WebKit Bugzilla
Bug 249377: RESOLVED DUPLICATE of bug 249418
[WASM] Memory Corruption in JSC::Wasm::AirIRGenerator64::addSIMDRelOp
https://bugs.webkit.org/show_bug.cgi?id=249377
CAO ZONG, reported 2022-12-15 00:37:27 PST

Created attachment 464054 [details]: Reproducible poc

This poc can reproduce the crash stably.
commit: bcd8cc0c0c83b0f2ddb78977a843650168bb138f

#0 0x00007ffff5ad400b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff5ab3859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x0000555555a3a1da in WTFCrashWithInfo(int, char const*, char const*, int) ()
#3 0x0000555556a83ca7 in JSC::Wasm::AirIRGenerator64::addSIMDRelOp(JSC::SIMDLaneOperation, JSC::SIMDInfo, JSC::Wasm::TypedTmp, JSC::Wasm::TypedTmp, JSC::B3::Air::Arg, JSC::Wasm::TypedTmp&) ()
#4 0x0000555556a63bf0 in std::experimental::fundamentals_v3::expected<void, WTF::String> JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::simd<true, void>(JSC::SIMDLaneOperation, JSC::SIMDLane, JSC::SIMDSignMode, JSC::B3::Air::Arg) ()
#5 0x0000555556a43901 in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseExpression() ()
#6 0x0000555556a2d5db in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseBody() ()
#7 0x0000555556a2c65f in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parse() ()
#8 0x0000555556a23eae in std::experimental::fundamentals_v3::expected<std::unique_ptr<JSC::Wasm::InternalFunction, std::default_delete<JSC::Wasm::InternalFunction> >, WTF::String> JSC::Wasm::parseAndCompileAirImpl<JSC::Wasm::AirIRGenerator64>(JSC::Wasm::CompilationContext&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, unsigned int, std::optional<bool>, JSC::Wasm::TierUpCount*) ()
#9 0x0000555556a1c5d1 in JSC::Wasm::parseAndCompileAir(JSC::Wasm::CompilationContext&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, unsigned int, std::optional<bool>, JSC::Wasm::TierUpCount*) ()
#10 0x00005555569c7e76 in JSC::Wasm::BBQPlan::compileFunction(unsigned int, JSC::Wasm::CompilationContext&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::TierUpCount*) ()
#11 0x00005555569c6a56 in JSC::Wasm::BBQPlan::work(JSC::Wasm::Plan::CompilationEffort) ()
#12 0x0000555556b49ab2 in JSC::Wasm::Worklist::Thread::work() ()
#13 0x0000555556bf4143 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() ()
#14 0x0000555556c1537f in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) ()
#15 0x0000555556c6f096 in WTF::wtfThreadEntryPoint(void*) ()
#16 0x00007ffff5fe3609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#17 0x00007ffff5bb0133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
Attachments: Reproducible poc (932 bytes, text/javascript), 2022-12-15 00:37 PST, CAO ZONG, no flags
Radar WebKit Bug Importer, Comment 1, 2022-12-15 00:37:37 PST
<rdar://problem/103391933>
CAO ZONG, Comment 2, 2022-12-15 00:39:55 PST
with --useWebAssemblySIMD=true flag
Yusuke Suzuki, Comment 3, 2022-12-16 12:54:58 PST
This is just because it is not implemented yet on x64 (and this is why --useWebAssemblySIMD=false right now).
Yusuke Suzuki, Comment 4, 2022-12-16 12:58:55 PST
Moving from security to normal bug since useWebAssemblySIMD on x64 is not ready (so not enabled at all).
Yusuke Suzuki, Comment 5, 2022-12-16 13:05:57 PST
Dupe to bug 249418; the feature was just not implemented yet (that's why `useWebAssemblySIMD` is not enabled), and it is now implemented.

*** This bug has been marked as a duplicate of bug 249418 ***