WebKit Bugzilla
Bug 239588: Assertion failure crash on Wasm ref.func use in global
https://bugs.webkit.org/show_bug.cgi?id=239588
Status: RESOLVED FIXED
Reported by Asumu Takikawa, 2022-04-20 21:43:30 PDT
Running the following Wasm program in JSC causes a crash due to an assertion failure:

```
// Builds a WebAssembly.Module from module bytes passed as a JS string
// (one byte per character); the `valid` parameter is unused here.
function module(bytes, valid = true) {
  let buffer = new ArrayBuffer(bytes.length);
  let view = new Uint8Array(buffer);
  for (let i = 0; i < bytes.length; ++i) {
    view[i] = bytes.charCodeAt(i);
  }
  return new WebAssembly.Module(buffer);
}

// Text form of the module encoded below:
// (module
//   (type (func))
//   (global funcref (ref.func 0))
//   (func (type 0)))
new WebAssembly.Instance(module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x06\x06\x01\x70\x00\xd2\x00\x0b\x0a\x04\x01\x02\x00\x0b"));
```

The crashing invocation and result:

```
$ ~/WebKit/WebKitBuild/GTK/Release/bin/jsc foo.js
1   0x7f16de19e349 WTFCrash
2   0x7f16de10178d /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x184a78d) [0x7f16de10178d]
3   0x7f16de1022ce /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x184b2ce) [0x7f16de1022ce]
4   0x7f16de0d98ad /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x18228ad) [0x7f16de0d98ad]
5   0x7f16de0efcbc /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x1838cbc) [0x7f16de0efcbc]
6   0x7f1698fff0c7 [0x7f1698fff0c7]
Segmentation fault (core dumped)
```

The crash seems to be in `CalleeGroup::embedderEntrypointCalleeFromFunctionIndexSpace` line 86 where there is a `RELEASE_ASSERT(callee);` but the `callee` is uninitialized for some reason.
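The reporter's module is well-formed: `ref.func 0` names the one function the module declares, so the assertion is an engine-side bug rather than a rejected input. As an added example (not code from the bug report or from WebKit, standard library only), the script below rebuilds that module from its sections, decodes the global section back out, and applies the index-range check a validator performs on a `ref.func` initializer; it also shows the same check rejecting an out-of-range index.

```python
MAGIC = b"\x00asm\x01\x00\x00\x00"                       # magic + version 1
SEC_TYPE, SEC_FUNCTION, SEC_GLOBAL, SEC_CODE = 1, 3, 6, 10
FUNC_TYPE, FUNCREF, REF_FUNC, END = 0x60, 0x70, 0xD2, 0x0B

def uleb(n):                                    # unsigned LEB128 encode
    return bytes([n & 0x7F]) if n < 0x80 else bytes([0x80 | n & 0x7F]) + uleb(n >> 7)

def read_uleb(buf, pos):                        # decode -> (value, next position)
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value, shift = value | (byte & 0x7F) << shift, shift + 7
        if not byte & 0x80:
            return value, pos

def section(sec_id, payload):
    return bytes([sec_id]) + uleb(len(payload)) + payload

def build_module(func_index=0):
    """(module (type (func)) (global funcref (ref.func <func_index>)) (func (type 0)))"""
    type_sec = section(SEC_TYPE, uleb(1) + bytes([FUNC_TYPE]) + uleb(0) + uleb(0))
    func_sec = section(SEC_FUNCTION, uleb(1) + uleb(0))            # one function of type 0
    init = bytes([REF_FUNC]) + uleb(func_index) + bytes([END])     # constant initializer
    global_sec = section(SEC_GLOBAL, uleb(1) + bytes([FUNCREF, 0x00]) + init)  # immutable
    code_sec = section(SEC_CODE, uleb(1) + uleb(2) + uleb(0) + bytes([END]))   # empty body
    return MAGIC + type_sec + func_sec + global_sec + code_sec

def check_ref_func_globals(wasm):
    """Return the function index of each ref.func global; ValueError if undeclared."""
    assert wasm[:8] == MAGIC, "not a Wasm 1.0 binary"
    pos, declared, refs = 8, 0, []
    while pos < len(wasm):                      # each section: id, size, payload
        size, start = read_uleb(wasm, pos + 1)
        sec_id, body, pos = wasm[pos], wasm[start:start + size], start + size
        if sec_id == SEC_FUNCTION:              # precedes the global section by spec
            declared = read_uleb(body, 0)[0]    # imported functions are not counted here
        elif sec_id == SEC_GLOBAL:
            count, p = read_uleb(body, 0)
            for _ in range(count):
                valtype, opcode = body[p], body[p + 2]   # body[p + 1] is mutability
                if valtype != FUNCREF or opcode != REF_FUNC:
                    raise NotImplementedError("only funcref globals with ref.func init")
                idx, p = read_uleb(body, p + 3)
                assert body[p] == END, "init expr must end with 0x0b"
                p += 1
                if idx >= declared:
                    raise ValueError(f"ref.func {idx} names an undeclared function")
                refs.append(idx)
    return refs
```

`build_module()` reproduces the 32-byte string from the report exactly, and `check_ref_func_globals` accepts it with `[0]`, while `build_module(func_index=1)` is rejected.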
Attachments
Patch (2.90 KB, patch), 2022-05-05 18:32 PDT, Asumu Takikawa, no flags
Patch (2.17 KB, patch), 2022-05-18 16:02 PDT, Asumu Takikawa, no flags
Patch (2.17 KB, patch), 2022-05-26 15:05 PDT, Asumu Takikawa, no flags
Radar WebKit Bug Importer, Comment 1, 2022-04-27 21:44:12 PDT
<rdar://problem/92438940>

Asumu Takikawa, Comment 2, 2022-05-05 18:32:28 PDT
Created attachment 458931
Patch

Keith Miller, Comment 3, 2022-05-06 08:50:12 PDT
Comment on attachment 458931
Patch r=me

Asumu Takikawa, Comment 4, 2022-05-18 16:02:23 PDT
Created attachment 459559
Patch

Asumu Takikawa, Comment 5, 2022-05-18 16:02:56 PDT
Just removed ChangeLog entries since those have been deprecated. No other changes.

Asumu Takikawa, Comment 6, 2022-05-26 15:05:19 PDT
Created attachment 459794
Patch

EWS, Comment 7, 2022-06-01 09:55:11 PDT
Committed r295091 (251186@main): <https://commits.webkit.org/251186@main>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 459794.