[Webkit-unassigned] [Bug 258499] New: JavaScriptCore Aborted at Source/JavaScriptCore/wasm/WasmFunctionParser.h:1960

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Jun 25 07:41:32 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=258499

            Bug ID: 258499
           Summary: JavaScriptCore Aborted at
                    Source/JavaScriptCore/wasm/WasmFunctionParser.h:1960
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: xiangwei1895 at gmail.com

## JavaScriptCore Version
1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81

## Build 
Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64)
./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'"

## Testcase and execution steps

```
// Raw bytes of the WebAssembly module that reproduces the abort on the build
// described above. The byte sequence is the reproducer itself: keep it exactly
// as is, since any change may steer parsing away from the faulting path.
var buffer = new Uint8Array([0,97,115,109,1,0,0,0,1,150,128,128,128,0,4,80,0,95,0,80,0,94,127,1,80,0,96,3,127,127,127,1,127,96,0,0,3,130,128,128,128,0,1,2,4,133,128,128,128,0,1,112,1,1,1,5,132,128,128,128,0,1,1,16,32,13,131,128,128,128,0,1,0,3,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,169,128,128,128,0,1,39,0,65,155,156,226,160,125,65,223,213,167,111,65,175,127,71,109,65,166,141,228,182,122,65,205,0,71,65,20,111,251,27,1,65,51,251,19,1,11]);
// Compiling the module is sufficient; the testcase never instantiates or calls
// it. Per the backtrace, the compile worker thread reaches
// FunctionParser::parseExpression (WasmFunctionParser.h:1960), which calls
// std::optional<unsigned int>::value() on an empty optional; the resulting
// bad_optional_access is turned into abort(). In this trace the ASan build
// reports no memory error first, so the observed failure is an unchecked
// optional in the parser (a crash/DoS on attacker-supplied bytes) rather than a
// sanitizer-detected memory fault. Run with --useWebAssemblyGC=true (see above).
var module = new WebAssembly.Module(buffer);
```
./bin/jsc  --useWebAssemblyGC=true testcase.js

## Output
Aborted

## Backtrace

#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140735915472448) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140735915472448) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140735915472448, signo=signo at entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007fffed881476 in __GI_raise (sig=sig at entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007fffed8677f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff0eebffb in std::__throw_bad_optional_access () at /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/optional:102
#6  0x00007ffff4f55558 in std::optional<unsigned int>::value() const & (this=<optimized out>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/optional:952
#7  JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this at entry=0x7fffa23f6c40) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:1960
#8  0x00007ffff4eece8e in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this at entry=0x7fffa23f6c40) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:365
#9  0x00007ffff4ecd434 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this at entry=0x7fffa23f6c40) at /home/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:336
#10 0x00007ffff4e85c3a in JSC::Wasm::parseAndCompileBytecode (functionStart=<optimized out>, functionLength=<optimized out>, signature=..., info=..., functionIndex=0)
    at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:580
#11 0x00007ffff4ebf4ac in JSC::Wasm::LLIntPlan::compileFunction (this=0x615000017f00, functionIndex=0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:89
#12 0x00007ffff4e73891 in JSC::Wasm::EntryPlan::compileFunctions (this=0x615000017f00, effort=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:218
#13 0x00007ffff5101ad1 in JSC::Wasm::Worklist::Thread::work (this=0x6070000042a0) at /home/WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:111
#14 0x00007ffff55ddfa1 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/AutomaticThread.cpp:229
#15 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:53
#16 0x00007ffff56994c6 in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /home/WebKit/Source/WTF/wtf/Function.h:82
#17 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at /home/WebKit/Source/WTF/wtf/Threading.cpp:250
#18 0x00007ffff58377a6 in WTF::wtfThreadEntryPoint (context=0x6180) at /home/WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:242
#19 0x00007fffed8d3b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#20 0x00007fffed965a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
