Bug 262861

Summary:	[JSC] BBQJIT tail-call should not pass InvalidGPRReg to preserved registers
Product:	WebKit	Reporter:	xiangwei1895
Component:	WebAssembly	Assignee:	Yusuke Suzuki <ysuzuki>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	asumu, juju6985, justin_michaud, keith_miller, mark.lam, webkit-bug-importer, ysuzuki
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

xiangwei1895

Reported 2023-10-08 04:48:10 PDT

## JavaScriptCore Version 1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81 ## Build Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64) ./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'" ## Testcase and Execution steps ``` var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,150,128,128,128,0,4,80,0,95,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,3,130,128,128,128,0,1,2,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,3,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,151,128,128,128,0,1,21,3,1,108,1,1,126,1,108,0,65,230,0,65,162,127,65,92,18,0,168,11]); var wasm_module = new WebAssembly.Module(wasm_code); var wasm_instance = new WebAssembly.Instance(wasm_module); var f = wasm_instance.exports.main; f(); ``` ./bin/jsc --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyTailCalls=true testcase.js ## Output ASSERTION FAILED: is<T>() /home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.h(762) : T *JSC::Wasm::TypeDefinition::as() [T = JSC::Wasm::FunctionSignature] ## Backtrace #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140735826318912) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140735826318912) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140735826318912, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007fffeb36b476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007fffeb3517f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff03b92ff in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:778 #6 0x00007ffff45eb33a in JSC::Wasm::LLIntGenerator::addCall ( this=0x7fff9cef0a10, functionIndex=0, signature=..., args=..., results=..., callType=JSC::CallLinkInfo::TailCall) at WTF/Headers/wtf/Assertions.h:802 #7 0x00007ffff4658c5e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this@entry=0x7fff9cef0ba0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2574 #8 0x00007ffff462a57e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this@entry=0x7fff9cef0ba0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:429 #9 0x00007ffff4614fcd in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this@entry=0x7fff9cef0ba0) --Type <RET> for more, q to quit, c to continue without paging-- at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:382 #10 0x00007ffff45c0412 in JSC::Wasm::parseAndCompileBytecode ( functionStart=<optimized out>, functionLength=<optimized out>, signature=..., info=..., functionIndex=0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:580 #11 0x00007ffff45f9cfc in JSC::Wasm::LLIntPlan::compileFunction ( this=0x615000018180, functionIndex=0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89 #12 0x00007ffff43f6411 in JSC::Wasm::EntryPlan::compileFunctions ( this=0x615000018180, effort=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:220 #13 0x00007ffff484efe1 in JSC::Wasm::Worklist::Thread::work ( this=0x607000004460) at /home/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:111 #14 0x00007ffff4d0b9d1 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/AutomaticThread.cpp:229 #15 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:53 #16 0x00007ffff4dc07b6 in WTF::Function<void ()>::operator()() const ( this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:82 #17 WTF::Thread::entryPoint (newThreadContext=<optimized out>) --Type <RET> for more, q to quit, c to continue without paging-- at /home/WebKit/Source/WTF/wtf/Threading.cpp:258 #18 0x00007ffff4f52126 in WTF::wtfThreadEntryPoint (context=0x2bb640) at /home/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242 #19 0x00007fffeb3bdb43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442 #20 0x00007fffeb44fa00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Attachments
Add attachment proposed patch, testcase, etc.

xiangwei1895

Comment 1 2023-10-08 04:54:17 PDT

I'm testing on commit 3cf70a3a572708fefd7eb755db3cc211798022a7 not 1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81

Radar WebKit Bug Importer

Comment 2 2023-10-15 04:49:13 PDT

<rdar://problem/116978809>

Asumu Takikawa

Comment 3 2023-12-01 16:32:20 PST

Here is an updated test case for this: ``` //@ runWebAssemblySuite("--useWebAssemblyTailCalls=true", "--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true") //import * as assert from "../assert.js"; function module(bytes, valid = true) { let buffer = new ArrayBuffer(bytes.length); let view = new Uint8Array(buffer); for (let i = 0; i < bytes.length; ++i) { view[i] = bytes.charCodeAt(i); } return new WebAssembly.Module(buffer); } /* * * (module * (type $0 (func)) * (type $1 (sub (func (param i32 i32 i32) (result i32)))) * (type $2 (sub (array (mut i32)))) * (type $3 (sub (struct ))) * (memory $0 16 32) * (table $0 1 1 funcref) * (elem $0 (i32.const 0) $0) * (tag $tag$0) * (export "main" (func $0)) * (func $0 (param $0 i32) (param $1 i32) (param $2 i32) (result i32) * (local $3 (ref null $2)) * (local $4 i64) * (local $5 (ref null $3)) * (return_call $0 * (i32.const 102) * (i32.const -94) * (i32.const -36) * ) * ) * ) * */ const m = new WebAssembly.Instance(module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x96\x80\x80\x80\x00\x04\x50\x00\x5f\x00\x50\x00\x5e\x7f\x01\x50\x00\x60\x03\x7f\x7f\x7f\x01\x7f\x60\x00\x00\x03\x82\x80\x80\x80\x00\x01\x02\x04\x85\x80\x80\x80\x00\x01\x70\x01\x01\x01\x05\x84\x80\x80\x80\x00\x01\x01\x10\x20\x0d\x83\x80\x80\x80\x00\x01\x00\x03\x07\x88\x80\x80\x80\x00\x01\x04\x6d\x61\x69\x6e\x00\x00\x09\x8b\x80\x80\x80\x00\x01\x06\x00\x41\x00\x0b\x70\x01\xd2\x00\x0b\x0a\x97\x80\x80\x80\x00\x01\x15\x03\x01\x63\x01\x01\x7e\x01\x63\x00\x41\xe6\x00\x41\xa2\x7f\x41\x5c\x12\x00\xa8\x0b")); m.exports.main(); ``` It still fails, but it's entirely inside the codepath for tail calls. There is an easy fix but if tailcalls are WONTFIX for now then I can defer the fix until tail calls are in a better state.

Yusuke Suzuki

Comment 4 2024-08-14 17:09:40 PDT

Pull request: https://github.com/WebKit/WebKit/pull/32219

EWS

Comment 5 2024-08-15 07:00:20 PDT

Committed 282283@main (0be62f7bf9ec): <https://commits.webkit.org/282283@main> Reviewed commits have been landed. Closing PR #32219 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.