RESOLVED FIXED 260516
[WASM] SEGV in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression 
https://bugs.webkit.org/show_bug.cgi?id=260516
Summary [WASM] SEGV in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExp...
CAO ZONG
Reported 2023-08-22 05:29:21 PDT
Created attachment 467386 [details] Reproducible poc Commit: 5466cd2c24514bdeee05075d5a2eb35e8c146e40 Run Flag: --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyGC=true Backtrace: ``` #0 JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this@entry=0x7fffa8a78348) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:2728 #1 0x0000555557f34f4b in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this@entry=0x7fffa8a78348) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:366 #2 0x0000555557ecb64e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this@entry=0x7fffa8a78348) at ../../Source/JavaScriptCore/wasm/WasmFunctionParser.h:336 #3 0x0000555557ec9edf in JSC::Wasm::parseAndCompileBytecode (functionStart=0x7fffec00f480 "", functionLength=<optimized out>, signature=..., info=..., functionIndex=functionIndex@entry=0x0) at ../../Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:580 #4 0x0000555557fff3ba in JSC::Wasm::LLIntPlan::compileFunction (this=0x7fffec05d200, functionIndex=0x0) at ../../Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89 #5 0x0000555557eaebd6 in JSC::Wasm::EntryPlan::compileFunctions (this=0x7fffec05d200, effort=<optimized out>) at ../../Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:218 #6 0x000055555809a50f in JSC::Wasm::Worklist::Thread::work (this=0x7fffec02e1b0) at ../../Source/JavaScriptCore/wasm/WasmWorklist.cpp:111 #7 0x00005555582308b0 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at ../../Source/WTF/wtf/AutomaticThread.cpp:229 #8 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at ../../Source/WTF/wtf/Function.h:53 #9 0x00005555582763a9 in WTF::Function<void ()>::operator()() const (this=<optimized out>) at ../../Source/WTF/wtf/Function.h:82 #10 WTF::Thread::entryPoint (newThreadContext=0x7fffec02ebb0) at ../../Source/WTF/wtf/Threading.cpp:250 #11 0x0000555558339543 in WTF::wtfThreadEntryPoint (context=0x5555587a53bc) at ../../Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242 #12 0x00007ffff5fd8609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #13 0x00007ffff5ba5133 in clone () from /lib/x86_64-linux-gnu/libc.so.6 ``` Segment fault when visitng the field of object inlineSignature while it is NULL.
Attachments
Reproducible poc (897 bytes, text/javascript)
2023-08-22 05:29 PDT, CAO ZONG 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2023-08-29 05:30:13 PDT
<rdar://problem/114622205>
Asumu Takikawa
Comment 2 2023-12-12 10:48:18 PST
Pull request: https://github.com/WebKit/WebKit/pull/21693
EWS
Comment 3 2023-12-14 10:10:14 PST
Committed 272049@main (06ddd6593c2d): <https://commits.webkit.org/272049@main> Reviewed commits have been landed. Closing PR #21693 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.