WebKit Bugzilla
Bug 283262 (RESOLVED FIXED)
WebAssembly assertion error in FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression
https://bugs.webkit.org/show_bug.cgi?id=283262
linjy01, reported 2024-11-17 08:02:55 PST
Created attachment 473250 [details]: standalone runnable poc

(I reported the same bug 283258 but not in the Security component, sorry about any confusion or inconvenience)

WebKit commit id: 1a9adbce1d3fbd78795e86aad2c57ce384e31168 (Nov 16 2024)

Reproduction:

build: `./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS=' -O3 -lrt'"`

run: `./WebKitBuild/JSCOnly/Debug/bin/jsc ./poc_withbuilder.js`

POC (short version):

```
load("test/mjsunit/wasm/wasm-module-builder.js");
builder = new WasmModuleBuilder();
// Push local 0 (declared below as an exnref), then apply ref.test with
// the exn heap type to it: local.get 0 ; ref.test exn
const function_body = [kExprLocalGet,0,kGCPrefix,kExprRefTest,kExnRefCode];
builder.addFunction("func", makeSig([], [])).addLocals(kWasmExnRef, 1).addBody(function_body);
// Instantiating compiles the function body, which reaches the assertion.
builder.instantiate(builder);
```

The attachment is a longer and standalone POC that contains the `wasm-module-builder.js` source code (the poc code is at the end of the attached poc_withbuilder.js).

Output:

```
SHOULD NEVER BE REACHED
./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h(2714) : JSC::Wasm::ParserBase::PartialResult JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression() [Context = JSC::Wasm::LLIntGenerator]
1 0x55f30d6c904d ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x252704d) [0x55f30d6c904d]
2 0x55f30d6a166b ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x24ff66b) [0x55f30d6a166b]
3 0x55f30d62566c ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x248366c) [0x55f30d62566c]
4 0x55f30d62459f ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x248259f) [0x55f30d62459f]
5 0x55f30d642920 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x24a0920) [0x55f30d642920]
6 0x55f30d5a52dd ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x24032dd) [0x55f30d5a52dd]
7 0x55f30d891771 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x26ef771) [0x55f30d891771]
8 0x55f30d9dc964 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x283a964) [0x55f30d9dc964]
9 0x55f30d9fc4da ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x285a4da) [0x55f30d9fc4da]
10 0x55f30da87d36 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x28e5d36) [0x55f30da87d36]
11 0x7f3171a96ac3 /lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7f3171a96ac3]
12 0x7f3171b28850 /lib/x86_64-linux-gnu/libc.so.6(+0x126850) [0x7f3171b28850]
Aborted (core dumped)
```

GDB backtrace:

```
#2  __GI___pthread_kill (threadid=140735951894080, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff5803476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff57e97f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055555639304a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:913
#6  0x0000555557a7b062 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this@entry=0x7fffa46b3180) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2714
#7  0x0000555557a5366b in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this@entry=0x7fffa46b3180) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:534
#8  0x00005555579d766c in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this@entry=0x7fffa46b3180) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:487
#9  0x00005555579d659f in JSC::Wasm::parseAndCompileBytecode (function=..., signature=..., info=..., functionIndex=functionIndex@entry=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:634
#10 0x00005555579f4920 in JSC::Wasm::LLIntPlan::compileFunction (this=0x7fffeb04b7b0, functionIndex=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:105
#11 0x00005555579572dd in JSC::Wasm::EntryPlan::compileFunctions (this=0x7fffeb04b7b0, effort=JSC::Wasm::Plan::Partial) at ./WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:218
#12 0x0000555557c43771 in JSC::Wasm::Worklist::Thread::work (this=0x7fffeb16c680) at ./WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:108
#13 0x0000555557d8e964 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at ./WebKit/Source/WTF/wtf/AutomaticThread.cpp:225
#14 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at ./WebKit/Source/WTF/wtf/Function.h:53
#15 0x0000555557dae4da in WTF::Function<void ()>::operator()() const (this=<optimized out>) at ./WebKit/Source/WTF/wtf/Function.h:82
#16 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at ./WebKit/Source/WTF/wtf/Threading.cpp:265
#17 0x0000555557e39d36 in WTF::wtfThreadEntryPoint (context=0x20f3c2) at ./WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:241
#18 0x00007ffff5855ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#19 0x00007ffff58e7850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
```
Attachments: standalone runnable poc (73.29 KB, text/javascript), 2024-11-17 08:02 PST, linjy01
Radar WebKit Bug Importer, Comment 1, 2024-11-17 08:03:04 PST

<rdar://problem/140072695>
linjy01, Comment 2, 2024-11-17 08:03:20 PST

*** Bug 283258 has been marked as a duplicate of this bug. ***
Yusuke Suzuki, Comment 3, 2024-11-17 16:19:42 PST

Pull request: https://github.com/WebKit/WebKit/pull/36779
EWS, Comment 4, 2024-11-18 09:33:14 PST

Committed 286733@main (de486f972120): <https://commits.webkit.org/286733@main>

Reviewed commits have been landed. Closing PR #36779 and removing active labels.
Yusuke Suzuki, Comment 5, 2024-11-25 11:05:25 PST

*** Bug 283277 has been marked as a duplicate of this bug. ***