249377 – [WASM] Memory Corruption in JSC::Wasm::AirIRGenerator64::addSIMDRelOp

Bug 249377 - [WASM] Memory Corruption in JSC::Wasm::AirIRGenerator64::addSIMDRelOp

Summary: [WASM] Memory Corruption in JSC::Wasm::AirIRGenerator64::addSIMDRelOp

Status:	RESOLVED DUPLICATE of bug 249418

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Local Build
Hardware:	All Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-12-15 00:37 PST by CAO ZONG
Modified:	2022-12-16 13:05 PST (History)
CC List:	3 users (show)

See Also:

Attachments
Reproducible poc (932 bytes, text/javascript) 2022-12-15 00:37 PST, CAO ZONG	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description CAO ZONG 2022-12-15 00:37:27 PST

Created attachment 464054 [details]
Reproducible poc

this poc can reproduce the crash stably
commit: bcd8cc0c0c83b0f2ddb78977a843650168bb138f

#0  0x00007ffff5ad400b in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff5ab3859 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x0000555555a3a1da in WTFCrashWithInfo(int, char const*, char const*, int) ()
#3  0x0000555556a83ca7 in JSC::Wasm::AirIRGenerator64::addSIMDRelOp(JSC::SIMDLaneOperation, JSC::SIMDInfo, JSC::Wasm::TypedTmp, JSC::Wasm::TypedTmp, JSC::B3::Air::Arg, JSC::Wasm::TypedTmp&) ()
#4  0x0000555556a63bf0 in std::experimental::fundamentals_v3::expected<void, WTF::String> JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::simd<true, void>(JSC::SIMDLaneOperation, JSC::SIMDLane, JSC::SIMDSignMode, JSC::B3::Air::Arg) ()
#5  0x0000555556a43901 in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseExpression() ()
#6  0x0000555556a2d5db in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parseBody() ()
#7  0x0000555556a2c65f in JSC::Wasm::FunctionParser<JSC::Wasm::AirIRGenerator64>::parse() ()
#8  0x0000555556a23eae in std::experimental::fundamentals_v3::expected<std::unique_ptr<JSC::Wasm::InternalFunction, std::default_delete<JSC::Wasm::InternalFunction> >, WTF::String> JSC::Wasm::parseAndCompileAirImpl<JSC::Wasm::AirIRGenerator64>(JSC::Wasm::CompilationContext&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, unsigned int, std::optional<bool>, JSC::Wasm::TierUpCount*) ()
#9  0x0000555556a1c5d1 in JSC::Wasm::parseAndCompileAir(JSC::Wasm::CompilationContext&, JSC::Wasm::FunctionData const&, JSC::Wasm::TypeDefinition const&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::ModuleInformation const&, JSC::MemoryMode, unsigned int, std::optional<bool>, JSC::Wasm::TierUpCount*) ()
#10 0x00005555569c7e76 in JSC::Wasm::BBQPlan::compileFunction(unsigned int, JSC::Wasm::CompilationContext&, WTF::Vector<JSC::Wasm::UnlinkedWasmToWasmCall, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, JSC::Wasm::TierUpCount*) ()
#11 0x00005555569c6a56 in JSC::Wasm::BBQPlan::work(JSC::Wasm::Plan::CompilationEffort) ()
#12 0x0000555556b49ab2 in JSC::Wasm::Worklist::Thread::work() ()
#13 0x0000555556bf4143 in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() ()
#14 0x0000555556c1537f in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) ()
#15 0x0000555556c6f096 in WTF::wtfThreadEntryPoint(void*) ()
#16 0x00007ffff5fe3609 in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#17 0x00007ffff5bb0133 in clone () from /lib/x86_64-linux-gnu/libc.so.6

Comment 1 Radar WebKit Bug Importer 2022-12-15 00:37:37 PST

<rdar://problem/103391933>

Comment 2 CAO ZONG 2022-12-15 00:39:55 PST

with --useWebAssemblySIMD=true flag

Comment 3 Yusuke Suzuki 2022-12-16 12:54:58 PST

This is just because it is not implemented yet on x64. (and this is why --useWebAssemblySIMD=false right now).

Comment 4 Yusuke Suzuki 2022-12-16 12:58:55 PST

Moving from security to normal bug since useWebAssemblySIMD on x64 is not ready (so not enabled at all).

Comment 5 Yusuke Suzuki 2022-12-16 13:05:57 PST

Dupe to bug 249418, just feature is not implemented yet (that's why `useWebAssemblySIMD` is not enabled), and now implemented.

*** This bug has been marked as a duplicate of bug 249418 ***