Isolate the Chrome crash #26

adamziel · 2022-10-03T03:15:18Z

What problem does this PR solve?

This PR provides a minimal reproducible Chrome crash scenario:

console.log( '[WebWorker] Spawned' );

const wasmTable = new WebAssembly.Table( {
	initial: 6743,
	maximum: 6743,
	element: 'anyfunc',
} );
const WASM_PAGE_SIZE = 65536;
const INITIAL_INITIAL_MEMORY = 1073741824;
const wasmMemory = new WebAssembly.Memory( {
	initial: INITIAL_INITIAL_MEMORY / WASM_PAGE_SIZE,
} );

const noop = function()	{};
const info = {
	env: {
		// System functions – they must be provided but don't have to be implemented to cause the crash.
		I: noop, vb: noop, ub: noop, tb: noop, sb: noop, r: noop, rb: noop, qb: noop, pb: noop, ob: noop, oa: noop, nb: noop, mb: noop, lb: noop, kb: noop, jb: noop, na: noop, ib: noop, hb: noop, gb: noop, u: noop, y: noop, D: noop, ma: noop, fb: noop, eb: noop, la: noop, db: noop, cb: noop, q: noop, bb: noop, ab: noop, $a: noop, _a: noop, Za: noop, Ya: noop, Xa: noop, Wa: noop, Va: noop, Y: noop, ka: noop, Ua: noop, Ta: noop, Sa: noop, Ra: noop, Qa: noop, Pa: noop, Oa: noop, Na: noop, H: noop, ja: noop, Ma: noop, xb: noop, La: noop, ia: noop, G: noop, ha: noop, Ka: noop, Ja: noop, Ia: noop, Ha: noop, A: noop, t: noop, F: noop, w: noop, C: noop, Fa: noop, B: noop, Ea: noop, Da: noop, Ca: noop, E: noop, ga: noop, Ba: noop, fa: noop, za: noop, ya: noop, n: noop, ea: noop, da: noop, ca: noop, xa: noop, wa: noop, va: noop, ba: noop, Fb: noop, l: noop, N: noop, ua: noop, wb: noop, X: noop, Eb: noop, W: noop, aa: noop, ta: noop, M: noop, b: noop, $: noop, V: noop, L: noop, U: noop, m: noop, Db: noop, Cb: noop, Bb: noop, z: noop, T: noop, sa: noop, K: noop, k: noop, S: noop, s: noop, J: noop, Ab: noop, zb: noop, R: noop, _: noop, yb: noop, Q: noop, e: noop, Z: noop, ra: noop, qa: noop, P: noop, pa: noop, h: noop, a: noop, O: noop, f: noop, j: noop, g: noop, x: noop, Ga: noop, Aa: noop, Gb: noop, i: noop, d: noop, o: noop, v: noop, p: noop, c: noop, __memory_base: 1024,
		__table_base: 0,
		memory: wasmMemory,
		table: wasmTable,
	},
	global: { NaN, Infinity },
	asm2wasm: {
		'f64-rem'() {},
	},
};
fetch( 'webworker-php.wasm' ).then( async ( response ) => {
	WebAssembly.instantiate(
		await response.arrayBuffer(),
		info,
	);
} );

console.log( 'Called instantiateStreaming', { info } );

It's not meant to be merged. It's meant to enable you, the reader, to clone and help.

How to help?

Think of a way to make it not crash :-)

The progress and the latest findings can be tracked in #1 (comment)

…st WPBrowser in web worker

…l load

…instantiated now! It must be about streaming

…Streaming info

…cting and do not cause the crash

…cause the crash

…e the crash

…_strpprintf $_zend_strpprintf_unchecked

…_interface $_zend_binop_error $_instanceof_function_slow

…$_zend_stack_is_empty $_zend_vspprintf $_zend_vstrpprintf

…rty_name_ex $_zend_is_true $_zend_deprecated_function

…$_zend_update_property_ex

…nd_hash_str_find

…emove $__zend_hash_index_find $_zend_undefined_offset $_zend_undefined_index $_zend_illegal_string_offset $_zend_use_resource_as_offset $_zend_illegal_offset $_zval_undefined_cv $_zend_copy_extra_args $_dummy_encoding_name_getter $_dummy_encoding_lexer_compatibility_checker $_dummy_encoding_detector $_dummy_internal_encoding_getter $abort $_zend_observer_error_notify

