[Webkit-unassigned] [Bug 282810] New: Aborted in JSC::LLInt::slow_path_wasm_simd_go_straight_to_bbq_osr

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 7 21:24:55 PST 2024 

https://bugs.webkit.org/show_bug.cgi?id=282810

            Bug ID: 282810
           Summary: Aborted in
                    JSC::LLInt::slow_path_wasm_simd_go_straight_to_bbq_osr
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fufuyqqqqqq at gmail.com

### Title
Aborted in JSC::LLInt::slow_path_wasm_simd_go_straight_to_bbq_osr
### Environment
```
OS      : Linux Ubuntu
Commit  : a6d261838dcb9f9e9c7bad991bc3d880ae5358ee
Build   : ./Tools/Scripts/build-jsc  --debug --jsc-only --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-15' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-15' -DCMAKE_CXX_FLAGS='-O3 -lrt  -Wno-error=cast-align -std=c++20 -stdlib=libc++'"
```

### Proof of concept
Run jsc:
```
/WebKit/build/JSCOnly/Debug/bin/jsc --useBBQJIT=false  ./bug_4068.js
```

### Output
```
ASSERTION FAILED: shouldJIT(callee)
/WebKit/Source/JavaScriptCore/wasm/WasmSlowPaths.cpp(334) : JSC::UGPRPair JSC::LLInt::slow_path_wasm_simd_go_straight_to_bbq_osr(JSC::CallFrame *, const JSC::WasmInstruction *, JSC::JSWebAssemblyInstance *)
1   0x56145d1d9c35 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x30f0c35) [0x56145d1d9c35]
2   0x56145b2bf2f3 /WebKit/build/JSCOnly/Debug/bin/jsc(+0x11d62f3) [0x56145b2bf2f3]
Aborted
```

### Stack dump
```
gdb-peda$ r --useBBQJIT=false  ./bug_4068.js
Starting program: /WebKit/build/JSCOnly/Debug/bin/jsc --useBBQJIT=false  ./bug_4068.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffed767700 (LWP 1649658)]
[New Thread 0x7fffa8f64700 (LWP 1649834)]
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7ffff5869740 (0x00007ffff5869740)
RCX: 0x7ffff5a9300b (<raise+203>:       mov    rax,QWORD PTR [rsp+0x108])
RDX: 0x0 
RSI: 0x7fffffffcee0 --> 0x0 
RDI: 0x2 
RBP: 0x5555557afbf4 ("JSC::UGPRPair JSC::LLInt::slow_path_wasm_simd_go_straight_to_bbq_osr(JSC::CallFrame *, const JSC::WasmInstruction *, JSC::JSWebAssemblyInstance *)")
RSP: 0x7fffffffcee0 --> 0x0 
RIP: 0x7ffff5a9300b (<raise+203>:       mov    rax,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7fffffffcee0 --> 0x0 
R10: 0x8 
R11: 0x246 
R12: 0x55555950a000 --> 0x7fffaaf66000 --> 0x0 
R13: 0x7fffeb040460 --> 0x7fffeb094920 --> 0x2f2f2f3a656c6900 ('')
R14: 0x7fe02c000000 --> 0x0 
R15: 0x7fffffffd2e0 --> 0x7fffffffd340 --> 0x7fffffffd3a0 --> 0x7fffffffd410 --> 0x7fffeb0933f8 --> 0x4
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff5a92fff <raise+191>:  mov    edi,0x2
   0x7ffff5a93004 <raise+196>:  mov    eax,0xe
   0x7ffff5a93009 <raise+201>:  syscall 
=> 0x7ffff5a9300b <raise+203>:  mov    rax,QWORD PTR [rsp+0x108]
   0x7ffff5a93013 <raise+211>:  xor    rax,QWORD PTR fs:0x28
   0x7ffff5a9301c <raise+220>:  jne    0x7ffff5a93044 <raise+260>
   0x7ffff5a9301e <raise+222>:  mov    eax,r8d
   0x7ffff5a93021 <raise+225>:  add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffcee0 --> 0x0 
0008| 0x7fffffffcee8 ("sult != ")
0016| 0x7fffffffcef0 --> 0x0 
0024| 0x7fffffffcef8 --> 0x0 
0032| 0x7fffffffcf00 --> 0xbfe552222222222d 
0040| 0x7fffffffcf08 --> 0x0 
0048| 0x7fffffffcf10 --> 0x3fe99555551519c7 
0056| 0x7fffffffcf18 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff5a9300b in raise () from /lib/x86_64-linux-gnu/libc.so.6
gdb-peda$ bt
#0  0x00007ffff5a9300b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff5a72859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x000055555641399a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:912
#3  0x0000555558644c4a in slow_path_wasm_simd_go_straight_to_bbq_osr (callFrame=0x7fffffffd2e0, pc=<optimized out>, instance=<optimized out>) at /WebKit/Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:334
#4  0x000055555672a2f3 in wasm_function_prologue_simd ()
#5  0x00007fffaaf94246 in ?? ()
#6  0x00007fffeb20c218 in ?? ()
#7  0x00007fffeb03f463 in ?? ()
#8  0x00007f0000000003 in ?? ()
#9  0x0000555556714540 in llint_op_put_to_scope ()
#10 0x00007fffffffd320 in ?? ()
#11 0x00007fffeb0933f0 in ?? ()
#12 0x00007fffeb011300 in ?? ()
#13 0x00007fffeb0933f0 in ?? ()
#14 0xfffe000000000000 in ?? ()
#15 0xfffe000000000002 in ?? ()
#16 0x00007fffffffd3a0 in ?? ()
#17 0x0000555556723050 in llint_op_call ()
#18 0x00007fffeb20c218 in ?? ()
#19 0x00007fffeb1f72c3 in ?? ()
#20 0x00007fff00000001 in ?? ()
#21 0x00007fffa941a088 in ?? ()
#22 0x00007fffeb214188 in ?? ()
#23 0x00007fffeb058318 in ?? ()
#24 0x00007fffeb0933f8 in ?? ()
#25 0x00007fffa9000000 in ?? ()
#26 0x00007fffeb0933f0 in ?? ()
#27 0x00007fffa90163b8 in ?? ()
#28 0x00007fffffffd410 in ?? ()
#29 0x00005555566ffef2 in llint_call_javascript ()
#30 0x00007fffa94dc150 in ?? ()
#31 0x00007fffeb020508 in ?? ()
#32 0x000000ee00000001 in ?? ()
#33 0x00007fffeb022308 in ?? ()
#34 0x00007fffa9000000 in ?? ()
#35 0x0000000000000000 in ?? ()
```

### Credit
Q1IQ(@q1iqF) and P1umer(@p1umer)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20241108/dc170e20/attachment-0001.htm>

More information about the webkit-unassigned mailing list