Bug 283260 - RESOLVED DUPLICATE of bug 283261
WebAssembly: JavaScriptCore crash at JSC::Wasm::wasmToJS inside generateWasmToJSStubs
https://bugs.webkit.org/show_bug.cgi?id=283260
linjy01
Reported 2024-11-17 07:49:56 PST
Created attachment 473248: standalone runnable poc

WebKit commit id: 1a9adbce1d3fbd78795e86aad2c57ce384e31168 (Nov 16 2024)

Reproduction:

build: `./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS='-O3 -lrt'"`

run: `./WebKitBuild/JSCOnly/Debug/bin/jsc ./poc_withbuilder.js`

POC (short version):

```js
load("test/mjsunit/wasm/wasm-module-builder.js");
let builder = new WasmModuleBuilder()
builder.addImport("imp_func", "module", builder.nextTypeIndex());
builder.addStruct([]);
builder.instantiate();
```

The attachment is a longer and standalone POC that contains the `wasm-module-builder.js` source code (the poc code is at the end of the attached poc_withbuilder.js).

This POC crashes in `generateWasmToJSStubs` inside the `Options::useWasmJIT()` branch in `Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:320`:

```cpp
bool EntryPlan::generateWasmToJSStubs()
{
    m_wasmToJSExitStubs.resize(m_moduleInformation->importFunctionCount());
    for (unsigned importIndex = 0; importIndex < m_moduleInformation->importFunctionCount(); ++importIndex) {
#if ENABLE(JIT)
        Wasm::TypeIndex typeIndex = m_moduleInformation->importFunctionTypeIndices.at(importIndex);
        if (Options::useWasmJIT()) {
            auto binding = wasmToJS(typeIndex, importIndex);
```

Output:

```
ASSERTION FAILED: is<T>()
./WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.h(813) : T *JSC::Wasm::TypeDefinition::as() [T = JSC::Wasm::FunctionSignature]
1   0x55fc3f2b74be ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x270d4be) [0x55fc3f2b74be]
2   0x55fc3efae050 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x2404050) [0x55fc3efae050]
3   0x55fc3efae721 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x2404721) [0x55fc3efae721]
4   0x55fc3f04c275 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x24a2275) [0x55fc3f04c275]
5   0x55fc3efae563 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x2404563) [0x55fc3efae563]
6   0x55fc3efad819 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x2403819) [0x55fc3efad819]
7   0x55fc3f299771 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x26ef771) [0x55fc3f299771]
8   0x55fc3f3e4964 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x283a964) [0x55fc3f3e4964]
9   0x55fc3f4044da ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x285a4da) [0x55fc3f4044da]
10  0x55fc3f48fd36 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x28e5d36) [0x55fc3f48fd36]
11  0x7f6ab39b7ac3 /lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7f6ab39b7ac3]
12  0x7f6ab3a49850 /lib/x86_64-linux-gnu/libc.so.6(+0x126850) [0x7f6ab3a49850]
Aborted (core dumped)
```

GDB backtrace:

```
#2  __GI___pthread_kill (threadid=140735951894080, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff5803476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff57e97f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055555639304a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:913
#6  0x0000555557c6150b in JSC::Wasm::wasmToJS (typeIndex=typeIndex@entry=140737137437568, importIndex=importIndex@entry=0) at WTF/Headers/wtf/Assertions.h:936
#7  0x0000555557958050 in JSC::Wasm::EntryPlan::generateWasmToJSStubs (this=this@entry=0x7fffeb04a940) at ./WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:320
#8  0x0000555557958721 in JSC::Wasm::EntryPlan::generateStubsIfNecessary (this=0x7fffeb04a940) at ./WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:278
#9  0x00005555579f6275 in JSC::Wasm::LLIntPlan::didCompleteCompilation (this=0x7fffeb04a940) at ./WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:182
#10 0x0000555557958563 in JSC::Wasm::EntryPlan::complete (this=0x7fffeb04a940) at ./WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:244
#11 0x0000555557957819 in JSC::Wasm::EntryPlan::ThreadCountHolder::~ThreadCountHolder (this=<optimized out>) at ./WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:167
#12 JSC::Wasm::EntryPlan::compileFunctions (this=0x7fffeb04a940, effort=JSC::Wasm::Plan::Partial) at ./WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:236
#13 0x0000555557c43771 in JSC::Wasm::Worklist::Thread::work (this=0x7fffeb158e00) at ./WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:108
#14 0x0000555557d8e964 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at ./WebKit/Source/WTF/wtf/AutomaticThread.cpp:225
#15 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at ./WebKit/Source/WTF/wtf/Function.h:53
#16 0x0000555557dae4da in WTF::Function<void ()>::operator()() const (this=<optimized out>) at ./WebKit/Source/WTF/wtf/Function.h:82
#17 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at ./WebKit/Source/WTF/wtf/Threading.cpp:265
#18 0x0000555557e39d36 in WTF::wtfThreadEntryPoint (context=0x3e9f5f) at ./WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:241
```
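The assertion in the report fires because the import's type index resolves to a struct definition that `wasmToJS` then casts to a `FunctionSignature`. As an added example (not WebKit's code, and not from the reporter), here is the binary-level check a loader would perform before any such cast: walk the type and import sections and reject a function import whose type index is out of range or does not name a func signature. The LEB128 decoder, section walk and the module bytes are constructed here and mirror the shape the POC builds (an empty struct at index 0, one function import naming it).

```python
# Added check (not WebKit's code) for the invariant the assertion above enforces: a func import's
# typeidx must name a func signature (0x60), not a struct (0x5f). Assumes 1-byte valtypes, func imports only.
FUNC, STRUCT = 0x60, 0x5F

def leb_u32(buf, pos):  # decode an unsigned LEB128 u32 at pos -> (value, next_pos)
    value = 0
    for shift in range(0, 35, 7):
        b = buf[pos + shift // 7]
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos + shift // 7 + 1
    raise ValueError("LEB128 value longer than 5 bytes")

def skip_vec(buf, pos, width):  # skip a LEB-prefixed vector of fixed-width items
    n, pos = leb_u32(buf, pos)
    return pos + n * width

def type_forms(body):  # form byte (FUNC/STRUCT) of each entry in a type-section payload
    (count, pos), forms = leb_u32(body, 0), []
    for _ in range(count):
        form, pos = body[pos], pos + 1
        if form == FUNC:                      # params vec then results vec, 1-byte valtypes
            pos = skip_vec(body, skip_vec(body, pos, 1), 1)
        elif form == STRUCT:                  # vec of (storagetype, mutability) pairs
            pos = skip_vec(body, pos, 2)
        else:
            raise ValueError("unsupported type form 0x%02x" % form)
        forms.append(form)
    return forms

def check_function_imports(module):  # -> [(import_index, typeidx)] for each ill-typed func import
    forms, problems, pos = [], [], 8          # skip the 8-byte magic + version header
    while pos < len(module):                  # section = id byte, LEB size, payload
        sid, (size, pos) = module[pos], leb_u32(module, pos + 1)
        body, pos = module[pos:pos + size], pos + size
        if sid == 1:
            forms = type_forms(body)
        elif sid == 2:
            count, p = leb_u32(body, 0)
            for i in range(count):
                p = skip_vec(body, skip_vec(body, p, 1), 1)   # module name, field name
                if body[p] != 0x00:
                    raise ValueError("only func imports are handled here")
                idx, p = leb_u32(body, p + 1)
                if idx >= len(forms) or forms[idx] != FUNC:
                    problems.append((i, idx))
    return problems
# Constructed bytes mirroring the POC: type 0 is an empty struct and the lone func import names it.
BAD_MODULE = (b"\0asm\x01\0\0\0" + bytes([1, 3, 1, STRUCT, 0])
              + bytes([2, 9, 1, 3]) + b"mod" + bytes([1]) + b"f" + bytes([0, 0]))
```

`check_function_imports(BAD_MODULE)` reports import 0 referencing type index 0, which is exactly the module a validator should refuse before the JIT stub generator ever sees it.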
Attachments
standalone runnable poc (73.22 KB, text/javascript)
2024-11-17 07:49 PST, linjy01
no flags
linjy01
Comment 1 2024-11-17 07:59:53 PST
*** This bug has been marked as a duplicate of bug 283261 ***