Bug 268990
| Summary: | Web process hits breakpoint in complex Wasm pages | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Asumu Takikawa <asumu> |
| Component: | WebAssembly | Assignee: | Justin Michaud <justin_michaud> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bashorov, darbinyan, justin_michaud, keith_miller, mark.lam, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Asumu Takikawa
There potentially appears to be a bug related to recent calling convention changes in Wasm (commit c2eee1bb4cec95f71e53400d83a2985463423c17).
I unfortunately don't have a small reproduction case, but I do have consistent steps which worked for me at commit 200045f29c1b7ecf425cd1dc954c85689ac7f163.
Step 1.
Add the following patch just for debugging (to show which breakpoint you are at).
```
diff --git a/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp b/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp
index 238443c5615b..dc36e73e94e0 100644
--- a/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp
+++ b/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp
@@ -137,6 +137,7 @@ void LLIntPlan::didCompleteCompilation()
auto good = jit.branchPtr(MacroAssembler::Equal, GPRInfo::nonPreservedNonArgumentGPR0,
MacroAssembler::TrustedImmPtr(reinterpret_cast<uint64_t>(CalleeBits::boxNativeCallee(m_calleesVector[i].ptr()))));
jit.breakpoint();
+ jit.move(MacroAssembler::Imm32(0xabababa), GPRInfo::nonPreservedNonArgumentGPR0);
good.link(&jit);
}
jumps[i] = jit.jump();
```
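Review bot: the added `jit.move(MacroAssembler::Imm32(0xabababa), GPRInfo::nonPreservedNonArgumentGPR0);` sits after `jit.breakpoint();`, so it never executes; its only job is to leave a recognisable instruction pair after the `brk` so this trap site can be told apart from other breakpoints in a disassembly, which is what the step says it is for. Note that `0xabababa` is seven hex digits, so the value actually encoded is `0x0abababa`; a reader grepping a dump should look for that. The hunk's context lines have lost their leading indentation in the paste (the `auto good = ...` and `good.link(&jit);` lines are at column 0 inside a function body), so `git apply` will need `--ignore-whitespace`, or the lines re-indented, before it applies cleanly. This is debugging-only instrumentation and must not be included in a pull request.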
Step 2.
Build WebKit in debug mode, run Minibrowser.
Step 3.
Go to a complex Wasm app such as the Doom 3 demo: https://wasm.continuation-labs.com/d3demo/
Step 4.
The web process will crash non-deterministically (refresh if it doesn't crash). If you hook it up to `lldb -p` you will see that it has hit the breakpoint where we put the junk move to mark it above.
Asumu Takikawa
Here's an example debugging output from the crash:
```
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=1, subcode=0x2807e97a0)
frame #0: 0x00000002807e97a0
-> 0x2807e97a0: brk #0xc471
0x2807e97a4: mov w8, #0xbaba
0x2807e97a8: movk w8, #0xaba, lsl #16
0x2807e97ac: b 0x28000c140
Target 0: (com.apple.WebKit.WebContent.Development) stopped.
(lldb) x/20i 0x2807e9760
0x2807e9760: 0xf84083e8 unknown ldur x8, [sp, #0x8]
0x2807e9764: 0xd289a470 unknown mov x16, #0x4d23
0x2807e9768: 0xf2b98970 unknown movk x16, #0xcc4b, lsl #16
0x2807e976c: 0xf2c00030 unknown movk x16, #0x1, lsl #32
0x2807e9770: 0xeb10011f unknown cmp x8, x16
0x2807e9774: 0x54000080 unknown b.eq 0x2807e9784
0x2807e9778: 0xd4388e20 unknown brk #0xc471
0x2807e977c: 0x52975748 unknown mov w8, #0xbaba
0x2807e9780: 0x72a15748 unknown movk w8, #0xaba, lsl #16
0x2807e9784: 0x17e08a6f unknown b 0x28000c140
0x2807e9788: 0xf84083e8 unknown ldur x8, [sp, #0x8]
0x2807e978c: 0xd289c070 unknown mov x16, #0x4e03
0x2807e9790: 0xf2b98970 unknown movk x16, #0xcc4b, lsl #16
0x2807e9794: 0xf2c00030 unknown movk x16, #0x1, lsl #32
0x2807e9798: 0xeb10011f unknown cmp x8, x16
0x2807e979c: 0x54000080 unknown b.eq 0x2807e97ac
-> 0x2807e97a0: 0xd4388e20 unknown brk #0xc471
0x2807e97a4: 0x52975748 unknown mov w8, #0xbaba
0x2807e97a8: 0x72a15748 unknown movk w8, #0xaba, lsl #16
0x2807e97ac: 0x17e08a65 unknown b 0x28000c140
```
Note the junk data at 0x2807e97a4 showing it's the same breakpoint in the LLInt entry.
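As an added example (not code from the bug report or from WebKit), the following Python decodes the raw instruction words in the `x/20i` dump above. It recovers two things a practitioner wants when triaging this kind of trap: the 64-bit constant that the `mov x16 / movk / movk` sequence builds (the boxed callee pointer the entry thunk compares `x8` against) and the `0x0abababa` marker that the debugging patch from the first comment plants after the `brk`, so that the instrumented breakpoint can be located mechanically rather than by eye. The decoding follows the public ARM64 "move wide immediate" and BRK encodings; the sample dump lines are copied from the output above, and the 5-instruction distance between the `mov x16` and the `brk` is an assumption taken from that same dump, not from any WebKit source.

```python
"""Decode ARM64 MOVZ/MOVK/BRK words from an lldb `x/Ni` dump.

Added example, not part of the bug report or of WebKit. It recovers the
constants the LLInt entry check compares against and the marker planted by
the debugging patch, using only the public ARM64 instruction encodings.
"""
import re

# Sample input: lines copied from the lldb `x/20i` dump in this bug.
LLDB_DUMP = """\
0x2807e9760: 0xf84083e8 unknown ldur x8, [sp, #0x8]
0x2807e9764: 0xd289a470 unknown mov x16, #0x4d23
0x2807e9768: 0xf2b98970 unknown movk x16, #0xcc4b, lsl #16
0x2807e976c: 0xf2c00030 unknown movk x16, #0x1, lsl #32
0x2807e9770: 0xeb10011f unknown cmp x8, x16
0x2807e9774: 0x54000080 unknown b.eq 0x2807e9784
0x2807e9778: 0xd4388e20 unknown brk #0xc471
0x2807e977c: 0x52975748 unknown mov w8, #0xbaba
0x2807e9780: 0x72a15748 unknown movk w8, #0xaba, lsl #16
0x2807e9784: 0x17e08a6f unknown b 0x28000c140
"""

# "0xADDR: 0xWORD ..." with an optional "->" current-pc marker in front.
LINE_RE = re.compile(r"^(?:->\s*)?0x([0-9a-f]+):\s+0x([0-9a-f]{8})\s", re.I)


def parse_dump(text):
    """Return [(address, instruction_word), ...] from lldb `x/Ni` output."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(1), 16), int(m.group(2), 16)))
    return out


def decode_mov_wide(word):
    """Decode MOVN/MOVZ/MOVK -> (mnemonic, rd, imm16, shift, is64), else None.

    Encoding ('Move wide immediate'):
      sf[31] opc[30:29] 100101[28:23] hw[22:21] imm16[20:5] Rd[4:0]
    """
    if (word >> 23) & 0x3F != 0b100101:
        return None
    sf = (word >> 31) & 1
    opc = (word >> 29) & 0b11
    hw = (word >> 21) & 0b11
    mnemonic = {0b00: "movn", 0b10: "movz", 0b11: "movk"}.get(opc)
    if mnemonic is None or (sf == 0 and hw > 1):
        return None  # opc=01 is unallocated; 32-bit form only allows hw 0/1
    return (mnemonic, word & 0x1F, (word >> 5) & 0xFFFF, hw * 16, bool(sf))


def decode_brk(word):
    """Return the BRK immediate, or None. BRK: 11010100001 imm16[20:5] 00000."""
    if (word >> 21) != 0b11010100001 or (word & 0x1F) != 0:
        return None
    return (word >> 5) & 0xFFFF


def materialize(words):
    """Evaluate a MOVZ/MOVN followed by MOVKs into one register; return its value.

    All words must target the same register with the same width; anything
    else raises ValueError so callers can skip non-matching code.
    """
    if not words:
        raise ValueError("empty sequence")
    value = reg = width = mask = None
    for w in words:
        d = decode_mov_wide(w)
        if d is None:
            raise ValueError("0x%08x is not a move-wide instruction" % w)
        mnemonic, rd, imm16, shift, is64 = d
        if value is None:
            if mnemonic == "movk":
                raise ValueError("sequence must start with movz/movn")
            reg, width = rd, is64
            mask = (1 << 64) - 1 if is64 else (1 << 32) - 1
            value = imm16 << shift
            if mnemonic == "movn":
                value = ~value & mask
        else:
            if mnemonic != "movk" or rd != reg or is64 != width:
                raise ValueError("inconsistent move-wide sequence")
            value = (value & ~(0xFFFF << shift)) | (imm16 << shift)
    return value & mask


def find_marked_traps(dump, marker=0x0ABABABA):
    """Find each BRK whose next two words build `marker` (the patch's junk move).

    Returns [(brk_address, brk_imm, expected_callee)]. expected_callee is the
    64-bit value built by the three move-wide words five instructions before
    the brk (mov/movk/movk, then cmp, then b.eq), i.e. the boxed callee pointer
    the check compares against; None if that layout is not present.
    """
    insns = parse_dump(dump)
    hits = []
    for i, (addr, word) in enumerate(insns):
        imm = decode_brk(word)
        if imm is None or i + 2 >= len(insns):
            continue
        try:
            if materialize([insns[i + 1][1], insns[i + 2][1]]) != marker:
                continue
        except ValueError:
            continue
        expected = None
        if i >= 5:  # assumed layout, taken from the dump in this bug
            try:
                expected = materialize([insns[i - 5][1], insns[i - 4][1], insns[i - 3][1]])
            except ValueError:
                pass
        hits.append((addr, imm, expected))
    return hits


if __name__ == "__main__":
    for addr, imm, expected in find_marked_traps(LLDB_DUMP):
        print("marked brk #0x%x at 0x%x, expected callee 0x%x" % (imm, addr, expected))
```

Run against the dump it reports the single instrumented trap at 0x2807e9778 with BRK immediate 0xc471 and an expected boxed callee of 0x1cc4b4d23; comparing that value with what `x8` (loaded from `[sp, #0x8]`) held when the trap fired tells you whether the callee slot was stale or merely mis-located, which is the distinction the calling-convention regression turns on.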
Radar WebKit Bug Importer
<rdar://problem/123015079>
Justin Michaud
Pull request: https://github.com/WebKit/WebKit/pull/24842
EWS
Committed 275095@main (a9c33a2b496a): <https://commits.webkit.org/275095@main>
Reviewed commits have been landed. Closing PR #24842 and removing active labels.
Alexey Proskuryakov
*** Bug 269598 has been marked as a duplicate of this bug. ***