[Webkit-unassigned] [Bug 186652] New: wasm unable to correctly handle the inconsistent of global entries

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 15 02:50:02 PDT 2018 

https://bugs.webkit.org/show_bug.cgi?id=186652

            Bug ID: 186652
           Summary: wasm unable to correctly handle the inconsistent of
                    global entries
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: dwfault at 163.com

Created attachment 342797

  --> https://bugs.webkit.org/attachment.cgi?id=342797&action=review

make debug version crash

WebKit WebAssembly cannot correctly handle the inconsistent of global entries. Tested on git commit 57ff755.

#0  0x00007ffff4d540cd in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:267
ALWAYS_INLINE JSValue::JSValue(EncodeAsDoubleTag, double d)
{
    ASSERT(!isImpureNaN(d));
    u.asInt64 = reinterpretDoubleToInt64(d) + DoubleEncodeOffset;
}
#1  0x00000000004948e7 in JSC::JSValue::JSValue (this=0x7fffffffb950, d=-nan(0xf000000000000)) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:503
#2  0x0000000000494141 in JSC::JSValue::JSValue (this=0x7fffffffbd60, d=-nan(0xf000000000000)) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:172

#3  0x00007ffff4c2ccf8 in JSC::WebAssemblyModuleRecord::link (this=0x62d0001f8000, exec=0x7fffffffc250, importObject=0x0, 
    creationMode=JSC::(anonymous namespace)::CreationMode::FromJS) at ../../Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:395
#4  0x00007ffff4bec4d7 in JSC::JSWebAssemblyInstance::finalizeCreation(JSC::VM &, JSC::ExecState *, <unknown type in /home/default/Desktop/webkit-57ff755-debug-asan/WebKitBuild/Debug/lib/libJavaScriptCore.so.1, CU 0x0, DIE 0x19868a>, JSC::JSObject *, JSC::(anonymous namespace)::CreationMode) (this=0x62d000220000, vm=..., exec=0x7fffffffc250, 
    wasmCodeBlock=<unknown type in /home/default/Desktop/webkit-57ff755-debug-asan/WebKitBuild/Debug/lib/libJavaScriptCore.so.1, CU 0x0, DIE 0x19868a>, importObject=0x0, 
    creationMode=JSC::(anonymous namespace)::CreationMode::FromJS) at ../../Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:133
#5  0x00007ffff4c1fc6d in JSC::constructJSWebAssemblyInstance (exec=0x7fffffffc250) at ../../Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp:83





file format wasm 0x1

Contents of section Type:
000000a: 0160 027f 7f01 7f                        .`.....

Contents of section Function:
0000013: 0100                                     ..

Contents of section Table:
0000017: 0170 0004                                .p..

Contents of section Global:
000001d: 057f 0041 2a0b 7d00 4300 0000 3f0b 7c00  ...A*.}.C...?.|.
000002d: 4400 0000 0000 00e0 3f0b 7d00 4300 00c0  D.......?.}.C...
000003d: 7f0b 7c00 [44][00 0000 0000 00ff] ff0b       ..|.D.........

Contents of section Export:
000004d: 0705 7461 626c 6501 0003 7375 6d00 0006  ..table...sum...
000005d: 616e 7377 6572 0300 0761 6e73 7765 7231  answer...answer1
000006d: 0301 0761 6e73 7765 7232 0302 0761 6e73  ...answer2...ans
000007d: 7765 7233 0303 0761 6e73 7765 7234 0304  wer3...answer4..

Contents of section Elem:
000008f: 0100 4100 0b01 00                        ..A....

Contents of section Code:
0000098: 0107 0020 0120 006a 0b                   ... . .j.



0x44 stands for type F64 while. 0xfffff00000000 is the initial value of the global variable that could not pass the handle logic.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180615/2ac12c27/attachment.html>

More information about the webkit-unassigned mailing list