Bug 263965

Summary: Concurrency bug in WebAssembly LLInt compilation
Product: WebKit
Reporter: Ian Grunert <ian.grunert>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: NEW ---
Severity: Normal
CC: Hironori.Fujii, justin_michaud, keith_miller, mark.lam, max, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Other
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=267686
Attachments (description, flags):
Stack trace (flags: none)
workaround patch (flags: none)
WIP patch (flags: none)
WIP patch (flags: justin_michaud: review+)

Description Ian Grunert 2023-10-31 07:25:25 PDT
On Windows, I reliably hit a heap corruption error on the release build when running the async clock yew wasm example (https://examples.yew.rs/async_clock/). The heap corruption is discovered when resizing a vector for the microtasks queue.

It looks like it's a concurrency bug in WebAssembly LLInt compilation, which triggers on my machine because it has 16 cores / 24 threads. It doesn't happen if I reduce the numberOfWasmCompilerThreads in OptionsList.h. Might be something in WebAssembly LLInt compilation using a shared Vector without a lock. I suspect this isn't a Windows specific issue and may impact all platforms.
Comment 1 Ian Grunert 2023-10-31 09:26:47 PDT
Created attachment 468427 [details]
Stack trace
Comment 2 Radar WebKit Bug Importer 2023-11-07 06:26:13 PST
<rdar://problem/118054777>
Comment 3 Ian Grunert 2023-12-12 18:29:20 PST
I spent some time looking at this today. On a release build, I was able to repro this even with a single wasm compiler thread.

With the logging enabled for WasmEntryPlan and WasmWorklist, on a single thread it was able to complete wasm compilation - crashed afterwards with the same stack trace as before.

Couldn't repro on Gnome Web running under WSL. No problems running JetStream2, I wonder if it's something to do with the number of functions involved (520).
Comment 4 Fujii Hironori 2023-12-13 17:37:50 PST
Created attachment 469029 [details]
workaround patch
Comment 5 Fujii Hironori 2023-12-13 20:54:16 PST
Created attachment 469035 [details]
WIP patch
Comment 6 Fujii Hironori 2023-12-14 15:58:16 PST
Created attachment 469050 [details]
WIP patch
Comment 7 Justin Michaud 2023-12-14 16:01:32 PST
@Fujii Hironori Nice catch! r=me
Comment 8 Fujii Hironori 2023-12-14 17:06:55 PST
I'm not confident this is clang's bug. This might be a JSC bug. JSC may break callee saved registers.