Bug 249378 - [JSC] Tuple should be able to include V128 constant
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=249378
CAO ZONG
Reported
2022-12-15 00:45:39 PST
Created attachment 464055 [details]
Reproducible poc

This poc can reproduce the crash stably.

commit: bcd8cc0c0c83b0f2ddb78977a843650168bb138f

Stack:
#0 0x00007ffff5ad400b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff5ab3859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x0000555555a3a1da in WTFCrashWithInfo(int, char const*, char const*, int) ()
#3 0x0000555556a13a79 in JSC::Wasm::AirIRGenerator64::emitMaterializeConstant(JSC::B3::Air::BasicBlock*, JSC::Wasm::Type, unsigned long, JSC::Wasm::TypedTmp&) ()
#4 0x0000555556a48b0d in JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::addEndToUnreachable(JSC::Wasm::FunctionParserTypes<JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::ControlData, JSC::Wasm::TypedTmp>::ControlEntry&, WTF::Vector<JSC::Wasm::FunctionParserTypes<JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::ControlData, JSC::Wasm::TypedTmp>::TypedExpression, 16ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc> const&) ()
#5 0x0000555556a2dfa6 in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseUnreachableExpression() ()
#6 0x0000555556a2d5c1 in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseBody() ()
#7 0x0000555556a2c65f in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parse() ()
#8 0x0000555556a23eae in std::experimental::fundamentals_v3::expected<std::unique_ptr<JSC::Wasm::InternalFunction, std::default_delete<JSC::Wasm::InternalFunction> >, WTF::String> JSC::Wasm::parseAndCompileAirImpl<JSC::Wasm::AirIRGenerator64>(JSC::Wasm::CompilationContext&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, unsigned int, std::optional<bool>, JSC::Wasm::TierUpCount*) ()
#9 0x0000555556a1c5d1 in JSC::Wasm::parseAndCompileAir(JSC::Wasm::CompilationContext&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, unsigned int, std::optional<bool>, JSC::Wasm::TierUpCount*) ()
#10 0x00005555569c7e76 in JSC::Wasm::BBQPlan::compileFunction(unsigned int, JSC::Wasm::CompilationContext&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::TierUpCount*) ()
#11 0x00005555569c6a56 in JSC::Wasm::BBQPlan::work(JSC::Wasm::Plan::CompilationEffort) ()
#12 0x0000555556b49ab2 in JSC::Wasm::Worklist::Thread::work() ()
#13 0x0000555556bf4143 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() ()
#14 0x0000555556c1537f in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) ()
#15 0x0000555556c6f096 in WTF::wtfThreadEntryPoint(void*) ()
#16 0x00007ffff5fe3609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#17 0x00007ffff5bb0133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
Attachments
Reproducible poc (1.04 KB, text/javascript), 2022-12-15 00:45 PST, CAO ZONG, no flags
Radar WebKit Bug Importer
Comment 1
2022-12-15 00:45:51 PST
<rdar://problem/103392110>
CAO ZONG
Comment 2
2022-12-15 22:04:14 PST
with --useWebAssemblySIMD=true flag
Yusuke Suzuki
Comment 3
2022-12-16 13:01:40 PST
Changing the component from security to normal since this is not shipped. This is a WIP feature still under development.
Yusuke Suzuki
Comment 4
2022-12-16 14:03:03 PST
Pull request: https://github.com/WebKit/WebKit/pull/7779
EWS
Comment 5
2022-12-16 21:34:10 PST
Committed 258034@main (c19143329472): <https://commits.webkit.org/258034@main>
Reviewed commits have been landed. Closing PR #7779 and removing active labels.