[Webkit-unassigned] [Bug 268848] New: [Wasm-GC] Fix br_on_cast issue on BBQ

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=268848

            Bug ID: 268848
           Summary: [Wasm-GC] Fix br_on_cast issue on BBQ
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: asumu at igalia.com

There's a bug in the handling of `br_on_cast` on the BBQJIT tier. Test case:

```
diff --git a/JSTests/wasm/gc/br_on_cast.js b/JSTests/wasm/gc/br_on_cast.js
index dbf465442c6b..f62897236627 100644
--- a/JSTests/wasm/gc/br_on_cast.js
+++ b/JSTests/wasm/gc/br_on_cast.js
@@ -116,6 +116,22 @@ function testBrOnCast() {
     assert.eq(m.exports.f1(), 1);
     assert.eq(m.exports.f2(), 0);
   }
+
+  {
+    let m = instantiate(`
+      (module
+        (type (struct))
+        (type (struct (field (ref null 0))))
+        (global (ref 1) (struct.new 1 (struct.new 0)))
+        (func (export "f") (param) (result structref)
+          (block $exit (result structref)
+            (struct.get 1 0
+               (br_on_cast_fail $exit structref (ref 1)
+                 (global.get 0)))))
+      )
+    `);
+    m.exports.f();
+  }
 }

 testBrOnCastValidation();
```

The test runs fine in LLInt and OMG tiers though. I think it has to do with register allocation or the stack handling in BBQ (which is generally trickier than in those tiers, especially for this instruction).

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240206/ebd872af/attachment-0001.htm>