[Webkit-unassigned] [Bug 265742] New: [Wasm-GC] BBQJIT crashes compiling Wasm GC program with ASSERTION FAILED: !currentLocation.isRegister()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Dec 2 20:10:03 PST 2023 

https://bugs.webkit.org/show_bug.cgi?id=265742

            Bug ID: 265742
           Summary: [Wasm-GC] BBQJIT crashes compiling Wasm GC program
                    with ASSERTION FAILED: !currentLocation.isRegister()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: asumu at igalia.com

The following program fails to compile in debug mode on BBQJIT:

```
//@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true")

import * as assert from "../assert.js";
import { compile, instantiate } from "./wast-wrapper.js";

instantiate(`
  (module
    (type (struct (field (mut i32))))
    (func (result i32)
      (local $5 i32)
      (local $11 i32)
      (local $19 (ref 0))
      (local $21 (ref 0))
      (local $22 i32)
      (local.set $19 (struct.new_default 0))
      (block (result i32)
        ;;(call ...)
        ;;(local.set ...)
        (block (result i32)
          (block (result i32)
            (local.get $19)
            (struct.get 0 0)
            (local.get $5)
            i32.eq
            if (result i32)
              (local.get $19)
              (local.get $11)
              (struct.set 0 0)
              (local.get $19)
              (local.set $21)
              (local.get $21)
              (struct.get 0 0)
              (local.set $22)
              (local.get $21)
              (block (result i32)
                (local.get $22)
                (i32.const 1)
                i32.add
                (br 0))
              (struct.set 0 0)
              (i32.const 1)
            else
              (i32.const 0)
            end)))))
`);
```

Assuming this is in `JSTests/wasm/gc`. Run as `run-jsc --debug --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true --jsc-only --useWasmLLInt=false -m bbq.js`

It crashes with an error like this:

```
ASSERTION FAILED: !currentLocation.isRegister()
/home/asumu/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp(9896) : JSC::Wasm::BBQJIT::Location JSC::Wasm::BBQJIT::bind(Value, Location)
Aborted (core dumped)
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20231203/53160bac/attachment.htm>

More information about the webkit-unassigned mailing list