288722 2025-02-27 07:54:54 -0800 Tail call result type validation not working correctly for nullable types 2025-03-10 14:24:17 -0700 1 1 1 Unclassified WebKit WebAssembly Other PC Linux RESOLVED FIXED InRadar P2 Blocker --- 1 dave daniel_liu4 webkit-bug-importer oldest_to_newest 2098771 0 474371 dave 2025-02-27 07:54:54 -0800 Created attachment 474371 Wasm binary that fails validation Tail calling a function that returns a non-nullable reference type from a caller that returns a nullable reference type throws an error at validation time. Here's a minimal WAT program (Wasm binary attached) to demonstrate: ``` (module (func $bar (param $x i32) (result (ref i31)) (ref.i31 (local.get $x))) (func $foo (export "foo") (param $x i32) (result (ref null i31)) (if (result (ref null i31)) (i32.eqz (local.get $x)) (then (ref.null i31)) (else (return_call $bar (local.get $x)))))) ``` I believe this program is valid. I used this JavaScript code to instantiate and call the exported "foo" function: ``` const module = await WebAssembly.instantiateStreaming(fetch("foo.wasm")); console.log(module.instance.exports.foo(42)); ``` The expected result is to see "42" printed to the console. Instead, I see this error: ``` WebAssembly.Module doesn't validate: tail call function index 0 return type mismatch: expected (ref null i31), got (ref i31), in function at index 1 ``` Relevant line in the WebKit source: https://github.com/WebKit/WebKit/blob/bda8d91633ad360c8cb949ff20e19c1276f80a5d/Source/JavaScriptCore/wasm/WasmFunctionParser.h#L3116 I observed this issue in my own local Epiphany build using WebKitGTK 2.47.90 on Linux. The above program was also tested on Chrome and Firefox where it ran successfully. While the above WAT code is a minimal example of the problem, this is a real-world blocker issue that was found when attempting to run Scheme programs built with the Hoot compiler (https://spritely.institute/hoot/) on WebKit based browsers. 2100982 1 webkit-bug-importer 2025-03-06 07:55:15 -0800 <rdar://problem/146391286> 2102020 2 daniel_liu4 2025-03-10 13:25:58 -0700 Pull request: https://github.com/WebKit/WebKit/pull/42206 2102033 3 ews-feeder 2025-03-10 14:24:15 -0700 Committed 291918@main (61e1a1710342): <https://commits.webkit.org/291918@main> Reviewed commits have been landed. Closing PR #42206 and removing active labels. 474371 2025-02-27 07:54:54 -0800 2025-02-27 07:54:54 -0800 Wasm binary that fails validation foo.wasm application/wasm 64 dave AGFzbQEAAAABDQJgAX8BZGxgAX8BY2wDAwIAAQcHAQNmb28AAQoZAgYAIAD7HAsQACAARQRjbNBs BSAAEgALCw==