RESOLVED FIXED 254414
[WASM] Aborted in JSC::Wasm::LLIntGenerator::addCatchToUnreachable 
https://bugs.webkit.org/show_bug.cgi?id=254414
Summary [WASM] Aborted in JSC::Wasm::LLIntGenerator::addCatchToUnreachable
CAO ZONG
Reported 2023-03-24 06:30:05 PDT
Commit: cebd0f9727d7493fbbea4ebf321799bc0152642e Flags: --useSinglePassBBQJIT=true --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyGC=true POC: ``` var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,157,128,128,128,0,5,80,0,95,0,80,0,96,3,127,127,127,1,127,96,1,108,1,0,96,4,126,123,123,123,0,96,0,0,3,130,128,128,128,0,1,1,4,133,128,128,128,0,1,112,1,1,3,5,132,128,128,128,0,1,1,16,32,13,135,128,128,128,0,3,0,2,0,3,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,176,128,128,128,0,1,46,0,6,127,65,0,68,0,0,0,0,0,0,0,0,65,0,65,0,54,2,138,162,1,8,2,155,170,69,254,44,2,178,228,148,136,5,7,0,26,65,0,25,65,0,11,11]); var wasm_module = new WebAssembly.Module(wasm_code); var wasm_instance = new WebAssembly.Instance(wasm_module); var f = wasm_instance.exports.main; f(); ``` Backtrace: #0 0x00007ffff5aca00b in raise () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x00007ffff5aa9859 in abort () from /lib/x86_64-linux-gnu/libc.so.6 #2 0x0000555555a4a11a in WTFCrashWithInfo(int, char const*, char const*, int) () #3 0x0000555556adaa41 in JSC::Wasm::LLIntGenerator::addCatchToUnreachable(unsigned int, JSC::Wasm::TypeDefinition const&, JSC::Wasm::LLIntGenerator::ControlType&, WTF::Vector<JSC::VirtualRegister, 8ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) () #4 0x0000555556ae937e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseUnreachableExpression() () #5 0x0000555556ae821b in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody() () #6 0x0000555556ae309f in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse() () #7 0x0000555556ad1f72 in JSC::Wasm::parseAndCompileBytecode(unsigned char const*, unsigned long, JSC::Wasm::TypeDefinition const&, JSC::Wasm::ModuleInformation&, unsigned int) () #8 0x0000555556adfceb in JSC::Wasm::LLIntPlan::compileFunction(unsigned int) () #9 0x0000555556acddf0 in JSC::Wasm::EntryPlan::compileFunctions(JSC::Wasm::Plan::CompilationEffort) () #10 0x0000555556b95272 in JSC::Wasm::Worklist::Thread::work() () #11 0x0000555556c4afa3 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() () #12 0x0000555556c6c1ef in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) () #13 0x0000555556cc71d6 in WTF::wtfThreadEntryPoint(void*) () #14 0x00007ffff5fd9609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #15 0x00007ffff5ba6133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2023-03-24 06:30:15 PDT
<rdar://problem/107184325>
Yusuke Suzuki
Comment 2 2023-03-24 11:58:17 PDT
> --useWebAssemblyTypedFunctionReferences=true This is not implemented fully & not enabled. So, this is not a security issue.
Asumu Takikawa
Comment 3 2024-01-29 14:10:43 PST
Pull request: https://github.com/WebKit/WebKit/pull/23460
EWS
Comment 4 2024-02-01 15:12:27 PST
Committed 273945@main (a7470b0dc92e): <https://commits.webkit.org/273945@main> Reviewed commits have been landed. Closing PR #23460 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.