179606 – WebAssembly crash in UIWebView iOS 11

NEW 179606

WebAssembly crash in UIWebView iOS 11

https://bugs.webkit.org/show_bug.cgi?id=179606

Summary WebAssembly crash in UIWebView iOS 11

Jin

Reported 2017-11-13 01:56:15 PST

Created attachment 326751 [details] Bugfix Patch iOS UIWebView's JavaScript runtime NOT allow to use Assembler. It will crash when running the following code in iOS 11: UIWebView* webview = [[UIWebView alloc] init]; [webview stringByEvaluatingJavaScriptFromString:@"new WebAssembly.Memory({initial:10, maximum:100});"]; And the crash stack is : Thread 60 name: Thread 60 Crashed: 0 JavaScriptCore 0x00000001895ef37c JSC::ExecutableAllocator::allocate(unsigned long, void*, JSC::JITCompilationEffort) + 644 (ExecutableAllocator.cpp:426) 1 JavaScriptCore 0x00000001895ef37c JSC::ExecutableAllocator::allocate(unsigned long, void*, JSC::JITCompilationEffort) + 644 (ExecutableAllocator.cpp:426) 2 JavaScriptCore 0x000000018983f6a8 JSC::LinkBuffer::allocate(JSC::MacroAssembler&, void*, JSC::JITCompilationEffort) + 256 (LinkBuffer.cpp:245) 3 JavaScriptCore 0x000000018983edb4 void JSC::LinkBuffer::copyCompactAndLinkCode<unsigned int>(JSC::MacroAssembler&, void*, JSC::JITCompilationEffort) + 60 (LinkBuffer.cpp:101) 4 JavaScriptCore 0x000000018983ecd4 JSC::LinkBuffer::linkCode(JSC::MacroAssembler&, void*, JSC::JITCompilationEffort) + 56 (LinkBuffer.cpp:221) 5 JavaScriptCore 0x00000001899fa894 JSC::Wasm::throwExceptionFromWasmThunkGenerator(WTF::AbstractLocker const&) + 752 (LinkBuffer.h:89) 6 JavaScriptCore 0x00000001899fadd4 JSC::Wasm::Thunks::stub(WTF::AbstractLocker const&, JSC::MacroAssemblerCodeRef (*)(WTF::AbstractLocker const&)) + 120 (WasmThunks.cpp:160) 7 JavaScriptCore 0x00000001899fb190 JSC::Wasm::Thunks::stub(JSC::MacroAssemblerCodeRef (*)(WTF::AbstractLocker const&)) + 92 (WasmThunks.cpp:148) 8 JavaScriptCore 0x00000001899e3a5c JSC::Wasm::Memory::create(JSC::VM&, JSC::Wasm::PageCount, JSC::Wasm::PageCount) + 96 (WasmMemory.cpp:381) 9 JavaScriptCore 0x0000000189a1512c JSC::constructJSWebAssemblyMemory(JSC::ExecState*) + 1236 (WebAssemblyMemoryConstructor.cpp:99) 10 JavaScriptCore 0x0000000189153a1c JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 440 (JSObject.h:1465) 11 JavaScriptCore 0x0000000189853d14 llint_entry + 27908 12 JavaScriptCore 0x000000018984ce40 vmEntryToJavaScript + 272 13 JavaScriptCore 0x0000000189732948 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 136 (JITCode.cpp:81) 14 JavaScriptCore 0x00000001897098dc JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 11244 (Interpreter.cpp:912) 15 JavaScriptCore 0x00000001893fde7c JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 316 (Completion.cpp:103) 16 WebCore 0x000000018b6c91f4 WebCore::WorkerScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::NakedPtr<JSC::Exception>&) + 152 (WorkerScriptController.cpp:127) 17 WebCore 0x000000018b6c9100 WebCore::WorkerScriptController::evaluate(WebCore::ScriptSourceCode const&) + 44 (WorkerScriptController.cpp:109) 18 WebCore 0x000000018b6cae48 WebCore::WorkerThread::workerThread() + 612 (WorkerThread.cpp:186) 19 JavaScriptCore 0x0000000189121660 WTF::threadEntryPoint(void*) + 120 (Function.h:56) 20 JavaScriptCore 0x00000001891215a0 WTF::wtfThreadEntryPoint(void*) + 84 (ThreadingPthreads.cpp:209) 21 libsystem_pthread.dylib 0x000000018241431c _pthread_body + 308 (pthread.c:740) 22 libsystem_pthread.dylib 0x00000001824141e8 _pthread_start + 312 (pthread.c:799) 23 libsystem_pthread.dylib 0x0000000182412c28 thread_start + 4 This is slightly similar to JIT, so I try to fix it with the Patch.

Attachments
Bugfix Patch (909 bytes, patch) 2017-11-13 01:56 PST, Jin	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2017-11-13 18:58:14 PST

Thank you for the report and the fix! Would you be willing to submit a patch for review in accordance with <https://webkit.org/contributing-code/>?

JF Bastien

Comment 2 2017-11-14 10:19:47 PST

Comment on attachment 326751 [details] Bugfix Patch Options.cpp does the following: if (!Options::useJIT()) Options::useWebAssembly() = false; That should cover some cases, but indeed doesn't cover the case where we dynamically discover that we can't allocate executable memory. I think we might want to update useJIT in that case and re-run the part that makes options consistent, since executable allocation runs early?

Keith Miller

Comment 3 2017-11-14 10:38:50 PST

(In reply to JF Bastien from comment #2) > Comment on attachment 326751 [details] > Bugfix Patch > > Options.cpp does the following: > > if (!Options::useJIT()) > Options::useWebAssembly() = false; > > That should cover some cases, but indeed doesn't cover the case where we > dynamically discover that we can't allocate executable memory. I think we > might want to update useJIT in that case and re-run the part that makes > options consistent, since executable allocation runs early? I think we should do this the same way that we do it for other JITs. It looks like we use a boolean on VM for the others. e.g. m_canUseJIT.

Saam Barati

Comment 4 2017-11-14 11:15:53 PST

(In reply to JF Bastien from comment #2) > Comment on attachment 326751 [details] > Bugfix Patch > > Options.cpp does the following: > > if (!Options::useJIT()) > Options::useWebAssembly() = false; > > That should cover some cases, but indeed doesn't cover the case where we > dynamically discover that we can't allocate executable memory. I think we > might want to update useJIT in that case and re-run the part that makes > options consistent, since executable allocation runs early? VM::canUseJIT() is the way we ask this question, not Options::useJIT(). VM::canUseJIT() changes its answer based on Options::useJIT(). There really shouldn't be any other clients of Options::useJIT().

Saam Barati

Comment 5 2017-11-14 11:17:11 PST

Comment on attachment 326751 [details] Bugfix Patch View in context: https://bugs.webkit.org/attachment.cgi?id=326751&action=review > Source/JavaScriptCore/runtime/JSGlobalObject.cpp:873 > + if (Options::useWebAssembly() && ExecutableAllocator::singleton().isValid()) { Let's make this condition: Options::useWebAssembly() && vm.canUseJIT() Can you also write a changelog? Or if you prefer, somebody on the JSC team can take this through the finish line.

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Major

Classification Unclassified

Version Other

Hardware iPhone / iPad

OS iOS 11

Product WebKit

Component WebAssembly

Assignee

Nobody

Reported

2017-11-13 01:56 PST

Modified

2017-11-14 11:17 PST History

CC List

4 users Show

URL

Keywords

Depends on

Blocks