Bug 263965 - Concurrency bug in WebAssembly LLInt compilation
Summary: Concurrency bug in WebAssembly LLInt compilation
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2023-10-31 07:25 PDT by Ian Grunert
Modified: 2024-02-20 03:13 PST
CC: 6 users

See Also:


Attachments
Stack trace (3.92 KB, text/plain), 2023-10-31 09:26 PDT, Ian Grunert, no flags
workaround patch (839 bytes, patch), 2023-12-13 17:37 PST, Fujii Hironori, no flags
WIP patch (560 bytes, patch), 2023-12-13 20:54 PST, Fujii Hironori, no flags
WIP patch (1.05 KB, patch), 2023-12-14 15:58 PST, Fujii Hironori, justin_michaud: review+

Description Ian Grunert 2023-10-31 07:25:25 PDT
On Windows, I reliably hit a heap corruption error on the release build when running the async clock yew wasm example (https://examples.yew.rs/async_clock/). The heap corruption is discovered when resizing a vector for the microtasks queue.

It looks like it's a concurrency bug in WebAssembly LLInt compilation, which triggers on my machine because it has 16 cores / 24 threads. It doesn't happen if I reduce the numberOfWasmCompilerThreads in OptionsList.h. Might be something in WebAssembly LLInt compilation using a shared Vector without a lock. I suspect this isn't a Windows-specific issue and may impact all platforms.
Comment 1 Ian Grunert 2023-10-31 09:26:47 PDT
Created attachment 468427
Stack trace
Comment 2 Radar WebKit Bug Importer 2023-11-07 06:26:13 PST
<rdar://problem/118054777>
Comment 3 Ian Grunert 2023-12-12 18:29:20 PST
I spent some time looking at this today. On a release build, I was able to repro this even with a single wasm compiler thread.

With the logging enabled for WasmEntryPlan and WasmWorklist, on a single thread it was able to complete wasm compilation - crashed afterwards with the same stack trace as before.

Couldn't repro on Gnome Web running under WSL. No problems running JetStream2, I wonder if it's something to do with the number of functions involved (520).
Comment 4 Fujii Hironori 2023-12-13 17:37:50 PST
Created attachment 469029
workaround patch
Comment 5 Fujii Hironori 2023-12-13 20:54:16 PST
Created attachment 469035
WIP patch
Comment 6 Fujii Hironori 2023-12-14 15:58:16 PST
Created attachment 469050
WIP patch
Comment 7 Justin Michaud 2023-12-14 16:01:32 PST
@Fujii Hironori Nice catch! r=me
Comment 8 Fujii Hironori 2023-12-14 17:06:55 PST
I'm not confident this is clang's bug. This might be a JSC bug. JSC may break callee-saved registers.