc36e73e94e0 100644 --- a/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp +++ b/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp @@ -137,6 +137,7 @@ void LLIntPlan::didCompleteCompilation() auto good = jit.branchPtr(MacroAssembler::Equal, GPRInfo::nonPreservedNonArgumentGPR0, MacroAssembler::TrustedImmPtr(reinterpret_cast<uint64_t>(CalleeBits::boxNativeCallee(m_calleesVector[i].ptr())))); jit.breakpoint(); + jit.move(MacroAssembler::Imm32(0xabababa), GPRInfo::nonPreservedNonArgumentGPR0); good.link(&jit); } jumps[i] = jit.jump(); ``` Step 2. Build WebKit in debug mode, run Minibrowser. Step 3. Go to a complex Wasm app such as the Doom 3 demo: https://wasm.continuation-labs.com/d3demo/ Step 4. The web process will crash non-deterministically (refresh if it doesn't crash). If you hook it up to `lldb -p` you will see that it has hit the breakpoint where we put the junk move to mark it above. 2011757 1 asumu 2024-02-08 08:26:05 -0800 Here's an example debugging output from the crash: ``` * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=1, subcode=0x2807e97a0) frame #0: 0x00000002807e97a0 -> 0x2807e97a0: brk #0xc471 0x2807e97a4: mov w8, #0xbaba 0x2807e97a8: movk w8, #0xaba, lsl #16 0x2807e97ac: b 0x28000c140 Target 0: (com.apple.WebKit.WebContent.Development) stopped. (lldb) x/20i 0x2807e9760 0x2807e9760: 0xf84083e8 unknown ldur x8, [sp, #0x8] 0x2807e9764: 0xd289a470 unknown mov x16, #0x4d23 0x2807e9768: 0xf2b98970 unknown movk x16, #0xcc4b, lsl #16 0x2807e976c: 0xf2c00030 unknown movk x16, #0x1, lsl #32 0x2807e9770: 0xeb10011f unknown cmp x8, x16 0x2807e9774: 0x54000080 unknown b.eq 0x2807e9784 0x2807e9778: 0xd4388e20 unknown brk #0xc471 0x2807e977c: 0x52975748 unknown mov w8, #0xbaba 0x2807e9780: 0x72a15748 unknown movk w8, #0xaba, lsl #16 0x2807e9784: 0x17e08a6f unknown b 0x28000c140 0x2807e9788: 0xf84083e8 unknown ldur x8, [sp, #0x8] 0x2807e978c: 0xd289c070 unknown mov x16, #0x4e03 0x2807e9790: 0xf2b98970 unknown movk x16, #0xcc4b, lsl #16 0x2807e9794: 0xf2c00030 unknown movk x16, #0x1, lsl #32 0x2807e9798: 0xeb10011f unknown cmp x8, x16 0x2807e979c: 0x54000080 unknown b.eq 0x2807e97ac -> 0x2807e97a0: 0xd4388e20 unknown brk #0xc471 0x2807e97a4: 0x52975748 unknown mov w8, #0xbaba 0x2807e97a8: 0x72a15748 unknown movk w8, #0xaba, lsl #16 0x2807e97ac: 0x17e08a65 unknown b 0x28000c140 ``` Note the junk data at 0x2807e97a4 showing it's the same breakpoint in the LLInt entry. 2013952 2 webkit-bug-importer 2024-02-15 08:19:13 -0800 <rdar://problem/123015079> 2015616 3 justin_michaud 2024-02-20 14:34:41 -0800 Pull request: https://github.com/WebKit/WebKit/pull/24842 2015742 4 ews-feeder 2024-02-21 06:31:29 -0800 Committed 275095@main (a9c33a2b496a): <https://commits.webkit.org/275095@main> Reviewed commits have been landed. Closing PR #24842 and removing active labels. 2015819 5 ap 2024-02-21 11:33:29 -0800 *** Bug 269598 has been marked as a duplicate of this bug. ***