Bug 239588 - Assertion failure crash on Wasm ref.func use in global
Summary: Assertion failure crash on Wasm ref.func use in global
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebAssembly
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2022-04-20 21:43 PDT by Asumu Takikawa
Modified: 2022-06-01 09:55 PDT

Attachments
Patch (2.90 KB, patch), 2022-05-05 18:32 PDT, Asumu Takikawa, no flags
Patch (2.17 KB, patch), 2022-05-18 16:02 PDT, Asumu Takikawa, no flags
Patch (2.17 KB, patch), 2022-05-26 15:05 PDT, Asumu Takikawa, no flags

Description Asumu Takikawa 2022-04-20 21:43:30 PDT
Running the following Wasm program in JSC causes a crash due to an assertion failure:

```
// Build a WebAssembly.Module from a binary string (one character per byte).
function module(bytes) {
  let buffer = new ArrayBuffer(bytes.length);
  let view = new Uint8Array(buffer);
  for (let i = 0; i < bytes.length; ++i) {
    view[i] = bytes.charCodeAt(i);
  }
  return new WebAssembly.Module(buffer);
}

//  (module
//    (type (func))
//    (global funcref (ref.func 0))
//    (func (type 0)))
new WebAssembly.Instance(module(
  "\x00\x61\x73\x6d\x01\x00\x00\x00" + // magic, version 1
  "\x01\x04\x01\x60\x00\x00" +         // type section: one type, () -> ()
  "\x03\x02\x01\x00" +                 // function section: one function of type 0
  "\x06\x06\x01\x70\x00\xd2\x00\x0b" + // global section: immutable funcref, init = ref.func 0
  "\x0a\x04\x01\x02\x00\x0b"           // code section: one empty function body
));
```

The crashing invocation and result:

```
$ ~/WebKit/WebKitBuild/GTK/Release/bin/jsc foo.js
1   0x7f16de19e349 WTFCrash
2   0x7f16de10178d /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x184a78d) [0x7f16de10178d]
3   0x7f16de1022ce /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x184b2ce) [0x7f16de1022ce]
4   0x7f16de0d98ad /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x18228ad) [0x7f16de0d98ad]
5   0x7f16de0efcbc /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x1838cbc) [0x7f16de0efcbc]
6   0x7f1698fff0c7 [0x7f1698fff0c7]
Segmentation fault (core dumped)
```

The crash seems to be in `CalleeGroup::embedderEntrypointCalleeFromFunctionIndexSpace` line 86 where there is a `RELEASE_ASSERT(callee);` but the `callee` is uninitialized for some reason.
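To make the reproducer's bytes auditable rather than a flat escape string, the following is an added example (not part of the bug report, and not WebKit or JavaScriptCore code): it rebuilds the same module section by section with a minimal unsigned-LEB128/section encoder, checks that the output is byte-for-byte the string above, and then reports whether the running engine accepts the module instead of throwing. The helper names (`uleb`, `section`, `vec`, `buildModule`, `matchesReport`, `tryInstantiate`) are my own.

```javascript
// Minimal WebAssembly binary encoder that rebuilds the reproducer from the
// bug report. Helper names are my own, not WebKit's or the reporter's.

// Unsigned LEB128, used for every size, count and index in the format.
function uleb(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}

// A section is: id byte, u32 payload size, payload bytes.
function section(id, payload) {
  return [id, ...uleb(payload.length), ...payload];
}

// A vector is: u32 count, then the items (each item given as a byte array).
function vec(items) {
  return [...uleb(items.length), ...items.flat()];
}

// Section ids, value types and opcodes used below.
const SEC_TYPE = 1, SEC_FUNC = 3, SEC_GLOBAL = 6, SEC_CODE = 10;
const TYPE_FUNC = 0x60, VT_FUNCREF = 0x70;
const OP_REF_FUNC = 0xd2, OP_END = 0x0b;

// (module
//   (type (func))
//   (global funcref (ref.func 0))
//   (func (type 0)))
function buildModule() {
  const header = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00];
  // one function type with no params and no results
  const typeSec = section(SEC_TYPE, vec([[TYPE_FUNC, ...vec([]), ...vec([])]]));
  // one function, using type index 0
  const funcSec = section(SEC_FUNC, vec([uleb(0)]));
  // one immutable funcref global whose init expression is "ref.func 0; end"
  const globalSec = section(SEC_GLOBAL, vec([
    [VT_FUNCREF, 0x00, OP_REF_FUNC, ...uleb(0), OP_END],
  ]));
  // one code entry: zero local declarations, then "end"
  const body = [...vec([]), OP_END];
  const codeSec = section(SEC_CODE, vec([[...uleb(body.length), ...body]]));
  return Uint8Array.from([...header, ...typeSec, ...funcSec, ...globalSec, ...codeSec]);
}

// The exact string from the bug report, kept here for comparison.
const REPORTED = "\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x06\x06\x01\x70\x00\xd2\x00\x0b\x0a\x04\x01\x02\x00\x0b";

function matchesReport(bytes) {
  if (bytes.length !== REPORTED.length) return false;
  for (let i = 0; i < bytes.length; i++) {
    if (bytes[i] !== REPORTED.charCodeAt(i)) return false;
  }
  return true;
}

// Instantiation is the step that tripped the assertion in JSC. Report the
// outcome as a value so the engine's behaviour can be inspected without
// the script itself aborting.
function tryInstantiate(bytes) {
  try {
    const instance = new WebAssembly.Instance(new WebAssembly.Module(bytes));
    return { ok: true, exports: Object.keys(instance.exports) };
  } catch (e) {
    return { ok: false, error: `${e.constructor.name}: ${e.message}` };
  }
}

if (typeof require !== "undefined" && require.main === module) {
  const bytes = buildModule();
  console.log("matches reported bytes:", matchesReport(bytes));
  console.log(tryInstantiate(bytes));
}
```

Because the encoder computes section and body sizes itself, changing the function index in `ref.func`, adding locals, or adding a second function keeps the module well-formed, which is what you want when producing variants of a reproducer like this one for an engine under test.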
Comment 1 Radar WebKit Bug Importer 2022-04-27 21:44:12 PDT
<rdar://problem/92438940>
Comment 2 Asumu Takikawa 2022-05-05 18:32:28 PDT
Created attachment 458931
Patch
Comment 3 Keith Miller 2022-05-06 08:50:12 PDT
Comment on attachment 458931
Patch

r=me
Comment 4 Asumu Takikawa 2022-05-18 16:02:23 PDT
Created attachment 459559
Patch
Comment 5 Asumu Takikawa 2022-05-18 16:02:56 PDT
Just removed ChangeLog entries since those have been deprecated. No other changes.
Comment 6 Asumu Takikawa 2022-05-26 15:05:19 PDT
Created attachment 459794
Patch
Comment 7 EWS 2022-06-01 09:55:11 PDT
Committed r295091 (251186@main): <https://commits.webkit.org/251186@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 459794.