…$_zend_multibyte_get_encoding_name $_zend_multibyte_check_lexer_compatibility $_zend_multibyte_encoding_detector $_zend_multibyte_get_internal_encoding $_zend_error_va $_d2b $_diff $_quorem $_Balloc $_Bfree $_zend_hex_strtod $_zend_oct_strtod $_zend_bin_strtod $_gc_remove_compressed $_zend_hash_func $_sigaction $_sigemptyset $_sigaddset $_sigprocmask $_zend_ast_create_zval_with_lineno $_zend_ast_create_zval_ex $_zend_ast_create_zval_from_str $_zend_ast_create_zval_from_long $_zend_ast_create_1 $_zend_ast_create_2 $_zend_ast_create_decl $_zend_ast_create_0 $_zend_ast_create_3 $_zend_ast_create_4 $_zend_ast_create_5 $_zend_ast_create_list_0 $_zend_ast_create_list_1 $_zend_ast_create_list_2 $_zend_ast_with_attributes $_zend_ptr_stack_init $_zend_ptr_stack_reverse_apply $_isupper $___shlim $_isspace $___toread $_isdigit $___lockfile $___unlockfile $_pop_arg $_fmt_o $_fmt_x $_fmt_u $_pthread_self $___towrite

…fer $_mult $_lshift $_zend_sigaction $_tolower $___uflow $_getint $___pthread_self_357 $___syscall_ret $___lock $___unlock $_llvm_bswap_i32 $___pthread_self_105 $___syscall91 $___fflush_unlocked $___syscall219 $_setTempRet0 $_emscripten_memcpy_big $___munmap $___madvise $_memcpy $_zend_hash_find $_zend_signal $_strncasecmp $___shgetc $_wcrtomb $_swapc $___ofl_lock $___ofl_unlock $__estrndup $_zend_string_concat3 $_resolve_class_name $_zend_string_concat2 $_memmove $_zend_set_timeout_ex $_zend_string_tolower_ex $_zval_get_string_func $_zend_array_dup $_pow5mult $_zend_ast_list_add $_zend_multibyte_set_filter $___intscan $_wctomb $___fwritex $___mo_lookup $___strdup $_zend_create_member_string $_zval_copy_ctor_func $_zend_strtod $_strtox_639

…onst $_zval_get_double_func $_get_active_function_or_method_name $_zend_get_callable_name_ex $_strtol

…__zendi_try_convert_scalar_to_number $_is_numeric_str_function $_strtoul $_out

…_arg_long_weak $_zend_parse_arg_double_weak $___lctrans_impl $___lctrans $___strerror_l

…zend_mm_gc $_zend_mm_panic $_strerror $_fprintf $_zend_mm_safe_error $_saveSetjmp $_zend_out_of_memory $_fwrite $_zend_mm_alloc_huge $_zend_mm_chunk_alloc_int $_zend_mm_mmap $___mmap $_zend_mm_del_huge_block $_zend_mm_free_pages $_zend_mm_realloc_huge $_zend_mm_realloc_slow $__efree_32 $__efree_48 $__efree $__erealloc $__erealloc2 $__safe_erealloc $___zend_realloc $_zend_file_context_end $_zend_reset_import_tables $_zend_hash_destroy $_zend_restore_compiled_filename $_zend_add_class_modifier

…ption $_zend_resolve_non_class_name $_zend_hash_find_ptr_lc $_zend_hash_str_find_ptr_lc $_zend_resolve_class_name $_zend_type_to_string_resolved $_zend_type_to_string

adamziel · 2022-10-11T21:55:58Z

Closing as this exploratory PR has fulfilled its purpose. #1 now contains the specific stack trace pinpointing the root cause of the problem (out of memory error) and #28 implements a workaround.

adamziel added 19 commits October 3, 2022 11:02

Reduced state and still crashing: No service worker, no messaging, ju…

5d20650

…st WPBrowser in web worker

Reduced state, still crashing: no PHP code execution after the initia…

1ebcd45

…l load

Further reduced state: No imports. Still crashing!

f4dbc74

Put the webworker code in setTimeout call – still crashing

665f1ae

Reduced state, no crashes, commented out new PHPWrapper() and php.init()

cc20d17

No crasehs: Restored new PHPWrapper( );

6c8c806

Crashes: Restored php.init() -> it's crashing again!

ba91296

Crashes: No default arguments to PhpBinary

848938a

Crashes: new PHP with ccall pib_init

df0b985

Crashes: new PHP without ccall

10f025e

Crashes: without document = {}

508e7db

Formatted webworker-php.js

523907c

Run prettier on webworker-php.js

0f067d3

Keeps crashing: Added early "return;" in run()!

