[Webkit-unassigned] [Bug 277400] New: [WASM] WASM python crashes on JSC sometimes when run JSC with JIT(BBQ, OMG).

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 31 00:26:50 PDT 2024 

https://bugs.webkit.org/show_bug.cgi?id=277400

            Bug ID: 277400
           Summary: [WASM] WASM python crashes on JSC sometimes when run
                    JSC with JIT(BBQ, OMG).
           Product: WebKit
           Version: WebKit Local Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Minor
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: juju6985 at outlook.kr

Created attachment 472023

  --> https://bugs.webkit.org/attachment.cgi?id=472023&action=review

Even though same execution command, somtimes crash and sometimes run as well.

I am a student currently working on building a differential fuzzing harness (https://github.com/UsQuake/wasi_pyrb_diff_test) capable of executing WASM (WASI) Python/Ruby in the debug shell of browser JS engines.

During my fuzzing tests, I observed that the JSC shell occasionally crashes when using the default options --useOMGJIT=1 --useBBQJIT=1.
The crashes occur at least once every 100 test cycles, and the crash messages indicate out-of-memory access problems.

However, when I use the options --useOMGJIT=0 --useBBQJIT=0 (which only utilizes WASM-LLInt), the JSC shell does not crash during 100 test cycles.

Furthermore, I did not encounter any crashes when I executed the same WASM and JavaScript polyfill code in V8 or SpiderMonkey.

Based on these findings, I suspect that there may be a bug in the WASM JIT for JSC, such as OMG-JIT or BBQ-JIT.

To address this issue, I am reporting this issue to the community for insights or suggestions on how to solve or debug this problem.
Even a small opinion would be greatly appreciated. Thank you!

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240731/c4078dff/attachment.htm>

More information about the webkit-unassigned mailing list