WebKit Bugzilla
RESOLVED FIXED
258801
segmentation fault in Source/JavaScriptCore/wasm/WasmTypeDefinition.h:324
https://bugs.webkit.org/show_bug.cgi?id=258801
xiangwei1895
Reported
2023-07-03 03:50:46 PDT
## JavaScriptCore Version

1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81

## Build

Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64)

```
./Tools/Scripts/build-jsc --jsc-only --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'"
```

## Testcase and Execution steps

```
var buffer = new Uint8Array([0,97,115,109,1,0,0,0,1,156,128,128,128,0,5,80,0,95,0,80,0,95,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,1,108,2,0,3,130,128,128,128,0,1,3,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,150,128,128,128,0,1,20,0,2,108,2,2,108,2,208,2,11,11,8,0,65,236,161,152,227,125,11]);
var module = new WebAssembly.Module(buffer);
```

```
./bin/jsc --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true testcase.js
```

## Output

Segmentation fault

## Backtrace

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3175491==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f13beabfe65 bp 0x7f136c8f6030 sp 0x7f136c8e9740 T3)
==3175491==The signal is caused by a READ memory access.
==3175491==Hint: address points to the zero page.
    #0 0x7f13beabfe65 in JSC::Wasm::FunctionSignature::argumentCount() const /home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.h:324:53
    #1 0x7f13beabfe65 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression() /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2638:9
    #2 0x7f13bea8ad59 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody() /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:365:13
    #3 0x7f13bea6e8d6 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse() /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:336:5
    #4 0x7f13bea27390 in JSC::Wasm::parseAndCompileBytecode(unsigned char const*, unsigned long, JSC::Wasm::TypeDefinition const&, JSC::Wasm::ModuleInformation&, unsigned int) /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:580:5
    #5 0x7f13bea62601 in JSC::Wasm::LLIntPlan::compileFunction(unsigned int) /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89:91
    #6 0x7f13bea18473 in JSC::Wasm::EntryPlan::compileFunctions(JSC::Wasm::Plan::CompilationEffort) /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:218:9
    #7 0x7f13beccc6a7 in JSC::Wasm::Worklist::Thread::work() /home/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:111:15
    #8 0x7f13bf25d99a in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const /home/WebKit/Source/WTF/wtf/AutomaticThread.cpp:229:37
    #9 0x7f13bf25d99a in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() /home/WebKit/Source/WTF/wtf/Function.h:53:39
    #10 0x7f13bf3051ef in WTF::Function<void ()>::operator()() const /home/WebKit/Source/WTF/wtf/Function.h:82:35
    #11 0x7f13bf3051ef in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) /home/WebKit/Source/WTF/wtf/Threading.cpp:250:5
    #12 0x7f13bf48ba65 in WTF::wtfThreadEntryPoint(void*) /home/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242:5
    #13 0x7f13b74f5b42 in start_thread nptl/./nptl/pthread_create.c:442:8
    #14 0x7f13b75879ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
```
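The reporter's `Uint8Array` is opaque as written. The following Python section walker is an added example (not from the report, the reporter, or WebKit) that decodes the module's top-level section layout with bounds-checked LEB128 parsing, so the structure of the crashing input can be inspected offline; section ids and names follow the WebAssembly binary format (id 13 is the exception-handling tag section).

```python
# Added example (not from the bug report or WebKit): bounds-checked walk of the
# top-level section layout of the reporter's WebAssembly testcase.
# Byte array copied verbatim from the bug report's testcase.
TESTCASE = bytes([
    0,97,115,109,1,0,0,0,1,156,128,128,128,0,5,80,0,95,0,80,0,95,0,80,0,94,127,1,80,0,
    96,3,127,127,127,1,127,96,1,108,2,0,3,130,128,128,128,0,1,3,4,133,128,128,128,0,1,
    112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,4,7,136,128,128,128,
    0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,150,128,
    128,128,0,1,20,0,2,108,2,2,108,2,208,2,11,11,8,0,65,236,161,152,227,125,11])

# Section ids from the WebAssembly binary format; 13 is the exception-handling tag section.
SECTION_NAMES = {0: "custom", 1: "type", 2: "import", 3: "function", 4: "table",
                 5: "memory", 6: "global", 7: "export", 8: "start", 9: "element",
                 10: "code", 11: "data", 12: "datacount", 13: "tag"}

def read_uleb128(buf, pos):
    """Decode an unsigned LEB128 u32 at pos; return (value, new_pos). Rejects overlong or truncated input."""
    result, shift = 0, 0
    for _ in range(5):                      # a u32 needs at most 5 LEB128 bytes
        if pos >= len(buf):
            raise ValueError("truncated LEB128")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result, pos
    raise ValueError("LEB128 too long for u32")

def walk_sections(buf):
    """Return [(id, name, payload)] per top-level section, refusing sizes that overrun the buffer."""
    if buf[:4] != b"\0asm" or buf[4:8] != b"\1\0\0\0":
        raise ValueError("not a version 1 wasm module")
    pos, sections = 8, []
    while pos < len(buf):
        sid = buf[pos]
        size, pos = read_uleb128(buf, pos + 1)   # sizes here are padded 5-byte LEB128s
        if pos + size > len(buf):
            raise ValueError(f"section {sid} declares {size} bytes but only {len(buf) - pos} remain")
        sections.append((sid, SECTION_NAMES.get(sid, "unknown"), buf[pos:pos + size]))
        pos += size
    return sections

def vector_counts(buf):
    """Map section name -> leading element count (types, functions, tags, exports, ...)."""
    return {name: read_uleb128(payload, 0)[0]
            for sid, name, payload in walk_sections(buf) if sid not in (0, 8, 12)}

if __name__ == "__main__":
    print([(sid, name, len(p)) for sid, name, p in walk_sections(TESTCASE)], vector_counts(TESTCASE))
```

On the reporter's bytes the walker reports eight sections (type, function, table, memory, tag, export, element, code) with a five-entry type section, and the same walker rejects a module whose trailing section is truncated.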
Radar WebKit Bug Importer, Comment 1, 2023-07-10 03:51:16 PDT:
<rdar://problem/112008604>
Asumu Takikawa, Comment 2, 2023-12-12 11:00:13 PST:
Pull request: https://github.com/WebKit/WebKit/pull/21694
EWS, Comment 3, 2023-12-12 14:13:36 PST:
Committed 271951@main (3c1e139e1cd3): <https://commits.webkit.org/271951@main>
Reviewed commits have been landed. Closing PR #21694 and removing active labels.