Summary: | Wasm engine segmentation fault | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Jan M <mail> | ||||
Component: | WebAssembly | Assignee: | Nobody <webkit-unassigned> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | ||||||
Priority: | P2 | ||||||
Version: | WebKit Nightly Build | ||||||
Hardware: | Unspecified | ||||||
OS: | macOS 10.12 | ||||||
Attachments: |
|
Description
Jan M
2019-10-10 02:56:36 PDT
Typo: Interestingly, when I tried to constant-fold the (select) from the beginning the error does *not* trigger. I just tried the latest JavaScriptCore version: v250962. from URL: https://s3-us-west-2.amazonaws.com/minified-archives.webkit.org/mac-highsierra-x86_64-release/250962.zip and the example still segfaults jsc. Also segfaults v250964. Also segfaults v251008. FWIW, this appears to hang WebContent in Safari, but I don't observe a crash. Yes, the example also just hangs Safari 12.1.2 (12607.3.10) on my MacBook Pro (suitably inlined in a minimal HTML document). This is the expected behaviour and agrees with V8, SpiderMonkey and Chakra's interpretation of the infinite Wasm loop (run with a 10sec timeout). Since the example has crashed every nightly build I've tried for the past three days, I guess it has been introduced into WebKit since the release Safari is built with. With a ulimit -c unlimited I get a core dump that can be loaded with lldb. Here's a stack trace from the nightly build: $ lldb -c /cores/core.75180 (lldb) target create --core "/cores/core.75180" Core file '/cores/core.75180' (x86_64) was loaded. (lldb) bt * thread #1, stop reason = signal SIGSTOP * frame #0: 0x0000020be155cb2c frame #1: 0x0000020be155cd38 frame #2: 0x00000001094d82af JavaScriptCore`vmEntryToJavaScript + 200 frame #3: 0x000000010a00639c JavaScriptCore`JSC::callWebAssemblyFunction(JSC::JSGlobalObject*, JSC::CallFrame*) + 1116 frame #4: 0x0000020be155c16b frame #5: 0x00000001094eec90 JavaScriptCore`llint_entry + 92211 frame #6: 0x00000001094eec90 JavaScriptCore`llint_entry + 92211 frame #7: 0x00000001094eec90 JavaScriptCore`llint_entry + 92211 frame #8: 0x00000001094eec90 JavaScriptCore`llint_entry + 92211 frame #9: 0x00000001094eec90 JavaScriptCore`llint_entry + 92211 frame #10: 0x00000001094d82af JavaScriptCore`vmEntryToJavaScript + 200 frame #11: 0x0000000109b18ce9 JavaScriptCore`JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::CallFrame*, JSC::JSObject*) + 11785 frame #12: 0x0000000109da2668 JavaScriptCore`JSC::evaluate(JSC::CallFrame*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 328 frame #13: 0x000000010920864c javascriptcore`jscmain(int, char**) + 3804 frame #14: 0x000000010920775b javascriptcore`main + 27 frame #15: 0x00007fff90d67235 libdyld.dylib`start + 1 (lldb) ...and the segfault continues with v251480. Slightly more interesting, I've found out that the error does not occur in "249479" (which was laying around in an old Docker container). That indicates a commit between versions 249479 and 250961 introduced the bug. Being a newcomer to this system I probably registered the bug wrongly. I've just changed 'Component': 'JavaScriptCore' -> 'WebAssembly'. I've managed to reduce the example further: (module (type $0 (func (result f32))) (global $0 i32 (i32.const 1)) (func $0 (type 0) (f32.const 0.0) (f32.const 0.0) (i32.const 0) (select) (loop (result f32) (f32.const 0.0) (global.get 0) (br_if 0)) (drop) ) (export "runf32" (func 0)) ) Basically it's a 'select' followed by an infinite loop that looks up a global. The corresponding JS (also reduced): let buffer = new Uint8Array([ 0,97,115,109,1,0,0,0,1,5,1,96,0,1,125,3,2,1,0,6,6,1,127,0,65,1,11,7,10,1,6,114,117,110,102,51,50,0,0,10,30,1,28,0,67,0,0,0,0,67,0,0,0,0,65,0,27,3,125,67,0,0,0,0,35,0,13,0,11,26,11 ]); let m = new WebAssembly.Instance(new WebAssembly.Module(buffer)); m.exports.runf32(); This continues to segfault the nightly builds (from jsvu), tested with 252179 and 252135. As mentioned, it doesn't segfault 249479 where it just runs an infinite loop, as expected. I can add that this example now loops (as expected) with version 267333. I'll therefore change the status to 'resolved'. |