WebKit Bugzilla
RESOLVED FIXED
258128
[WASM] ASSERTION FAILED: subRTT.has_value() && parentRTT.has_value() in JSC::Wasm::isSubtypeIndex(TypeIndex, TypeIndex)
https://bugs.webkit.org/show_bug.cgi?id=258128
CAO ZONG
Reported
2023-06-15 06:21:21 PDT
Commit: fa9df2d4f442ce1c83aa934ce603fd3ce303aff0
Flags: --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyGC=true --useWebAssemblyTailCalls=true

PoC:
```
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,183,128,128,128,0,8,80,0,95,1,127,0,80,0,94,127,1,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,80,0,96,2,124,123,1,108,1,80,0,96,1,108,1,1,108,1,80,0,96,1,108,1,1,127,3,130,128,128,128,0,1,3,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,200,128,128,128,0,1,70,1,1,108,1,68,93,89,199,3,77,228,17,150,65,179,248,160,217,123,253,15,65,175,207,170,196,120,253,15,253,14,2,5,26,26,208,102,251,73,1,11,2,6,26,208,1,11,2,6,26,208,1,11,2,6,26,208,1,11,2,7,26,65,143,248,237,233,1,11,11]);
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
f();
```

Backtrace:
* thread #3, name = 't Helper Thread', stop reason = signal SIGABRT
  * frame #0: 0x00007ffff5aca00b libc.so.6`raise + 203
    frame #1: 0x00007ffff5aa9859 libc.so.6`abort + 299
    frame #2: 0x00005555561c679a jsc`WTFCrashWithInfo((null)=277, (null)="../../Source/JavaScriptCore/wasm/WasmFormat.h", (null)="bool JSC::Wasm::isSubtypeIndex(TypeIndex, TypeIndex)", (null)=2260) at Assertions.h:762:5
    frame #3: 0x0000555557657d23 jsc`JSC::Wasm::isSubtypeIndex(sub=<unavailable>, parent=93824997224017) at WasmFormat.h:277:5
    frame #4: 0x0000555557657548 jsc`JSC::Wasm::isSubtype(sub=<unavailable>, parent=<unavailable>) at WasmFormat.h:289:20 [artificial]
    frame #5: 0x0000555557763398 jsc`JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::unifyValuesWithBlock(WTF::Vector<JSC::Wasm::FunctionParserTypes<JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::ControlData, JSC::Wasm::TypedTmp, JSC::CallLinkInfo::CallType>::TypedExpression, 16ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<JSC::Wasm::TypedTmp, 8ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) [inlined] JSC::Wasm::AirIRGenerator64::emitMove(this=0x00007fffa92771c0, src=0x00007fffa92739e0, dst=<unavailable>) at WasmAirIRGenerator64.cpp:697:9
    frame #6: 0x000055555776337c jsc`JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::unifyValuesWithBlock(this=0x00007fffa92771c0, resultStack=0x00007fffa9277330, result=0x00007fffa9274458) at WasmAirIRGeneratorBase.h:3889:16
    frame #7: 0x00005555577603df jsc`JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::endBlock(this=0x00007fffa92771c0, entry=0x00007fffa9273f20, expressionStack=0x00007fffa9277330) at WasmAirIRGeneratorBase.h:3487:9
    frame #8: 0x000055555774de4e jsc`JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseExpression(this=0x00007fffa92772f8) at WasmFunctionParser.h:0
    frame #9: 0x0000555557742a1b jsc`JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseBody(this=0x00007fffa92772f8) at WasmFunctionParser.h:365:13
    frame #10: 0x0000555557741f2c jsc`JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parse(this=0x00007fffa92772f8) at WasmFunctionParser.h:336:5
    frame #11: 0x0000555557730f6c jsc`std::experimental::fundamentals_v3::expected<std::unique_ptr<JSC::Wasm::InternalFunction, std::default_delete<JSC::Wasm::InternalFunction> >, WTF::String> JSC::Wasm::parseAndCompileAirImpl<JSC::Wasm::AirIRGenerator64>(compilationContext=0x00007fffa927dd30, callee=0x00007fffec2441c0, function=0x00007fffec0356b0, signature=0x00007fffec030b00, unlinkedWasmToWasmCalls=0x00007fffa927dca0, info=<unavailable>, mode=<unavailable>, functionIndex=<unavailable>, hasExceptionHandlers=<unavailable>, tierUp=<unavailable>) at WasmAirIRGeneratorBase.h:3956:5
    frame #12: 0x0000555557727829 jsc`JSC::Wasm::parseAndCompileAir(compilationContext=0x00007fffa927dd30, callee=0x00007fffec2441c0, function=0x00007fffec0356b0, signature=0x00007fffec030b00, unlinkedWasmToWasmCalls=0x00007fffa927dca0, info=<unavailable>, mode=<unavailable>, functionIndex=<unavailable>, hasExceptionHandlers=<unavailable>, tierUp=<unavailable>) at WasmAirIRGenerator64.cpp:2664:12
    frame #13: 0x0000555557612d1a jsc`JSC::Wasm::BBQPlan::compileFunction(this=0x0000000000000001, functionIndex=0, callee=0x00007fffec2441c0, context=0x00007fffa927dd30, unlinkedWasmToWasmCalls=0x00007fffa927dca0, tierUp=<unavailable>) at WasmBBQPlan.cpp:305:33
    frame #14: 0x0000555557611963 jsc`JSC::Wasm::BBQPlan::work(this=0x00007fffec07d080, effort=<unavailable>) at WasmBBQPlan.cpp:184:50
    frame #15: 0x0000555557884123 jsc`JSC::Wasm::Worklist::Thread::work(this=0x00007fffec0271a0) at WasmWorklist.cpp:111:15
    frame #16: 0x00005555579aad32 jsc`WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() at AutomaticThread.cpp:229:37
    frame #17: 0x00005555579aaa39 jsc`WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call(this=<unavailable>) at Function.h:53:39
    frame #18: 0x00005555579d463f jsc`WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) [inlined] WTF::Function<void ()>::operator()() const at Function.h:82:35
    frame #19: 0x00005555579d462d jsc`WTF::Thread::entryPoint(newThreadContext=<unavailable>) at Threading.cpp:250:5
    frame #20: 0x0000555557a4ca56 jsc`WTF::wtfThreadEntryPoint(context=<unavailable>) at ThreadingPOSIX.cpp:242:5
    frame #21: 0x00007ffff5fd9609 libpthread.so.0`start_thread(arg=<unavailable>) at pthread_create.c:477:8
    frame #22: 0x00007ffff5ba6133 libc.so.6`__clone + 67
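The PoC is a fuzzer-generated module, and the backtrace shows the assertion firing while the BBQ (Air) tier unifies block results, i.e. while comparing reference types from the module's type section. To see what that type section actually declares, the following decoder walks the module's sections and prints the type definitions in WAT-like form. This is an added example for triage, not code from the reporter or from WebKit. It assumes the 2023 draft binary encodings that JSC accepted behind the flags in the report: 0x50 `sub` and 0x4f `sub final` prefixes, 0x5f struct, 0x5e array, 0x60 func, and 0x6c / 0x6b for `ref null` / `ref` followed by an s33 heap type; the byte array is the PoC's own.

```javascript
// Added example (not the reporter's or WebKit's code): walk the sections of the
// PoC module and decode its type section. Encoding assumptions: the 2023
// function-references / GC draft byte codes JSC accepted behind the flags named
// in the report (0x50 sub, 0x4f sub final, 0x5f struct, 0x5e array, 0x60 func,
// 0x6c ref null, 0x6b ref, heap types encoded as s33).

// The PoC module bytes exactly as posted in the report.
const POC_BYTES = new Uint8Array([
  0,97,115,109,1,0,0,0,1,183,128,128,128,0,8,80,0,95,1,127,0,80,0,94,127,1,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,80,0,96,2,124,123,1,108,1,80,0,96,1,108,1,1,108,1,80,0,96,1,108,1,1,127,3,130,128,128,128,0,1,3,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,200,128,128,128,0,1,70,1,1,108,1,68,93,89,199,3,77,228,17,150,65,179,248,160,217,123,253,15,65,175,207,170,196,120,253,15,253,14,2,5,26,26,208,102,251,73,1,11,2,6,26,208,1,11,2,6,26,208,1,11,2,6,26,208,1,11,2,7,26,65,143,248,237,233,1,11,11,
]);

const VALTYPES = { 0x7f: "i32", 0x7e: "i64", 0x7d: "f32", 0x7c: "f64", 0x7b: "v128", 0x70: "funcref", 0x6f: "externref" };
const SECTION_NAMES = { 0: "custom", 1: "type", 2: "import", 3: "function", 4: "table", 5: "memory", 6: "global", 7: "export", 8: "start", 9: "element", 10: "code", 11: "data", 12: "datacount", 13: "tag" };

class Reader {
  constructor(bytes, pos = 0) { this.bytes = bytes; this.pos = pos; }
  byte() {
    if (this.pos >= this.bytes.length) throw new Error(`unexpected end of module at offset ${this.pos}`);
    return this.bytes[this.pos++];
  }
  // LEB128 decoded with arithmetic rather than 32-bit shifts so that s33 values stay exact.
  leb(signed) {
    let result = 0, shift = 0, b;
    do { b = this.byte(); result += (b & 0x7f) * 2 ** shift; shift += 7; } while (b & 0x80);
    if (signed && (b & 0x40)) result -= 2 ** shift;
    return result;
  }
  u32() { return this.leb(false); }
  s33() { return this.leb(true); }
  vec(readItem) { const n = this.u32(); const out = []; for (let i = 0; i < n; i++) out.push(readItem(this)); return out; }
}

function readValType(r) {
  const t = r.byte();
  if (VALTYPES[t]) return VALTYPES[t];
  if (t === 0x6c || t === 0x6b) {
    const ht = r.s33();  // non-negative: a type index; negative: an abstract heap type
    const heap = ht >= 0 ? `$${ht}` : `abstract(0x${(ht & 0x7f).toString(16)})`;
    return t === 0x6c ? `(ref null ${heap})` : `(ref ${heap})`;
  }
  throw new Error(`unsupported value type 0x${t.toString(16)} at offset ${r.pos - 1}`);
}

// Field of a struct or array: a storage type (packed i8/i16 or a value type) plus a mutability flag.
function readFieldType(r) {
  const next = r.bytes[r.pos];
  let storage;
  if (next === 0x78 || next === 0x77) { r.pos++; storage = next === 0x78 ? "i8" : "i16"; }
  else storage = readValType(r);
  return r.byte() ? `(mut ${storage})` : storage;
}

function readCompType(r) {
  const kind = r.byte();
  if (kind === 0x60) {
    const params = r.vec(readValType), results = r.vec(readValType);
    return "(func" + (params.length ? ` (param ${params.join(" ")})` : "") + (results.length ? ` (result ${results.join(" ")})` : "") + ")";
  }
  if (kind === 0x5f) return `(struct ${r.vec(readFieldType).map(f => `(field ${f})`).join(" ")})`;
  if (kind === 0x5e) return `(array ${readFieldType(r)})`;
  throw new Error(`unsupported composite type 0x${kind.toString(16)} at offset ${r.pos - 1}`);
}

// A type is either a bare composite type (implicitly final, no supertypes) or a
// `sub` / `sub final` declaration that lists its supertype indices first.
function readTypeDef(r) {
  const next = r.bytes[r.pos];
  if (next === 0x50 || next === 0x4f) {
    r.pos++;
    const supertypes = r.vec(rr => rr.u32());
    return { final: next === 0x4f, supertypes, comp: readCompType(r) };
  }
  return { final: true, supertypes: [], comp: readCompType(r) };
}

function walkSections(bytes) {
  if (bytes.length < 8 || bytes[0] !== 0 || String.fromCharCode(...bytes.subarray(1, 4)) !== "asm") throw new Error("not a wasm module");
  const r = new Reader(bytes, 8);
  const sections = [];
  while (r.pos < bytes.length) {
    const id = r.byte(), size = r.u32(), start = r.pos;
    if (start + size > bytes.length) throw new Error(`section ${id} overruns the module`);
    sections.push({ id, name: SECTION_NAMES[id] ?? `unknown(${id})`, start, size });
    r.pos = start + size;
  }
  return sections;
}

function decodeTypeSection(bytes) {
  const sec = walkSections(bytes).find(s => s.id === 1);
  if (!sec) return [];
  const r = new Reader(bytes, sec.start);
  const types = r.vec(readTypeDef);
  if (r.pos !== sec.start + sec.size) throw new Error("type section length does not match its contents");
  return types;
}

function describe(bytes) {
  const lines = walkSections(bytes).map(s => `section ${s.name} (id ${s.id}): ${s.size} bytes at offset ${s.start}`);
  decodeTypeSection(bytes).forEach((t, i) => {
    const sub = t.supertypes.length ? ` (sub${t.final ? " final" : ""} ${t.supertypes.map(x => "$" + x).join(" ")})` : (t.final ? "" : " (sub)");
    lines.push(`type $${i}:${sub} ${t.comp}`);
  });
  return lines;
}

console.log(describe(POC_BYTES).join("\n"));
```

Running it lists eight sections (type, function, table, memory, tag, export, element, code) and eight types: three `sub` struct/array types and four function types, three of which take or return `(ref null $1)`, the mutable i32 array. Decoding the section layout this way is also a quick check that a fuzzer-minimised PoC is still a structurally valid module before attributing a crash to the compiler tier in the backtrace.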
Radar WebKit Bug Importer
Comment 1
2023-06-22 06:22:15 PDT
<rdar://problem/111156824>
Asumu Takikawa
Comment 2
2023-12-12 11:13:29 PST
Pull request:
https://github.com/WebKit/WebKit/pull/21696
EWS
Comment 3
2023-12-13 11:57:52 PST
Committed 271997@main (2e312e1da48b): <https://commits.webkit.org/271997@main>
Reviewed commits have been landed. Closing PR #21696 and removing active labels.