WebKit Bugzilla
Bug 254413: [WASM] Aborted in JSC::Wasm::B3IRGenerator::emitStructSet
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=254413
Reported by CAO ZONG, 2023-03-24 06:28:11 PDT

commit: cebd0f9727d7493fbbea4ebf321799bc0152642e
Flags: --useSinglePassBBQJIT=true --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyGC=true

Poc

```js
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,169,128,128,128,0,4,80,0,95,4,124,0,126,0,126,0,123,0,80,0,96,3,127,127,127,1,127,96,0,0,80,0,96,9,123,107,0,127,127,127,127,127,127,127,1,127,3,130,128,128,128,0,1,1,4,137,128,128,128,0,2,112,1,1,8,111,1,0,0,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,2,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,184,128,128,128,0,1,54,0,65,0,253,15,68,0,0,0,0,0,0,0,0,66,0,66,0,65,0,253,15,251,7,0,65,0,65,0,65,0,65,0,65,0,65,0,65,0,2,3,26,26,26,26,26,26,26,26,26,65,0,11,11]);
// Compiling this module with the flags above (BBQ plan -> B3 IR generation) is what
// reaches the abort in emitStructSet shown in the backtrace.
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
f();
```

Backtrace:

```
#0  0x00007ffff5aca00b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff5aa9859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x0000555555a4a11a in WTFCrashWithInfo(int, char const*, char const*, int) ()
#3  0x00005555569e06ff in JSC::Wasm::B3IRGenerator::emitStructSet(JSC::B3::Value*, unsigned int, JSC::Wasm::StructType const&, JSC::B3::Value*) ()
#4  0x00005555569e4954 in JSC::Wasm::B3IRGenerator::addStructNew(unsigned int, WTF::Vector<JSC::B3::Variable*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::B3::Variable*&) ()
#5  0x0000555556a2fa39 in JSC::Wasm::FunctionParser<JSC::Wasm::B3IRGenerator>::parseExpression() ()
#6  0x0000555556a1c7cb in JSC::Wasm::FunctionParser<JSC::Wasm::B3IRGenerator>::parseBody() ()
#7  0x0000555556a13045 in JSC::Wasm::FunctionParser<JSC::Wasm::B3IRGenerator>::parse() ()
#8  0x00005555569ee926 in JSC::Wasm::parseAndCompileB3(JSC::Wasm::CompilationContext&, JSC::Wasm::Callee&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, JSC::Wasm::CompilationMode, unsigned int, std::optional<bool>, unsigned int, JSC::Wasm::TierUpCount*) ()
#9  0x0000555556a03017 in JSC::Wasm::BBQPlan::compileFunction(unsigned int, JSC::Wasm::Callee&, JSC::Wasm::CompilationContext&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::TierUpCount*) ()
#10 0x0000555556a01c92 in JSC::Wasm::BBQPlan::work(JSC::Wasm::Plan::CompilationEffort) ()
#11 0x0000555556b95272 in JSC::Wasm::Worklist::Thread::work() ()
#12 0x0000555556c4afa3 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() ()
#13 0x0000555556c6c1ef in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) ()
#14 0x0000555556cc71d6 in WTF::wtfThreadEntryPoint(void*) ()
#15 0x00007ffff5fd9609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#16 0x00007ffff5ba6133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
```
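Decoding the PoC's section layout, as an added example that is not part of this report and not WebKit code: before a module from a fuzzer or an untrusted source goes to a JIT, a triage script can list its sections and decode the type section to see which feature combination it exercises. Run on the bytes above it shows a GC struct whose last field is v128 (the SIMD-plus-GC combination behind this abort), a tag section, and a function type taking a typed reference. The module bytes are copied from the PoC; the decoder is mine and assumes the pre-standard encoding the PoC uses (0x50 sub, 0x5f struct, 0x60 func, and 0x6b / 0x6c followed by a concrete type index for reference types). Array types and abstract heap types are not handled.

```javascript
// Added example (not WebKit code): section and type-section decoder for a wasm binary.
// Assumes the pre-standard GC / typed-funcref encoding used by the PoC in this report.

// Bytes copied from the PoC in bug 254413.
const pocModuleBytes = new Uint8Array([0,97,115,109,1,0,0,0,1,169,128,128,128,0,4,80,0,95,4,124,0,126,0,126,0,123,0,80,0,96,3,127,127,127,1,127,96,0,0,80,0,96,9,123,107,0,127,127,127,127,127,127,127,1,127,3,130,128,128,128,0,1,1,4,137,128,128,128,0,2,112,1,1,8,111,1,0,0,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,2,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,184,128,128,128,0,1,54,0,65,0,253,15,68,0,0,0,0,0,0,0,0,66,0,66,0,65,0,253,15,251,7,0,65,0,65,0,65,0,65,0,65,0,65,0,65,0,2,3,26,26,26,26,26,26,26,26,26,65,0,11,11]);

const SECTION_NAMES = ['custom', 'type', 'import', 'function', 'table', 'memory', 'global',
  'export', 'start', 'element', 'code', 'data', 'datacount', 'tag'];
const VALTYPES = { 0x7f: 'i32', 0x7e: 'i64', 0x7d: 'f32', 0x7c: 'f64', 0x7b: 'v128', 0x78: 'i8', 0x77: 'i16' };

// Unsigned LEB128, returns [value, nextPos]. Multiplying instead of shifting keeps
// padded 5-byte encodings (as in this module's section sizes) exact.
function readU32(bytes, pos) {
  let value = 0, shift = 0, b;
  do {
    if (pos >= bytes.length) throw new Error('truncated LEB128');
    b = bytes[pos++];
    value += (b & 0x7f) * 2 ** shift;
    shift += 7;
  } while (b & 0x80);
  return [value, pos];
}

// vec(item): u32 count, then count items read with readItem(bytes, pos) -> [item, nextPos].
function readVec(bytes, pos, readItem) {
  let count; [count, pos] = readU32(bytes, pos);
  const items = [];
  for (let i = 0; i < count; i++) { let item; [item, pos] = readItem(bytes, pos); items.push(item); }
  return [items, pos];
}

// Splits the module into sections after checking magic/version; rejects a section that overruns the buffer.
function parseSections(bytes) {
  const magicOk = bytes.length >= 8 && bytes[0] === 0 && bytes[1] === 0x61 && bytes[2] === 0x73 && bytes[3] === 0x6d;
  if (!magicOk) throw new Error('not a wasm binary');
  const sections = [];
  let pos = 8;
  while (pos < bytes.length) {
    const id = bytes[pos++];
    let size; [size, pos] = readU32(bytes, pos);
    if (pos + size > bytes.length) throw new Error(`section ${id} overruns module`);
    sections.push({ id, name: SECTION_NAMES[id] ?? `unknown(${id})`, start: pos, size });
    pos += size;
  }
  return sections;
}

function readValType(bytes, pos) {
  const b = bytes[pos++];
  if (VALTYPES[b] !== undefined) return [VALTYPES[b], pos];
  if (b === 0x6b || b === 0x6c) {            // (ref $t) / (ref null $t), typed-funcref encoding (assumption)
    const [idx, next] = readU32(bytes, pos);  // heap type taken to be a concrete type index
    return [`${b === 0x6c ? 'ref null' : 'ref'} ${idx}`, next];
  }
  throw new Error(`unsupported value type 0x${b.toString(16)} at ${pos - 1}`);
}

// fieldtype = storagetype mutability
function readFieldType(bytes, pos) {
  let type; [type, pos] = readValType(bytes, pos);
  const mutable = bytes[pos++] === 1;
  return [{ type, mutable }, pos];
}

function readType(bytes, pos) {
  const tag = bytes[pos++];
  if (tag === 0x50) {                         // sub: supertype indices, then the composite type
    let supertypes; [supertypes, pos] = readVec(bytes, pos, readU32);
    let inner; [inner, pos] = readType(bytes, pos);
    return [{ ...inner, supertypes }, pos];
  }
  if (tag === 0x5f) {                         // struct: vec(fieldtype)
    let fields; [fields, pos] = readVec(bytes, pos, readFieldType);
    return [{ kind: 'struct', fields }, pos];
  }
  if (tag === 0x60) {                         // func: vec(param) vec(result)
    let params; [params, pos] = readVec(bytes, pos, readValType);
    let results; [results, pos] = readVec(bytes, pos, readValType);
    return [{ kind: 'func', params, results }, pos];
  }
  throw new Error(`unsupported type form 0x${tag.toString(16)} at ${pos - 1}`);
}

function decodeTypes(bytes) {
  const typeSection = parseSections(bytes).find(s => s.id === 1);
  return typeSection ? readVec(bytes, typeSection.start, readType)[0] : [];
}

// Struct fields of type v128: the GC-struct-plus-SIMD combination that this bug concerns.
function v128StructFields(bytes) {
  const hits = [];
  decodeTypes(bytes).forEach((t, typeIndex) => {
    if (t.kind !== 'struct') return;
    t.fields.forEach((f, fieldIndex) => { if (f.type === 'v128') hits.push({ typeIndex, fieldIndex }); });
  });
  return hits;
}

console.log(parseSections(pocModuleBytes).map(s => `${s.name}(${s.size}B)`).join(' '));
console.log(JSON.stringify(decodeTypes(pocModuleBytes)[0]));
console.log('v128 struct fields:', JSON.stringify(v128StructFields(pocModuleBytes)));
```

The size check in parseSections is the part worth keeping in any triage tool: a declared section size that runs past the end of the buffer is rejected before any section body is touched, so a malformed file fails closed instead of reading out of bounds.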
Comment 1 (Radar WebKit Bug Importer, 2023-03-24 06:28:20 PDT)

<rdar://problem/107184303>
Comment 2 (Yusuke Suzuki, 2023-03-24 11:58:49 PDT)

> --useWebAssemblyTypedFunctionReferences=true
This is not implemented fully & not enabled. So, this is not a security issue.
Comment 3 (Asumu Takikawa, 2024-01-26 16:13:32 PST)

This bug depends on v128 support, so it should be fixed after
https://github.com/WebKit/WebKit/pull/22727
lands. I will upload a test after that PR is merged.
Comment 4 (Asumu Takikawa, 2024-01-29 13:44:37 PST)

Pull request: https://github.com/WebKit/WebKit/pull/23457
Comment 5 (EWS, 2024-01-30 16:31:16 PST)

Committed 273793@main (15a216e460c4): <https://commits.webkit.org/273793@main>

Reviewed commits have been landed. Closing PR #23457 and removing active labels.