fbc5928

Keeps crashing: ccall removed

b6bb7dc

Still crashing: Stripped more emscripten JS code

fde20c8

Keeps crashing: Removed receiveInstantiatedSource – WASM isn't being …

93569dc

…instantiated now! It must be about streaming

Keeps crashing: Stripped asm2wasm to an empty function in instantiate…

7ed1ffd

…Streaming info

Keeps crashing: Replaced all functions in info.env with empty functions

cddbdc9

adamziel mentioned this pull request Oct 3, 2022

WASM file crashes Google Chrome #1

Closed

adamziel added 3 commits October 3, 2022 14:28

Crash: Remove the system functions provided to wasm as they're distra…

0d333f2

…cting and do not cause the crash

Crashes: Remove stacktrace handling code as it distracts and doesn't …

bf68a6c

…cause the crash

Crashes: Remove FS handling code as it's distracting and doesn't caus…

2f5790f

…e the crash

adamziel changed the title ~~Debugging chrome crash~~ Isolate the indeterministic Chrome crash Oct 3, 2022

adamziel added 6 commits October 3, 2022 14:41

Crashes: Remove usleep and ATINIT

91208c6

Crashes: Remove UTF-8 handling code

34196e1

Crashes: Remove memory management code

aa03a39

Crashes: Remove unnecessary initialization code

71aa5db

Crashes: Remove dependency management

1568e2c

Crashes: Remove non-essential initialization code

6da983c

adamziel added 27 commits October 5, 2022 18:39

Crash: remove settimer

dbdbf50

Crash: remove $_zend_str_tolower_copy

e3443ce

Crash: remove f64-rem

cbf1d71

Crash: remove _zend_dval_to_lval_slow $_zend_get_type_by_const $_zend…

38d904b

…_strpprintf $_zend_strpprintf_unchecked

Crash: _zend_zval_type_name $_zend_type_error $_zend_class_implements…

22232df

…_interface $_zend_binop_error $_instanceof_function_slow

Crash: remove _zend_stack_init $_zend_stack_top $_zend_stack_del_top …

d44d2ae

…$_zend_stack_is_empty $_zend_vspprintf $_zend_vstrpprintf

Crash: remove _get_filename_lineno $_zend_error $_zend_unmangle_prope…

4739422

…rty_name_ex $_zend_is_true $_zend_deprecated_function

Remove $_zend_param_must_be_ref

a59c0dc

Remove $_zend_param_must_be_ref

a63969c

Crash: remove _gc_protect $__zend_bailout $_zend_parse_arg_bool_weak …

532e16a

…$_zend_update_property_ex

Crash: remove _zend_read_property_ex $_zend_is_iterable $_memcmp $_ze…

f97e119

…nd_hash_str_find

Crash: Removed functions $__is_numeric_string_ex $_zend_try_ct_eval_c…

e2cb34e

…onst $_zval_get_double_func $_get_active_function_or_method_name $_zend_get_callable_name_ex $_strtol

Crash: Removed functions $_zval_get_long_func $_zend_is_callable_ex $…

0d771e8

…__zendi_try_convert_scalar_to_number $_is_numeric_str_function $_strtoul $_out

Crash: Removed functions $_zend_binary_op_produces_error $_zend_parse…

6edd810

…_arg_long_weak $_zend_parse_arg_double_weak $___lctrans_impl $___lctrans $___strerror_l

Crash: Removed functions $_zend_add_member_modifier $_zend_throw_exce…

ff8d458

…ption $_zend_resolve_non_class_name $_zend_hash_find_ptr_lc $_zend_hash_str_find_ptr_lc $_zend_resolve_class_name $_zend_type_to_string_resolved $_zend_type_to_string

Tighten the max_updates check

3e2d2b4

Crash: Removed functions $_zendlex

718f0ac

Crash: $_zend_negate_num_string

3a85922

Crash: Remove call to $_lex_scan

9f438d2

Crash: Remove almost all function calls from _lex_scan

966cf5c

Crash: Remove ALL function calls from inside _lex_scan

6f569d3

Crash: remove all functions other than _lex_scan

18d3010

Crash: Remove unused imports

c95f094

adamziel closed this Oct 11, 2022

adamziel deleted the debugging-chrome-crash branch May 10, 2023 08:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Isolate the Chrome crash #26

Isolate the Chrome crash #26

adamziel commented Oct 3, 2022 •

edited

Loading

adamziel commented Oct 11, 2022

Isolate the Chrome crash #26

Isolate the Chrome crash #26

Conversation

adamziel commented Oct 3, 2022 • edited Loading

What problem does this PR solve?

How to help?

adamziel commented Oct 11, 2022

adamziel commented Oct 3, 2022 •

edited

Loading