[Webkit-unassigned] [Bug 271030] Reproducible crash in WasmCallingConvention::numberOfStackArguments with TailCalls feature enabled

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 18 19:03:11 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=271030

Alexey Proskuryakov <ap at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|PC                          |All
                 CC|                            |justin_michaud at apple.com,
                   |                            |keith_miller at apple.com,
                   |                            |mark.lam at apple.com
            Summary|webkit webassemly enable    |Reproducible crash in
                   |TailCalls feature failed    |WasmCallingConvention::numberOfStackArguments
                   |                            |with TailCalls feature enabled

--- Comment #1 from Alexey Proskuryakov <ap at webkit.org> ---
I can reproduce with `jsc` on macOS.

$ jsc --useWebAssemblyGC=true --useWebAssemblyTailCalls=true crash.js
Segmentation fault: 11

Thread 4 Crashed:: Wasm Worklist Helper Thread
0   JavaScriptCore                             0x1bbc92a78 JSC::Wasm::WasmCallingConvention::numberOfStackValues(JSC::Wasm::FunctionSignature const&) const + 12
1   JavaScriptCore                             0x1bbc92d78 JSC::Wasm::LLIntGenerator::addCallIndirect(unsigned int, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::VirtualRegister, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WTF::Vector<JSC::VirtualRegister, 8ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::CallLinkInfoBase::CallType) + 380
2   JavaScriptCore                             0x1bbcb4488 JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression() + 32884
