oven-sh
diff --git a/‎Source/WTF/wtf/RunLoop.h‎
Lines changed: 2 additions & 1 deletion b/‎Source/WTF/wtf/RunLoop.h‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎Ziit‎
Lines changed: 1 addition & 0 deletions b/‎Ziit‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎build.log‎
Lines changed: 53 additions & 0 deletions b/‎build.log‎
Lines changed: 53 additions & 0 deletions
diff --git a/‎test-ipint-with-file.js‎
Lines changed: 123 additions & 0 deletions b/‎test-ipint-with-file.js‎
Lines changed: 123 additions & 0 deletions
diff --git a/‎test-wasm-crash-loader.js‎
Lines changed: 142 additions & 0 deletions b/‎test-wasm-crash-loader.js‎
Lines changed: 142 additions & 0 deletions
@@ -43,6 +43,7 @@
 #include <wtf/Threading.h>
 #include <wtf/ThreadingPrimitives.h>
 #include <wtf/TypeTraits.h>
+#include <wtf/Variant.h>
 #include <wtf/WeakHashSet.h>
 #include <wtf/text/WTFString.h>
 
@@ -230,7 +231,7 @@ class WTF_CAPABILITY("is current") RunLoop final : public GuaranteedSerialFuncti
         // VirtualMachine.is_bundler_thread_for_bytecode_cache is true. In that case we use a
         // special tag.
         enum NullWTFTimerTag { NullWTFTimer };
-        std::variant<Ref<ScheduledTask>, std::reference_wrapper<Bun__WTFTimer>, NullWTFTimerTag> m_impl;
+        Variant<Ref<ScheduledTask>, std::reference_wrapper<Bun__WTFTimer>, NullWTFTimerTag> m_impl;
 #endif
     };
 
 
@@ -0,0 +1 @@
+Subproject commit 521e39dcb6052606563da529ff8b11459d798438
@@ -0,0 +1,53 @@
+Building JSC with configuration: debug
+Build directory: /home/claude/webkit/WebKitBuild/Debug
+Using ccache for faster builds: /usr/bin/ccache
+
+📦 Configuring with CMake...
+Running: cmake -DPORT=JSCOnly -DENABLE_STATIC_JSC=ON -DALLOW_LINE_AND_COLUMN_NUMBER_IN_BUILTINS=ON -DUSE_THIN_ARCHIVES=OFF -DUSE_BUN_JSC_ADDITIONS=ON -DUSE_BUN_EVENT_LOOP=ON -DENABLE_FTL_JIT=ON -G Ninja -DCMAKE_C_COMPILER_LAUNCHER=/usr/bin/ccache -DCMAKE_CXX_COMPILER_LAUNCHER=/usr/bin/ccache -DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DJSEXPORT_PRIVATE=WTF_EXPORT_DECLARATION -DUSE_VISIBILITY_ATTRIBUTE=1 -DENABLE_REMOTE_INSPECTOR=ON -DCMAKE_BUILD_TYPE=Debug -DENABLE_BUN_SKIP_FAILING_ASSERTIONS=ON -DCMAKE_EXPORT_COMPILE_COMMANDS=ON -DENABLE_REMOTE_INSPECTOR=ON -DUSE_VISIBILITY_ATTRIBUTE=1 -DENABLE_SANITIZERS=address /home/claude/webkit /home/claude/webkit/WebKitBuild/Debug
+-- The CMake build type is: Debug
+-- Enabling ccache: Setting ccache prefix for compiler.
+-- Linker variant in use: BFD 
+--   Linker supports thin archives - TRUE
+--   Linker supports split debug info - TRUE
+--   Linker supports --gdb-index - FALSE
+--   Linker supports --disable-new-dtags - TRUE
+--   Linker supports --gc-sections - TRUE
+-- Archiver variant in use: LLVM
+--   Archiver supports thin archives - TRUE
+-- C++ standard library in use: GLIBCXX
+--   Assertions enabled, _GLIBCXX_ASSERTIONS=1
+-- Disabling USE_SKIA_ENCODERS since USE_SKIA is disabled.
