Bug 254414 - [WASM] Aborted in JSC::Wasm::LLIntGenerator::addCatchToUnreachable
Summary: [WASM] Aborted in JSC::Wasm::LLIntGenerator::addCatchToUnreachable
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Asumu Takikawa
URL:
Keywords: InRadar
Depends on:
Blocks: 247394
  Show dependency treegraph
 
Reported: 2023-03-24 06:30 PDT by CAO ZONG
Modified: 2024-02-01 15:12 PST (History)
5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description CAO ZONG 2023-03-24 06:30:05 PDT 
Commit: cebd0f9727d7493fbbea4ebf321799bc0152642e
Flags:  --useSinglePassBBQJIT=true --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyGC=true

POC:
```
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,157,128,128,128,0,5,80,0,95,0,80,0,96,3,127,127,127,1,127,96,1,108,1,0,96,4,126,123,123,123,0,96,0,0,3,130,128,128,128,0,1,1,4,133,128,128,128,0,1,112,1,1,3,5,132,128,128,128,0,1,1,16,32,13,135,128,128,128,0,3,0,2,0,3,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,176,128,128,128,0,1,46,0,6,127,65,0,68,0,0,0,0,0,0,0,0,65,0,65,0,54,2,138,162,1,8,2,155,170,69,254,44,2,178,228,148,136,5,7,0,26,65,0,25,65,0,11,11]);
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
f();
```

Backtrace:
#0  0x00007ffff5aca00b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff5aa9859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x0000555555a4a11a in WTFCrashWithInfo(int, char const*, char const*, int) ()
#3  0x0000555556adaa41 in JSC::Wasm::LLIntGenerator::addCatchToUnreachable(unsigned int, JSC::Wasm::TypeDefinition const&, JSC::Wasm::LLIntGenerator::ControlType&, WTF::Vector<JSC::VirtualRegister, 8ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) ()
#4  0x0000555556ae937e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseUnreachableExpression() ()
#5  0x0000555556ae821b in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody() ()
#6  0x0000555556ae309f in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse() ()
#7  0x0000555556ad1f72 in JSC::Wasm::parseAndCompileBytecode(unsigned char const*, unsigned long, JSC::Wasm::TypeDefinition const&, JSC::Wasm::ModuleInformation&, unsigned int) ()
#8  0x0000555556adfceb in JSC::Wasm::LLIntPlan::compileFunction(unsigned int) ()
#9  0x0000555556acddf0 in JSC::Wasm::EntryPlan::compileFunctions(JSC::Wasm::Plan::CompilationEffort) ()
#10 0x0000555556b95272 in JSC::Wasm::Worklist::Thread::work() ()
#11 0x0000555556c4afa3 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() ()
#12 0x0000555556c6c1ef in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) ()
#13 0x0000555556cc71d6 in WTF::wtfThreadEntryPoint(void*) ()
#14 0x00007ffff5fd9609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#15 0x00007ffff5ba6133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
Comment 1 Radar WebKit Bug Importer 2023-03-24 06:30:15 PDT 
<rdar://problem/107184325>
Comment 2 Yusuke Suzuki 2023-03-24 11:58:17 PDT 
> --useWebAssemblyTypedFunctionReferences=true

This is not implemented fully & not enabled. So, this is not a security issue.
Comment 3 Asumu Takikawa 2024-01-29 14:10:43 PST 
Pull request: https://github.com/WebKit/WebKit/pull/23460
Comment 4 EWS 2024-02-01 15:12:27 PST 
Committed 273945@main (a7470b0dc92e): <https://commits.webkit.org/273945@main>

Reviewed commits have been landed. Closing PR #23460 and removing active labels.