278113 2024-08-14 10:09:12 -0700 REGRESSION(2.44.3): [GTK] WebProcess crash on WASM/Unity demo 2024-08-15 10:02:29 -0700 1 1 1 Unclassified WebKit WebKitGTK WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 jmason webkit-unassigned bugs-noreply mcatanzaro muziknavi oldest_to_newest 2052766 0 jmason 2024-08-14 10:09:12 -0700 This is bifurcated from Bug #278090. In 2.44.3, running the Unity Tanks demo https://www.wasm.com.cn/demo/Tanks/ crashes the WebProcess. Backtrace follows below. Note that Adrian encounters a similar issue with the Arch Linux package (see Bug 278090 Comment 2) The Tanks demo works fine in 2.44.2 and @main. I have confirmed that reverting commit 279c9d7@webkitglib/2.44 (Bug #271175) clears the issue. Note that this code is also present in @main and works fine there. Perhaps there is some later commit or dependency that is also needed to support the change. Thread 38 received signal SIGABRT, Aborted. [Switching to Thread 32 (LWP 32)] 0x00007ffc0b9711aa in __lwp_sigqueue () from /lib/64/libc.so.1 (gdb) bt #0 0x00007ffc0b9711aa in __lwp_sigqueue () at /lib/64/libc.so.1 #1 0x00007ffc0b9657c1 in thr_kill () at /lib/64/libc.so.1 #2 0x00007ffc0b913d09 in raise () at /lib/64/libc.so.1 #3 0x00007ffc0b8e8df2 in abort () at /lib/64/libc.so.1 #4 0x00007ffc038bb2fb in () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #5 0x00007ffc0491b2c7 in () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #6 0x00007ffc049b8294 in JSC::Wasm::BBQJITImpl::BBQJIT::emitMoveMemory(JSC::Wasm::TypeKind, JSC::Wasm::BBQJITImpl::BBQJIT::Location, JSC::Wasm::BBQJITImpl::BBQJIT::Location) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #7 0x00007ffc04947d16 in void JSC::Wasm::BBQJITImpl::BBQJIT::returnValuesFromCall<8ul>(WTF::Vector<JSC::Wasm::BBQJITImpl::BBQJIT::Value, 8ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::FunctionSignature const&, JSC::Wasm::CallInformation const&) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #8 0x00007ffc0493b709 in JSC::Wasm::BBQJITImpl::BBQJIT::addCall(unsigned int, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::BBQJITImpl::BBQJIT::Value, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WTF::Vector<JSC::Wasm::BBQJITImpl::BBQJIT::Value, 8ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::CallLinkInfoBase::CallType) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #9 0x00007ffc04963cd1 in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parseExpression() () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #10 0x00007ffc049557cb in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parseBody() () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #11 0x00007ffc04948820 in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parse() () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #12 0x00007ffc0493d907 in JSC::Wasm::parseAndCompileBBQ(JSC::Wasm::CompilationContext&, JSC::Wasm::BBQCallee&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, unsigned int, std::__1::optional<bool>, unsigned int, JSC::Wasm::TierUpCount*) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #13 0x00007ffc049f6a9b in JSC::Wasm::BBQPlan::compileFunction(unsigned int, JSC::Wasm::BBQCallee&, JSC::Wasm::CompilationContext&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::TierUpCount*) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #14 0x00007ffc049f5c21 in JSC::Wasm::BBQPlan::work(JSC::Wasm::Plan::CompilationEffort) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #15 0x00007ffc04bd3da6 in JSC::Wasm::Worklist::Thread::work() () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #16 0x00007ffc04ccd1b4 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #17 0x00007ffc04cf7066 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #18 0x00007ffc04d59769 in WTF::wtfThreadEntryPoint(void*) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0 #19 0x00007ffc0b967ba9 in _thrp_setup () at /lib/64/libc.so.1 #20 0x00007ffc0b967e50 in _lwp_start () at /lib/64/libc.so.1 #21 0x0000000000000000 in () 2052794 1 mcatanzaro 2024-08-14 12:26:42 -0700 Good job tracking down the problem here. 2052800 2 mcatanzaro 2024-08-14 13:03:16 -0700 I don't know how to fix this properly, so I've just reverted the bad backport. There's only one more month until 2.46, so no use worrying too much about whatever it fixed at this point. 2053039 3 mcatanzaro 2024-08-15 10:01:58 -0700 *** Bug 278169 has been marked as a duplicate of this bug. *** 2053040 4 mcatanzaro 2024-08-15 10:02:29 -0700 Announcement: https://lists.webkit.org/pipermail/webkit-gtk/2024-August/004002.html