+-- Using platform-specific CMakeLists: /home/claude/webkit/Source/bmalloc/PlatformJSCOnly.cmake
+-- Using platform-specific CMakeLists: /home/claude/webkit/Source/WTF/wtf/PlatformJSCOnly.cmake
+-- Copying generate-unified-source-bundles.rb to: /home/claude/webkit/WebKitBuild/Debug/WTF/Scripts
+-- Using platform-specific CMakeLists: /home/claude/webkit/Source/JavaScriptCore/PlatformJSCOnly.cmake
+-- Using source list file: Sources.txt
+-- Using source list file: inspector/remote/SourcesSocket.txt
+-- Platform-specific CMakeLists not found: /home/claude/webkit/Source/JavaScriptCore/shell/PlatformJSCOnly.cmake
+-- Platform-specific CMakeLists not found: /home/claude/webkit/Source/ThirdParty/gtest/PlatformJSCOnly.cmake
+-- Platform-specific CMakeLists not found: /home/claude/webkit/Source/PlatformJSCOnly.cmake
+-- Platform-specific CMakeLists not found: /home/claude/webkit/Tools/PlatformJSCOnly.cmake
+-- Using platform-specific CMakeLists: /home/claude/webkit/Tools/TestWebKitAPI/PlatformJSCOnly.cmake
+-- Enabled features:
+--  ALLOW_LINE_AND_COLUMN_NUMBER_IN_BUILTINS ...... ON
+--  ENABLE_BUN_SKIP_FAILING_ASSERTIONS              ON
+--  ENABLE_JSC_GLIB_API ........................... OFF
+--  ENABLE_STATIC_JSC                               ON
+--  USE_BUN_JSC_ADDITIONS ......................... 1
+--  USE_LIBBACKTRACE                                OFF
+-- Configuring done (0.4s)
+-- Generating done (0.3s)
+-- Build files have been written to: /home/claude/webkit/WebKitBuild/Debug
+
+🔨 Building JSC...
+Running: cmake --build /home/claude/webkit/WebKitBuild/Debug --config Debug --target jsc
+[1/1204] Building CXX object Source/JavaScriptCore/CMakeFiles/LLIntOffsetsExtractor.dir/llint/LLIntOffsetsExtractor.cpp.o
+FAILED: Source/JavaScriptCore/CMakeFiles/LLIntOffsetsExtractor.dir/llint/LLIntOffsetsExtractor.cpp.o 
+/usr/bin/ccache /usr/bin/clang++ -DBUILDING_JSCONLY__ -DBUILDING_LLIntOffsetsExtractor -DBUILDING_WEBKIT=1 -DBUILDING_WITH_CMAKE=1 -DHAVE_CONFIG_H=1 -DPAS_BMALLOC=1 -DSTATICALLY_LINKED_WITH_WTF -DSTATICALLY_LINKED_WITH_bmalloc -D_GLIBCXX_ASSERTIONS=1 -I/home/claude/webkit/WebKitBuild/Debug/JavaScriptCore/Headers -I/home/claude/webkit/WebKitBuild/Debug -I/home/claude/webkit/Source/JavaScriptCore -I/home/claude/webkit/Source/JavaScriptCore/API -I/home/claude/webkit/Source/JavaScriptCore/assembler -I/home/claude/webkit/Source/JavaScriptCore/b3 -I/home/claude/webkit/Source/JavaScriptCore/b3/air -I/home/claude/webkit/Source/JavaScriptCore/bindings -I/home/claude/webkit/Source/JavaScriptCore/builtins -I/home/claude/webkit/Source/JavaScriptCore/bytecode -I/home/claude/webkit/Source/JavaScriptCore/bytecompiler -I/home/claude/webkit/Source/JavaScriptCore/dfg -I/home/claude/webkit/Source/JavaScriptCore/disassembler -I/home/claude/webkit/Source/JavaScriptCore/disassembler/ARM64 -I/home/claude/webkit/Source/JavaScriptCore/disassembler/zydis -I/home/claude/webkit/Source/JavaScriptCore/domjit -I/home/claude/webkit/Source/JavaScriptCore/ftl -I/home/claude/webkit/Source/JavaScriptCore/fuzzilli -I/home/claude/webkit/Source/JavaScriptCore/heap -I/home/claude/webkit/Source/JavaScriptCore/debugger -I/home/claude/webkit/Source/JavaScriptCore/inspector -I/home/claude/webkit/Source/JavaScriptCore/inspector/agents -I/home/claude/webkit/Source/JavaScriptCore/inspector/augmentable -I/home/claude/webkit/Source/JavaScriptCore/inspector/remote -I/home/claude/webkit/Source/JavaScriptCore/interpreter -I/home/claude/webkit/Source/JavaScriptCore/jit -I/home/claude/webkit/Source/JavaScriptCore/llint -I/home/claude/webkit/Source/JavaScriptCore/parser -I/home/claude/webkit/Source/JavaScriptCore/profiler -I/home/claude/webkit/Source/JavaScriptCore/runtime -I/home/claude/webkit/Source/JavaScriptCore/tools -I/home/claude/webkit/Source/JavaScriptCore/wasm -I/home/claude/webkit/Source/JavaScriptCore/wasm/js -I/home/claude/webkit/Source/JavaScriptCore/yarr -I/home/claude/webkit/WebKitBuild/Debug/JavaScriptCore/DerivedSources -I/home/claude/webkit/WebKitBuild/Debug/JavaScriptCore/DerivedSources/inspector -I/home/claude/webkit/WebKitBuild/Debug/JavaScriptCore/DerivedSources/runtime -I/home/claude/webkit/WebKitBuild/Debug/JavaScriptCore/DerivedSources/yarr -I/home/claude/webkit/Source/JavaScriptCore/inspector/remote/socket -I/home/claude/webkit/WebKitBuild/Debug/WTF/Headers -I/home/claude/webkit/WebKitBuild/Debug/bmalloc/Headers -fno-omit-frame-pointer -fno-optimize-sibling-calls -fdiagnostics-color=always -fcolor-diagnostics -Wextra -Wall -Wl,-u,_WTFTimer__cancel -Wl,-u,_WTFTimer__secondsUntilTimer -Wl,-u,_WTFTimer__isActive -Wl,-u,_WTFTimer__deinit -Wl,-u,_WTFTimer__update -Wl,-u,_WTFTimer__create -pipe -Wno-noexcept-type -Wno-psabi -Wno-misleading-indentation -Wno-parentheses-equality -Qunused-arguments -Wundef -Wpointer-arith -Wmissing-format-attribute -Wformat-security -Wcast-align -Wno-tautological-compare -fasynchronous-unwind-tables -fdebug-types-section -fno-strict-aliasing -fno-exceptions -fno-rtti -fcoroutines -fsanitize=address  -ffunction-sections -fdata-sections -g -std=c++23 -fPIE -fvisibility=hidden -fvisibility-inlines-hidden -MD -MT Source/JavaScriptCore/CMakeFiles/LLIntOffsetsExtractor.dir/llint/LLIntOffsetsExtractor.cpp.o -MF Source/JavaScriptCore/CMakeFiles/LLIntOffsetsExtractor.dir/llint/LLIntOffsetsExtractor.cpp.o.d -o Source/JavaScriptCore/CMakeFiles/LLIntOffsetsExtractor.dir/llint/LLIntOffsetsExtractor.cpp.o -c /home/claude/webkit/Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp
+In file included from /home/claude/webkit/Source/JavaScriptCore/llint/LLIntOffsetsExtractor.cpp:65:
+/home/claude/webkit/Source/JavaScriptCore/interpreter/ProtoCallFrame.h:28:10: fatal error: 'JavaScriptCore/CodeBlock.h' file not found
+   28 | #include <JavaScriptCore/CodeBlock.h>
+      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
+1 error generated.
