[Webkit-unassigned] [Bug 278113] New: REGRESSION(2.44.3): WebProcess crash on WASM/Unity demo

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 14 10:09:12 PDT 2024 

https://bugs.webkit.org/show_bug.cgi?id=278113

            Bug ID: 278113
           Summary: REGRESSION(2.44.3): WebProcess crash on WASM/Unity
                    demo
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKitGTK
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jmason at ibinx.com
                CC: bugs-noreply at webkitgtk.org

This is bifurcated from Bug #278090.

In 2.44.3, running the Unity Tanks demo https://www.wasm.com.cn/demo/Tanks/ crashes the WebProcess.  Backtrace follows below.  Note that Adrian encounters a similar issue with the Arch Linux package (see Bug 278090 Comment 2)

The Tanks demo works fine in 2.44.2 and @main.

I have confirmed that reverting commit 279c9d7 at webkitglib/2.44 (Bug #271175) clears the issue.  Note that this code is also present in @main and works fine there.  Perhaps there is some later commit or dependency that is also needed to support the change.



Thread 38 received signal SIGABRT, Aborted.
[Switching to Thread 32 (LWP 32)]
0x00007ffc0b9711aa in __lwp_sigqueue () from /lib/64/libc.so.1
(gdb) bt
#0  0x00007ffc0b9711aa in __lwp_sigqueue () at /lib/64/libc.so.1
#1  0x00007ffc0b9657c1 in thr_kill () at /lib/64/libc.so.1
#2  0x00007ffc0b913d09 in raise () at /lib/64/libc.so.1
#3  0x00007ffc0b8e8df2 in abort () at /lib/64/libc.so.1
#4  0x00007ffc038bb2fb in  () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#5  0x00007ffc0491b2c7 in  () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#6  0x00007ffc049b8294 in JSC::Wasm::BBQJITImpl::BBQJIT::emitMoveMemory(JSC::Wasm::TypeKind, JSC::Wasm::BBQJITImpl::BBQJIT::Location, JSC::Wasm::BBQJITImpl::BBQJIT::Location) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#7  0x00007ffc04947d16 in void JSC::Wasm::BBQJITImpl::BBQJIT::returnValuesFromCall<8ul>(WTF::Vector<JSC::Wasm::BBQJITImpl::BBQJIT::Value, 8ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::FunctionSignature const&, JSC::Wasm::CallInformation const&) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#8  0x00007ffc0493b709 in JSC::Wasm::BBQJITImpl::BBQJIT::addCall(unsigned int, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::BBQJITImpl::BBQJIT::Value, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WTF::Vector<JSC::Wasm::BBQJITImpl::BBQJIT::Value, 8ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::CallLinkInfoBase::CallType) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#9  0x00007ffc04963cd1 in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parseExpression() () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#10 0x00007ffc049557cb in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parseBody() () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#11 0x00007ffc04948820 in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parse() () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#12 0x00007ffc0493d907 in JSC::Wasm::parseAndCompileBBQ(JSC::Wasm::CompilationContext&, JSC::Wasm::BBQCallee&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, unsigned int, std::__1::optional<bool>, unsigned int, JSC::Wasm::TierUpCount*) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#13 0x00007ffc049f6a9b in JSC::Wasm::BBQPlan::compileFunction(unsigned int, JSC::Wasm::BBQCallee&, JSC::Wasm::CompilationContext&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::TierUpCount*) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#14 0x00007ffc049f5c21 in JSC::Wasm::BBQPlan::work(JSC::Wasm::Plan::CompilationEffort) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#15 0x00007ffc04bd3da6 in JSC::Wasm::Worklist::Thread::work() () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#16 0x00007ffc04ccd1b4 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#17 0x00007ffc04cf7066 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#18 0x00007ffc04d59769 in WTF::wtfThreadEntryPoint(void*) () at /usr/lib/64/libjavascriptcoregtk-4.1.so.0
#19 0x00007ffc0b967ba9 in _thrp_setup () at /lib/64/libc.so.1
#20 0x00007ffc0b967e50 in _lwp_start () at /lib/64/libc.so.1
#21 0x0000000000000000 in  ()

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240814/6722bc66/attachment-0001.htm>

More information about the webkit-unassigned mailing list