Bug 268848
| Summary: | [Wasm-GC] Fix br_on_cast issue on BBQ | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Asumu Takikawa <asumu> |
| Component: | WebAssembly | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | bashorov, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Bug Depends on: | |||
| Bug Blocks: | 247394 | ||
Asumu Takikawa
There's a bug in the handling of `br_on_cast` on the BBQJIT tier. Test case:
```
diff --git a/JSTests/wasm/gc/br_on_cast.js b/JSTests/wasm/gc/br_on_cast.js
index dbf465442c6b..f62897236627 100644
--- a/JSTests/wasm/gc/br_on_cast.js
+++ b/JSTests/wasm/gc/br_on_cast.js
@@ -116,6 +116,22 @@ function testBrOnCast() {
assert.eq(m.exports.f1(), 1);
assert.eq(m.exports.f2(), 0);
}
+
+ {
+ let m = instantiate(`
+ (module
+ (type (struct))
+ (type (struct (field (ref null 0))))
+ (global (ref 1) (struct.new 1 (struct.new 0)))
+ (func (export "f") (param) (result structref)
+ (block $exit (result structref)
+ (struct.get 1 0
+ (br_on_cast_fail $exit structref (ref 1)
+ (global.get 0)))))
+ )
+ `);
+ m.exports.f();
+ }
}
testBrOnCastValidation();
```
The test runs fine in LLInt and OMG tiers though. I think it has to do with register allocation or the stack handling in BBQ (which is generally trickier than in those tiers, especially for this instruction).
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Asumu Takikawa
Pull request: https://github.com/WebKit/WebKit/pull/24016
Radar WebKit Bug Importer
<rdar://problem/122902355>
EWS
Committed 275920@main (d8ada2256e9e): <https://commits.webkit.org/275920@main>
Reviewed commits have been landed. Closing PR #24016 and removing active labels.