[Webkit-unassigned] [Bug 202786] New: Wasm engine segmentation fault

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 10 02:56:36 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=202786

            Bug ID: 202786
           Summary: Wasm engine segmentation fault
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: macOS 10.12
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mail at janmidtgaard.dk

Created attachment 380620

  --> https://bugs.webkit.org/attachment.cgi?id=380620&action=review

JS program illustrating the segfault

I'm running the prebuilt jsc binaries available through JSVU: https://github.com/GoogleChromeLabs/jsvu
specifically JavaScriptCore version: v250961.
from URL: https://s3-us-west-2.amazonaws.com/minified-archives.webkit.org/mac-highsierra-x86_64-release/250961.zip

Consider the following Wasm (wat) program:

(module
  (type $0 (func (result f32)))
  (memory $0 2 41_018)
  (global $0 i32 (i32.const -1_329_474_845))
  (func $0
    (type 0)
    (f64.const 0.0)
    (f64.const 0.0)
    (i32.const 0)
    (select)
    (loop (result f32) (f32.const 0.0) (global.get 0) (br_if 0))
    (f64.promote_f32)
    (f64.ne)
    (f32.load offset=0 align=1)
  )
  (export "runf32" (func 0))
)

If I translate it to wasm and inline it in a minimal JS-program that merely calls the exported function:

let importObject = { imports: { } };
let buffer = new Uint8Array([ 0,97,115,109,1,0,0,0,1,5,1,96,0,1,125,3,2,1,0,5,6,1,1,2,186,192,2,6,10,1,127,0,65,227,165,135,134,123,11,7,10,1,6,114,117,110,102,51,50,0,0,10,42,1,40,0,68,0,0,0,0,0,0,0,0,68,0,0,0,0,0,0,0,0,65,0,27,3,125,67,0,0,0,0,35,0,13,0,11,187,98,42,0,0,11 ]);

let m = new WebAssembly.Instance(new WebAssembly.Module(buffer), importObject);
m.exports.runf32();

I consistently segfault JavaScriptCore.
Compare with other JS/wasm engines:

$ timeout 10 v8 jscissue-min2.js 
$ timeout 10 sm jscissue-min2.js 
$ timeout 10 ch jscissue-min2.js 
$ jsc jscissue-min2.js 
/Users/jmid/.jsvu/jsc: line 2: 35687 Segmentation fault: 11  DYLD_FRAMEWORK_PATH="/Users/jmid/.jsvu/engines/javascriptcore" DYLD_LIBRARY_PATH="/Users/jmid/.jsvu/engines/javascriptcore" "/Users/jmid/.jsvu/engines/javascriptcore/javascriptcore" "$@"
$ 

The program is just an infinite loop when interpreted correctly, so the other engines are run with a timeout of 10 sec.

Running from a Linux Docker image I experience the same behaviour (again jsc installed through jsvu):
$ jsc jscissue-min2.js 
Segmentation fault
$ uname -a
Linux 496d66cd2709 4.9.125-linuxkit #1 SMP Fri Sep 7 08:20:28 UTC 2018 x86_64 GNU/Linux
$ 

Interestingly, when I tried to constant-fold the (select) from the beginning the error does trigger.
This was also the case for me if I turn the global look-up inside the loop into an equivalent i32.const.
These suggest that it may be some pattern matching optimization that is faulty.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191010/15ec5907/attachment.html>

More information about the webkit-unassigned mailing list