RESOLVED FIXED 258127
[WASM] SHOULD NEVER BE REACHED in JSC::Wasm::typeKindSizeInBytes(TypeKind)
https://bugs.webkit.org/show_bug.cgi?id=258127
CAO ZONG
Reported 2023-06-15 06:18:53 PDT
Commit: fa9df2d4f442ce1c83aa934ce603fd3ce303aff0
Flags: --useWebAssemblyGC=true

Poc:
```js
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,173,128,128,128,0,7,80,0,95,3,123,0,127,0,127,0,80,0,94,127,1,80,0,94,127,1,80,0,96,3,127,127,127,1,127,80,0,96,0,0,80,0,96,0,0,80,0,96,0,0,3,133,128,128,128,0,4,3,4,5,6,4,133,128,128,128,0,1,112,1,4,4,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,148,128,128,128,0,1,6,0,65,0,11,112,4,210,0,11,210,1,11,210,2,11,210,3,11,10,147,128,128,128,0,4,8,0,65,138,205,191,249,3,11,2,0,11,2,0,11,2,0,11]);
// Aborts inside the type-section parser (see backtrace: parseStructType -> typeSizeInBytes);
// the remaining lines are never reached.
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
f();
```

Backtrace:
```
* thread #1, name = 'jsc', stop reason = signal SIGABRT
  * frame #0: 0x00007ffff5aca00b libc.so.6`raise + 203
    frame #1: 0x00007ffff5aa9859 libc.so.6`abort + 299
    frame #2: 0x00005555561c679a jsc`WTFCrashWithInfo((null)=311, (null)="../../Source/JavaScriptCore/wasm/WasmTypeDefinition.h", (null)="size_t JSC::Wasm::typeKindSizeInBytes(TypeKind)", (null)=2203) at Assertions.h:762:5
    frame #3: 0x0000555557846899 jsc`JSC::Wasm::SectionParser::parseStructType(unsigned int, WTF::RefPtr<JSC::Wasm::TypeDefinition, WTF::RawPtrTraits<JSC::Wasm::TypeDefinition>, WTF::DefaultRefDerefTraits<JSC::Wasm::TypeDefinition> >&) [inlined] JSC::Wasm::typeKindSizeInBytes(JSC::Wasm::TypeKind) at WasmTypeDefinition.h:311:5
    frame #4: 0x0000555557846864 jsc`JSC::Wasm::SectionParser::parseStructType(unsigned int, WTF::RefPtr<JSC::Wasm::TypeDefinition, WTF::RawPtrTraits<JSC::Wasm::TypeDefinition>, WTF::DefaultRefDerefTraits<JSC::Wasm::TypeDefinition> >&) [inlined] JSC::Wasm::typeSizeInBytes(storageType=<unavailable>) at WasmTypeDefinition.h:482:12
    frame #5: 0x0000555557846864 jsc`JSC::Wasm::SectionParser::parseStructType(this=0x0000555555a931db, position=<unavailable>, structType=<unavailable>) at WasmSectionParser.cpp:859:38
    frame #6: 0x0000555557847ea4 jsc`JSC::Wasm::SectionParser::parseSubtype(this=0x00007fffffffd5e0, position=0, subtype=0x00007fffffffd550, recursionGroupTypes=0x00007fffffffd530) at WasmSectionParser.cpp:1070:9
    frame #7: 0x0000555557845375 jsc`JSC::Wasm::SectionParser::parseType(this=0x00007fffffffd5e0) at WasmSectionParser.cpp:92:13
    frame #8: 0x000055555785a3ef jsc`JSC::Wasm::StreamingParser::parseSectionPayload(this=0x00007fffec07fe70, data=0x00007fffffffd650) at WasmStreamingParser.cpp:197:5
    frame #9: 0x000055555785ad53 jsc`JSC::Wasm::StreamingParser::addBytes(this=0x00007fffec07fe70, bytes="", bytesSize=165, isEndOfStream=<unavailable>) at WasmStreamingParser.cpp:344:23
    frame #10: 0x00005555577a8ec6 jsc`JSC::Wasm::EntryPlan::parseAndValidateModule(unsigned char const*, unsigned long) [inlined] JSC::Wasm::StreamingParser::addBytes(this=0x00007fffec07fe70, bytes="", length=165) at WasmStreamingParser.h:81:66
    frame #11: 0x00005555577a8eb6 jsc`JSC::Wasm::EntryPlan::parseAndValidateModule(this=0x00007fffec07fde0, source="", sourceLength=165) at WasmEntryPlan.cpp:91:23
    frame #12: 0x00005555577be62c jsc`JSC::Wasm::LLIntPlan::LLIntPlan(this=0x00007fffec07fde0, vm=<unavailable>, source=<unavailable>, compilerMode=<unavailable>, task=<unavailable>)>, WTF::RawPtrTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> >, WTF::DefaultRefDerefTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> > >&&) at WasmLLIntPlan.cpp:49:9
    frame #13: 0x000055555782f5ed jsc`JSC::Wasm::Module::validateSync(vm=0x00007fffaa000000, source=0x00007fffffffd878) at WasmModule.cpp:70:41
    frame #14: 0x00005555578afe76 jsc`JSC::WebAssemblyModuleConstructor::createModule(globalObject=0x00007fffaa41a068, callFrame=0x00007fffffffd900, buffer=0x00007fffffffd878) at WebAssemblyModuleConstructor.cpp:188:5
    frame #15: 0x00005555578b03c4 jsc`JSC::constructJSWebAssemblyModule(globalObject=0x00007fffaa41a068, callFrame=0x00007fffffffd900) at WebAssemblyModuleConstructor.cpp:169:5
    frame #16: 0x00007fffab2800c7
    frame #17: 0x00005555563aa945 jsc`js_trampoline_op_construct + 23
    frame #18: 0x00005555563886fc jsc`vmEntryToJavaScript + 259
    frame #19: 0x0000555556efb31b jsc`JSC::Interpreter::executeProgram(this=0x00007fffaa00dd00, source=<unavailable>, (null)=<unavailable>, thisObj=0x00007fffec003a28) at Interpreter.cpp:1025:28
    frame #20: 0x00005555571b994f jsc`JSC::evaluate(globalObject=0x00007fffaa41a068, source=0x00007fffffffdeb0, thisValue=JSValue @ 0x00007fffffffdd88, returnedException=0x00007fffffffdf38) at Completion.cpp:137:37
    frame #21: 0x000055555619f794 jsc`jscmain(int, char**) at jsc.cpp:3478:35
    frame #22: 0x000055555619ea84 jsc`jscmain(int, char**) [inlined] jscmain(globalObject=0x00007fffaa41a068, success=0x00007fffffffde57)::$_0::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:4058:13
    frame #23: 0x000055555619ea77 jsc`jscmain(int, char**) at jsc.cpp:3869:9
    frame #24: 0x000055555619e8de jsc`jscmain(argc=3, argv=0x00007fffffffe1b8) at jsc.cpp:4051:18
    frame #25: 0x000055555619e525 jsc`main(argc=3, argv=0x00007fffffffe1b8) at jsc.cpp:3252:15
    frame #26: 0x00007ffff5aab083 libc.so.6`__libc_start_main + 243
    frame #27: 0x000055555619aace jsc`_start + 46
```
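Added example, not part of the report or of WebKit: the backtrace shows the abort while `parseStructType` computes a field size for a struct in the type section, so the first thing a triager wants is to see what that type section actually declares. The decoder below (a small reader for the WebAssembly type section using the GC proposal's `sub`/`rec`/`struct`/`array` encodings; the type-name strings and the `describe` output format are this example's own) is run over the PoC bytes quoted above. It shows that type 0 is a non-final struct whose first field has value-type byte 0x7B, which the spec assigns to v128, followed by two i32 fields. The page does not state the root cause of the assertion, so the decode only documents the input the parser was given.

```javascript
// Added example (not WebKit code): decode the type section of a wasm module,
// including the GC proposal's sub/rec/struct/array forms, and run it over the
// PoC bytes from the report so the declared field types are visible.
const POC = new Uint8Array([0,97,115,109,1,0,0,0,1,173,128,128,128,0,7,80,0,95,3,123,0,127,0,127,0,80,0,94,127,1,80,0,94,127,1,80,0,96,3,127,127,127,1,127,80,0,96,0,0,80,0,96,0,0,80,0,96,0,0,3,133,128,128,128,0,4,3,4,5,6,4,133,128,128,128,0,1,112,1,4,4,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,148,128,128,128,0,1,6,0,65,0,11,112,4,210,0,11,210,1,11,210,2,11,210,3,11,10,147,128,128,128,0,4,8,0,65,138,205,191,249,3,11,2,0,11,2,0,11,2,0,11]);

// Single-byte value types: numeric, vector, and reference-type shorthands.
const VALTYPE = {
  0x7f: "i32", 0x7e: "i64", 0x7d: "f32", 0x7c: "f64", 0x7b: "v128",
  0x70: "funcref", 0x6f: "externref", 0x6e: "anyref", 0x6d: "eqref",
  0x6c: "i31ref", 0x6b: "structref", 0x6a: "arrayref",
  0x71: "nullref", 0x72: "nullexternref", 0x73: "nullfuncref",
};
// Abstract heap types following 0x63/0x64, keyed by the low 7 bits of the s33.
const HEAPTYPE = { 0x70: "func", 0x6f: "extern", 0x6e: "any", 0x6d: "eq", 0x6c: "i31",
  0x6b: "struct", 0x6a: "array", 0x71: "none", 0x72: "noextern", 0x73: "nofunc" };
const PACKED = { 0x78: "i8", 0x77: "i16" };   // storage-only types for struct/array fields

class Reader {
  constructor(bytes) { this.b = bytes; this.pos = 0; }
  peek() { return this.b[this.pos]; }
  byte() {
    if (this.pos >= this.b.length) throw new Error("unexpected end of module");
    return this.b[this.pos++];
  }
  u32() {                                      // unsigned LEB128, at most 5 bytes
    let result = 0, shift = 0, c;
    do {
      c = this.byte();
      result += (c & 0x7f) * 2 ** shift;       // multiply, not <<, to stay safe past bit 31
      shift += 7;
      if (shift > 35) throw new Error("u32 LEB128 too long");
    } while (c & 0x80);
    return result;
  }
  s33() {                                      // signed LEB128, used for heap types
    let result = 0, shift = 0, c;
    do {
      c = this.byte();
      result += (c & 0x7f) * 2 ** shift;
      shift += 7;
    } while (c & 0x80);
    return (c & 0x40) ? result - 2 ** shift : result;   // sign-extend
  }
}

const vec = (r, f) => Array.from({ length: r.u32() }, () => f(r));

function valType(r) {
  const b = r.byte();
  if (VALTYPE[b]) return VALTYPE[b];
  if (b === 0x63 || b === 0x64) {              // (ref null ht) / (ref ht)
    const ht = r.s33();
    const name = ht >= 0 ? `$${ht}` : (HEAPTYPE[ht & 0x7f] ?? `heap(${ht})`);
    return b === 0x63 ? `(ref null ${name})` : `(ref ${name})`;
  }
  throw new Error(`unknown value type 0x${b.toString(16)}`);
}
function fieldType(r) {                        // fieldtype ::= storagetype mut
  const type = PACKED[r.peek()] ? PACKED[r.byte()] : valType(r);
  return { type, mutable: r.byte() === 1 };
}
function compType(r) {
  const tag = r.byte();
  if (tag === 0x60) return { kind: "func", params: vec(r, valType), results: vec(r, valType) };
  if (tag === 0x5f) return { kind: "struct", fields: vec(r, fieldType) };
  if (tag === 0x5e) return { kind: "array", field: fieldType(r) };
  throw new Error(`unknown composite type 0x${tag.toString(16)}`);
}
function subType(r) {                          // optional 0x50 (sub) / 0x4f (sub final) prefix
  let final = true, supers = [];
  if (r.peek() === 0x50 || r.peek() === 0x4f) {
    final = r.byte() === 0x4f;
    supers = vec(r, x => x.u32());
  }
  return { final, supers, ...compType(r) };
}
function parseTypeSection(bytes) {
  const r = new Reader(bytes);
  for (const v of [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00])
    if (r.byte() !== v) throw new Error("not a wasm v1 module");
  const types = [];
  while (r.pos < bytes.length) {
    const id = r.byte(), size = r.u32(), end = r.pos + size;
    if (end > bytes.length) throw new Error(`section ${id} overruns module`);
    if (id === 1) {
      const n = r.u32();                       // a rec group counts as one entry
      for (let i = 0; i < n; i++) {
        if (r.peek() === 0x4e) { r.byte(); types.push(...vec(r, subType)); }
        else types.push(subType(r));
      }
      if (r.pos !== end) throw new Error("type section size does not match its contents");
    }
    r.pos = end;                               // skip every other section
  }
  return types;
}

const fmtField = f => `${f.mutable ? "mut " : ""}${f.type}`;
function describe(types) {                     // one human-readable line per type index
  return types.map((t, i) => {
    const head = `type[${i}]${t.final ? "" : " (open)"}${t.supers.length ? ` <: ${t.supers.join(",")}` : ""}: `;
    if (t.kind === "func") return head + `func [${t.params}] -> [${t.results}]`;
    if (t.kind === "array") return head + `array (${fmtField(t.field)})`;
    return head + `struct (${t.fields.map(fmtField).join(", ")})`;
  });
}

const POC_TYPES = parseTypeSection(POC);
console.log(describe(POC_TYPES).join("\n"));
```

Run with `node` (or paste into `jsc`). The first output line reads `type[0] (open): struct (v128, i32, i32)`; the remaining entries are two `array (mut i32)` types and four function signatures, of which `main` uses the `[] -> []` one. The decoder is intentionally strict about section sizes and LEB128 length, since a parser that trusts the declared size is exactly the kind of code a malformed module like this one is meant to exercise.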
Radar WebKit Bug Importer
Comment 1 2023-06-22 06:19:15 PDT
Asumu Takikawa
Comment 2 2024-01-29 17:24:27 PST
EWS
Comment 3 2024-01-30 22:24:47 PST
Committed 273811@main (c90b5e7e935e): <https://commits.webkit.org/273811@main> Reviewed commits have been landed. Closing PR #23483 and removing active labels.