WebKit Bugzilla
Bug 284873: WebAssembly: ASSERTION FAILED: signature.is<FunctionSignature>() in JSC::Wasm::SectionParser
Status: RESOLVED CONFIGURATION CHANGED
https://bugs.webkit.org/show_bug.cgi?id=284873
Reported by linjy01, 2024-12-18 02:18:27 PST

Created attachment 473592 [details]
standalone poc

WebKit Commit id: 14becf89d9ce9dc33b74d5aa778b1dd21d162ef1 (Dec 18 2024)

# Reproduction:
build: `./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-O3 -lrt'"`
run: `./WebKitBuild/JSCOnly/Debug/bin/jsc ./poc.js`

# POC
```
load("test/mjsunit/wasm/wasm-module-builder.js");
const builder = new WasmModuleBuilder();
builder.start_index = "";
builder.addArray(kWasmI32);
const v30 = builder.addFunction("init", kSig_v_v);//.addBody([]);
v30.type_index = v30;
builder.instantiate();
```
The attachment is a longer and standalone runnable POC (poc_withbuilder.js) that contains the `wasm-module-builder.js` source code (the poc code is at the end of the attached poc_withbuilder.js).

# Output:
```
ASSERTION FAILED: signature.is<FunctionSignature>()
./WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinitionInlines.h(63) : static const JSC::Wasm::FunctionSignature &JSC::Wasm::TypeInformation::getFunctionSignature(JSC::Wasm::TypeIndex)
1   0x55f895ddfcf3 ../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x1265cf3) [0x55f895ddfcf3]
2   0x55f89710e571 ../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x2594571) [0x55f89710e571]
3   0x55f897125fe6 ../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x25abfe6) [0x55f897125fe6]
4   0x55f897126ae9 ../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x25acae9) [0x55f897126ae9]
5   0x55f896f275a6 ../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x23ad5a6) [0x55f896f275a6]
6   0x55f896fa3099 ../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x2429099) [0x55f896fa3099]
7   0x55f89705a664 ../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x24e0664) [0x55f89705a664]
8   0x55f897173adf ../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x25f9adf) [0x55f897173adf]
9   0x55f89717407f ../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x25fa07f) [0x55f89717407f]
10  0x7f21273283e7 [0x7f21273283e7]
Aborted (core dumped)
```

# Backtrace:
```
#2  __GI___pthread_kill (threadid=140737311933376, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff5803476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff57e97f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055555639263a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:913
#6  0x00005555567b9d08 in JSC::Wasm::TypeInformation::getFunctionSignature (index=<optimized out>) at ./WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinitionInlines.h:63
#7  0x0000555557ae8571 in JSC::Wasm::SectionParser::parseStart (this=0x7fffffffd6d8) at ./WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:511
#8  0x0000555557afffe6 in JSC::Wasm::StreamingParser::parseSectionPayload (this=this@entry=0x7fffeb09a3c0, data=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:200
#9  0x0000555557b00ae9 in JSC::Wasm::StreamingParser::addBytes (this=0x7fffeb09a3c0, bytes=std::span of length 47 = {...}, isEndOfStream=<optimized out>) at ./WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:344
#10 0x00005555579015a6 in JSC::Wasm::StreamingParser::addBytes (this=0x7fffeb09a3c0, bytes=std::span of length 47 = {...}) at ./WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.h:84
#11 JSC::Wasm::EntryPlan::parseAndValidateModule (this=0x7fffeb09a310, source=std::span of length 47 = {...}) at ./WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:93
#12 0x000055555797d099 in JSC::Wasm::LLIntPlan::LLIntPlan(JSC::VM&, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&, JSC::Wasm::CompilerMode, WTF::RefPtr<WTF::SharedTask<void (JSC::Wasm::Plan&)>, WTF::RawPtrTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> >, WTF::DefaultRefDerefTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> > >&&) (this=0x7fffeb09a310, vm=..., source=..., compilerMode=<optimized out>, task=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:54
#13 0x0000555557a34664 in JSC::Wasm::Module::validateSync (vm=..., source=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmModule.cpp:98
#14 0x0000555557b4dadf in JSC::WebAssemblyModuleConstructor::createModule (globalObject=<optimized out>, globalObject@entry=0x7fffe903a088, callFrame=callFrame@entry=0x7fffffffda40, buffer=...) at ./WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp:301
#15 0x0000555557b4e07f in JSC::constructJSWebAssemblyModule (globalObject=0x7fffe903a088, callFrame=0x7fffffffda40) at ./WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp:282
#16 0x00007fffa8fc83e7 in ?? ()
```
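The backtrace above shows the assertion firing inside SectionParser::parseStart, when the start function's type index is looked up as a function signature but resolves to a non-function (GC) type. As an added illustration, not part of the bug report and not JSC's code, the following hand-written JavaScript decoder turns that condition into an ordinary validation failure: it reads only the type, function and start sections of a module and rejects a start function whose type index names an array or struct type, is out of range, or is not `[] -> []`. The section ids, type-form opcodes and encodings are from the Wasm binary format; the two module byte sequences are constructed for the example (one declares its only function with the array type's index, the other with the function type's index). The decoder assumes no import section, single-byte value types, and only the `0x60`/`0x5e`/`0x5f` type forms (no rec groups or subtypes); anything else throws rather than being guessed at.

```javascript
// Added example: a defensive start-section check for a Wasm module.
// Not JSC's parser; it decodes just enough of the module to answer one question:
// does the start function's type index name a function signature of type [] -> []?

const SECTION_TYPE = 1, SECTION_IMPORT = 2, SECTION_FUNCTION = 3, SECTION_START = 8;
const FUNC_TYPE = 0x60, STRUCT_TYPE = 0x5f, ARRAY_TYPE = 0x5e;

class Reader {
  constructor(bytes) { this.bytes = bytes; this.pos = 0; }
  get eof() { return this.pos >= this.bytes.length; }
  u8() {
    if (this.eof) throw new Error("unexpected end of module");
    return this.bytes[this.pos++];
  }
  // Unsigned LEB128 u32, at most five bytes. Multiplication instead of <<
  // keeps values with bit 31 set positive in JavaScript.
  u32() {
    let result = 0;
    for (let shift = 0; shift < 35; shift += 7) {
      const b = this.u8();
      result += (b & 0x7f) * 2 ** shift;
      if ((b & 0x80) === 0) {
        if (result > 0xffffffff) throw new Error("u32 LEB128 out of range");
        return result;
      }
    }
    throw new Error("u32 LEB128 too long");
  }
}

function readValTypes(r) {          // vec(valtype); assumes single-byte value types
  const n = r.u32(), out = [];
  for (let i = 0; i < n; i++) out.push(r.u8());
  return out;
}

function readFieldType(r) { r.u8(); r.u8(); }  // storage type (one byte) + mutability

// Decode the type, function and start sections; skip everything else.
function parseStartInfo(bytes) {
  const r = new Reader(bytes);
  for (const m of [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00])
    if (r.u8() !== m) throw new Error("bad magic or version");
  const types = [], funcTypeIndices = [];
  let start = null;
  while (!r.eof) {
    const id = r.u8(), size = r.u32(), end = r.pos + size;
    if (end > bytes.length) throw new Error(`section ${id} overruns the module`);
    if (id === SECTION_TYPE) {
      const count = r.u32();
      for (let i = 0; i < count; i++) {
        const form = r.u8();
        if (form === FUNC_TYPE) {
          const params = readValTypes(r), results = readValTypes(r);
          types.push({ kind: "func", params, results });
        } else if (form === ARRAY_TYPE) {
          readFieldType(r);
          types.push({ kind: "array" });
        } else if (form === STRUCT_TYPE) {
          const fields = r.u32();
          for (let j = 0; j < fields; j++) readFieldType(r);
          types.push({ kind: "struct" });
        } else {
          throw new Error(`unsupported type form 0x${form.toString(16)}`);
        }
      }
    } else if (id === SECTION_IMPORT) {
      throw new Error("import section not handled by this example");
    } else if (id === SECTION_FUNCTION) {
      const count = r.u32();
      for (let i = 0; i < count; i++) funcTypeIndices.push(r.u32());
    } else if (id === SECTION_START) {
      start = r.u32();
    }
    if (r.pos > end) throw new Error(`section ${id} payload overrun`);
    r.pos = end;                    // skip the remainder of the section
  }
  return { types, funcTypeIndices, start };
}

// The check the parser should perform before treating the type as a signature.
function checkStartFunction(bytes) {
  const { types, funcTypeIndices, start } = parseStartInfo(bytes);
  if (start === null) return { ok: true, reason: "no start section" };
  if (start >= funcTypeIndices.length)
    return { ok: false, reason: `start function index ${start} out of range` };
  const typeIndex = funcTypeIndices[start];
  if (typeIndex >= types.length)
    return { ok: false, reason: `function ${start} uses out-of-range type index ${typeIndex}` };
  const t = types[typeIndex];
  if (t.kind !== "func")
    return { ok: false, reason: `type index ${typeIndex} is an ${t.kind} type, not a function signature` };
  if (t.params.length !== 0 || t.results.length !== 0)
    return { ok: false, reason: "start function must have type [] -> []" };
  return { ok: true, reason: "start function has a valid [] -> [] signature" };
}

// Constructed modules (hand-assembled bytes for this example, not the reporter's PoC):
// type 0 = array (mut i32), type 1 = func [] -> [], one function with an empty body, start = function 0.
const HEADER = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00];
const TYPE_SEC = [0x01, 0x07, 0x02, 0x5e, 0x7f, 0x01, 0x60, 0x00, 0x00];
const START_SEC = [0x08, 0x01, 0x00];
const CODE_SEC = [0x0a, 0x04, 0x01, 0x02, 0x00, 0x0b];
const BAD_MODULE = Uint8Array.from([...HEADER, ...TYPE_SEC, 0x03, 0x02, 0x01, 0x00, ...START_SEC, ...CODE_SEC]);
const GOOD_MODULE = Uint8Array.from([...HEADER, ...TYPE_SEC, 0x03, 0x02, 0x01, 0x01, ...START_SEC, ...CODE_SEC]);

for (const [name, m] of [["bad", BAD_MODULE], ["good", GOOD_MODULE]])
  console.log(name, checkStartFunction(m));
```

Run with any JavaScript engine (`node check-start.js`); the "bad" module is rejected with a reason naming the array type, the "good" one passes. The point of the design is that type-index resolution returns a tagged record and the caller inspects the tag, so a mismatch surfaces as a validation error rather than as an assertion in a lookup helper.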
Attachments
standalone poc (73.10 KB, text/javascript), 2024-12-18 02:18 PST, linjy01, no flags
Comment 1, Radar WebKit Bug Importer, 2024-12-25 02:19:12 PST
<rdar://problem/142021546>
Comment 2, Yusuke Suzuki, 2025-05-23 18:09:05 PDT
OK it is fixed in ToT.