[Webkit-unassigned] [Bug 179606] New: WebAssembly crash in UIWebView iOS 11

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Nov 13 01:56:15 PST 2017 

https://bugs.webkit.org/show_bug.cgi?id=179606

            Bug ID: 179606
           Summary: WebAssembly crash in UIWebView iOS 11
           Product: WebKit
           Version: Other
          Hardware: iPhone / iPad
                OS: iOS 11
            Status: NEW
          Severity: Major
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ljin.zq at gmail.com

Created attachment 326751

  --> https://bugs.webkit.org/attachment.cgi?id=326751&action=review

Bugfix Patch

iOS UIWebView's JavaScript runtime NOT allow to use  Assembler. 

It will crash when running  the following code in iOS 11:

UIWebView* webview = [[UIWebView alloc] init];
[webview stringByEvaluatingJavaScriptFromString:@"new WebAssembly.Memory({initial:10, maximum:100});"];


And the crash stack is :

Thread 60 name:
Thread 60 Crashed:
0   JavaScriptCore                      0x00000001895ef37c JSC::ExecutableAllocator::allocate(unsigned long, void*, JSC::JITCompilationEffort) + 644 (ExecutableAllocator.cpp:426)
1   JavaScriptCore                      0x00000001895ef37c JSC::ExecutableAllocator::allocate(unsigned long, void*, JSC::JITCompilationEffort) + 644 (ExecutableAllocator.cpp:426)
2   JavaScriptCore                      0x000000018983f6a8 JSC::LinkBuffer::allocate(JSC::MacroAssembler&, void*, JSC::JITCompilationEffort) + 256 (LinkBuffer.cpp:245)
3   JavaScriptCore                      0x000000018983edb4 void JSC::LinkBuffer::copyCompactAndLinkCode<unsigned int>(JSC::MacroAssembler&, void*, JSC::JITCompilationEffort) + 60 (LinkBuffer.cpp:101)
4   JavaScriptCore                      0x000000018983ecd4 JSC::LinkBuffer::linkCode(JSC::MacroAssembler&, void*, JSC::JITCompilationEffort) + 56 (LinkBuffer.cpp:221)
5   JavaScriptCore                      0x00000001899fa894 JSC::Wasm::throwExceptionFromWasmThunkGenerator(WTF::AbstractLocker const&) + 752 (LinkBuffer.h:89)
6   JavaScriptCore                      0x00000001899fadd4 JSC::Wasm::Thunks::stub(WTF::AbstractLocker const&, JSC::MacroAssemblerCodeRef (*)(WTF::AbstractLocker const&)) + 120 (WasmThunks.cpp:160)
7   JavaScriptCore                      0x00000001899fb190 JSC::Wasm::Thunks::stub(JSC::MacroAssemblerCodeRef (*)(WTF::AbstractLocker const&)) + 92 (WasmThunks.cpp:148)
8   JavaScriptCore                      0x00000001899e3a5c JSC::Wasm::Memory::create(JSC::VM&, JSC::Wasm::PageCount, JSC::Wasm::PageCount) + 96 (WasmMemory.cpp:381)
9   JavaScriptCore                      0x0000000189a1512c JSC::constructJSWebAssemblyMemory(JSC::ExecState*) + 1236 (WebAssemblyMemoryConstructor.cpp:99)
10  JavaScriptCore                      0x0000000189153a1c JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 440 (JSObject.h:1465)
11  JavaScriptCore                      0x0000000189853d14 llint_entry + 27908
12  JavaScriptCore                      0x000000018984ce40 vmEntryToJavaScript + 272
13  JavaScriptCore                      0x0000000189732948 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 136 (JITCode.cpp:81)
14  JavaScriptCore                      0x00000001897098dc JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 11244 (Interpreter.cpp:912)
15  JavaScriptCore                      0x00000001893fde7c JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 316 (Completion.cpp:103)
16  WebCore                             0x000000018b6c91f4 WebCore::WorkerScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::NakedPtr<JSC::Exception>&) + 152 (WorkerScriptController.cpp:127)
17  WebCore                             0x000000018b6c9100 WebCore::WorkerScriptController::evaluate(WebCore::ScriptSourceCode const&) + 44 (WorkerScriptController.cpp:109)
18  WebCore                             0x000000018b6cae48 WebCore::WorkerThread::workerThread() + 612 (WorkerThread.cpp:186)
19  JavaScriptCore                      0x0000000189121660 WTF::threadEntryPoint(void*) + 120 (Function.h:56)
20  JavaScriptCore                      0x00000001891215a0 WTF::wtfThreadEntryPoint(void*) + 84 (ThreadingPthreads.cpp:209)
21  libsystem_pthread.dylib             0x000000018241431c _pthread_body + 308 (pthread.c:740)
22  libsystem_pthread.dylib             0x00000001824141e8 _pthread_start + 312 (pthread.c:799)
23  libsystem_pthread.dylib             0x0000000182412c28 thread_start + 4



This is slightly similar to JIT, so I try to fix it with the Patch.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20171113/88ea7173/attachment-0001.html>

More information about the webkit-unassigned mailing list