[Webkit-unassigned] [Bug 258126] New: [WASM] ASSERTION FAILED: !tmp.type().isV128() in JSC::Wasm::AirIRGenerator64::emitTailCallPatchpoint

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 15 06:14:56 PDT 2023 

https://bugs.webkit.org/show_bug.cgi?id=258126

            Bug ID: 258126
           Summary: [WASM] ASSERTION FAILED: !tmp.type().isV128() in
                    JSC::Wasm::AirIRGenerator64::emitTailCallPatchpoint
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cz18811105578 at gmail.com

Created attachment 466699

  --> https://bugs.webkit.org/attachment.cgi?id=466699&action=review

Reproducible poc

Commit: fa9df2d4f442ce1c83aa934ce603fd3ce303aff0
Flags:  --useWebAssemblyTypedFunctionReferences=true --useWebAssemblyGC=true 

Backtrace:
* thread #3, name = 't Helper Thread', stop reason = signal SIGABRT
  * frame #0: 0x00007ffff5aca00b libc.so.6`raise + 203
    frame #1: 0x00007ffff5aa9859 libc.so.6`abort + 299
    frame #2: 0x00005555561c679a jsc`WTFCrashWithInfo((null)=2217, (null)="../../Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp", (null)="CallPatchpointData JSC::Wasm::AirIRGenerator64::emitTailCallPatchpoint(BasicBlock *, const Checked<int32_t> &, const Vector<ArgumentLocation> &, const Vector<TypedTmp> &, Vector<ConstrainedTmp>)", (null)=2874) at Assertions.h:762:5
    frame #3: 0x0000555557726055 jsc`JSC::Wasm::AirIRGenerator64::emitTailCallPatchpoint(this=0x00007fffa92771c0, block=0x00007fffec294300, tailCallStackOffsetFromFP=0x00007fffa927372c, constrainedArgLocations=0x00007fffa9273868, tmpArgs=0x00007fffa9273b70, patchArgs=Vector<JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::ConstrainedTmp, 0UL, WTF::CrashOnOverflow, 16UL, WTF::FastMalloc> @ 0x00007fffa9273820) at WasmAirIRGenerator64.cpp:2217:9
    frame #4: 0x000055555779f916 jsc`JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::emitIndirectCall(this=0x00007fffa92771c0, calleeInstance=TypedTmp @ 0x00007fffa92738e0, calleeCode=TypedTmp @ 0x00007fffa92738f8, jsCalleeAnchor=TypedTmp @ 0x00007fffa9273910, signature=0x00007fffec090240, args=0x00007fffa9273b70, results=0x00007fffa9273f20, callType=TailCall) at WasmAirIRGeneratorBase.h:3833:28
    frame #5: 0x0000555557778b00 jsc`JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::addCallIndirect(this=0x00007fffa92771c0, tableIndex=<unavailable>, originalSignature=0x00007fffec090240, args=0x00007fffa9273b70, results=0x00007fffa9273f20, callType=TailCall) at WasmAirIRGeneratorBase.h:3738:19
    frame #6: 0x000055555774eba2 jsc`JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseExpression(this=0x00007fffa92772f8) at WasmFunctionParser.h:2534:13
    frame #7: 0x0000555557742a1b jsc`JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseBody(this=0x00007fffa92772f8) at WasmFunctionParser.h:365:13
    frame #8: 0x0000555557741f2c jsc`JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parse(this=0x00007fffa92772f8) at WasmFunctionParser.h:336:5
    frame #9: 0x0000555557730f6c jsc`std::experimental::fundamentals_v3::expected<std::unique_ptr<JSC::Wasm::InternalFunction, std::default_delete<JSC::Wasm::InternalFunction> >, WTF::String> JSC::Wasm::parseAndCompileAirImpl<JSC::Wasm::AirIRGenerator64>(compilationContext=0x00007fffa927dd30, callee=0x00007fffec2780e0, function=0x00007fffec008f40, signature=0x00007fffec030b00, unlinkedWasmToWasmCalls=0x00007fffa927dca0, info=<unavailable>, mode=<unavailable>, functionIndex=<unavailable>, hasExceptionHandlers=<unavailable>, tierUp=<unavailable>) at WasmAirIRGeneratorBase.h:3956:5
    frame #10: 0x0000555557727829 jsc`JSC::Wasm::parseAndCompileAir(compilationContext=0x00007fffa927dd30, callee=0x00007fffec2780e0, function=0x00007fffec008f40, signature=0x00007fffec030b00, unlinkedWasmToWasmCalls=0x00007fffa927dca0, info=<unavailable>, mode=<unavailable>, functionIndex=<unavailable>, hasExceptionHandlers=<unavailable>, tierUp=<unavailable>) at WasmAirIRGenerator64.cpp:2664:12
    frame #11: 0x0000555557612d1a jsc`JSC::Wasm::BBQPlan::compileFunction(this=0x0000000000000001, functionIndex=0, callee=0x00007fffec2780e0, context=0x00007fffa927dd30, unlinkedWasmToWasmCalls=0x00007fffa927dca0, tierUp=<unavailable>) at WasmBBQPlan.cpp:305:33
    frame #12: 0x0000555557611963 jsc`JSC::Wasm::BBQPlan::work(this=0x00007fffec07c210, effort=<unavailable>) at WasmBBQPlan.cpp:184:50
    frame #13: 0x0000555557884123 jsc`JSC::Wasm::Worklist::Thread::work(this=0x00007fffec027010) at WasmWorklist.cpp:111:15
    frame #14: 0x00005555579aad32 jsc`WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() at AutomaticThread.cpp:229:37
    frame #15: 0x00005555579aaa39 jsc`WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call(this=<unavailable>) at Function.h:53:39
    frame #16: 0x00005555579d463f jsc`WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) [inlined] WTF::Function<void ()>::operator()() const at Function.h:82:35
    frame #17: 0x00005555579d462d jsc`WTF::Thread::entryPoint(newThreadContext=<unavailable>) at Threading.cpp:250:5
    frame #18: 0x0000555557a4ca56 jsc`WTF::wtfThreadEntryPoint(context=<unavailable>) at ThreadingPOSIX.cpp:242:5
    frame #19: 0x00007ffff5fd9609 libpthread.so.0`start_thread(arg=<unavailable>) at pthread_create.c:477:8
    frame #20: 0x00007ffff5ba6133 libc.so.6`__clone + 67

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230615/73cf8ed5/attachment.htm>

More information about the webkit-unassigned mailing list