[Webkit-unassigned] [Bug 284159] New: WebAssembly execution assertion error in BBQJIT::allocateWithHint
bugzilla-daemon at webkit.org
Fri Dec 6 05:40:48 PST 2024
https://bugs.webkit.org/show_bug.cgi?id=284159
Bug ID: 284159
Summary: WebAssembly execution assertion error in BBQJIT::allocateWithHint
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: New Bugs
Assignee: webkit-unassigned at lists.webkit.org
Reporter: linjy01 at connect.hku.hk
Created attachment 473483
--> https://bugs.webkit.org/attachment.cgi?id=473483&action=review
standalone poc
WebKit Commit id: fc785d01b89ffc35cfd2df81c3f81dc541404a6f (Dec 6 2024)
# Reproduction:
build: `./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS='-O3 -lrt'"`
run: `./WebKitBuild/JSCOnly/Debug/bin/jsc ./poc.js`
# POC
```
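// Reproducer: build a one-function wasm module with wasm-module-builder.js
// and run its exported entry point. On a debug jsc build this reaches the
// `signature.is<FunctionSignature>()` assertion reported in the Output
// section (BBQJIT::allocateWithHint, reached from addSelect).
//
// The helper script is expected to provide WasmModuleBuilder, the kExpr*/kWasm*
// opcode constants and the wasm*Const/wasmUnsignedLeb encoders used below.
load("test/mjsunit/wasm/wasm-module-builder.js");
const builder = new WasmModuleBuilder();

// Type section: the function's own signature (v6) plus two signatures that
// are only used for the tags thrown/caught in the body.
const v6 = builder.addType(kSig_i_iii);
const v14 = builder.addType(makeSig([kWasmF32,kWasmI32,kWasmI32], []));
const v19 = builder.addType(makeSig([], []));
const v21 = builder.addFunction(undefined, v6);

// Memory, a global, a funcref table and two exception tags referenced by
// the body's atomic/store, global.get, call_indirect and throw/catch opcodes.
builder.addMemory(5028);
const v25 = builder.addGlobal(kWasmI32);
const v27 = builder.addTable(kWasmFuncRef);
const v28 = builder.addTag(v14);
const v29 = builder.addTag(v19);

// Pre-encoded immediates spliced into the body below.
const v38 = wasmI32Const(176002);
const v42 = wasmI64Const(-6551967152140972733n);
const v45 = wasmI64Const(7056441962411871644n);
const v52 = wasmUnsignedLeb(33562);
const v57 = wasmI32Const(3774999);
const v66 = wasmUnsignedLeb(62605);
const v69 = wasmI32Const(555);
const v72 = wasmI32Const(551474);

// Function body (raw opcode bytes). The last `wasmI64Const(...)` call was
// split across two lines in the original report; it is rejoined here so the
// script parses. Do not reformat the byte sequence: it is the trigger.
const v253 = [kExprI32Const,3,kExprLocalSet,3,kExprLoop,kWasmF32,...v38,...v42,...v45,kExprI64Eq,kAtomicPrefix,kExprI32AtomicAdd16U,1,...v52,kExprLocalSet,1,...v57,kExprI32Const,27,kExprI32Const,28,kExprI32StoreMem,0,...v66,...v69,...v72,kExprReturnCall,v21.index,...wasmI32Const(1063008116),...wasmI32Const(3928580),kExprI32Const,0,kExprCallIndirect,v6,v27.index,kExprF64SConvertI32,kExprF64Neg,kExprThrow,v29,kExprLocalGet,3,kExprI32Const,1,kExprI32Sub,kExprLocalTee,3,kExprIf,kWasmVoid,kExprBr,1,kExprEnd,...wasmF32Const(v38),kExprEnd,...wasmF64Const(),kNumericPrefix,kExprI32SConvertSatF64,kExprI32Clz,kExprBlock,kWasmF32,kExprTry,kWasmF64,kExprTry,kWasmI64,...wasmI64Const(109301156051898n),kExprCatch,v28,kExprNop,kExprI32Const,0,kExprSelect,kExprF32SConvertI32,kExprI32Const,0,kExprSelect,kExprI64SConvertF32,...wasmF32Const(kExprI32StoreMem, 3, wasmF32Const, v72),kNumericPrefix,kExprI32UConvertSatF32,...wasmI32Const(46942),...wasmI32Const(476497),kExprI32Mul,...wasmI32Const(6278460),kExprI32Const,0,kExprReturnCallIndirect,v6,v27.index,kExprI32Const,2,kExprLocalSet,4,kExprLoop,kWasmI64,...wasmF64Const(),kExprThrow,v29,kExprLocalGet,4,kExprI32Const,1,kExprI32Sub,kExprLocalTee,4,kExprIf,kWasmVoid,kExprBr,1,kExprEnd,...wasmI64Const(2573986421922704147n),kExprEnd,kExprI64StoreMem16,1,...wasmUnsignedLeb(63506),kExprCatchAll,...wasmI64Const(-5633295575782540881n),kExprEnd,kExprF64ReinterpretI64,kExprEnd,kExprF64Floor,kExprF32ConvertF64,kExprF32Sqrt,kExprEnd,...wasmF32Const(),...wasmF32Const(),...wasmI64Const(-1042402604980003869n),...wasmI32Const(603053447),...wasmI64Const(-7491564053172945611n),kAtomicPrefix,kExprI64AtomicSub32U,2,...wasmUnsignedLeb(28950),...wasmI64Const(-8918769051964788399n),kExprI64LtU,kAtomicPrefix,kExprI64AtomicLoad8U,0,...wasmUnsignedLeb(37603),kExprI64LtS,kExprSelectWithType,1,kWasmF32,kExprF32Max,kExprF32Abs,...wasmI32Const(36752),...wasmI32Const(2300),kExprI32Eqz,kExprI32Eq,kAtomicPrefix,kExprI64AtomicLoad32U,2,...wasmUnsignedLeb(29626),...wasmI64Const(7209648322546790972n),kExprI64Eq,kExprF32ReinterpretI32,kExprF32Lt,kExprI32GeS,kExprF32UConvertI32,kExprGlobalGet,v25.index,kExprF32SConvertI32,kExprF32Trunc,kExprF32CopySign,kExprF32Eq];

// Two extra i32 locals (indices 3 and 4) are used as loop counters in the body.
v21.addLocals(kWasmI32, 2).addBody(v253);
builder.addExport("main");

// Instantiation compiles the function; the assertion fires during BBQ
// compilation (see Backtrace), i.e. before or while `main` is invoked.
const instance = builder.instantiate();
instance.exports.main();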
```
The attachment is a longer, standalone runnable PoC (poc_withbuilder.js) that includes the `wasm-module-builder.js` source; the PoC code itself is at the end of the attached file.
``
# Output:
```
ASSERTION FAILED: signature.is<FunctionSignature>()
./WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinitionInlines.h(63) : static const JSC::Wasm::FunctionSignature &JSC::Wasm::TypeInformation::getFunctionSignature(JSC::Wasm::TypeIndex)
```
# Backtrace:
```
#4 0x00007ffff57e97f3 in __GI_abort () at ./stdlib/abort.c:79
#5 0x0000555556390d2a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:913
#6 0x000055555786c74b in JSC::Wasm::BBQJITImpl::BBQJIT::allocateWithHint (this=this at entry=0x7fffa3fb03a0, value=..., hint=hint at entry=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:4804
#7 0x000055555783fa79 in JSC::Wasm::BBQJITImpl::BBQJIT::allocate (this=0x7fffa3fb03a0, value=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:4791
#8 JSC::Wasm::BBQJITImpl::BBQJIT::addSelect (this=0x7fffa3fb03a0, condition=..., lhs=..., rhs=..., result=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:1656
#9 0x000055555788adaa in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parseExpression (this=this at entry=0x7fffa3fb0d90) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:1942
#10 0x000055555788169b in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parseBody (this=this at entry=0x7fffa3fb0d90) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:534
#11 0x000055555786e894 in JSC::Wasm::FunctionParser<JSC::Wasm::BBQJITImpl::BBQJIT>::parse (this=this at entry=0x7fffa3fb0d90) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:487
#12 0x000055555786de86 in JSC::Wasm::parseAndCompileBBQ (compilationContext=..., callee=..., function=..., signature=..., unlinkedWasmToWasmCalls=..., info=..., mode=<optimized out>, functionIndex=..., hasExceptionHandlers=..., loopIndexForOSREntry=<optimized out>) at ./WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:5084
#13 0x0000555557813702 in JSC::Wasm::BBQPlan::compileFunction (this=<optimized out>, this at entry=0x7fffeb1f8a80, functionIndex=..., callee=..., context=..., unlinkedWasmToWasmCalls=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:187
#14 0x0000555557811be1 in JSC::Wasm::BBQPlan::work (this=0x7fffeb1f8a80) at ./WebKit/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:99
#15 0x0000555557b208f5 in JSC::Wasm::Worklist::Thread::work (this=0x7fffeb166610) at ./WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:108
#16 0x0000555557c4f744 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at ./WebKit/Source/WTF/wtf/AutomaticThread.cpp:225
#17 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at ./WebKit/Source/WTF/wtf/Function.h:53
#18 0x0000555557c6edca in WTF::Function<void ()>::operator()() const (this=<optimized out>) at ./WebKit/Source/WTF/wtf/Function.h:82
#19 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at ./WebKit/Source/WTF/wtf/Threading.cpp:265
#20 0x0000555557cfa0f6 in WTF::wtfThreadEntryPoint (context=0x247bd0) at ./WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:241
#21 0x00007ffff5855ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
```