WebKit Bugzilla
RESOLVED FIXED
262861
[JSC] BBQJIT tail-call should not pass InvalidGPRReg to preserved registers
https://bugs.webkit.org/show_bug.cgi?id=262861
xiangwei1895
Reported
2023-10-08 04:48:10 PDT
## JavaScriptCore Version
1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81

## Build
Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64)
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'"

## Testcase and Execution steps
```
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,150,128,128,128,0,4,80,0,95,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,3,130,128,128,128,0,1,2,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,3,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,151,128,128,128,0,1,21,3,1,108,1,1,126,1,108,0,65,230,0,65,162,127,65,92,18,0,168,11]);
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
f();
```
./bin/jsc --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyTailCalls=true testcase.js

## Output
ASSERTION FAILED: is<T>()
/home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.h(762) : T *JSC::Wasm::TypeDefinition::as() [T = JSC::Wasm::FunctionSignature]

## Backtrace
```
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140735826318912) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140735826318912) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140735826318912, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007fffeb36b476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007fffeb3517f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff03b92ff in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:778
#6  0x00007ffff45eb33a in JSC::Wasm::LLIntGenerator::addCall (this=0x7fff9cef0a10, functionIndex=0, signature=..., args=..., results=..., callType=JSC::CallLinkInfo::TailCall) at WTF/Headers/wtf/Assertions.h:802
#7  0x00007ffff4658c5e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this@entry=0x7fff9cef0ba0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2574
#8  0x00007ffff462a57e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this@entry=0x7fff9cef0ba0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:429
#9  0x00007ffff4614fcd in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this@entry=0x7fff9cef0ba0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:382
#10 0x00007ffff45c0412 in JSC::Wasm::parseAndCompileBytecode (functionStart=<optimized out>, functionLength=<optimized out>, signature=..., info=..., functionIndex=0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:580
#11 0x00007ffff45f9cfc in JSC::Wasm::LLIntPlan::compileFunction (this=0x615000018180, functionIndex=0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89
#12 0x00007ffff43f6411 in JSC::Wasm::EntryPlan::compileFunctions (this=0x615000018180, effort=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:220
#13 0x00007ffff484efe1 in JSC::Wasm::Worklist::Thread::work (this=0x607000004460) at /home/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:111
#14 0x00007ffff4d0b9d1 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/AutomaticThread.cpp:229
#15 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:53
#16 0x00007ffff4dc07b6 in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:82
#17 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at /home/WebKit/Source/WTF/wtf/Threading.cpp:258
#18 0x00007ffff4f52126 in WTF::wtfThreadEntryPoint (context=0x2bb640) at /home/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242
#19 0x00007fffeb3bdb43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#20 0x00007fffeb44fa00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
```
xiangwei1895
Comment 1
2023-10-08 04:54:17 PDT
I'm testing on commit 3cf70a3a572708fefd7eb755db3cc211798022a7, not 1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81.
Radar WebKit Bug Importer
Comment 2
2023-10-15 04:49:13 PDT
<rdar://problem/116978809>
Asumu Takikawa
Comment 3
2023-12-01 16:32:20 PST
Here is an updated test case for this:
```
//@ runWebAssemblySuite("--useWebAssemblyTailCalls=true", "--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true")
//import * as assert from "../assert.js";

function module(bytes, valid = true) {
  let buffer = new ArrayBuffer(bytes.length);
  let view = new Uint8Array(buffer);
  for (let i = 0; i < bytes.length; ++i) {
    view[i] = bytes.charCodeAt(i);
  }
  return new WebAssembly.Module(buffer);
}

/*
 * (module
 *   (type $0 (func))
 *   (type $1 (sub (func (param i32 i32 i32) (result i32))))
 *   (type $2 (sub (array (mut i32))))
 *   (type $3 (sub (struct )))
 *   (memory $0 16 32)
 *   (table $0 1 1 funcref)
 *   (elem $0 (i32.const 0) $0)
 *   (tag $tag$0)
 *   (export "main" (func $0))
 *   (func $0 (param $0 i32) (param $1 i32) (param $2 i32) (result i32)
 *     (local $3 (ref null $2))
 *     (local $4 i64)
 *     (local $5 (ref null $3))
 *     (return_call $0
 *       (i32.const 102)
 *       (i32.const -94)
 *       (i32.const -36)
 *     )
 *   )
 * )
 */
const m = new WebAssembly.Instance(module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x96\x80\x80\x80\x00\x04\x50\x00\x5f\x00\x50\x00\x5e\x7f\x01\x50\x00\x60\x03\x7f\x7f\x7f\x01\x7f\x60\x00\x00\x03\x82\x80\x80\x80\x00\x01\x02\x04\x85\x80\x80\x80\x00\x01\x70\x01\x01\x01\x05\x84\x80\x80\x80\x00\x01\x01\x10\x20\x0d\x83\x80\x80\x80\x00\x01\x00\x03\x07\x88\x80\x80\x80\x00\x01\x04\x6d\x61\x69\x6e\x00\x00\x09\x8b\x80\x80\x80\x00\x01\x06\x00\x41\x00\x0b\x70\x01\xd2\x00\x0b\x0a\x97\x80\x80\x80\x00\x01\x15\x03\x01\x63\x01\x01\x7e\x01\x63\x00\x41\xe6\x00\x41\xa2\x7f\x41\x5c\x12\x00\xa8\x0b"));
m.exports.main();
```
It still fails, but it's entirely inside the codepath for tail calls. There is an easy fix, but if tail calls are WONTFIX for now then I can defer the fix until tail calls are in a better state.
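The report's Uint8Array and the updated string in comment 3 encode the same module apart from the prefix byte used for the reference-typed locals. The decoder below is an added example, not code from the report, from the updated test, or from WebKit: it reads the module's type, function and code sections far enough to pair each `return_call` with the type definition of its callee, so the test case can be read without a wasm toolchain. It assumes that the 0x6c/0x6b bytes in the report's locals are the older draft encoding of `ref null`/`ref` (the final encoding, which comment 3 uses, is 0x63/0x64), handles only the instructions that occur here plus a handful of common ones, and all function names are its own. The byte values are copied from the report.

```python
# Added example (not from the report or from WebKit): decode the type, function
# and code sections of the test-case module and locate its tail calls.

WASM_CODE = bytes([  # copied from the Uint8Array in the bug report
    0,97,115,109,1,0,0,0,1,150,128,128,128,0,4,80,0,95,0,80,0,94,127,1,80,0,96,3,
    127,127,127,1,127,96,0,0,3,130,128,128,128,0,1,2,4,133,128,128,128,0,1,112,1,
    1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,3,7,136,128,128,
    128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,
    11,10,151,128,128,128,0,1,21,3,1,108,1,1,126,1,108,0,65,230,0,65,162,127,65,
    92,18,0,168,11,
])

NUMTYPES = {0x7f: "i32", 0x7e: "i64", 0x7d: "f32", 0x7c: "f64",
            0x78: "i8", 0x77: "i16", 0x70: "funcref", 0x6f: "externref"}
# 0x63/0x64: final "ref null"/"ref" encoding. 0x6c/0x6b: older draft encoding,
# which is what the report's bytes use (assumption of this decoder).
REFTYPES = {0x63: "ref null", 0x64: "ref", 0x6c: "ref null", 0x6b: "ref"}
VAR_OPS = {0x20: "local.get", 0x21: "local.set", 0x22: "local.tee",
           0x23: "global.get", 0x24: "global.set"}

def read_uleb(buf, pos):
    result, shift = 0, 0
    while True:
        b = buf[pos]; pos += 1
        result |= (b & 0x7f) << shift; shift += 7
        if not b & 0x80:
            return result, pos

def read_sleb(buf, pos):
    result, shift = 0, 0
    while True:
        b = buf[pos]; pos += 1
        result |= (b & 0x7f) << shift; shift += 7
        if not b & 0x80:
            return (result - (1 << shift) if b & 0x40 else result), pos

def read_valtype(buf, pos):
    b = buf[pos]; pos += 1
    if b in REFTYPES:                       # reference type: prefix + heap type (sleb)
        ht, pos = read_sleb(buf, pos)
        return f"({REFTYPES[b]} {ht})", pos
    return NUMTYPES.get(b, f"0x{b:02x}"), pos

def iter_sections(buf):
    """Yield (section id, payload) for a wasm v1 module."""
    if buf[:8] != b"\x00asm\x01\x00\x00\x00":
        raise ValueError("not a WebAssembly v1 module")
    pos = 8
    while pos < len(buf):
        sec_id = buf[pos]; pos += 1
        size, pos = read_uleb(buf, pos)     # the report uses 5-byte padded LEB sizes
        yield sec_id, buf[pos:pos + size]
        pos += size

def decode_type_section(payload):
    count, pos = read_uleb(payload, 0)
    types = []
    for _ in range(count):
        entry = {"sub": False, "final": False, "supertypes": []}
        form = payload[pos]; pos += 1
        if form in (0x50, 0x4f):            # GC proposal: "sub" / "sub final" prefix
            entry["sub"], entry["final"] = True, form == 0x4f
            n, pos = read_uleb(payload, pos)
            for _ in range(n):
                idx, pos = read_uleb(payload, pos); entry["supertypes"].append(idx)
            form = payload[pos]; pos += 1
        if form == 0x60:                    # func: vec(param) vec(result)
            sig = {"params": [], "results": []}
            for key in ("params", "results"):
                n, pos = read_uleb(payload, pos)
                for _ in range(n):
                    vt, pos = read_valtype(payload, pos); sig[key].append(vt)
            entry.update(kind="func", **sig)
        elif form == 0x5e:                  # array: storagetype mut
            st, pos = read_valtype(payload, pos)
            entry.update(kind="array", elem=st, mutable=bool(payload[pos])); pos += 1
        elif form == 0x5f:                  # struct: vec(storagetype mut)
            n, pos = read_uleb(payload, pos); fields = []
            for _ in range(n):
                st, pos = read_valtype(payload, pos)
                fields.append((st, bool(payload[pos]))); pos += 1
            entry.update(kind="struct", fields=fields)
        else:
            raise ValueError(f"unhandled type form 0x{form:02x}")
        types.append(entry)
    return types

def decode_body(body):
    """Decode the locals and the instructions this module uses; stop at anything else."""
    ndecl, pos = read_uleb(body, 0); locals_ = []
    for _ in range(ndecl):
        n, pos = read_uleb(body, pos)
        vt, pos = read_valtype(body, pos); locals_ += [vt] * n
    instrs = []
    while pos < len(body):
        op = body[pos]; pos += 1
        if op == 0x41:                      # i32.const sleb32
            v, pos = read_sleb(body, pos); instrs.append(("i32.const", v))
        elif op in (0x10, 0x12):            # call / return_call funcidx
            idx, pos = read_uleb(body, pos)
            instrs.append(("call" if op == 0x10 else "return_call", idx))
        elif op in VAR_OPS:
            idx, pos = read_uleb(body, pos); instrs.append((VAR_OPS[op], idx))
        elif op == 0x0b:
            instrs.append(("end",))
        elif op in (0x00, 0x01, 0x0f) or 0x45 <= op <= 0xc4:   # no immediates
            instrs.append((f"op_0x{op:02x}",))
        else:
            instrs.append((f"unhandled_0x{op:02x}",)); break
    return locals_, instrs

def analyze(buf):
    """Pair every return_call in the module with the type definition of its callee."""
    sections = dict(iter_sections(buf))     # assumes no repeated section ids
    types = decode_type_section(sections[1])
    n, pos = read_uleb(sections[3], 0); func_types = []
    for _ in range(n):
        idx, pos = read_uleb(sections[3], pos); func_types.append(idx)
    n, pos = read_uleb(sections[10], 0); bodies = []
    for _ in range(n):
        size, pos = read_uleb(sections[10], pos)
        bodies.append(decode_body(sections[10][pos:pos + size])); pos += size
    tail_calls = [{"caller": fi, "callee": ins[1], "callee_type_index": func_types[ins[1]],
                   "callee_is_sub": types[func_types[ins[1]]]["sub"]}
                  for fi, (_, instrs) in enumerate(bodies)
                  for ins in instrs if ins[0] == "return_call"]
    return {"types": types, "func_types": func_types, "bodies": bodies, "tail_calls": tail_calls}

if __name__ == "__main__":
    for k, v in analyze(WASM_CODE).items():
        print(k, v)
```

Run on the report's bytes, `analyze` shows function 0 tail-calling itself with `return_call 0` after three `i32.const` arguments, and that function 0's signature is type index 2, which is declared with the GC proposal's `sub` prefix rather than as a bare func type (type index 3 is the only bare one). Since the assertion in the report fires inside `TypeDefinition::as<FunctionSignature>()` on the tail-call path, which kind of type definition the call target resolves to is the first thing to check when triaging a report of this shape.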
Yusuke Suzuki
Comment 4
2024-08-14 17:09:40 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/32219
EWS
Comment 5
2024-08-15 07:00:20 PDT
Committed 282283@main (0be62f7bf9ec): <https://commits.webkit.org/282283@main>

Reviewed commits have been landed. Closing PR #32219 and removing active labels.