Bug 260516 - [WASM] SEGV in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression
Summary: [WASM] SEGV in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExp...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebAssembly
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Asumu Takikawa
URL:
Keywords: InRadar
Depends on:
Blocks: 247394
Reported: 2023-08-22 05:29 PDT by CAO ZONG
Modified: 2023-12-14 10:10 PST
CC List: 2 users

See Also:


Attachments
Reproducible poc (897 bytes, text/javascript)
2023-08-22 05:29 PDT, CAO ZONG
no flags

Description CAO ZONG 2023-08-22 05:29:21 PDT
Created attachment 467386 [details]
Reproducible poc

Commit: 5466cd2c24514bdeee05075d5a2eb35e8c146e40

Run Flag: --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyGC=true

Backtrace:
```
#0  JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this@entry=0x7fffa8a78348) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:2728
#1  0x0000555557f34f4b in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this@entry=0x7fffa8a78348) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:366
#2  0x0000555557ecb64e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this@entry=0x7fffa8a78348) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:336
#3  0x0000555557ec9edf in JSC::Wasm::parseAndCompileBytecode (functionStart=0x7fffec00f480 "", functionLength=<optimized out>, signature=..., info=..., 
    functionIndex=functionIndex@entry=0x0) at ../../Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:580
#4  0x0000555557fff3ba in JSC::Wasm::LLIntPlan::compileFunction (this=0x7fffec05d200, functionIndex=0x0) at ../../Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89
#5  0x0000555557eaebd6 in JSC::Wasm::EntryPlan::compileFunctions (this=0x7fffec05d200, effort=<optimized out>) at ../../Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:218
#6  0x000055555809a50f in JSC::Wasm::Worklist::Thread::work (this=0x7fffec02e1b0) at ../../Source/JavaScriptCore/wasm/WasmWorklist.cpp:111
#7  0x00005555582308b0 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at ../../Source/WTF/wtf/AutomaticThread.cpp:229
#8  WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at ../../Source/WTF/wtf/Function.h:53
#9  0x00005555582763a9 in WTF::Function<void ()>::operator()() const (this=<optimized out>) at ../../Source/WTF/wtf/Function.h:82
#10 WTF::Thread::entryPoint (newThreadContext=0x7fffec02ebb0) at ../../Source/WTF/wtf/Threading.cpp:250
#11 0x0000555558339543 in WTF::wtfThreadEntryPoint (context=0x5555587a53bc) at ../../Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242
#12 0x00007ffff5fd8609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#13 0x00007ffff5ba5133 in clone () from /lib/x86_64-linux-gnu/libc.so.6
```

Segmentation fault when visiting a field of the inlineSignature object while it is NULL.
Comment 1 Radar WebKit Bug Importer 2023-08-29 05:30:13 PDT
<rdar://problem/114622205>
Comment 2 Asumu Takikawa 2023-12-12 10:48:18 PST
Pull request: https://github.com/WebKit/WebKit/pull/21693
Comment 3 EWS 2023-12-14 10:10:14 PST
Committed 272049@main (06ddd6593c2d): <https://commits.webkit.org/272049@main>

Reviewed commits have been landed. Closing PR #21693 and removing active labels.