[Webkit-unassigned] [Bug 284627] New: WebAssembly instantiate assertion failed in JSC::Wasm::ExternOrAnyRefTable::ExternOrAnyRefTable

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 13 05:42:26 PST 2024 

https://bugs.webkit.org/show_bug.cgi?id=284627

            Bug ID: 284627
           Summary: WebAssembly instantiate assertion failed in
                    JSC::Wasm::ExternOrAnyRefTable::ExternOrAnyRefTable
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: linjy01 at connect.hku.hk

Created attachment 473561

  --> https://bugs.webkit.org/attachment.cgi?id=473561&action=review

standalone poc

WebKit Commit id: 2b42362df0287dfaed6d74d1f280176ed0e4c19c (Dec 13 2024)

# Reproduction:

build: `./Tools/Scripts/build-webkit --jsc-only --debug --cmakeargs='-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_CXX_FLAGS="-g"'`

run: `./WebKitBuild/JSCOnly/Debug/bin/jsc ./poc.js`

# POC
```
load("test/mjsunit/wasm/wasm-module-builder.js");
const builder = new WasmModuleBuilder()
const sigtype = builder.addType(kSig_v_v);
builder.addTable(kWasmExnRef);
const body = [kExprLoop,kWasmVoid,kExprI32Const,0,kExprCallIndirect,sigtype,builder.addTable(kWasmFuncRef).index,kExprLocalGet,0,kExprI32Const,1,kExprI32Sub,kExprLocalTee,0,kExprBrIf,0,kExprEnd];
builder.addFunction("main", kSig_v_i).exportFunc().addBody(body);
builder.instantiate();
```

It seems like the type kWasmExnRef is not handled.

The attachment is a longer and standalone runnable POC (poc_withbuilder.js) that contains the `wasm-module-builder.js` source code (the poc code is at the end of the attached poc_withbuilder.js).

``

# Output:
```
ASSERTION FAILED: isExternref(wasmType) || (Options::useWasmGC() && (isSubtype(wasmType, externrefType()) || isSubtype(wasmType, anyrefType())))
./WebKitcov/Source/JavaScriptCore/wasm/WasmTable.cpp(240) : JSC::Wasm::ExternOrAnyRefTable::ExternOrAnyRefTable(uint32_t, std::optional<uint32_t>, Type)
1   0x7ffff733dbc4 ./WebKitcov/builddebug/lib/libJavaScriptCore.so.1(+0x3cb3bc4) [0x7ffff733dbc4]
2   0x7ffff733c3e6 ./WebKitcov/builddebug/lib/libJavaScriptCore.so.1(+0x3cb23e6) [0x7ffff733c3e6]
3   0x7ffff73b2bbd ./WebKitcov/builddebug/lib/libJavaScriptCore.so.1(+0x3d28bbd) [0x7ffff73b2bbd]
4   0x7ffff737defb ./WebKitcov/builddebug/lib/libJavaScriptCore.so.1(+0x3cf3efb) [0x7ffff737defb]
5   0x7ffff73a6652 ./WebKitcov/builddebug/lib/libJavaScriptCore.so.1(+0x3d1c652) [0x7ffff73a6652]
6   0x7fffa66543e7 [0x7fffa66543e7]
Aborted (core dumped)
```

# Backtrace:
```
#2  __GI___pthread_kill (threadid=<optimized out>, signo=signo at entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff3b4326e in __GI_raise (sig=sig at entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff3b268ff in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff69a72ea in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:913
#6  0x00007ffff7cc989f in JSC::Wasm::ExternOrAnyRefTable::ExternOrAnyRefTable (this=0x7fffea14c600, initial=initial at entry=0, maximum=maximum at entry=std::optional [no contained value], wasmType=...) at ./WebKitcov/Source/JavaScriptCore/wasm/WasmTable.cpp:240
#7  0x00007ffff7cc8a54 in JSC::Wasm::Table::tryCreate (initial=0, maximum=std::optional [no contained value], type=<optimized out>, wasmType=...) at ./WebKitcov/Source/JavaScriptCore/wasm/WasmTable.cpp:101
#8  0x00007ffff7cfd490 in JSC::WebAssemblyModuleRecord::initializeExports (this=0x7fffea087a88, globalObject=0x7fffa841a088) at ./WebKitcov/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:544
#9  0x00007ffff7ce7ce6 in JSC::JSWebAssemblyInstance::finalizeCreation (this=0x7fffea046508, vm=..., globalObject=0x7fffa841a088, wasmCalleeGroup=..., creationMode=JSC::Wasm::CreationMode::FromJS) at ./WebKitcov/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:204
#10 0x00007ffff7cf7981 in JSC::constructJSWebAssemblyInstance (globalObject=0x7fffa841a088, callFrame=<optimized out>) at ./WebKitcov/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp:71
#11 0x00007fffa93003e7 in ?? ()
#12 0x00007fffffffd9f0 in ?? ()
#13 0x00007ffff690ef63 in llint_op_construct () from ./WebKitcov/build/lib/libJavaScriptCore.so.1
#14 0x0000000000000000 in ?? ()
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20241213/46887ebc/attachment.htm>

More information about the webkit-unassigned mailing list