RESOLVED FIXED 239588
Assertion failure crash on Wasm ref.func use in global
https://bugs.webkit.org/show_bug.cgi?id=239588
Asumu Takikawa
Reported 2022-04-20 21:43:30 PDT
Running the following Wasm program in JSC causes a crash due to an assertion failure:

```
// Build a WebAssembly.Module from a binary string of module bytes.
function module(bytes, valid = true) {
  let buffer = new ArrayBuffer(bytes.length);
  let view = new Uint8Array(buffer);
  for (let i = 0; i < bytes.length; ++i) {
    view[i] = bytes.charCodeAt(i);
  }
  return new WebAssembly.Module(buffer);
}

// (module
//   (type (func))
//   (global funcref (ref.func 0))
//   (func (type 0)))
new WebAssembly.Instance(module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x06\x06\x01\x70\x00\xd2\x00\x0b\x0a\x04\x01\x02\x00\x0b"));
```

The crashing invocation and result:

```
$ ~/WebKit/WebKitBuild/GTK/Release/bin/jsc foo.js
1   0x7f16de19e349 WTFCrash
2   0x7f16de10178d /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x184a78d) [0x7f16de10178d]
3   0x7f16de1022ce /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x184b2ce) [0x7f16de1022ce]
4   0x7f16de0d98ad /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x18228ad) [0x7f16de0d98ad]
5   0x7f16de0efcbc /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x1838cbc) [0x7f16de0efcbc]
6   0x7f1698fff0c7 [0x7f1698fff0c7]
Segmentation fault (core dumped)
```

The crash seems to be in `CalleeGroup::embedderEntrypointCalleeFromFunctionIndexSpace` line 86 where there is a `RELEASE_ASSERT(callee);` but the `callee` is uninitialized for some reason.
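As an added example (not part of the bug report or of WebKit's code), a small decoder for the reproducer's module bytes: it splits the binary into sections, decodes the global section so the `ref.func 0` initializer is visible, and checks that index against the declared function count. The byte string, section ids and opcodes come from the report and the Wasm binary format; the function names are this example's own.

```javascript
// Added example, not from the bug report: decode the reproducer's module bytes into
// sections, expose the global section's `ref.func 0` initializer, and check its index.
const WASM_BYTES =
  "\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00" +
  "\x06\x06\x01\x70\x00\xd2\x00\x0b\x0a\x04\x01\x02\x00\x0b";
// Unsigned LEB128 at `pos`; returns [value, nextPos].
function readU32(bytes, pos) {
  let result = 0, shift = 0, b;
  do { b = bytes[pos++]; result |= (b & 0x7f) << shift; shift += 7; } while (b & 0x80);
  return [result >>> 0, pos];
}
// Sections follow the 8-byte magic+version as: id byte, u32 size, payload.
function parseSections(bytes) {
  if (String.fromCharCode(...bytes.subarray(0, 4)) !== "\0asm") throw new Error("bad magic");
  const sections = [];
  for (let pos = 8, size; pos < bytes.length; pos += size) {
    const id = bytes[pos++];
    [size, pos] = readU32(bytes, pos);
    sections.push({ id, payload: bytes.subarray(pos, pos + size) });
  }
  return sections;
}
// Global section (id 6): valtype, mutability, constant init expr ending in 0x0b.
// Only ref.func initializers (opcode 0xd2 + funcidx) are decoded; others raise.
function decodeGlobals(sections) {
  const sec = sections.find(s => s.id === 6);
  if (!sec) return [];
  const p = sec.payload, globals = [];
  let [count, pos] = readU32(p, 0);
  for (let i = 0; i < count; i++) {
    const valtype = p[pos++], mutable = p[pos++] === 1, opcode = p[pos++]; // 0x70 = funcref
    if (opcode !== 0xd2) throw new Error(`unsupported init opcode 0x${opcode.toString(16)}`);
    let funcidx;
    [funcidx, pos] = readU32(p, pos);
    if (p[pos++] !== 0x0b) throw new Error("init expr missing end opcode");
    globals.push({ valtype, mutable, init: { op: "ref.func", funcidx } });
  }
  return globals;
}
// Section ids, function count (function section, id 3; an import section, id 2, would
// extend the index space and is rejected here), decoded globals, and any ref.func whose
// index the module does not declare. The reproducer has none: ref.func 0 is its only function.
function inspectModule(str) {
  const sections = parseSections(Uint8Array.from(str, c => c.charCodeAt(0)));
  if (sections.some(s => s.id === 2)) throw new Error("imports not handled here");
  const funcSec = sections.find(s => s.id === 3), globals = decodeGlobals(sections);
  const funcCount = funcSec ? readU32(funcSec.payload, 0)[0] : 0;
  const dangling = globals.filter(g => g.init.funcidx >= funcCount);
  return { sectionIds: sections.map(s => s.id), funcCount, globals, dangling };
}
```

Running `inspectModule(WASM_BYTES)` shows the module is well-formed at this level (type, function, global and code sections; one function; `ref.func 0` in range), so the assertion in the report fires on a module the engine has already accepted.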
Attachments
Patch (2.90 KB, patch)
2022-05-05 18:32 PDT, Asumu Takikawa
no flags
Patch (2.17 KB, patch)
2022-05-18 16:02 PDT, Asumu Takikawa
no flags
Patch (2.17 KB, patch)
2022-05-26 15:05 PDT, Asumu Takikawa
no flags
Radar WebKit Bug Importer
Comment 1 2022-04-27 21:44:12 PDT
Asumu Takikawa
Comment 2 2022-05-05 18:32:28 PDT
Keith Miller
Comment 3 2022-05-06 08:50:12 PDT
Comment on attachment 458931 [details]
Patch

r=me
Asumu Takikawa
Comment 4 2022-05-18 16:02:23 PDT
Asumu Takikawa
Comment 5 2022-05-18 16:02:56 PDT
Just removed ChangeLog entries since those have been deprecated. No other changes.
Asumu Takikawa
Comment 6 2022-05-26 15:05:19 PDT
EWS
Comment 7 2022-06-01 09:55:11 PDT
Committed r295091 (251186@main): <https://commits.webkit.org/251186@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 459794 [details].