[Webkit-unassigned] [Bug 266167] New: [Wasm-GC] Fix returned reference in br_on_null in LLInt/B3

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Dec 9 23:01:22 PST 2023


https://bugs.webkit.org/show_bug.cgi?id=266167

            Bug ID: 266167
           Summary: [Wasm-GC] Fix returned reference in br_on_null in
                    LLInt/B3
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: asumu at igalia.com

The following test case using `br_on_null` crashes on some tiers:

```
//@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true")

import * as assert from "../assert.js";
import { compile, instantiate } from "./wast-wrapper.js";

instantiate(`
(module
  (type (struct (field i32)))
  (func (export "f")
    (block
      (struct.new 0 (i32.const 42))
      (br_on_null 0)
      (struct.get 0 0)
      drop
      ))
)
`).exports.f();
```

It works fine in BBQJIT, but seems to have issues in LLInt (possibly OMG). The problem is the returned reference on a non-taken branch case is not handled quite right.

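The stack behaviour the report refers to, as an added example that is not part of the original report or of JavaScriptCore: a small JavaScript model of the reported block, following the WebAssembly rule that `br_on_null` pushes the same reference back, now typed non-null, when the branch is not taken. The instruction tuples and the names `runBlock`, `REPORTED_BODY` and `NULL_BODY` are assumptions made for illustration.

```javascript
// Added illustration: a model of spec-level stack behaviour, not JavaScriptCore code.
// Instruction tuples and all names here are assumptions made for this example.
function runBlock(body) {
  const stack = [];
  const trace = [];
  for (const [op, arg] of body) {
    switch (op) {
      case "i32.const":
        stack.push(arg);
        break;
      case "ref.null":
        stack.push(null);
        break;
      case "struct.new": // one-field struct, field value taken from the stack
        stack.push({ fields: [stack.pop()] });
        break;
      case "br_on_null": {
        const ref = stack.pop();
        if (ref === null) {
          trace.push("branch taken");
          return { trace, depth: stack.length }; // leaves the block, ref consumed
        }
        stack.push(ref); // not taken: the same reference is returned, now non-null
        trace.push("fall through");
        break;
      }
      case "struct.get": {
        const ref = stack.pop();
        if (ref === null || typeof ref !== "object") {
          throw new Error("trap: struct.get did not receive a struct reference");
        }
        stack.push(ref.fields[arg]);
        trace.push(`struct.get -> ${ref.fields[arg]}`);
        break;
      }
      case "drop":
        stack.pop();
        break;
      default:
        throw new Error(`unmodelled instruction: ${op}`);
    }
  }
  return { trace, depth: stack.length };
}

// The block from the report, and a constructed variant that takes the branch.
const REPORTED_BODY = [["i32.const", 42], ["struct.new"], ["br_on_null", 0], ["struct.get", 0], ["drop"]];
const NULL_BODY = [["ref.null"], ["br_on_null", 0], ["struct.get", 0], ["drop"]];

console.log(runBlock(REPORTED_BODY), runBlock(NULL_BODY));
```

In this model the reported block falls through, reads 42 from the struct and ends with an empty stack; a tier that fails to hand the reference back after the non-taken branch leaves `struct.get` without a valid operand.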