+ninja: build stopped: subcommand failed.
+Command failed with exit code 1
@@ -0,0 +1,123 @@
+// Test WebAssembly IPInt crash with pre-compiled WASM file
+// Run with: ASAN_OPTIONS=detect_leaks=0 ./WebKitBuild/Debug/bin/jsc test-ipint-with-file.js
+
+print("=== WebAssembly IPInt Crash Test ===");
+print("Testing with compiled WASM file");
+
+// Read binary file in JSC
+// Since JSC doesn't have native file reading, we'll use a trick with $262
+// or embed the bytes directly
+
+// The WASM bytes from our compiled test-wasm-ipint-crash.wasm file
+const wasmBytes = new Uint8Array([
+  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, 0x01, 0x0a, 0x02, 0x60,
+  0x01, 0x7f, 0x01, 0x7f, 0x60, 0x00, 0x01, 0x7f, 0x03, 0x06, 0x05, 0x00,
+  0x00, 0x00, 0x00, 0x01, 0x04, 0x04, 0x01, 0x70, 0x00, 0x0a, 0x05, 0x04,
+  0x01, 0x01, 0x01, 0x64, 0x07, 0x1d, 0x02, 0x0b, 0x73, 0x74, 0x72, 0x65,
+  0x73, 0x73, 0x5f, 0x74, 0x65, 0x73, 0x74, 0x00, 0x03, 0x0b, 0x73, 0x69,
+  0x6d, 0x70, 0x6c, 0x65, 0x5f, 0x74, 0x65, 0x73, 0x74, 0x00, 0x04, 0x09,
+  0x09, 0x01, 0x00, 0x41, 0x00, 0x0b, 0x03, 0x00, 0x01, 0x02, 0x0a, 0xa9,
+  0x01, 0x05, 0x36, 0x01, 0x02, 0x7f, 0x20, 0x00, 0x45, 0x04, 0x40, 0x41,
+  0x2a, 0x0f, 0x0b, 0x20, 0x00, 0x41, 0x04, 0x6c, 0x21, 0x01, 0x20, 0x01,
+  0x41, 0x80, 0x80, 0x04, 0x49, 0x04, 0x40, 0x20, 0x01, 0x20, 0x00, 0x36,
+  0x02, 0x00, 0x20, 0x01, 0x28, 0x02, 0x00, 0x21, 0x02, 0x0b, 0x20, 0x00,
+  0x41, 0x01, 0x6b, 0x10, 0x00, 0x20, 0x02, 0x6a, 0x0b, 0x1f, 0x01, 0x01,
+  0x7f, 0x20, 0x00, 0x45, 0x04, 0x40, 0x41, 0xe4, 0x00, 0x0f, 0x0b, 0x20,
+  0x00, 0x41, 0x03, 0x70, 0x21, 0x01, 0x20, 0x00, 0x41, 0x01, 0x6b, 0x20,
+  0x01, 0x11, 0x00, 0x00, 0x0b, 0x26, 0x00, 0x20, 0x00, 0x45, 0x04, 0x7f,
+  0x41, 0xc8, 0x01, 0x05, 0x20, 0x00, 0x41, 0x02, 0x70, 0x04, 0x7f, 0x20,
+  0x00, 0x41, 0x01, 0x6b, 0x10, 0x00, 0x05, 0x20, 0x00, 0x41, 0x01, 0x6b,
+  0x41, 0x00, 0x11, 0x00, 0x00, 0x0b, 0x0b, 0x0b, 0x21, 0x01, 0x02, 0x7f,
+  0x03, 0x40, 0x20, 0x02, 0x41, 0xe8, 0x07, 0x10, 0x01, 0x6a, 0x21, 0x02,
+  0x20, 0x01, 0x41, 0x01, 0x6a, 0x21, 0x01, 0x20, 0x01, 0x20, 0x00, 0x49,
+  0x0d, 0x00, 0x0b, 0x20, 0x02, 0x0b, 0x07, 0x00, 0x41, 0xe4, 0x00, 0x10,
+  0x00, 0x0b
+]);
+
+function runTest() {
+    try {
+        print("\n1. Creating WebAssembly module from bytes...");
+        const module = new WebAssembly.Module(wasmBytes);
+        print("   Module created successfully");
+        
+        print("\n2. Instantiating module...");
+        const instance = new WebAssembly.Instance(module);
+        print("   Instance created successfully");
+        
+        const exports = instance.exports;
+        print("   Exports available: " + Object.keys(exports).join(", "));
+        
+        print("\n3. Testing simple_test function...");
+        try {
+            const result = exports.simple_test();
+            print(`   Result: ${result}`);
+        } catch (e) {
+            print(`   ERROR in simple_test: ${e}`);
+            if (e.stack) print(e.stack);
+        }
+        
+        print("\n4. Testing stress_test with increasing iterations...");
+        for (let iterations of [1, 10, 100]) {
+            print(`   Testing with ${iterations} iterations...`);
+            try {
+                const result = exports.stress_test(iterations);
+                print(`   Result: ${result}`);
+            } catch (e) {
+                print(`   ERROR at ${iterations} iterations: ${e}`);
