| Summary: | [JSC] Tuple should be able to include V128 constant | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | CAO ZONG <cz18811105578> | ||||
| Component: | JavaScriptCore | Assignee: | Yusuke Suzuki <ysuzuki> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Critical | CC: | bfulgham, webkit-bug-importer, ysuzuki | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | WebKit Local Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
with --useWebAssemblySIMD=true flag Changing the component from security to normal since this is not shipped. This is WIP developing feature. Pull request: https://github.com/WebKit/WebKit/pull/7779 Committed 258034@main (c19143329472): <https://commits.webkit.org/258034@main> Reviewed commits have been landed. Closing PR #7779 and removing active labels. |
Created attachment 464055 [details] Reproducible poc this poc can reproduce the crash stably commit: bcd8cc0c0c83b0f2ddb78977a843650168bb138f Stack #0 0x00007ffff5ad400b in raise () from /lib/x86_64-linux-gnu/libc.so.6 #1 0x00007ffff5ab3859 in abort () from /lib/x86_64-linux-gnu/libc.so.6 #2 0x0000555555a3a1da in WTFCrashWithInfo(int, char const*, char const*, int) () #3 0x0000555556a13a79 in JSC::Wasm::AirIRGenerator64::emitMaterializeConstant(JSC::B3::Air::BasicBlock*, JSC::Wasm::Type, unsigned long, JSC::Wasm::TypedTmp&) () #4 0x0000555556a48b0d in JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::addEndToUnreachable(JSC::Wasm::FunctionParserTypes<JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::ControlData, JSC::Wasm::TypedTmp>::ControlEntry&, WTF::Vector<JSC::Wasm::FunctionParserTypes<JSC::Wasm::AirIRGeneratorBase<JSC::Wasm::AirIRGenerator64, JSC::Wasm::TypedTmp>::ControlData, JSC::Wasm::TypedTmp>::TypedExpression, 16ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc> const&) () #5 0x0000555556a2dfa6 in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseUnreachableExpression() () #6 0x0000555556a2d5c1 in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseBody() () #7 0x0000555556a2c65f in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parse() () #8 0x0000555556a23eae in std::experimental::fundamentals_v3::expected<std::unique_ptr<JSC::Wasm::InternalFunction, std::default_delete<JSC::Wasm::InternalFunction> >, WTF::String> JSC::Wasm::parseAndCompileAirImpl<JSC::Wasm::AirIRGenerator64>(JSC::Wasm::CompilationContext&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, unsigned int, std::optional<bool>, JSC::Wasm::TierUpCount*) () #9 0x0000555556a1c5d1 in JSC::Wasm::parseAndCompileAir(JSC::Wasm::CompilationContext&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, unsigned int, std::optional<bool>, JSC::Wasm::TierUpCount*) () #10 0x00005555569c7e76 in JSC::Wasm::BBQPlan::compileFunction(unsigned int, JSC::Wasm::CompilationContext&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::TierUpCount*) () #11 0x00005555569c6a56 in JSC::Wasm::BBQPlan::work(JSC::Wasm::Plan::CompilationEffort) () #12 0x0000555556b49ab2 in JSC::Wasm::Worklist::Thread::work() () #13 0x0000555556bf4143 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() () #14 0x0000555556c1537f in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) () #15 0x0000555556c6f096 in WTF::wtfThreadEntryPoint(void*) () #16 0x00007ffff5fe3609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0 #17 0x00007ffff5bb0133 in clone () from /lib/x86_64-linux-gnu/libc.so.6