Bug 271030

Summary: Reproducible crash in WasmCallingConvention::numberOfStackArguments with TailCalls feature enabled
Product: WebKit
Reporter: Yuanfeng Xie <happytraveller3312>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED CONFIGURATION CHANGED
Severity: Normal
CC: justin_michaud, keith_miller, mark.lam, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: Other
Hardware: All
OS: Unspecified
Attachments: the file that trigger crash (flags: none)

Yuanfeng Xie
Reported 2024-03-14 19:03:35 PDT
Created attachment 470376 [details]
the file that trigger crash

Get the source code from GitHub.
Repository: https://github.com/WebKit/WebKit
Latest commit hash: 711120e7edec012527620d07bf63d85713a180fd
Download and compile with args (./Tools/Scripts/build-jsc --jsc-only --build-dir=patch/)

(bash) gdb source-to-webkit/patch/JSCOnly/Release/bin/jsc
(gdb) set args --useWebAssemblyGC=true --useWebAssemblyTailCalls=true crash.js
(gdb) r
Starting program: source-to-webkit/patch/JSCOnly/Release/bin/jsc --useWebAssemblyGC=true --useWebAssemblyTailCalls=true crash.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe23b3640 (LWP 798332)]
[New Thread 0x7fff9dbb0640 (LWP 798334)]
[New Thread 0x7fff9d3af640 (LWP 798335)]
[New Thread 0x7fff9cbae640 (LWP 798336)]
[New Thread 0x7fff9c3ad640 (LWP 798337)]
[New Thread 0x7fff9bbac640 (LWP 798338)]
[New Thread 0x7fff9b3ab640 (LWP 798339)]
[New Thread 0x7fff9abaa640 (LWP 798340)]
[New Thread 0x7fff9a3a9640 (LWP 798341)]
[New Thread 0x7fff99ba8640 (LWP 798342)]
[New Thread 0x7fff993a7640 (LWP 798343)]
[New Thread 0x7fff98ba6640 (LWP 798344)]
[New Thread 0x7fff983a5640 (LWP 798345)]
[New Thread 0x7fff97ba4640 (LWP 798348)]
[New Thread 0x7fff973a3640 (LWP 798349)]
[New Thread 0x7fff96ba2640 (LWP 798350)]
[New Thread 0x7fff963a1640 (LWP 798351)]
[New Thread 0x7fff95ba0640 (LWP 798352)]
[New Thread 0x7fff9539f640 (LWP 798353)]
[New Thread 0x7fff94b9e640 (LWP 798354)]
[New Thread 0x7fff9439d640 (LWP 798355)]
[New Thread 0x7fff93b9c640 (LWP 798356)]
[New Thread 0x7fff9339b640 (LWP 798357)]
[New Thread 0x7fff92b9a640 (LWP 798358)]
[New Thread 0x7fff92399640 (LWP 798359)]
[New Thread 0x7fff91b98640 (LWP 798360)]
[New Thread 0x7fff91397640 (LWP 798361)]
[New Thread 0x7fff90b96640 (LWP 798362)]
[New Thread 0x7fff90395640 (LWP 798363)]
[New Thread 0x7fff8fb94640 (LWP 798364)]
[New Thread 0x7fff8f393640 (LWP 798365)]
[New Thread 0x7fff8eb92640 (LWP 798366)]

Thread 3 "t Helper Thread" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff9dbb0640 (LWP 798334)]
0x00007ffff76115b1 in WTF::Vector<JSC::X86Registers::XMMRegisterID, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::size (this=0x7ffff7fafb60 <JSC::Wasm::wasmCallingConvention()::staticWasmCallingConvention+16>) at WTF/Headers/wtf/Vector.h:799
799         size_t size() const { return m_size; }
(gdb) bt
#0  0x00007ffff76115b1 in WTF::Vector<JSC::X86Registers::XMMRegisterID, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::size (this=0x7ffff7fafb60 <JSC::Wasm::wasmCallingConvention()::staticWasmCallingConvention+16>) at WTF/Headers/wtf/Vector.h:799
#1  JSC::Wasm::WasmCallingConvention::numberOfStackArguments (this=0x7ffff7fafb50 <JSC::Wasm::wasmCallingConvention()::staticWasmCallingConvention>, signature=...) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmCallingConvention.h:207
#2  JSC::Wasm::WasmCallingConvention::numberOfStackValues (this=0x7ffff7fafb50 <JSC::Wasm::wasmCallingConvention()::staticWasmCallingConvention>, signature=...) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmCallingConvention.h:255
#3  0x00007ffff7611d44 in JSC::Wasm::LLIntGenerator::addCallIndirect (this=0x7fff9dbac0d0, tableIndex=tableIndex@entry=0, signature=..., args=..., results=..., callType=JSC::CallLinkInfoBase::TailCall) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:1522
#4  0x00007ffff764389a in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this@entry=0x7fff9dbac1d0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2986
#5  0x00007ffff762c63b in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this@entry=0x7fff9dbac1d0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:482
#6  0x00007ffff75f8c19 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this@entry=0x7fff9dbac1d0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:435
#7  0x00007ffff75f718b in JSC::Wasm::parseAndCompileBytecode (functionStart=0x7fffe0000580 "", functionLength=<optimized out>, signature=..., info=..., functionIndex=functionIndex@entry=0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:586
#8  0x00007ffff7619e38 in JSC::Wasm::LLIntPlan::compileFunction (this=0x7fffe005d600, functionIndex=0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89
#9  0x00007ffff74d0596 in JSC::Wasm::EntryPlan::compileFunctions (this=0x7fffe005d600, effort=<optimized out>) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:223
#10 0x00007ffff77b16df in JSC::Wasm::Worklist::Thread::work (this=0x7fffe0035ad0) at /home/.../WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:119
#11 0x00007ffff79518e0 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at /home/.../WebKit/Source/WTF/wtf/AutomaticThread.cpp:229
#12 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at /home/.../WebKit/Source/WTF/wtf/Function.h:53
#13 0x00007ffff79b7b7a in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /home/.../WebKit/Source/WTF/wtf/Function.h:82
#14 WTF::Thread::entryPoint (newThreadContext=0x7fffe0036480) at /home/.../WebKit/Source/WTF/wtf/Threading.cpp:258
#15 0x00007ffff7a99563 in WTF::wtfThreadEntryPoint (context=0x7ffff7fafb50 <JSC::Wasm::wasmCallingConvention()::staticWasmCallingConvention>) at /home/.../WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:247
#16 0x00007ffff244fac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#17 0x00007ffff24e1850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Attachments
the file that trigger crash (924 bytes, text/javascript)
2024-03-14 19:03 PDT, Yuanfeng Xie
no flags
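As an added triage helper (not part of this bug report and not WebKit code; the jsc binary path and the test file are placeholders supplied by the caller), a POSIX sh script that runs the shell on a test file with the options from the report, classifies how the process ended from its exit status, and tries the two options separately so it is visible which one is needed to reach the crash. The same script can be re-run after a fix as a regression check.

```shell
#!/bin/sh
# Added example, not from the bug report or from WebKit: a small triage and
# regression-check script for a crashing jsc test case. The jsc path and the
# test file are placeholders supplied by the caller.

# Map a process exit status to a coarse verdict. The shell reports a process
# killed by signal N as 128+N, so 139 is SIGSEGV (11), as in the report.
classify_exit() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -ge 128 ]; then
        echo "crash (signal $((status - 128)))"
    else
        echo error            # jsc exited non-zero, e.g. an uncaught exception
    fi
}

# Run one jsc invocation: run_repro <jsc-binary> <test-file> [flags...]
# Output is discarded; only the exit status feeds the verdict. The
# `|| status=$?` form keeps this safe under `set -e`.
run_repro() {
    jsc_bin=$1
    test_file=$2
    shift 2
    status=0
    "$jsc_bin" "$@" "$test_file" >/dev/null 2>&1 || status=$?
    classify_exit "$status"
}

# Run the option combinations from the report one at a time, so it is
# visible which option is actually needed to reach the crash.
triage_flags() {
    jsc_bin=$1
    test_file=$2
    for flags in "" \
                 "--useWebAssemblyGC=true" \
                 "--useWebAssemblyTailCalls=true" \
                 "--useWebAssemblyGC=true --useWebAssemblyTailCalls=true"; do
        # Word splitting of $flags into separate arguments is intended here.
        verdict=$(run_repro "$jsc_bin" "$test_file" $flags)
        printf '%-64s %s\n' "${flags:-(no flags)}" "$verdict"
    done
}

# Stand-alone usage (placeholder paths; adjust to your build):
#   sh triage.sh path/to/JSCOnly/Release/bin/jsc crash.js
if [ "$#" -eq 2 ]; then
    triage_flags "$1" "$2"
fi
```

The verdict is derived only from the exit status, so the script works the same against a release build without symbols; the gdb backtrace in the report is still what you want for locating the fault, this is just for telling "crashes", "throws" and "fine" apart quickly across option sets.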
Alexey Proskuryakov
Comment 1 2024-03-18 19:03:11 PDT
I can reproduce with `jsc` on macOS.

$ jsc --useWebAssemblyGC=true --useWebAssemblyTailCalls=true crash.js
Segmentation fault: 11

Thread 4 Crashed:: Wasm Worklist Helper Thread
0   JavaScriptCore   0x1bbc92a78 JSC::Wasm::WasmCallingConvention::numberOfStackValues(JSC::Wasm::FunctionSignature const&) const + 12
1   JavaScriptCore   0x1bbc92d78 JSC::Wasm::LLIntGenerator::addCallIndirect(unsigned int, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::VirtualRegister, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WTF::Vector<JSC::VirtualRegister, 8ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::CallLinkInfoBase::CallType) + 380
2   JavaScriptCore   0x1bbcb4488 JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression() + 32884
Radar WebKit Bug Importer
Comment 2 2024-03-21 19:04:13 PDT
Mark Lam
Comment 3 2024-03-21 21:42:35 PDT
FYI, Wasm tail calls are not a completed or supported feature. That's why it's disabled by default.
Yusuke Suzuki
Comment 4 2024-08-14 15:10:23 PDT
Thanks! The old wasm tail call implementation was not ready and was disabled (it was disabled because it was not ready). We made the complete implementation and it is now enabled. I've now tested this example and confirmed that it does not cause crashes. Closing.