258805 – SHOULD NEVER BE REACHED: Source/JavaScriptCore/wasm/WasmTypeDefinition.h(311) : size_t JSC::Wasm::typeKindSizeInBytes(JSC::Wasm::TypeKind)

RESOLVED FIXED258805

SHOULD NEVER BE REACHED: Source/JavaScriptCore/wasm/WasmTypeDefinition.h(311) : size_t JSC::Wasm::typeKindSizeInBytes(JSC::Wasm::TypeKind)

https://bugs.webkit.org/show_bug.cgi?id=258805

Summary SHOULD NEVER BE REACHED: Source/JavaScriptCore/wasm/WasmTypeDefinition.h(311)...

xiangwei1895

Reported 2023-07-03 04:50:40 PDT

## JavaScriptCore Version 1f2d2a92eeb831bedd01bbb5b694a0e29fa9af81 ## Build Ubuntu 20.04.2 LTS (Linux 5.15.0-67-generic x86_64) ./Tools/Scripts/build-jsc --jsc-only --debug --build-dir=asan --cmakeargs="-DCMAKE_C_COMPILER='/usr/bin/clang' -DCMAKE_CXX_COMPILER='/usr/bin/clang++' -DCMAKE_CXX_FLAGS='-g -O3 -fsanitize=address'" ## Testcase and Execution steps ``` var buffer = new Uint8Array([0,97,115,109,1,0,0,0,1,142,129,128,128,0,12,80,0,95,3,123,1,127,1,123,0,80,0,95,3,127,0,127,1,124,1,80,0,95,3,127,0,124,0,124,0,80,0,94,106,1,80,0,94,124,1,80,0,94,127,1,80,0,96,3,127,127,127,1,127,80,0,96,6,108,2,123,108,0,108,2,107,4,127,15,124,107,110,109,123,107,2,127,127,127,127,127,127,127,127,110,107,5,80,0,96,3,107,103,107,110,125,0,80,0,96,9,124,127,107,106,107,111,107,8,127,125,127,127,0,96,0,0,80,0,96,1,106,15,124,107,110,109,123,107,2,127,127,127,127,127,127,127,127,110,107,5,3,133,128,128,128,0,4,6,7,8,9,4,133,128,128,128,0,1,112,1,4,4,5,132,128,128,128,0,1,1,16,32,13,133,128,128,128,0,2,0,10,0,10,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,148,128,128,128,0,1,6,0,65,0,11,112,4,210,0,11,210,1,11,210,2,11,210,3,11,12,1,1,10,242,131,128,128,0,4,8,0,65,143,168,200,199,2,11,184,2,1,1,126,208,3,208,112,65,206,0,252,15,0,251,19,3,2,11,26,68,184,25,231,49,254,15,167,66,68,150,148,159,3,200,134,156,167,65,166,130,239,151,124,253,15,65,200,221,207,188,6,65,161,137,152,243,123,253,15,251,7,0,208,109,65,130,195,136,131,120,253,15,65,178,137,189,163,127,68,231,84,164,196,252,248,68,90,68,48,227,118,174,124,53,7,198,251,7,2,65,225,221,192,247,120,65,251,133,254,221,6,65,135,146,142,147,122,65,223,133,148,193,2,65,251,144,128,170,120,65,230,176,136,245,124,65,241,250,148,186,127,65,141,226,164,228,123,208,110,65,237,235,201,233,7,65,162,189,207,167,4,65,20,111,251,27,5,208,110,212,1,26,26,26,26,26,26,26,26,26,26,26,26,26,26,26,170,40,1,221,241,167,172,2,105,65,137,127,254,30,1,219,209,193,191,3,251,32,208,109,65,207,193,167,207,120,253,15,65,200,132,132,248,125,68,253,80,222,108,2,91,186,184,68,248,59,252,18,221,61,46,34,251,7,2,65,204,131,151,96,65,152,163,176,235,124,65,178,215,239,104,65,134,159,222,207,121,65,247,132,233,148,125,65,177,128,213,163,2,65,188,181,217,128,6,65,229,207,219,183,5,208,110,65,168,159,176,8,65,248,233,136,145,6,65,20,111,251,27,5,11,11,49,0,65,149,204,193,234,120,253,15,253,195,1,65,217,155,236,176,125,253,15,253,12,236,43,211,7,121,28,117,6,215,0,57,171,51,202,142,219,253,111,253,11,2,195,139,177,227,3,11,123,0,12,0,65,154,195,136,230,7,66,151,197,135,240,249,138,247,236,66,254,27,0,190,174,186,222,10,208,4,208,112,65,157,204,144,129,6,252,15,0,208,4,65,170,252,203,173,124,65,222,143,205,168,3,251,24,4,4,208,3,65,150,183,180,136,125,208,106,65,232,208,131,191,6,65,20,111,251,27,3,65,203,225,141,165,127,65,169,150,253,65,251,24,3,3,65,244,193,198,164,2,66,150,233,130,174,177,158,233,224,129,127,66,93,84,54,2,239,155,187,155,2,11,11,131,128,128,128,0,1,1,0]); var module = new WebAssembly.Module(buffer); ``` ./bin/jsc --useWebAssemblyGC=true testcase.js ## Output SHOULD NEVER BE REACHED /home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.h(311) : size_t JSC::Wasm::typeKindSizeInBytes(JSC::Wasm::TypeKind) ## Backtrace #0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737178216384) at ./nptl/pthread_kill.c:44 #1 __pthread_kill_internal (signo=6, threadid=140737178216384) at ./nptl/pthread_kill.c:78 #2 __GI___pthread_kill (threadid=140737178216384, signo=signo@entry=6) at ./nptl/pthread_kill.c:89 #3 0x00007fffed881476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26 #4 0x00007fffed8677f3 in __GI_abort () at ./stdlib/abort.c:79 #5 0x00007ffff0c7a16f in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:762 #6 0x00007ffff50349a4 in JSC::Wasm::typeKindSizeInBytes (kind=<optimized out>) at /home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.h:311 #7 JSC::Wasm::typeSizeInBytes (storageType=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmTypeDefinition.h:482 #8 JSC::Wasm::SectionParser::parseStructType (this=0x7fffffffbb70, this@entry=0x7fffffffb460, position=0, structType=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:859 #9 0x00007ffff50386e8 in JSC::Wasm::SectionParser::parseSubtype (this=0x30753c, this@entry=0x7fffffffbb70, position=position@entry=0, subtype=..., recursionGroupTypes=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:1070 #10 0x00007ffff502ff20 in JSC::Wasm::SectionParser::parseType (this=0x30753c, this@entry=0x7fffffffbb70) at /home/WebKit/Source/JavaScriptCore/wasm/WasmSectionParser.cpp:92 #11 0x00007ffff5075976 in JSC::Wasm::StreamingParser::parseSectionPayload (this=this@entry=0x615000017f90, data=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:197 #12 0x00007ffff5078e17 in JSC::Wasm::StreamingParser::addBytes (this=0x30753c, bytes=0x617000001c80 "", bytesSize=755, isEndOfStream=(unknown: 0x14)) at /home/WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:344 #13 0x00007ffff4e71abd in JSC::Wasm::StreamingParser::addBytes (this=0x615000017f90, bytes=0x617000001c80 "", length=755) at /home/WebKit/Source/JavaScriptCore/wasm/WasmStreamingParser.h:81 #14 JSC::Wasm::EntryPlan::parseAndValidateModule (this=0x615000017f00, source=0x617000001c80 "", sourceLength=755) at /home/WebKit/Source/JavaScriptCore/wasm/WasmEntryPlan.cpp:91 #15 0x00007ffff4ebe6c7 in JSC::Wasm::LLIntPlan::LLIntPlan(JSC::VM&, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&, JSC::Wasm::CompilerMode, WTF::RefPtr<WTF::SharedTask<void (JSC::Wasm::Plan&)>, WTF::RawPtrTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> >, WTF::DefaultRefDerefTraits<WTF::SharedTask<void (JSC::Wasm::Plan&)> > >&&) (this=0x615000017f00, vm=..., source=..., compilerMode=<optimized out>, task=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp:49 #16 0x00007ffff4ff0550 in JSC::Wasm::Module::validateSync (vm=..., source=...) at /home/WebKit/Source/JavaScriptCore/wasm/WasmModule.cpp:70 #17 0x00007ffff5173ef8 in JSC::WebAssemblyModuleConstructor::createModule (globalObject=<optimized out>, globalObject@entry=0x61f000000ee8, callFrame=callFrame@entry=0x7fffffffc670, buffer=...) at /home/WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp:188 #18 0x00007ffff517505f in JSC::constructJSWebAssemblyModule (globalObject=0x61f000000ee8, callFrame=0x7fffffffc670) at /home/WebKit/Source/JavaScriptCore/wasm/js/WebAssemblyModuleConstructor.cpp:169 #19 0x00007fffabb000c7 in ?? () #20 0x00007fffffffc6f0 in ?? () #21 0x00007ffff0c59b95 in js_trampoline_op_construct () from /home/WebKit/asan/Debug/lib/libJavaScriptCore.so.1 #22 0x0000000000000000 in ?? ()

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-07-03 15:24:24 PDT

<rdar://problem/111708126>

Asumu Takikawa

Comment 2 2024-01-29 15:37:19 PST

Pull request: https://github.com/WebKit/WebKit/pull/23472

EWS

Comment 3 2024-01-30 22:29:47 PST

Committed 273813@main (167dc00a1f29): <https://commits.webkit.org/273813@main> Reviewed commits have been landed. Closing PR #23472 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebAssembly

Assignee

Asumu Takikawa

Reported

2023-07-03 04:50 PDT

Modified

2024-01-30 22:29 PST History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks

247394

Dependencies

tree graph