[Webkit-unassigned] [Bug 265927] New: Aborted in JSC::Wasm::SectionParser::parseTableHelper (this=this@entry=0x7fffffffdae0, isImport=144) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:329
bugzilla-daemon at webkit.org
Tue Dec 5 21:24:47 PST 2023
https://bugs.webkit.org/show_bug.cgi?id=265927
Bug ID: 265927
Summary: Aborted in JSC::Wasm::SectionParser::parseTableHelper (this=this@entry=0x7fffffffdae0, isImport=144) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:329
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebAssembly
Assignee: webkit-unassigned at lists.webkit.org
Reporter: xiangwei1895 at gmail.com
## JavaScriptCore Version
4425cc9b8d966cab3215732b6ae7449d51c713eb
## Build
Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64)
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'"
## Testcase and Execution steps
```
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,150,128,128,128,0,4,80,0,95,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,3,130,128,128,128,0,1,2,4,150,128,128,128,0,2,64,0,112,1,1,25,208,112,11,64,0,107,106,1,0,0,65,0,251,32,11,5,132,128,128,128,0,1,1,16,32,13,133,128,128,128,0,2,0,3,0,3,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,138,128,128,128,0,1,8,0,65,203,144,170,207,1,11]);
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
f();
```
./bin/jsc --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true testcase.js
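To see what the testcase actually hands to the table-section parser named in the summary, here is an added Python decoder (not part of the report): it splits the module into its sections and decodes the table section. Section ids, LEB128 sizes and the `0x40 0x00` table-with-initializer form follow the wasm spec and the function-references proposal; reftype bytes other than funcref (0x70) and externref (0x6F) are returned raw rather than named, since their meaning depends on which GC encoding revision the engine build implements (an assumption this helper makes explicit instead of guessing).

```python
# Added example, not from the report: decode the testcase's sections and table section.
TESTCASE = bytes([0,97,115,109,1,0,0,0,1,150,128,128,128,0,4,80,0,95,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,3,130,128,128,128,0,1,2,4,150,128,128,128,0,2,64,0,112,1,1,25,208,112,11,64,0,107,106,1,0,0,65,0,251,32,11,5,132,128,128,128,0,1,1,16,32,13,133,128,128,128,0,2,0,3,0,3,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,138,128,128,128,0,1,8,0,65,203,144,170,207,1,11])

def read_u32(buf, pos):
    """Unsigned LEB128 decode; returns (value, next_pos)."""
    value = shift = 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def split_sections(module):
    """Return [(section_id, payload), ...]; each section is id, LEB128 size, payload."""
    assert module[:8] == b"\x00asm\x01\x00\x00\x00", "bad wasm header"
    pos, sections = 8, []
    while pos < len(module):
        sid = module[pos]
        size, pos = read_u32(module, pos + 1)
        sections.append((sid, module[pos:pos + size]))
        pos += size
    return sections

def parse_table_section(payload):
    """Decode table entries. 0x40 0x00 prefix = table with init expression (function-references).
    Assumption: only funcref/externref are named; other reftype bytes are returned raw (GC encoding varies)."""
    count, pos = read_u32(payload, 0)
    tables = []
    for _ in range(count):
        has_init = payload[pos:pos + 2] == b"\x40\x00"
        if has_init:
            pos += 2
        reftype, pos = payload[pos], pos + 1
        if reftype not in (0x70, 0x6F):
            tables.append({"init": has_init, "reftype": reftype, "raw_rest": payload[pos:]})
            break
        flags, pos = payload[pos], pos + 1          # limits flag: bit 0 = has max
        lo, pos = read_u32(payload, pos)
        hi, init = None, None
        if flags & 1:
            hi, pos = read_u32(payload, pos)
        if has_init:
            end = payload.index(0x0B, pos)          # first 'end' opcode; sufficient for this module
            init, pos = payload[pos:end + 1], end + 1
        tables.append({"init": has_init, "reftype": reftype, "min": lo, "max": hi, "init_expr": init})
    return tables

if __name__ == "__main__":
    print(parse_table_section(dict(split_sections(TESTCASE))[4]))
```

Running it shows both tables use the initializer form; the first is a funcref table with limits 1..25 initialised by `ref.null func`, the second carries reftype byte 0x6B followed by a GC-proposal initializer, which is the path that reaches parseTableHelper.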
## Output
Aborted (core dumped)
## Backtrace
```
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737258203072) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737258203072) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737258203072, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff24c9476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff24af7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff51b32ea in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:778
#6  0x00007ffff7769fa2 in JSC::Wasm::SectionParser::parseTableHelper (this=this@entry=0x7fffffffdae0, isImport=144) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:329
#7  0x00007ffff776ec1d in JSC::Wasm::SectionParser::parseTable (this=0x7fffffffdae0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:345
#8  0x00007ffff77a1cc5 in JSC::Wasm::StreamingParser::parseSectionPayload (this=this@entry=0x7fffe8061480, data=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:197
#9  0x00007ffff77a2f80 in JSC::Wasm::StreamingParser::addBytes (this=0x7fffe8061480, bytes=0x7fffe800b1a0 "", bytesSize=140, isEndOfStream=<optimized out>)
    smStreamingParser.cpp:342
#10 0x00007ffff7516f43 in JSC::Wasm::StreamingParser::addBytes (this=0x7fffe8061480, bytes=0x7fffe800b1a0 "", length=140) at /home/WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.h:81
#11 JSC::Wasm::EntryPlan::parseAndValidateModule (this=0x7fffe8061400, source=0x7fffe800b1a0 "", sourceLength=140) at /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:91
#12 0x00007ffff764e3fa in JSC::Wasm::LLIntPlan::LLIntPlan(JSC::VM&, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&, JSC::Wasm::CompilerMode, WTF::RefPtr<WTF::SharedTask<void (JSC::Wasm::Plan&)>, WTF::RawPtrTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> >, WTF::DefaultRefDerefTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> > >&&) (this=0x7fffe8061400, vm=..., source=..., compilerMode=<optimized out>, task=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:49
#13 0x00007ffff76597ee in JSC::Wasm::Module::validateSync (vm=..., source=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmModule.cpp:98
```