[Webkit-unassigned] [Bug 239588] New: Assertion failure crash on Wasm ref.func use in global

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 20 21:43:30 PDT 2022 

https://bugs.webkit.org/show_bug.cgi?id=239588

            Bug ID: 239588
           Summary: Assertion failure crash on Wasm ref.func use in global
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: asumu at igalia.com

Running the following Wasm program in JSC causes a crash due to an assertion failure:

```
function module(bytes, valid = true) {
  let buffer = new ArrayBuffer(bytes.length);
  let view = new Uint8Array(buffer);
  for (let i = 0; i < bytes.length; ++i) {
    view[i] = bytes.charCodeAt(i);
  }
  return new WebAssembly.Module(buffer);
}

//  (module
//    (type (func))
//    (global funcref (ref.func 0))
//    (func (type 0)))
new WebAssembly.Instance(module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x06\x06\x01\x70\x00\xd2\x00\x0b\x0a\x04\x01\x02\x00\x0b"));
```

The crashing invocation and result:

```
$ ~/WebKit/WebKitBuild/GTK/Release/bin/jsc foo.js
1   0x7f16de19e349 WTFCrash
2   0x7f16de10178d /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x184a78d) [0x7f16de10178d]
3   0x7f16de1022ce /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x184b2ce) [0x7f16de1022ce]
4   0x7f16de0d98ad /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x18228ad) [0x7f16de0d98ad]
5   0x7f16de0efcbc /app/webkit/WebKitBuild/Release/lib/libjavascriptcoregtk-4.1.so.0(+0x1838cbc) [0x7f16de0efcbc]
6   0x7f1698fff0c7 [0x7f1698fff0c7]
Segmentation fault (core dumped)
```

The crash seems to be in `CalleeGroup::embedderEntrypointCalleeFromFunctionIndexSpace` line 86 where there is a `RELEASE_ASSERT(callee);` but the `callee` is uninitialized for some reason.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220421/08ab7e32/attachment.htm>

More information about the webkit-unassigned mailing list