Bug 284161 - RESOLVED FIXED
ASSERTION FAILED: initValue.getObject() in JSC::JSWebAssemblyInstance::initElementSegment
https://bugs.webkit.org/show_bug.cgi?id=284161
linjy01
Reported 2024-12-06 06:21:32 PST
Created attachment 473484 [details]
standalone poc

WebKit Commit id: fc785d01b89ffc35cfd2df81c3f81dc541404a6f (Dec 6 2024)

# Reproduction:
build: `./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS='-O3 -lrt'"`
run: `./WebKitBuild/JSCOnly/Debug/bin/jsc ./poc.js`

# POC
```
load("test/mjsunit/wasm/wasm-module-builder.js");
const builder = new WasmModuleBuilder();
// A funcref table with 10 slots and a funcref global with no initializer.
const v9 = builder.addTable(kWasmFuncRef, 10);
const v31 = builder.addGlobal(kWasmFuncRef);
// Active segment at offset 0 whose single item is the expression `global.get v31`.
builder.addActiveElementSegment(v9.index, wasmI32Const(0), [[kExprGlobalGet,v31.index]], kWasmFuncRef);
// Instantiation evaluates the segment and hits the assertion in initElementSegment.
builder.instantiate();
```
The attachment is a longer and standalone runnable POC (poc_withbuilder.js) that contains the `wasm-module-builder.js` source code (the poc code is at the end of the attached poc_withbuilder.js).

# Output:
```
ASSERTION FAILED: initValue.getObject()
./WebKit/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp(520) : void JSC::JSWebAssemblyInstance::initElementSegment(uint32_t, const JSC::Wasm::Element &, uint32_t, uint32_t, uint32_t)
```

# Backtrace:
```
#3  0x00007ffff5803476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff57e97f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x0000555556390d2a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:913
#6  0x0000555557b2a258 in JSC::JSWebAssemblyInstance::initElementSegment (this=0x7fffeb010558, tableIndex=<optimized out>, segment=..., dstOffset=0, srcOffset=0, length=1) at ./WebKit/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:520
#7  0x0000555557b4f32d in JSC::WebAssemblyModuleRecord::evaluate(JSC::JSGlobalObject*)::$_2::operator()(JSC::Wasm::Element const&, unsigned int, unsigned int) const (element=..., tableIndex=0, elementIndex=0, this=<optimized out>) at ./WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:882
#8  JSC::WebAssemblyModuleRecord::evaluate(JSC::JSGlobalObject*)::$_1::operator()<JSC::WebAssemblyModuleRecord::evaluate(JSC::JSGlobalObject*)::$_2>(JSC::WebAssemblyModuleRecord::evaluate(JSC::JSGlobalObject*)::$_2) const (fn=..., this=<optimized out>) at ./WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:838
#9  JSC::WebAssemblyModuleRecord::evaluate (this=0x7fffeb0103c8, globalObject=0x7fffa941a088) at ./WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:875
#10 0x0000555557b2719b in JSC::JSWebAssemblyInstance::finalizeCreation (this=0x7fffeb010558, vm=..., globalObject=0x7fffa941a088, wasmCalleeGroup=..., creationMode=JSC::Wasm::CreationMode::FromJS) at ./WebKit/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:207
#11 0x0000555557b41440 in JSC::constructJSWebAssemblyInstance (globalObject=0x7fffa941a088, callFrame=<optimized out>) at ./WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp:71
#12 0x00007fffaafc83e7 in ?? ()
#13 0x00007fffffffdb90 in ?? ()
#14 0x00005555565ab76a in llint_op_construct ()
#15 0x0000000000000000 in ?? ()
```
Attachments
standalone poc (73.31 KB, text/javascript)
2024-12-06 06:21 PST, linjy01
Radar WebKit Bug Importer
Comment 1 2024-12-13 06:22:13 PST
Yusuke Suzuki
Comment 2 2025-06-04 11:46:21 PDT
OK, this is a deterministic crash with a particular bit pattern (0x2). So not a security issue.
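The following is an added example, not code from the bug report, the attached PoC, or WebKit. It hand-assembles the same shape of module the PoC builds (a funcref table, a funcref global, and an active element segment whose single item is `global.get` of that global) and checks the behaviour a conforming engine has to implement: when the constant expression yields a null funcref, the null is written into the table slot, not treated as a function object. The value in the PoC is null because the global has no initializer; Yusuke's 0x2 is the JSValue encoding of null in JSC, which is why `initValue.getObject()` asserts. One assumption differs from the PoC: the global is imported here rather than defined in the module, so the module is valid under the Wasm 2.0 rule that `global.get` in a constant expression may only name an imported immutable global, and it runs on any current engine (Node's V8 was used for the expected values).

```javascript
// Added example: a hand-assembled module, equivalent in shape to the PoC's builder
// output, with the funcref global imported (assumption, see lead-in).
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic, version 1
  // type section: one type, () -> ()
  0x01, 0x04, 0x01, 0x60, 0x00, 0x00,
  // import section: (import "env" "g" (global funcref)), immutable
  0x02, 0x0a, 0x01, 0x03, 0x65, 0x6e, 0x76, 0x01, 0x67, 0x03, 0x70, 0x00,
  // function section: one function of type 0
  0x03, 0x02, 0x01, 0x00,
  // table section: (table 10 funcref)
  0x04, 0x04, 0x01, 0x70, 0x00, 0x0a,
  // export section: "t" -> table 0, "f" -> func 0
  0x07, 0x09, 0x02, 0x01, 0x74, 0x01, 0x00, 0x01, 0x66, 0x00, 0x00,
  // element section, flags 4 = active, table 0, offset expr, items as expressions:
  //   offset (i32.const 0) end, one item (global.get 0) end
  0x09, 0x09, 0x01, 0x04, 0x41, 0x00, 0x0b, 0x01, 0x23, 0x00, 0x0b,
  // code section: the empty body of func 0
  0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b,
]);

// Instantiate with the imported global holding `value` (null or an exported wasm
// function) and return the instance's exports. Instantiation is where the element
// segment is evaluated and copied into the table.
function instantiateWith(value) {
  const g = new WebAssembly.Global({ value: 'anyfunc', mutable: false }, value);
  const mod = new WebAssembly.Module(MODULE_BYTES);
  return new WebAssembly.Instance(mod, { env: { g } }).exports;
}

// Case 1: the global is null, the situation the PoC produces. A conforming engine
// must leave table slot 0 holding null; asserting the init value is an object is
// exactly the mistake the report's assertion reveals.
function slotFromNullGlobal() {
  return instantiateWith(null).t.get(0);
}

// Case 2: the global holds a real function; the same element segment must copy it
// into the table, and table.get must hand back the same exported function object.
function slotFromFunctionGlobal() {
  const donor = instantiateWith(null);   // any instance gives us an exported wasm function
  const exports = instantiateWith(donor.f);
  return { expected: donor.f, got: exports.t.get(0) };
}

console.log('null global -> table[0] =', slotFromNullGlobal());
const r = slotFromFunctionGlobal();
console.log('function global -> table[0] is the same function:', r.got === r.expected);
```

Running it prints `null` for the first case and `true` for the second. The element-section bytes are the part worth reading against the PoC: flag 4 selects the expression-encoded item form, and the single item `0x23 0x00 0x0b` is the `global.get 0` that the PoC's `[kExprGlobalGet, v31.index]` emits.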
Yusuke Suzuki
Comment 3 2025-06-04 11:49:43 PDT
EWS
Comment 4 2025-06-05 11:13:44 PDT
Committed 295880@main (c169f9138a5f): <https://commits.webkit.org/295880@main> Reviewed commits have been landed. Closing PR #46335 and removing active labels.