[Webkit-unassigned] [Bug 283258] New: WebAssembly assertion error in FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Nov 17 04:22:34 PST 2024 

https://bugs.webkit.org/show_bug.cgi?id=283258

            Bug ID: 283258
           Summary: WebAssembly assertion error in
                    FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpres
                    sion
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Major
          Priority: P1
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: linjy01 at connect.hku.hk

Created attachment 473247

  --> https://bugs.webkit.org/attachment.cgi?id=473247&action=review

standalone runnable poc

WebKit commit id: 1a9adbce1d3fbd78795e86aad2c57ce384e31168 (Nov 16 2024)

Reproduction:

build: `./Tools/Scripts/build-jsc --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_CXX_FLAGS='  -O3 -lrt'"`
run: `./WebKitBuild/JSCOnly/Debug/bin/jsc  ./poc_withbuilder.js`


POC (short version):
```
load("test/mjsunit/wasm/wasm-module-builder.js");
builder = new WasmModuleBuilder();
const function_body = [kExprLocalGet,0,kGCPrefix,kExprRefTest,kExnRefCode];
builder.addFunction("func", makeSig([], [])).addLocals(kWasmExnRef, 1).addBody(function_body);
builder.instantiate(builder);
```

The attachment is a longer and standalone POC that contains the `wasm-module-builder.js` source code (the poc code is at the end of the attached poc_withbuilder.js).


Output:
```
SHOULD NEVER BE REACHED
/home/fuzzer/WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h(2714) : JSC::Wasm::ParserBase::PartialResult JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression() [Context = JSC::Wasm::LLIntGenerator]
1   0x55f30d6c904d ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x252704d) [0x55f30d6c904d]
2   0x55f30d6a166b ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x24ff66b) [0x55f30d6a166b]
3   0x55f30d62566c ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x248366c) [0x55f30d62566c]
4   0x55f30d62459f ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x248259f) [0x55f30d62459f]
5   0x55f30d642920 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x24a0920) [0x55f30d642920]
6   0x55f30d5a52dd ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x24032dd) [0x55f30d5a52dd]
7   0x55f30d891771 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x26ef771) [0x55f30d891771]
8   0x55f30d9dc964 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x283a964) [0x55f30d9dc964]
9   0x55f30d9fc4da ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x285a4da) [0x55f30d9fc4da]
10  0x55f30da87d36 ../../WebKit/WebKitBuild/JSCOnly/Debug/bin/jsc(+0x28e5d36) [0x55f30da87d36]
11  0x7f3171a96ac3 /lib/x86_64-linux-gnu/libc.so.6(+0x94ac3) [0x7f3171a96ac3]
12  0x7f3171b28850 /lib/x86_64-linux-gnu/libc.so.6(+0x126850) [0x7f3171b28850]
Aborted (core dumped)
```

GDB backtrace:

```
#2  __GI___pthread_kill (threadid=140735951894080, signo=signo at entry=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff5803476 in __GI_raise (sig=sig at entry=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff57e97f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x000055555639304a in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:913
#6  0x0000555557a7b062 in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseExpression (this=this at entry=0x7fffa46b3180) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:2714
#7  0x0000555557a5366b in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parseBody (this=this at entry=0x7fffa46b3180) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:534
#8  0x00005555579d766c in JSC::Wasm::FunctionParser<JSC::Wasm::LLIntGenerator>::parse (this=this at entry=0x7fffa46b3180) at ./WebKit/Source/JavaScriptCore/wasm/WasmFunctionParser.h:487
#9  0x00005555579d659f in JSC::Wasm::parseAndCompileBytecode (function=..., signature=..., info=..., functionIndex=functionIndex at entry=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:634
#10 0x00005555579f4920 in JSC::Wasm::LLIntPlan::compileFunction (this=0x7fffeb04b7b0, functionIndex=...) at ./WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:105
#11 0x00005555579572dd in JSC::Wasm::EntryPlan::compileFunctions (this=0x7fffeb04b7b0, effort=JSC::Wasm::Plan::Partial) at ./WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:218
#12 0x0000555557c43771 in JSC::Wasm::Worklist::Thread::work (this=0x7fffeb16c680) at ./WebKit/Source/JavaScriptCore/wasm/WasmWorklist.cpp:108
#13 0x0000555557d8e964 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const (this=<optimized out>) at ./WebKit/Source/WTF/wtf/AutomaticThread.cpp:225
#14 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() (this=<optimized out>) at ./WebKit/Source/WTF/wtf/Function.h:53
#15 0x0000555557dae4da in WTF::Function<void ()>::operator()() const (this=<optimized out>) at ./WebKit/Source/WTF/wtf/Function.h:82
#16 WTF::Thread::entryPoint (newThreadContext=<optimized out>) at ./WebKit/Source/WTF/wtf/Threading.cpp:265
#17 0x0000555557e39d36 in WTF::wtfThreadEntryPoint (context=0x20f3c2) at ./WebKit/Source/WTF/wtf/posix/ThreadingPOSIX.cpp:241
#18 0x00007ffff5855ac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
#19 0x00007ffff58e7850 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20241117/ced4ae5c/attachment.htm>

More information about the webkit-unassigned mailing list