293107 2025-05-15 23:32:39 -0700 Wasm module compile error when a function contains `ref.null` after `return` 2025-05-31 03:01:41 -0700 1 1 1 Unclassified WebKit WebAssembly Other Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 seyoon1705 sosuke d_degazio keith_miller webkit-bug-importer oldest_to_newest 2117558 0 475263 seyoon1705 2025-05-15 23:32:39 -0700 Created attachment 475263 return_ref_null.js Commit version: 9d02067f5de4b0402f58d6c83039e206439a8a8c System: Ubuntu 20.04.6 LTS, x86_64 The following Wasm module contains three types and a function that includes `ref.null` after `return`. ``` ;; return_ref_null.wat (module (type $0 (func)) (type $1 (func)) (type $2 (func)) (func (return) (ref.null $2) (drop) ) ) ``` It is a valid Wasm module, so it must succeed to parse and validate. However, when running `return_ref_null.js`, the equivalent JavaScript file, JavaScriptCore raises compile error. ``` $ jsc return_ref_null.js Exception: Error: Wasm validate failure module@return_ref_null.js:64:20 global code@return_ref_null.js:215:17 --> CompileError: WebAssembly.Module doesn't parse at byte 5: can't get inline type for Block in unreachable context, in function at index 0 ``` The bug is reproduced only when there are at least 3 types. 2117559 1 seyoon1705 2025-05-15 23:35:17 -0700 Oh, I forgot to mention one thing. The compile error occurs when`ref.null` has immediate with type index larger than 2. 2117564 2 seyoon1705 2025-05-16 00:44:54 -0700 Additionally note: It doesn't have to be `return`. Same bug happens when `ref.null` appears after `br`, `unreachable`, and `throw_ref`. 2119209 3 webkit-bug-importer 2025-05-22 23:33:14 -0700 <rdar://problem/151905390> 2120893 4 sosuke 2025-05-31 00:52:13 -0700 Pull request: https://github.com/WebKit/WebKit/pull/46164 2120899 5 ews-feeder 2025-05-31 03:01:39 -0700 Committed 295644@main (d8a5f39bad4f): <https://commits.webkit.org/295644@main> Reviewed commits have been landed. Closing PR #46164 and removing active labels. 475263 2025-05-15 23:32:39 -0700 2025-05-15 23:32:39 -0700 return_ref_null.js return_ref_null.js application/x-javascript 839 seyoon1705 J3VzZSBzdHJpY3QnOwoKZnVuY3Rpb24gbW9kdWxlKGJ5dGVzLCB2YWxpZCA9IHRydWUpIHsKICBs ZXQgYnVmZmVyID0gbmV3IEFycmF5QnVmZmVyKGJ5dGVzLmxlbmd0aCk7CiAgbGV0IHZpZXcgPSBu ZXcgVWludDhBcnJheShidWZmZXIpOwogIGZvciAobGV0IGkgPSAwOyBpIDwgYnl0ZXMubGVuZ3Ro OyArK2kpIHsKICAgIHZpZXdbaV0gPSBieXRlcy5jaGFyQ29kZUF0KGkpOwogIH0KICBsZXQgdmFs aWRhdGVkOwogIHRyeSB7CiAgICB2YWxpZGF0ZWQgPSBXZWJBc3NlbWJseS52YWxpZGF0ZShidWZm ZXIpOwogIH0gY2F0Y2ggKGUpIHsKICAgIHRocm93IG5ldyBFcnJvcigiV2FzbSB2YWxpZGF0ZSB0 aHJvd3MiKTsKICB9CiAgaWYgKHZhbGlkYXRlZCAhPT0gdmFsaWQpIHsKICAgIGlmICghdmFsaWRh dGVkKSBXZWJBc3NlbWJseS5jb21waWxlKGJ1ZmZlcikuY2F0Y2goZSA9PiBkZWJ1ZyhlKSk7CiAg ICB0aHJvdyBuZXcgRXJyb3IoIldhc20gdmFsaWRhdGUgZmFpbHVyZSIgKyAodmFsaWQgPyAiIiA6 ICIgZXhwZWN0ZWQiKSk7CiAgfQogIHJldHVybiBuZXcgV2ViQXNzZW1ibHkuTW9kdWxlKGJ1ZmZl cik7Cn0KCi8vIGJpbmFyeSBmb3JtYXQgb2YgcmV0dXJuX3JlZl9udWxsLndhdApsZXQgJCQxID0g bW9kdWxlKCJceDAwXHg2MVx4NzNceDZkXHgwMVx4MDBceDAwXHgwMFx4MDFceDhhXHg4MFx4ODBc eDgwXHgwMFx4MDNceDYwXHgwMFx4MDBceDYwXHgwMFx4MDBceDYwXHgwMFx4MDBceDAzXHg4Mlx4 ODBceDgwXHg4MFx4MDBceDAxXHgwMFx4MGFceDhjXHg4MFx4ODBceDgwXHgwMFx4MDFceDg2XHg4 MFx4ODBceDgwXHgwMFx4MDBceDBmXHhkMFx4MDJceDFhXHgwYiIpOwo=