267381 2024-01-10 16:15:02 -0800 [Wasm-GC] Fix write barrier bug in BBQ array.set 2024-01-11 10:10:14 -0800 1 1 1 Unclassified WebKit WebAssembly WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 247394 1 asumu webkit-unassigned bashorov webkit-bug-importer oldest_to_newest 2004260 0 asumu 2024-01-10 16:15:02 -0800 A recent PR added JIT inlining for array ops, and also has write barriers for these situations. Unfortunately while the write barrier is in the right place, the condition to add them is slightly wrong. Test case: ``` //@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true", "--useWebAssemblyExtendedConstantExpressions=true") import * as assert from "../assert.js"; import { instantiate } from "./wast-wrapper.js"; { const m1 = instantiate(` (module (type (struct (field i32))) (type (array (mut (ref null 0)))) (func (export "maker") (result (ref 1)) (array.new_default 1 (i32.const 5)))) `); const arr = m1.exports.maker(); assert.isObject(arr); // Do a GC to ensure the array is an old object. gc(); const m2 = instantiate(` (module (type (struct (field i32))) (type (array (mut (ref null 0)))) (func (export "set") (param (ref 1) i32) (array.set 1 (local.get 0) (local.get 1) (struct.new 0 (i32.const 42)))) (func (export "get") (param (ref 1) i32) (result i32) (struct.get 0 0 (array.get 1 (local.get 0) (local.get 1))))) `); for (var i = 0; i < 5; i++) m2.exports.set(arr, i); // Do an eden GC to test write barriers. edenGC(); for (var i = 0; i < 5; i++) assert.eq(m2.exports.get(arr, i), 42); } ``` The fix is straightforward (just fix the condition to check the right type). 2004263 1 asumu 2024-01-10 16:27:12 -0800 Pull request: https://github.com/WebKit/WebKit/pull/22630 2004480 2 ews-feeder 2024-01-11 10:09:39 -0800 Committed 272923@main (6decd847ff17): <https://commits.webkit.org/272923@main> Reviewed commits have been landed. Closing PR #22630 and removing active labels. 2004481 3 webkit-bug-importer 2024-01-11 10:10:14 -0800 <rdar://problem/120852672>