+                if (e.stack) {
+                    const stack = e.stack.toString();
+                    // Check if the crash is in wasm_trampoline_wasm_ipint_call
+                    if (stack.includes('wasm_trampoline') || stack.includes('ipint')) {
+                        print("   *** FOUND IPINT CRASH SIGNATURE ***");
+                    }
+                    print("   Stack trace:");
+                    print(stack);
+                }
+                break;
+            }
+        }
+        
+        print("\n5. Testing rapid repeated calls...");
+        const rapidIterations = 10000;
+        let successCount = 0;
+        let lastError = null;
+        
+        for (let i = 0; i < rapidIterations; i++) {
+            try {
+                exports.simple_test();
+                successCount++;
+                
+                if (i % 1000 === 0 && i > 0) {
+                    print(`   Progress: ${i}/${rapidIterations} calls completed`);
+                }
+            } catch (e) {
+                lastError = e;
+                print(`   ERROR at call ${i}: ${e}`);
+                break;
+            }
+        }
+        
+        print(`   Completed ${successCount}/${rapidIterations} calls`);
+        if (lastError) {
+            print(`   Last error: ${lastError}`);
+        }
+        
+        print("\n=== Test completed ===");
+        
+    } catch (e) {
+        print(`\nFATAL ERROR: ${e}`);
+        if (e.stack) {
+            print("Stack trace:");
+            print(e.stack);
+        }
+    }
+}
+
+// Check WebAssembly support
+if (typeof WebAssembly === 'undefined') {
+    print("ERROR: WebAssembly is not available");
+} else {
+    print("WebAssembly support detected");
+    print(`IPInt should be enabled by default (useWasmIPInt=true)`);
+    runTest();
+}
@@ -0,0 +1,142 @@
+// Load and test the WebAssembly module in JSC
+// Run with: ./WebKitBuild/Debug/bin/jsc test-wasm-crash-loader.js
+
+print("Loading WebAssembly module for crash reproduction test...");
+
+// Read the wasm binary file
+function loadWasmFile(path) {
+    // In JSC shell, we need to read binary data differently
+    // We'll embed the compiled wasm bytes directly
+    
+    // This is the actual WASM binary compiled from test-wasm-ipint-crash.wat
+    // We'll use a simpler test module for now
+    const wasmModule = new WebAssembly.Module(new Uint8Array([
+        // WASM Magic number and version
+        0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,
+        
+        // Type section (1 type)
+        0x01, 0x07, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,  // (func (param i32) (result i32))
+        
+        // Function section (1 function)
+        0x03, 0x02, 0x01, 0x00,
+        
+        // Table section (1 table with 2 funcref)
+        0x04, 0x05, 0x01, 0x70, 0x00, 0x02,
+        
+        // Memory section (1 page)
+        0x05, 0x03, 0x01, 0x00, 0x01,
+        
+        // Export section (export "test")
+        0x07, 0x08, 0x01, 0x04, 0x74, 0x65, 0x73, 0x74, 0x00, 0x00,
+        
+        // Element section (initialize table with function 0)
+        0x09, 0x09, 0x01, 0x00, 0x41, 0x00, 0x0b, 0x02, 0x00, 0x00,
+        
+        // Code section
+        0x0a, 0x2b, 0x01, 0x29, 0x01, 0x01, 0x7f,
+        // Function body with recursive call and indirect call
+        0x20, 0x00,        // local.get 0
+        0x45,              // i32.eqz
