[Webkit-unassigned] [Bug 258127] New: [WASM] SHOULD NEVER BE REACHED in JSC::Wasm::typeKindSizeInBytes(TypeKind)

bugzilla-daemon at webkit.org
Thu Jun 15 06:18:53 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=258127

            Bug ID: 258127
           Summary: [WASM] SHOULD NEVER BE REACHED in
                    JSC::Wasm::typeKindSizeInBytes(TypeKind)
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cz18811105578 at gmail.com

Commit: fa9df2d4f442ce1c83aa934ce603fd3ce303aff0
Flags:  --useWebAssemblyGC=true

PoC:
```javascript
// Module bytes from the report; run jsc with --useWebAssemblyGC=true, since the
// type section declares a struct type (see parseStructType in the backtrace).
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,173,128,128,128,0,7,80,0,95,3,123,0,127,0,127,0,80,0,94,127,1,80,0,94,127,1,80,0,96,3,127,127,127,1,127,80,0,96,0,0,80,0,96,0,0,80,0,96,0,0,3,133,128,128,128,0,4,3,4,5,6,4,133,128,128,128,0,1,112,1,4,4,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,148,128,128,128,0,1,6,0,65,0,11,112,4,210,0,11,210,1,11,210,2,11,210,3,11,10,147,128,128,128,0,4,8,0,65,138,205,191,249,3,11,2,0,11,2,0,11,2,0,11]);
// Compiling the module already reaches the assertion (frame #14 in the
// backtrace, WebAssemblyModuleConstructor::createModule); the lines below never run.
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
f();
```

Backtrace:
* thread #1, name = 'jsc', stop reason = signal SIGABRT
  * frame #0: 0x00007ffff5aca00b libc.so.6`raise + 203
    frame #1: 0x00007ffff5aa9859 libc.so.6`abort + 299
    frame #2: 0x00005555561c679a jsc`WTFCrashWithInfo((null)=311, (null)="../../Source/JavaScriptCore/wasm/WasmTypeDefinition.h", (null)="size_t JSC::Wasm::typeKindSizeInBytes(TypeKind)", (null)=2203) at Assertions.h:762:5
    frame #3: 0x0000555557846899 jsc`JSC::Wasm::SectionParser::parseStructType(unsigned int, WTF::RefPtr<JSC::Wasm::TypeDefinition, WTF::RawPtrTraits<JSC::Wasm::TypeDefinition>, WTF::DefaultRefDerefTraits<JSC::Wasm::TypeDefinition> >&) [inlined] JSC::Wasm::typeKindSizeInBytes(JSC::Wasm::TypeKind) at WasmTypeDefinition.h:311:5
    frame #4: 0x0000555557846864 jsc`JSC::Wasm::SectionParser::parseStructType(unsigned int, WTF::RefPtr<JSC::Wasm::TypeDefinition, WTF::RawPtrTraits<JSC::Wasm::TypeDefinition>, WTF::DefaultRefDerefTraits<JSC::Wasm::TypeDefinition> >&) [inlined] JSC::Wasm::typeSizeInBytes(storageType=<unavailable>) at WasmTypeDefinition.h:482:12
    frame #5: 0x0000555557846864 jsc`JSC::Wasm::SectionParser::parseStructType(this=0x0000555555a931db, position=<unavailable>, structType=<unavailable>) at WasmSectionParser.cpp:859:38
    frame #6: 0x0000555557847ea4 jsc`JSC::Wasm::SectionParser::parseSubtype(this=0x00007fffffffd5e0, position=0, subtype=0x00007fffffffd550, recursionGroupTypes=0x00007fffffffd530) at WasmSectionParser.cpp:1070:9
    frame #7: 0x0000555557845375 jsc`JSC::Wasm::SectionParser::parseType(this=0x00007fffffffd5e0) at WasmSectionParser.cpp:92:13
    frame #8: 0x000055555785a3ef jsc`JSC::Wasm::StreamingParser::parseSectionPayload(this=0x00007fffec07fe70, data=0x00007fffffffd650) at WasmStreamingParser.cpp:197:5
    frame #9: 0x000055555785ad53 jsc`JSC::Wasm::StreamingParser::addBytes(this=0x00007fffec07fe70, bytes="", bytesSize=165, isEndOfStream=<unavailable>) at WasmStreamingParser.cpp:344:23
    frame #10: 0x00005555577a8ec6 jsc`JSC::Wasm::EntryPlan::parseAndValidateModule(unsigned char const*, unsigned long) [inlined] JSC::Wasm::StreamingParser::addBytes(this=0x00007fffec07fe70, bytes="", length=165) at WasmStreamingParser.h:81:66
    frame #11: 0x00005555577a8eb6 jsc`JSC::Wasm::EntryPlan::parseAndValidateModule(this=0x00007fffec07fde0, source="", sourceLength=165) at WasmEntryPlan.cpp:91:23
    frame #12: 0x00005555577be62c jsc`JSC::Wasm::LLIntPlan::LLIntPlan(this=0x00007fffec07fde0, vm=<unavailable>, source=<unavailable>, compilerMode=<unavailable>, task=<unavailable>)>, WTF::RawPtrTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> >, WTF::DefaultRefDerefTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> > >&&) at WasmLLIntPlan.cpp:49:9
    frame #13: 0x000055555782f5ed jsc`JSC::Wasm::Module::validateSync(vm=0x00007fffaa000000, source=0x00007fffffffd878) at WasmModule.cpp:70:41
    frame #14: 0x00005555578afe76 jsc`JSC::WebAssemblyModuleConstructor::createModule(globalObject=0x00007fffaa41a068, callFrame=0x00007fffffffd900, buffer=0x00007fffffffd878) at WebAssemblyModuleConstructor.cpp:188:5
    frame #15: 0x00005555578b03c4 jsc`JSC::constructJSWebAssemblyModule(globalObject=0x00007fffaa41a068, callFrame=0x00007fffffffd900) at WebAssemblyModuleConstructor.cpp:169:5
    frame #16: 0x00007fffab2800c7
    frame #17: 0x00005555563aa945 jsc`js_trampoline_op_construct + 23
    frame #18: 0x00005555563886fc jsc`vmEntryToJavaScript + 259
    frame #19: 0x0000555556efb31b jsc`JSC::Interpreter::executeProgram(this=0x00007fffaa00dd00, source=<unavailable>, (null)=<unavailable>, thisObj=0x00007fffec003a28) at Interpreter.cpp:1025:28
    frame #20: 0x00005555571b994f jsc`JSC::evaluate(globalObject=0x00007fffaa41a068, source=0x00007fffffffdeb0, thisValue=JSValue @ 0x00007fffffffdd88, returnedException=0x00007fffffffdf38) at Completion.cpp:137:37
    frame #21: 0x000055555619f794 jsc`jscmain(int, char**) at jsc.cpp:3478:35
    frame #22: 0x000055555619ea84 jsc`jscmain(int, char**) [inlined] jscmain(globalObject=0x00007fffaa41a068, success=0x00007fffffffde57)::$_0::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:4058:13
    frame #23: 0x000055555619ea77 jsc`jscmain(int, char**) at jsc.cpp:3869:9
    frame #24: 0x000055555619e8de jsc`jscmain(argc=3, argv=0x00007fffffffe1b8) at jsc.cpp:4051:18
    frame #25: 0x000055555619e525 jsc`main(argc=3, argv=0x00007fffffffe1b8) at jsc.cpp:3252:15
    frame #26: 0x00007ffff5aab083 libc.so.6`__libc_start_main + 243
    frame #27: 0x000055555619aace jsc`_start + 46
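
Added here as a triage aid, not part of the report: a small decoder for the module's type section, assuming the WasmGC binary encoding JSC accepted at the time (0x50 sub, 0x5F struct, 0x5E array, 0x60 func) and handling only the numeric and packed field types the PoC uses. Run on the PoC bytes, it shows that the definition parseSubtype(position=0) hands to parseStructType in frames #5-#6 is a struct whose first field has type v128, which is consistent with typeSizeInBytes reaching the unhandled case in typeKindSizeInBytes.

```javascript
// Added example, not from the bug report: decode the PoC module's type section so a
// triager sees which definition parseStructType was handed. Encoding assumed as above.
const POC_BYTES = new Uint8Array([0,97,115,109,1,0,0,0,1,173,128,128,128,0,7,80,0,95,3,123,0,127,0,127,0,80,0,94,127,1,80,0,94,127,1,80,0,96,3,127,127,127,1,127,80,0,96,0,0,80,0,96,0,0,80,0,96,0,0,3,133,128,128,128,0,4,3,4,5,6,4,133,128,128,128,0,1,112,1,4,4,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,4,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,148,128,128,128,0,1,6,0,65,0,11,112,4,210,0,11,210,1,11,210,2,11,210,3,11,10,147,128,128,128,0,4,8,0,65,138,205,191,249,3,11,2,0,11,2,0,11,2,0,11]); // copied from the PoC
const VALTYPE = { 0x7f: "i32", 0x7e: "i64", 0x7d: "f32", 0x7c: "f64",
                  0x7b: "v128", 0x78: "i8", 0x77: "i16" };   // numeric + packed types only
function readLEB(bytes, pos) {                    // unsigned LEB128 -> [value, nextPos]
  let result = 0, shift = 0, b;
  do { b = bytes[pos++]; result |= (b & 0x7f) << shift; shift += 7; } while (b & 0x80);
  return [result >>> 0, pos];
}
function valType(b) {
  if (!(b in VALTYPE)) throw new Error(`unsupported value type 0x${b.toString(16)}`);
  return VALTYPE[b];
}

// One descriptor per definition in the type section (id 1); [] if the section is absent.
function decodeTypeSection(bytes) {
  let pos = 8;                                    // skip "\0asm" magic and version
  while (pos < bytes.length) {
    const id = bytes[pos++];
    let size; [size, pos] = readLEB(bytes, pos);
    if (id !== 1) { pos += size; continue; }
    const types = [];
    let count; [count, pos] = readLEB(bytes, pos);
    for (let i = 0; i < count; i++) {
      if (bytes[pos] === 0x50) {                  // sub: vec(typeidx) precedes the composite type
        let supers; [supers, pos] = readLEB(bytes, pos + 1);
        while (supers-- > 0) pos = readLEB(bytes, pos)[1];
      }
      const form = bytes[pos++];
      if (form === 0x5f) {                        // struct: vec(valtype mut)
        let n; [n, pos] = readLEB(bytes, pos);
        const fields = [];
        for (let j = 0; j < n; j++) fields.push({ type: valType(bytes[pos++]), mutable: bytes[pos++] === 1 });
        types.push({ kind: "struct", fields });
      } else if (form === 0x5e) {                 // array: one valtype mut
        types.push({ kind: "array", element: { type: valType(bytes[pos++]), mutable: bytes[pos++] === 1 } });
      } else if (form === 0x60) {                 // func: vec(valtype) params, vec(valtype) results
        let np; [np, pos] = readLEB(bytes, pos);
        const params = []; for (let j = 0; j < np; j++) params.push(valType(bytes[pos++]));
        let nr; [nr, pos] = readLEB(bytes, pos);
        const results = []; for (let j = 0; j < nr; j++) results.push(valType(bytes[pos++]));
        types.push({ kind: "func", params, results });
      } else throw new Error(`unknown type form 0x${form.toString(16)}`);
    }
    return types;
  }
  return [];
}
```

`decodeTypeSection(POC_BYTES)[0]` yields `{ kind: "struct", fields: [{ type: "v128", mutable: false }, { type: "i32", mutable: false }, { type: "i32", mutable: false }] }`.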
