258796 – SHOULD NEVER BE REACHED in Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp(1189)

Bug 258796 - SHOULD NEVER BE REACHED in Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp(1189)

Summary: SHOULD NEVER BE REACHED in Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp(...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebAssembly (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Asumu Takikawa

URL:
Keywords:	InRadar

Depends on:
Blocks:	247394
	Show dependency tree / graph

Reported:	2023-07-03 02:37 PDT by xiangwei1895
Modified:	2024-02-14 10:38 PST (History)
CC List:	4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description xiangwei1895 2023-07-03 02:37:57 PDT

## JavaScriptCore Version
1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81

## Build 
Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64)
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'"

## Testcase and  Execution steps

```
var buffer = new Uint8Array([0,97,115,109,1,0,0,0,1,160,128,128,128,0,4,80,0,95,1,127,0,80,0,94,123,1,80,0,96,3,127,127,127,1,127,96,6,127,112,107,103,101,107,112,127,0,3,130,128,128,128,0,1,2,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,3,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,148,128,128,128,0,1,18,0,6,127,65,112,7,0,26,26,26,26,26,1,11,179,168,103,11]);
var module = new WebAssembly.Module(buffer);
var instance = new WebAssembly.Instance(module);
```
./bin/jsc  --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true testcase.js

## Output
SHOULD NEVER BE REACHED
/home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp(1189) : JSC::Wasm::LLIntGenerator::PartialResult JSC::Wasm::LLIntGenerator::addCatchToUnreachable(unsigned int, const JSC::Wasm::TypeDefinition &, JSC::Wasm::LLIntGenerator::ControlType &, JSC::Wasm::LLIntGenerator::ResultList &)

## Backtrace
__pthread_kill_implementation (no_tid=0, signo=6, threadid=140735922812480) at ./nptl/pthread_kill.c:44
44	./nptl/pthread_kill.c: No such file or directory.
(gdb) bt
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140735922812480) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140735922812480) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140735922812480, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007fffed881476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007fffed8677f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff0c7a16f in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:762
#6  0x00007ffff4ea9003 in JSC::Wasm::LLIntGenerator::addCatchToUnreachable (this=this@entry=0x7fffa2af6ab0, exceptionIndex=exceptionIndex@entry=0, exceptionSignature=..., data=..., results=...)
    at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:1189
#7  0x00007ffff4f14db0 in JSC::Wasm::LLIntGenerator::addCatch (this=0x7fffa2af6ab0, exceptionIndex=0, exceptionSignature=..., data=..., expressionStack=..., results=...)
    at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:1155
#8  JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this@entry=0x7fffa2af6c40) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2758
#9  0x00007ffff4eece8e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this@entry=0x7fffa2af6c40) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:365
#10 0x00007ffff4ecd434 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this@entry=0x7fffa2af6c40) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:336
#11 0x00007ffff4e85c3a in JSC::Wasm::parseAndCompileBytecode (functionStart=<optimized out>, functionLength=<optimized out>, signature=..., info=..., functionIndex=0)
    at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:580
#12 0x00007ffff4ebf4ac in JSC::Wasm::LLIntPlan::compileFunction (this=0x615000017f00, functionIndex=0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89
#13 0x00007ffff4e73891 in JSC::Wasm::EntryPlan::compileFunctions (this=0x615000017f00, effort=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:218
#14 0x00007ffff5101ad1 in JSC::Wasm::Worklist::Thread::work (this=0x607000004310) at /home/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:111
#15 0x00007ffff55ddfa1 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/AutomaticThread.cpp:229
#16 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:53
#17 0x00007ffff56994c6 in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:82
#18 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at /home/WebKit/Source/WTF/wtf/Threading.cpp:250
#19 0x00007ffff58377a6 in WTF::wtfThreadEntryPoint (context=0x3011bf) at /home/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242
#20 0x00007fffed8d3b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#21 0x00007fffed965a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Comment 1 Radar WebKit Bug Importer 2023-07-10 02:38:14 PDT

<rdar://problem/112006214>

Comment 2 Asumu Takikawa 2024-01-29 14:58:53 PST

Pull request: https://github.com/WebKit/WebKit/pull/23465

Comment 3 EWS 2024-02-14 10:38:05 PST

Committed 274635@main (c76ab28ce98e): <https://commits.webkit.org/274635@main>

Reviewed commits have been landed. Closing PR #23465 and removing active labels.