## JavaScriptCore Version 1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81 ## Build Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64) ./Tools/Scripts/build-jsc --jsc-only --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'" ## Testcase and Execution steps ``` var buffer = new Uint8Array([0,97,115,109,1,0,0,0,1,157,128,128,128,0,5,80,0,95,0,80,1,0,95,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,1,108,1,0,3,130,128,128,128,0,1,3,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,150,128,128,128,0,1,20,0,2,108,1,2,108,1,208,1,11,11,8,0,65,152,222,141,210,120,11]); var module = new WebAssembly.Module(buffer); ``` ./bin/jsc --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true testcase.js ## Output Segmentation fault ## Backtrace AddressSanitizer:DEADLYSIGNAL ================================================================= ==3175520==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f1e14f33243 bp 0x7f1dbfbe3550 sp 0x7f1dbfbe3430 T9) ==3175520==The signal is caused by a READ memory access. ==3175520==Hint: address points to the zero page. #0 0x7f1e14f33243 in JSC::Wasm::RTT::displaySize() const /home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.h:671:47 #1 0x7f1e14f33243 in JSC::Wasm::RTT::isSubRTT(JSC::Wasm::RTT const&) const /home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:544:20 #2 0x7f1e1460a9aa in JSC::Wasm::isSubtypeIndex(unsigned long, unsigned long) /home/WebKit/Source/JavaScriptCore/wasm/WasmFormat.h:279:28 #3 0x7f1e14d9e081 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::unify(JSC::Wasm::LLIntGenerator::ControlType const&) /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:1471:9 #4 0x7f1e14d3f2c2 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression() /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2918:9 #5 0x7f1e14d1ad59 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody() /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:365:13 #6 0x7f1e14cfe8d6 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse() /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:336:5 #7 0x7f1e14cb7390 in JSC::Wasm::parseAndCompileBytecode(unsigned char const*, unsigned long, JSC::Wasm::TypeDefinition const&, JSC::Wasm::ModuleInformation&, unsigned int) /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:580:5 #8 0x7f1e14cf2601 in JSC::Wasm::LLIntPlan::compileFunction(unsigned int) /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89:91 #9 0x7f1e14ca8473 in JSC::Wasm::EntryPlan::compileFunctions(JSC::Wasm::Plan::CompilationEffort) /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:218:9 #10 0x7f1e14f5c6a7 in JSC::Wasm::Worklist::Thread::work() /home/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:111:15 #11 0x7f1e154ed99a in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const /home/WebKit/Source/WTF/wtf/AutomaticThread.cpp:229:37 #12 0x7f1e154ed99a in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() /home/WebKit/Source/WTF/wtf/Function.h:53:39 #13 0x7f1e155951ef in WTF::Function<void ()>::operator()() const /home/WebKit/Source/WTF/wtf/Function.h:82:35 #14 0x7f1e155951ef in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) /home/WebKit/Source/WTF/wtf/Threading.cpp:250:5 #15 0x7f1e1571ba65 in WTF::wtfThreadEntryPoint(void*) /home/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242:5 #16 0x7f1e0d785b42 in start_thread nptl/./nptl/pthread_create.c:442:8 #17 0x7f1e0d8179ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81