+        0x04, 0x40,        // if
+        0x41, 0x01,        // i32.const 1
+        0x0f,              // return
+        0x0b,              // end
+        // Store to memory to trigger potential bounds issues
+        0x20, 0x00,        // local.get 0
+        0x41, 0x04,        // i32.const 4
+        0x6c,              // i32.mul
+        0x21, 0x01,        // local.set 1
+        0x20, 0x01,        // local.get 1
+        0x20, 0x00,        // local.get 0
+        0x36, 0x02, 0x00,  // i32.store offset=0
+        // Indirect call through table
+        0x20, 0x00,        // local.get 0
+        0x41, 0x01,        // i32.const 1
+        0x6b,              // i32.sub
+        0x41, 0x00,        // i32.const 0 (table index)
+        0x11, 0x00, 0x00,  // call_indirect type 0
+        0x0b               // end
+    ]));
+    
+    return wasmModule;
+}
+
+function runTests() {
+    try {
+        print("\n=== Creating WebAssembly module ===");
+        const module = loadWasmFile();
+        
+        print("=== Instantiating module ===");
+        const instance = new WebAssembly.Instance(module);
+        
+        print("=== Running tests ===");
+        
+        // Test 1: Small recursion depth
+        print("\nTest 1: Small recursion (depth=10)");
+        try {
+            const result = instance.exports.test(10);
+            print(`  Result: ${result}`);
+        } catch (e) {
+            print(`  Error: ${e}`);
+        }
+        
+        // Test 2: Medium recursion depth
+        print("\nTest 2: Medium recursion (depth=100)");
+        try {
+            const result = instance.exports.test(100);
+            print(`  Result: ${result}`);
+        } catch (e) {
+            print(`  Error: ${e}`);
+        }
+        
+        // Test 3: Deep recursion (potential stack overflow)
+        print("\nTest 3: Deep recursion (depth=1000)");
+        try {
+            const result = instance.exports.test(1000);
+            print(`  Result: ${result}`);
+        } catch (e) {
+            print(`  Error: ${e}`);
+        }
+        
+        // Test 4: Very deep recursion
+        print("\nTest 4: Very deep recursion (depth=10000)");
+        try {
+            const result = instance.exports.test(10000);
+            print(`  Result: ${result}`);
+        } catch (e) {
+            print(`  Error: ${e}`);
+        }
+        
+        // Test 5: Rapid repeated calls
+        print("\nTest 5: Rapid repeated calls (1000 iterations)");
+        let successCount = 0;
+        for (let i = 0; i < 1000; i++) {
+            try {
+                instance.exports.test(50);
+                successCount++;
+            } catch (e) {
+                print(`  Failed at iteration ${i}: ${e}`);
+                break;
+            }
+        }
+        print(`  Completed ${successCount}/1000 calls`);
+        
+        print("\n=== All tests completed ===");
+        
+    } catch (e) {
+        print(`\nFATAL ERROR: ${e}`);
+        if (e.stack) {
+            print("Stack trace:");
+            print(e.stack);
+        }
+    }
+}
+
+// Check for WebAssembly support
+if (typeof WebAssembly === 'undefined') {
+    print("ERROR: WebAssembly is not available in this environment");
+} else {
+    print("WebAssembly is available");
+    print("Starting tests...");
+    runTests();
+}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Subproject commit 521e39dcb6052606563da529ff8b11459d798438`