WebKit Bugzilla
RESOLVED FIXED
284161
ASSERTION FAILED: initValue.getObject() in JSC::JSWebAssemblyInstance::initElementSegment
https://bugs.webkit.org/show_bug.cgi?id=284161
linjy01
Reported 2024-12-06 06:21:32 PST
Created attachment 473484 [details]: standalone poc

WebKit Commit id: fc785d01b89ffc35cfd2df81c3f81dc541404a6f (Dec 6 2024)

# Reproduction:

build: `./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS='-O3 -lrt'"`

run: `./WebKitBuild/JSCOnly/Debug/bin/jsc ./poc.js`

# POC

```
load("test/mjsunit/wasm/wasm-module-builder.js");
const builder = new WasmModuleBuilder();
// funcref table with 10 slots
const v9 = builder.addTable(kWasmFuncRef, 10);
// funcref global left at its default value (ref.null)
const v31 = builder.addGlobal(kWasmFuncRef);
// active element segment whose single item reads the null global via global.get;
// initElementSegment asserts that the item is an object and trips on the null
builder.addActiveElementSegment(v9.index, wasmI32Const(0), [[kExprGlobalGet, v31.index]], kWasmFuncRef);
builder.instantiate();
```

The attachment is a longer and standalone runnable POC (poc_withbuilder.js) that contains the `wasm-module-builder.js` source code (the poc code is at the end of the attached poc_withbuilder.js).

# Output:

```
ASSERTION FAILED: initValue.getObject()
./WebKit/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp(520) : void JSC::JSWebAssemblyInstance::initElementSegment(uint32_t, const JSC::Wasm::Element &, uint32_t, uint32_t, uint32_t)
```

# Backtrace:

```
#3  0x00007ffff5803476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff57e97f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x0000555556390d2a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:913
#6  0x0000555557b2a258 in JSC::JSWebAssemblyInstance::initElementSegment (this=0x7fffeb010558, tableIndex=<optimized out>, segment=..., dstOffset=0, srcOffset=0, length=1) at ./WebKit/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:520
#7  0x0000555557b4f32d in JSC::WebAssemblyModuleRecord::evaluate(JSC::JSGlobalObject*)::$_2::operator()(JSC::Wasm::Element const&, unsigned int, unsigned int) const (element=..., tableIndex=0, elementIndex=0, this=<optimized out>) at ./WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:882
#8  JSC::WebAssemblyModuleRecord::evaluate(JSC::JSGlobalObject*)::$_1::operator()<JSC::WebAssemblyModuleRecord::evaluate(JSC::JSGlobalObject*)::$_2>(JSC::WebAssemblyModuleRecord::evaluate(JSC::JSGlobalObject*)::$_2) const (fn=..., this=<optimized out>) at ./WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:838
#9  JSC::WebAssemblyModuleRecord::evaluate (this=0x7fffeb0103c8, globalObject=0x7fffa941a088) at ./WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:875
#10 0x0000555557b2719b in JSC::JSWebAssemblyInstance::finalizeCreation (this=0x7fffeb010558, vm=..., globalObject=0x7fffa941a088, wasmCalleeGroup=..., creationMode=JSC::Wasm::CreationMode::FromJS) at ./WebKit/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:207
#11 0x0000555557b41440 in JSC::constructJSWebAssemblyInstance (globalObject=0x7fffa941a088, callFrame=<optimized out>) at ./WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp:71
#12 0x00007fffaafc83e7 in ?? ()
#13 0x00007fffffffdb90 in ?? ()
#14 0x00005555565ab76a in llint_op_construct ()
#15 0x0000000000000000 in ?? ()
```
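A hand-encoded counterpart of the PoC's module, added here as an example (it is not from the report, the attachment or WebKit): an active element segment whose single item is `global.get` of a funcref global holding ref.null, instantiated in a spec-following engine to show the expected outcome, a null table entry rather than a crash. The global is imported as an immutable funcref global (an assumption made so the module validates under the base reference-types rules; the builder's `addGlobal` defines it in-module instead), and `BUG_MODULE_BYTES` / `instantiateWithNullFuncref` are names chosen here.

```javascript
// Hand-encoded WebAssembly binary (constructed example) exercising the construct
// from the PoC: a funcref table of 10 slots plus an active element segment whose
// one item is `global.get` of a funcref global that holds ref.null.
const BUG_MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,               // magic + version 1
  // import section (id 2): "env"."g" as an immutable funcref global (assumed import)
  0x02, 0x0a, 0x01, 0x03, 0x65, 0x6e, 0x76, 0x01, 0x67, 0x03, 0x70, 0x00,
  // table section (id 4): one funcref table, min 10, no max (like addTable(kWasmFuncRef, 10))
  0x04, 0x04, 0x01, 0x70, 0x00, 0x0a,
  // export section (id 7): export table 0 as "t" so the result can be inspected
  0x07, 0x05, 0x01, 0x01, 0x74, 0x01, 0x00,
  // element section (id 9): flags 0x04 = active, table 0, expression items;
  //   offset expr: i32.const 0 end ; items: [ global.get 0 end ]
  0x09, 0x09, 0x01, 0x04, 0x41, 0x00, 0x0b, 0x01, 0x23, 0x00, 0x0b,
]);

// Instantiates the module with the imported funcref global set to null (the same
// state as the PoC's never-initialised global) and reports what the element
// segment left in table slot 0. A spec-following engine must accept the module
// and write a null funcref; the JSC debug build instead hit the assertion above.
function instantiateWithNullFuncref() {
  const g = new WebAssembly.Global({ value: 'anyfunc', mutable: false }, null);
  const valid = WebAssembly.validate(BUG_MODULE_BYTES);
  const instance = new WebAssembly.Instance(new WebAssembly.Module(BUG_MODULE_BYTES), { env: { g } });
  const table = instance.exports.t;
  return { valid, length: table.length, slot0: table.get(0), slot1: table.get(1) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(instantiateWithNullFuncref()); // { valid: true, length: 10, slot0: null, slot1: null }
}
```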
Attachments
standalone poc (73.31 KB, text/javascript), 2024-12-06 06:21 PST, linjy01
Radar WebKit Bug Importer
Comment 1
2024-12-13 06:22:13 PST
<rdar://problem/141434674>
Yusuke Suzuki
Comment 2
2025-06-04 11:46:21 PDT
OK, this is a deterministic crash with a particular bit pattern (0x2). So not a security issue.
Yusuke Suzuki
Comment 3
2025-06-04 11:49:43 PDT
Pull request: https://github.com/WebKit/WebKit/pull/46335
EWS
Comment 4
2025-06-05 11:13:44 PDT
Committed 295880@main (c169f9138a5f): <https://commits.webkit.org/295880@main>
Reviewed commits have been landed. Closing PR #46335 and removing active labels.