271030 2024-03-14 19:03:35 -0700 Reproducible crash in WasmCallingConvention::numberOfStackArguments with TailCalls feature enabled 2024-08-14 15:10:23 -0700 1 1 1 Unclassified WebKit JavaScriptCore Other All Unspecified RESOLVED CONFIGURATION CHANGED InRadar P2 Normal --- 1 happytraveller3312 webkit-unassigned justin_michaud keith_miller mark.lam webkit-bug-importer ysuzuki oldest_to_newest 2021208 0 470376 happytraveller3312 2024-03-14 19:03:35 -0700 Created attachment 470376 the file that trigger crash get source code from github Repository:https://github.com/WebKit/WebKit lattest commit hash 711120e7edec012527620d07bf63d85713a180fd download and compile with args (./Tools/Scripts/build-jsc --jsc-only --build-dir=patch/) (bash) gdb source-to-webkit/patch/JSCOnly/Release/bin/jsc (gdb) set args --useWebAssemblyGC=true --useWebAssemblyTailCalls=true crash.js (gdb) r Starting program: source-to-webkit/patch/JSCOnly/Release/bin/jsc --useWebAssemblyGC=true --useWebAssemblyTailCalls=true crash.js [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". [New Thread 0x7fffe23b3640 (LWP 798332)] [New Thread 0x7fff9dbb0640 (LWP 798334)] [New Thread 0x7fff9d3af640 (LWP 798335)] [New Thread 0x7fff9cbae640 (LWP 798336)] [New Thread 0x7fff9c3ad640 (LWP 798337)] [New Thread 0x7fff9bbac640 (LWP 798338)] [New Thread 0x7fff9b3ab640 (LWP 798339)] [New Thread 0x7fff9abaa640 (LWP 798340)] [New Thread 0x7fff9a3a9640 (LWP 798341)] [New Thread 0x7fff99ba8640 (LWP 798342)] [New Thread 0x7fff993a7640 (LWP 798343)] [New Thread 0x7fff98ba6640 (LWP 798344)] [New Thread 0x7fff983a5640 (LWP 798345)] [New Thread 0x7fff97ba4640 (LWP 798348)] [New Thread 0x7fff973a3640 (LWP 798349)] [New Thread 0x7fff96ba2640 (LWP 798350)] [New Thread 0x7fff963a1640 (LWP 798351)] [New Thread 0x7fff95ba0640 (LWP 798352)] [New Thread 0x7fff9539f640 (LWP 798353)] [New Thread 0x7fff94b9e640 (LWP 798354)] [New Thread 0x7fff9439d640 (LWP 798355)] [New Thread 0x7fff93b9c640 (LWP 798356)] [New Thread 0x7fff9339b640 (LWP 798357)] [New Thread 0x7fff92b9a640 (LWP 798358)] [New Thread 0x7fff92399640 (LWP 798359)] [New Thread 0x7fff91b98640 (LWP 798360)] [New Thread 0x7fff91397640 (LWP 798361)] [New Thread 0x7fff90b96640 (LWP 798362)] [New Thread 0x7fff90395640 (LWP 798363)] [New Thread 0x7fff8fb94640 (LWP 798364)] [New Thread 0x7fff8f393640 (LWP 798365)] [New Thread 0x7fff8eb92640 (LWP 798366)] Thread 3 "t Helper Thread" received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fff9dbb0640 (LWP 798334)] 0x00007ffff76115b1 in WTF::Vector<JSC::X86Registers::XMMRegisterID, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::size (this=0x7ffff7fafb60 <JSC::Wasm::wasmCallingConvention()::staticWasmCallingConvention+16>) at WTF/Headers/wtf/Vector.h:799 799 size_t size() const { return m_size; } (gdb) bt #0 0x00007ffff76115b1 in WTF::Vector<JSC::X86Registers::XMMRegisterID, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::size ( this=0x7ffff7fafb60 <JSC::Wasm::wasmCallingConvention()::staticWasmCallingConvention+16>) at WTF/Headers/wtf/Vector.h:799 #1 JSC::Wasm::WasmCallingConvention::numberOfStackArguments (this=0x7ffff7fafb50 <JSC::Wasm::wasmCallingConvention()::staticWasmCallingConvention>, signature=...) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmCallingConvention.h:207 #2 JSC::Wasm::WasmCallingConvention::numberOfStackValues (this=0x7ffff7fafb50 <JSC::Wasm::wasmCallingConvention()::staticWasmCallingConvention>, signature=...) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmCallingConvention.h:255 #3 0x00007ffff7611d44 in JSC::Wasm::LLIntGenerator::addCallIndirect (this=0x7fff9dbac0d0, tableIndex=tableIndex@entry=0, signature=..., args=..., results=..., callType=JSC::CallLinkInfoBase::TailCall) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:1522 #4 0x00007ffff764389a in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this@entry=0x7fff9dbac1d0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2986 #5 0x00007ffff762c63b in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this@entry=0x7fff9dbac1d0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:482 #6 0x00007ffff75f8c19 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this@entry=0x7fff9dbac1d0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:435 #7 0x00007ffff75f718b in JSC::Wasm::parseAndCompileBytecode (functionStart=0x7fffe0000580 "", functionLength=<optimized out>, signature=..., info=..., functionIndex=functionIndex@entry=0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:586 #8 0x00007ffff7619e38 in JSC::Wasm::LLIntPlan::compileFunction (this=0x7fffe005d600, functionIndex=0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89 #9 0x00007ffff74d0596 in JSC::Wasm::EntryPlan::compileFunctions (this=0x7fffe005d600, effort=<optimized out>) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:223 #10 0x00007ffff77b16df in JSC::Wasm::Worklist::Thread::work (this=0x7fffe0035ad0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:119 #11 0x00007ffff79518e0 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at /home/.../WebKit/Source/WTF/wtf/AutomaticThread.cpp:229 #12 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at /home/.../WebKit/Source/WTF/wtf/Function.h:53 #13 0x00007ffff79b7b7a in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /home/.../WebKit/Source/WTF/wtf/Function.h:82 #14 WTF::Thread::entryPoint (newThreadContext=0x7fffe0036480) at /home/.../WebKit/Source/WTF/wtf/Threading.cpp:258 #15 0x00007ffff7a99563 in WTF::wtfThreadEntryPoint (context=0x7ffff7fafb50 <JSC::Wasm::wasmCallingConvention()::staticWasmCallingConvention>) at /home/.../WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:247 #16 0x00007ffff244fac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442 #17 0x00007ffff24e1850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81 2022000 1 ap 2024-03-18 19:03:11 -0700 I can reproduce with `jsc` on macOS. $ jsc --useWebAssemblyGC=true --useWebAssemblyTailCalls=true crash.js Segmentation fault: 11 Thread 4 Crashed:: Wasm Worklist Helper Thread 0 JavaScriptCore 0x1bbc92a78 JSC::Wasm::WasmCallingConvention::numberOfStackValues(JSC::Wasm::FunctionSignature const&) const + 12 1 JavaScriptCore 0x1bbc92d78 JSC::Wasm::LLIntGenerator::addCallIndirect(unsigned int, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::VirtualRegister, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WTF::Vector<JSC::VirtualRegister, 8ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::CallLinkInfoBase::CallType) + 380 2 JavaScriptCore 0x1bbcb4488 JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression() + 32884 2022974 2 webkit-bug-importer 2024-03-21 19:04:13 -0700 <rdar://problem/125207125> 2023023 3 mark.lam 2024-03-21 21:42:35 -0700 FYI, Wasm tail calls is not a completed nor supported feature. That's why it's disabled by default. 2052834 4 ysuzuki 2024-08-14 15:10:23 -0700 Thanks! Old wasm tail call implementation was not ready and disabled (it was disabled because it was not ready). We made the complete implementation and now enabled. Now I've tested this example, and confirmed that this does not cause crashes. Closing. 470376 2024-03-14 19:03:35 -0700 2024-03-14 19:03:35 -0700 the file that trigger crash crash.js text/javascript 924 happytraveller3312 dmFyIHdhc21fY29kZSA9IG5ldyBVaW50OEFycmF5KFswLDk3LDExNSwxMDksMSwwLDAsMCwxLDE2 MiwxMjgsMTI4LDEyOCwwLDcsODAsMCw5NSwwLDgwLDAsOTUsMCw4MCwwLDk1LDAsODAsMCw5NSww LDgwLDAsOTQsMTI3LDEsODAsMCw5NiwzLDEyNywxMjcsMTI3LDEsMTI3LDk2LDAsMCwzLDEzMCwx MjgsMTI4LDEyOCwwLDEsNSw0LDEzMywxMjgsMTI4LDEyOCwwLDEsMTEyLDEsMSwxLDUsMTMyLDEy OCwxMjgsMTI4LDAsMSwxLDE2LDMyLDEzLDEzMSwxMjgsMTI4LDEyOCwwLDEsMCw2LDcsMTM2LDEy OCwxMjgsMTI4LDAsMSw0LDEwOSw5NywxMDUsMTEwLDAsMCw5LDEzOSwxMjgsMTI4LDEyOCwwLDEs NiwwLDY1LDAsMTEsMTEyLDEsMjEwLDAsMTEsMTAsMjM3LDEyOCwxMjgsMTI4LDAsMSwxMDcsMCw2 NSwyMjQsMjE0LDI1NSwxNTcsMTIzLDI1MywxNSw2NSwxNjMsMTM2LDIyNCwxODksMTI3LDY3LDk5 LDc5LDYyLDI0LDE2OSwxMDMsMjU0LDQ2LDAsMjAzLDE1NiwxODQsMTQyLDE0LDI1MywxMzksMSw2 NSwxOTAsMjA5LDEzOCwxMzEsNiwyNTMsMTUsNjUsMTQyLDE3NiwxOTUsMTQyLDQsMjUzLDE1LDI1 MywxMTIsMjUzLDEyOCwxLDY1LDE0OCwxMzUsMjQ1LDk0LDI1MywxNSwyNTMsMTIxLDY1LDE0Nywx MzQsMjIxLDE4MiwxMjAsMjUzLDE1LDI1MywxNDYsMSwyNTMsMjE4LDEsMjUzLDEzMiwxLDY1LDE5 NCwxNzQsMjM0LDUzLDEwNSwxMDUsMTA1LDY1LDE3MSwxNDksMTM4LDI1NCw0LDY1LDAsMTksNSww LDQ0LDAsMjIwLDE5MywyNTIsMjUzLDQsMTFdKTsKdmFyIHdhc21fbW9kdWxlID0gbmV3IFdlYkFz c2VtYmx5Lk1vZHVsZSh3YXNtX2NvZGUpOwp2YXIgd2FzbV9pbnN0YW5jZSA9IG5ldyBXZWJBc3Nl bWJseS5JbnN0YW5jZSh3YXNtX21vZHVsZSk7CnZhciBmID0gd2FzbV9pbnN0YW5jZS5leHBvcnRz Lm1haW47CmYoKTsK