[Webkit-unassigned] [Bug 202786] Wasm engine segmentation fault
bugzilla-daemon at webkit.org
Fri Nov 8 00:46:20 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=202786
--- Comment #9 from Jan M <mail at janmidtgaard.dk> ---
I've managed to reduce the example further:
(module
  (type $0 (func (result f32)))
  (global $0 i32 (i32.const 1))
  (func $0
    (type 0)
    (f32.const 0.0)
    (f32.const 0.0)
    (i32.const 0)
    (select)
    (loop (result f32) (f32.const 0.0) (global.get 0) (br_if 0))
    (drop)
  )
  (export "runf32" (func 0))
)
Basically it's a 'select' followed by an infinite loop that looks up a global.
The corresponding JS (also reduced):
let buffer = new Uint8Array([ 0,97,115,109,1,0,0,0,1,5,1,96,0,1,125,3,2,1,0,6,6,1,127,0,65,1,11,7,10,1,6,114,117,110,102,51,50,0,0,10,30,1,28,0,67,0,0,0,0,67,0,0,0,0,65,0,27,3,125,67,0,0,0,0,35,0,13,0,11,26,11 ]);
let m = new WebAssembly.Instance(new WebAssembly.Module(buffer));
m.exports.runf32();
This continues to segfault the nightly builds (from jsvu), tested with 252179 and 252135.
As mentioned, it doesn't segfault 249479 where it just runs an infinite loop, as expected.
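Added example, not part of the bug report or of WebKit's own code: a small section walker and single-function decoder for the byte array in the comment above, so a triager can confirm that the binary really is "select, then a loop that reads a global" and that its section sizes are in bounds before running it under an engine. It assumes only the bytes quoted in the comment; the section ids and opcode numbers are the ones defined by the WebAssembly binary format, and only the opcodes this module uses are given names.

```javascript
// Reproducer bytes copied from the bug comment (constructed by the reporter).
const REPRO = new Uint8Array([0,97,115,109,1,0,0,0,1,5,1,96,0,1,125,3,2,1,0,6,6,1,
  127,0,65,1,11,7,10,1,6,114,117,110,102,51,50,0,0,10,30,1,28,0,67,0,0,0,0,67,0,
  0,0,0,65,0,27,3,125,67,0,0,0,0,35,0,13,0,11,26,11]);
const SECTION = { 1: 'type', 3: 'function', 6: 'global', 7: 'export', 10: 'code' };
// Only the opcodes this module uses are named; anything else is shown as hex.
const OPCODE = { 0x03: 'loop', 0x0b: 'end', 0x0d: 'br_if', 0x1a: 'drop',
  0x1b: 'select', 0x23: 'global.get', 0x41: 'i32.const', 0x43: 'f32.const' };
const LEB_IMM = new Set([0x0d, 0x23, 0x41]);   // opcodes carrying one LEB128 immediate

// Unsigned LEB128 at pos; returns [value, bytesConsumed]. (i32.const is signed
// LEB128, but for the small non-negative values in this module the bytes decode the same.)
function readU32(bytes, pos) {
  let value = 0, shift = 0, n = 0, b;
  do { b = bytes[pos + n++]; value |= (b & 0x7f) << shift; shift += 7; } while (b & 0x80);
  return [value >>> 0, n];
}

// Section layout as [{id, name, offset, size}]; a size that overruns the buffer is rejected.
function sections(bytes) {
  if (String.fromCharCode(...bytes.slice(0, 4)) !== '\0asm') throw new Error('bad magic');
  const out = [];
  for (let pos = 8; pos < bytes.length; ) {
    const id = bytes[pos++], [size, n] = readU32(bytes, pos);
    pos += n;
    if (pos + size > bytes.length) throw new Error(`section ${id} overruns module`);
    out.push({ id, name: SECTION[id] || `unknown(${id})`, offset: pos, size });
    pos += size;
  }
  return out;
}

// Mnemonics of the first function in the code section. Immediates: f32.const is
// 4 raw bytes, loop one blocktype byte, the LEB_IMM opcodes one LEB128 value.
function firstFunctionOps(bytes) {
  const code = sections(bytes).find(s => s.name === 'code');
  let pos = code.offset;
  const next = () => { const [x, m] = readU32(bytes, pos); pos += m; return x; };
  next();                                          // function count (1 here)
  const size = next(), end = pos + size;           // body size, then body end
  for (let locals = next(); locals > 0; locals--) { next(); pos += 1; }  // skip (count, type) pairs
  const ops = [];
  while (pos < end) {
    const op = bytes[pos++], name = OPCODE[op] || `0x${op.toString(16)}`;
    if (op === 0x43) pos += 4;
    else if (op === 0x03) pos += 1;
    ops.push(LEB_IMM.has(op) ? `${name} ${next()}` : name);
  }
  return ops;
}
```

`firstFunctionOps(REPRO)` yields the same instruction sequence as the text-form module, and `sections(REPRO)` shows the five sections ending exactly at byte 71, which is what one wants to see before handing a crashing input to an engine.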