Bug 258499 - Reproducible crash in Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression, WasmFunctionParser.h:1960
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebAssembly
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Asumu Takikawa
URL:
Keywords: InRadar
Depends on:
Blocks: 247394
Reported: 2023-06-25 07:41 PDT by xiangwei1895
Modified: 2024-01-30 22:26 PST (History)
Description xiangwei1895 2023-06-25 07:41:32 PDT
## JavaScriptCore Version
1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81

## Build 
Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64)
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'"

## Testcase and execution steps

```js
// testcase.js
var buffer = new Uint8Array([0,97,115,109,1,0,0,0,1,150,128,128,128,0,4,80,0,95,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,3,130,128,128,128,0,1,2,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,3,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,169,128,128,128,0,1,39,0,65,155,156,226,160,125,65,223,213,167,111,65,175,127,71,109,65,166,141,228,182,122,65,205,0,71,65,20,111,251,27,1,65,51,251,19,1,11]);
var module = new WebAssembly.Module(buffer);
```

```
./bin/jsc --useWebAssemblyGC=true testcase.js
```

## Output
Aborted

## Backtrace

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140735915472448) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140735915472448) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140735915472448, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007fffed881476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007fffed8677f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff0eebffb in std::__throw_bad_optional_access () at /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/optional:102
#6  0x00007ffff4f55558 in std::optional<unsigned int>::value() const & (this=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/optional:952
#7  JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this@entry=0x7fffa23f6c40) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:1960
#8  0x00007ffff4eece8e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this@entry=0x7fffa23f6c40) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:365
#9  0x00007ffff4ecd434 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this@entry=0x7fffa23f6c40) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:336
#10 0x00007ffff4e85c3a in JSC::Wasm::parseAndCompileBytecode (functionStart=<optimized out>, functionLength=<optimized out>, signature=..., info=..., functionIndex=0)
    at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:580
#11 0x00007ffff4ebf4ac in JSC::Wasm::LLIntPlan::compileFunction (this=0x615000017f00, functionIndex=0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89
#12 0x00007ffff4e73891 in JSC::Wasm::EntryPlan::compileFunctions (this=0x615000017f00, effort=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:218
#13 0x00007ffff5101ad1 in JSC::Wasm::Worklist::Thread::work (this=0x6070000042a0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:111
#14 0x00007ffff55ddfa1 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/AutomaticThread.cpp:229
#15 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:53
#16 0x00007ffff56994c6 in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:82
#17 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at /home/WebKit/Source/WTF/wtf/Threading.cpp:250
#18 0x00007ffff58377a6 in WTF::wtfThreadEntryPoint (context=0x6180) at /home/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242
#19 0x00007fffed8d3b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#20 0x00007fffed965a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
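As an added example that is not part of the bug report or of WebKit, the Python walker below decodes the section layout of the reporter's module and names the type definitions in its type section, so a triager can see that the input relies on the GC-proposal type forms (0x50 sub, 0x5f struct, 0x5e array) that the --useWebAssemblyGC flag gates. The helper names (read_leb_u32, skip_vec, parse_sections, type_forms, SECTION_NAMES, FORM_NAMES) are the example's own; section ids and form bytes follow the WebAssembly binary format, with 13 being the tag section of the exception-handling proposal, and type_forms assumes one-byte value types and type indices, which holds for this module.

```python
# Added example, not code from the bug report or WebKit: walk the reporter's module bytes.
TESTCASE = bytes([0,97,115,109,1,0,0,0,1,150,128,128,128,0,4,80,0,95,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,3,130,128,128,128,0,1,2,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,3,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,169,128,128,128,0,1,39,0,65,155,156,226,160,125,65,223,213,167,111,65,175,127,71,109,65,166,141,228,182,122,65,205,0,71,65,20,111,251,27,1,65,51,251,19,1,11])  # copied from the report
SECTION_NAMES = {1: "type", 3: "function", 4: "table", 5: "memory", 7: "export", 9: "element", 10: "code", 13: "tag"}
FORM_NAMES = {0x60: "func", 0x5f: "struct", 0x5e: "array"}   # composite/func type forms, GC proposal

def read_leb_u32(data, pos):  # unsigned LEB128 at pos -> (value, next_pos)
    result, shift = 0, 0
    while True:
        byte, pos = data[pos], pos + 1
        result |= (byte & 0x7f) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift >= 35:  # a u32 never needs more than 5 bytes
            raise ValueError("LEB128 too long")

def skip_vec(data, pos, width):  # skip a LEB128-counted vector of fixed-width items
    n, pos = read_leb_u32(data, pos)
    return pos + n * width

def parse_sections(module):
    """Return [(id, name, payload)] for every section, checking that each stays in bounds."""
    if module[:8] != b"\x00asm\x01\x00\x00\x00":
        raise ValueError("not a version-1 wasm module")
    pos, sections = 8, []
    while pos < len(module):
        sec_id, (size, pos) = module[pos], read_leb_u32(module, pos + 1)
        if pos + size > len(module):
            raise ValueError(f"section {sec_id} overruns the module")
        sections.append((sec_id, SECTION_NAMES.get(sec_id, "other"), module[pos:pos + size]))
        pos += size
    return sections

def type_forms(payload):
    """Name each type definition. Assumes one-byte value types and type indices (true here)."""
    count, pos = read_leb_u32(payload, 0)
    forms = []
    for _ in range(count):
        prefix = ""
        if payload[pos] == 0x50:                  # sub: skip the supertype index vector
            pos, prefix = skip_vec(payload, pos + 1, 1), "sub "
        form, pos = payload[pos], pos + 1
        if form == 0x60:                          # func: param vector, then result vector
            pos = skip_vec(payload, skip_vec(payload, pos, 1), 1)
        elif form == 0x5f:                        # struct: vector of (valtype, mut) pairs
            pos = skip_vec(payload, pos, 2)
        elif form == 0x5e:                        # array: a single (valtype, mut) pair
            pos += 2
        forms.append(prefix + FORM_NAMES[form])   # KeyError on an unknown form byte
    return forms
```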
Comment 1 Alexey Proskuryakov 2023-06-25 15:59:46 PDT
Reproduces with built-in JavaScriptCore on macOS 14 beta.
Comment 2 Radar WebKit Bug Importer 2023-06-25 15:59:55 PDT
<rdar://problem/111299088>
Comment 3 Justin Michaud 2023-06-25 17:49:29 PDT
--useWebAssemblyGC=true

This option is not ready yet, and it is off by default. Let’s pass this on to Igalia (or any contributor that wants to help out on Wasm GC).
Comment 4 xiangwei1895 2023-07-03 02:15:51 PDT
I'm wondering if it makes sense for the community to report such bugs that require non-default parameters to be turned on to trigger them.
Comment 5 Asumu Takikawa 2024-01-29 17:17:15 PST
Pull request: https://github.com/WebKit/WebKit/pull/23482
Comment 6 EWS 2024-01-30 22:26:36 PST
Committed 273812@main (bc55ef669592): <https://commits.webkit.org/273812@main>

Reviewed commits have been landed. Closing PR #23482 and removing active labels.