Bug 279182

Summary: WasmGC program may be mis-optimized
Product: WebKit Reporter: Martin Kustermann <kustermann.martin>
Component: WebAssemblyAssignee: David Degazio <d_degazio>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: asumu, d_degazio, kustermann.martin, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Contains a helper script used to run dart2wasm compiled modules and the corresponding JS & Wasm files of a compiled application that triggers misoptimization none

Martin Kustermann
Reported 2024-09-05 04:57:01 PDT
Created attachment 472464 [details] Contains a helper script used to run dart2wasm compiled modules and the corresponding JS & Wasm files of a compiled application that triggers misoptimization The attached program seems to run fine with V8's commandline JS engine but fails with JavaScriptCore command line shell. By modifying the program slightly or changing JSC flags it appears to behave differently, making me believe this is an optimization bug. This reproduction uses the build from: https://webkitgtk.org/jsc-built-products/x86_64/release/283199@main.zip --------------------------- ---- Issue 1) Run the app with dart2wasm -O1 optimization (which uses the binaryen wasm2wasm optimizer) --------------------------- ``` % jsc $PWD/pkg/dart2wasm/bin/run_wasm.js -- $PWD/repro.O1.mjs $PWD/repro.O1.wasm i=128 i=128 done i=129 i=129 done ... i=4627 Error: RuntimeError: struct.get to a null reference (evaluating 'this.instantiatedModule.exports.$invokeMain(args)') Stack: <?>.wasm-function[Expect.throws]@[wasm code] <?>.wasm-function[main tear-off trampoline]@[wasm code] <?>.wasm-function[_invokeMain]@[wasm code] invokeMain@.../repro.O1.mjs:358:48 @.../pkg/dart2wasm/bin/run_wasm.js:412:31 ```` Running with `--useJIT=false` behaves flakily and differently Sometimes: ``` % jsc --useJIT=false $PWD/pkg/dart2wasm/bin/run_wasm.js -- $PWD/repro.O1.mjs $PWD/repro.O1.wasm Error: RuntimeError: ref.cast failed to cast reference to target heap type (evaluating 'read(s, index++)') Stack: <?>.wasm-function[_stringRead1]@[wasm code] 73@[native code] _253@.../repro.O1.mjs:188:28 <?>.wasm-function[print]@[wasm code] <?>.wasm-function[_invokeMain]@[wasm code] 58@[native code] invokeMain@.../repro.O1.mjs:358:48 @.../pkg/dart2wasm/bin/run_wasm.js:412:31 ``` Sometimes: ``` % jsc --useJIT=false $PWD/pkg/dart2wasm/bin/run_wasm.js -- $PWD/repro.O1.mjs $PWD/repro.O1.wasm Error: RangeError: Array length must be a positive integer of safe magnitude. Stack: _253@.../repro.O1.mjs:184:30 <?>.wasm-function[print]@[wasm code] <?>.wasm-function[_invokeMain]@[wasm code] 58@[native code] invokeMain@.../repro.O1.mjs:358:48 @.../dart2wasm/bin/run_wasm.js:412:31 ``` --------------------------- ---- Issue 1) Run the app with dart2wasm -O0, i.e. without any optimization --------------------------- ``` % jsc $PWD/pkg/dart2wasm/bin/run_wasm.js -- $PWD/repro.O0.mjs $PWD/repro.O0.wasm ... Error: RuntimeError: call_indirect to a signature that does not match (evaluating 'this.instantiatedModule.exports.$invokeMain(args)') Stack: <?>.wasm-function[Expect.throws]@[wasm code] <?>.wasm-function[main]@[wasm code] <?>.wasm-function[main tear-off trampoline]@[wasm code] <?>.wasm-function[_invokeMain]@[wasm code] invokeMain@.../repro.O0.mjs:358:48 @.../pkg/dart2wasm/bin/run_wasm.js:412:31 ``` ``` % jsc --useJIT=false $PWD/pkg/dart2wasm/bin/run_wasm.js -- $PWD/repro.O0.mjs $PWD/repro.O0.wasm Error: CompileError: WebAssembly.Module doesn't parse at byte 1012: can't get 0th field Type Stack: undefined ```
Attachments
Contains a helper script used to run dart2wasm compiled modules and the corresponding JS & Wasm files of a compiled application that triggers misoptimization (73.36 KB, application/gzip)
2024-09-05 04:57 PDT, Martin Kustermann 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Asumu Takikawa
Comment 1 2024-09-11 11:56:51 PDT
