[Webkit-unassigned] [Bug 279182] New: WasmGC program may be mis-optimized

Thu Sep 5 04:57:01 PDT 2024

https://bugs.webkit.org/show_bug.cgi?id=279182

            Bug ID: 279182
           Summary: WasmGC program may be mis-optimized
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: kustermann.martin at gmail.com

Created attachment 472464

  --> https://bugs.webkit.org/attachment.cgi?id=472464&action=review

Contains a helper script used to run dart2wasm compiled modules and the corresponding JS & Wasm files of a compiled application that triggers misoptimization

The attached program seems to run fine with V8's commandline JS engine but fails with JavaScriptCore command line shell.

By modifying the program slightly or changing JSC flags it appears to behave differently, making me believe this is an optimization bug.

This reproduction uses the build from: https://webkitgtk.org/jsc-built-products/x86_64/release/283199@main.zip

---------------------------
---- Issue 1) Run the app with dart2wasm -O1 optimization (which uses the binaryen wasm2wasm optimizer)
---------------------------
```
% jsc $PWD/pkg/dart2wasm/bin/run_wasm.js -- $PWD/repro.O1.mjs $PWD/repro.O1.wasm

i=128      
i=128 done
i=129      
i=129 done
...

i=4627
Error: RuntimeError: struct.get to a null reference (evaluating 'this.instantiatedModule.exports.$invokeMain(args)')
Stack: <?>.wasm-function[Expect.throws]@[wasm code]
<?>.wasm-function[main tear-off trampoline]@[wasm code]
<?>.wasm-function[_invokeMain]@[wasm code]
invokeMain at .../repro.O1.mjs:358:48
@.../pkg/dart2wasm/bin/run_wasm.js:412:31
````

Running with `--useJIT=false` behaves flakily and differently

Sometimes:
```
% jsc --useJIT=false $PWD/pkg/dart2wasm/bin/run_wasm.js -- $PWD/repro.O1.mjs $PWD/repro.O1.wasm

Error: RuntimeError: ref.cast failed to cast reference to target heap type (evaluating 'read(s, index++)')
Stack: <?>.wasm-function[_stringRead1]@[wasm code]
73@[native code]
_253 at .../repro.O1.mjs:188:28
<?>.wasm-function[print]@[wasm code]
<?>.wasm-function[_invokeMain]@[wasm code]
58@[native code]
invokeMain at .../repro.O1.mjs:358:48
@.../pkg/dart2wasm/bin/run_wasm.js:412:31
```
Sometimes:
```
% jsc --useJIT=false $PWD/pkg/dart2wasm/bin/run_wasm.js -- $PWD/repro.O1.mjs $PWD/repro.O1.wasm

Error: RangeError: Array length must be a positive integer of safe magnitude.
Stack: _253 at .../repro.O1.mjs:184:30
<?>.wasm-function[print]@[wasm code]
<?>.wasm-function[_invokeMain]@[wasm code]
58@[native code]
invokeMain at .../repro.O1.mjs:358:48
@.../dart2wasm/bin/run_wasm.js:412:31

```

---------------------------
---- Issue 1) Run the app with dart2wasm -O0, i.e. without any optimization
---------------------------

```
% jsc  $PWD/pkg/dart2wasm/bin/run_wasm.js -- $PWD/repro.O0.mjs $PWD/repro.O0.wasm

... 
Error: RuntimeError: call_indirect to a signature that does not match (evaluating 'this.instantiatedModule.exports.$invokeMain(args)')
Stack: <?>.wasm-function[Expect.throws]@[wasm code]
<?>.wasm-function[main]@[wasm code]
<?>.wasm-function[main tear-off trampoline]@[wasm code]
<?>.wasm-function[_invokeMain]@[wasm code]
invokeMain at .../repro.O0.mjs:358:48
@.../pkg/dart2wasm/bin/run_wasm.js:412:31

```

```
% jsc --useJIT=false $PWD/pkg/dart2wasm/bin/run_wasm.js -- $PWD/repro.O0.mjs $PWD/repro.O0.wasm

Error: CompileError: WebAssembly.Module doesn't parse at byte 1012: can't get 0th field Type
Stack: undefined
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240905/6d671048/attachment-0001.htm>