I ran some of these tests in a debug build, and got some stack traces. In the jit true case, it looks like there's an assertion failing in a null/non-null branch. This code has been tricky to get right so maybe there's something off there. The assertion failure is in BBQJIT, when I turn that off with `--useBBQJIT=false` I get the `struct.get` error from the original report. But with `--useOMGJIT=false` as well it runs without failure so LLInt seems fine. ``` 1 0x7fefaa60ad76 JSC::Wasm::BBQJITImpl::BBQJIT::loadIfNecessary(JSC::Wasm::BBQJITImpl::BBQJIT::Value) 2 0x7fefaa604a7a JSC::Wasm::BBQJITImpl::BBQJIT::addBranch(JSC::Wasm::BBQJITImpl::BBQJIT::ControlData&, JSC::Wasm::BBQJITImpl::BBQJIT::Value, WTF::Vector<JSC::Wasm::FunctionParserTypes<JSC::Wasm::BBQJITImpl::BBQJIT::ControlData, JSC::Wasm::BBQJITImpl::BBQJIT::Value, JSC::CallLinkInfoBase::CallType>::TypedExpression, 16ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc>&) 3 0x7fefaa6d2633 JSC::Wasm::BBQJITImpl::BBQJIT::addBranchNull(JSC::Wasm::BBQJITImpl::BBQJIT::ControlData&, JSC::Wasm::BBQJITImpl::BBQJIT::Value, WTF::Vector<JSC::Wasm::FunctionParserTypes<JSC::Wasm::BBQJITImpl::BBQJIT::ControlData, JSC::Wasm::BBQJITImpl::BBQJIT::Value, JSC::CallLinkInfoBase::CallType>::TypedExpression, 16ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc>&, bool, JSC::Wasm::BBQJITImpl::BBQJIT::Value&) i=656 done 4 0x7fefaa66d6b4 JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parseExpression() i=657 5 0x7fefaa63f070 JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parseBody() 6 0x7fefaa633b32 JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parse() 7 0x7fefaa60d0f7 JSC::Wasm::parseAndCompileBBQ(JSC::Wasm::CompilationContext&, JSC::Wasm::BBQCallee&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, unsigned int, std::optional<bool>, unsigned int, JSC::Wasm::TierUpCount*) 8 0x7fefaa6f9e70 JSC::Wasm::BBQPlan::compileFunction(unsigned int, JSC::Wasm::BBQCallee&, JSC::Wasm::CompilationContext&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::TierUpCount*) 9 0x7fefaa6f7c33 JSC::Wasm::BBQPlan::work(JSC::Wasm::Plan::CompilationEffort) i=657 done 10 0x7fefaaa50c62 JSC::Wasm::Worklist::Thread::work() i=658 11 0x7fefaac407a0 operator() 12 0x7fefaac421b8 call 13 0x7fefa94050e1 WTF::Function<void ()>::operator()() const 14 0x7fefaad863c1 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) 15 0x7fefaae53f77 wtfThreadEntryPoint 16 0x7fefa54a1e39 start_thread 17 0x7fefa55298c4 clone ``` Not sure what's going on with the JIT=false run, but it looks like maybe there is some kind of GC-related issue: ``` #0 0x00007ffff33b473e in JSC::Heap::mutatorState() const (this=0xd68948f8458b49c0) at /app/webkit/Source/JavaScriptCore/heap/Heap.h:345 #1 0x00007ffff33bcf16 in JSC::JSCell::classInfo() const (this=0x7ffff4a60c2c <JSC::encodeResult(void const*, void const*)+35>) at /app/webkit/Source/JavaScriptCore/runtime/JSCellInlines.h:380 #2 0x00007ffff33bcedc in JSC::JSCell::inherits(JSC::ClassInfo const*) const (this=0x7ffff4a60c2c <JSC::encodeResult(void const*, void const*)+35>, info=0x555555674340 <JSC::JSObject::s_info>) at /app/webkit/Source/JavaScriptCore/runtime/JSCellInlines.h:349 #3 0x00007ffff33bfc56 in JSC::jsCast<JSC::JSObject*, JSC::JSCell>(JSC::JSCell*) (from=0x7ffff4a60c2c <JSC::encodeResult(void const*, void const*)+35>) at /app/webkit/Source/JavaScriptCore/runtime/JSCast.h:37 #4 0x00007ffff33b9123 in JSC::asObject(JSC::JSCell*) (cell=0x7ffff4a60c2c <JSC::encodeResult(void const*, void const*)+35>) at /app/webkit/Source/JavaScriptCore/runtime/JSObject.h:1441 #5 0x00007ffff33dfe9c in JSC::JSValue::getPropertySlot(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const (this=0x7fffffffbb10, globalObject=0x7fffe4417088, propertyName=..., slot=...) at /app/webkit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1100 #6 0x00007ffff33dfaae in JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const (this=0x7fffffffbb10, globalObject=0x7fffe4417088, propertyName=..., slot=...) at /app/webkit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1059 #7 0x00007ffff4b564d9 in JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&) (bytecodeIndex=..., codeBlock=0x7fffe44d4c40, globalObject=0x7fffe4417088, baseValue=..., ident=..., metadata=...) at /app/webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:898 #8 0x00007ffff4b5708e in JSC::LLInt::llint_slow_path_get_length(JSC::CallFrame*, JSC::JSInstruction const*) (callFrame=0x7fffffffbd80, pc=0x7fffe6122821) at /app/webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:980 #9 0x00007ffff3347db2 in llint_op_get_length () at /app/webkit/WebKitBuild/GTK/Debug/lib/libjavascriptcoregtk-6.0.so.1 #10 0x0000000000000000 in () ```
Radar WebKit Bug Importer
Comment 2 2024-09-11 13:06:11 PDT
<rdar://problem/135821678>
Yusuke Suzuki
Comment 3 2024-11-09 21:33:59 PST
Thanks! It is fixed in bug 279480, and now it is fixed in ToT.
Yusuke Suzuki
Comment 4 2024-11-10 13:29:57 PST
*** This bug has been marked as a duplicate of bug 279480 ***
Note You need to log in before you can comment on or make changes to this bug.