Bug 291795

Summary: [JSC] WASM JIT compiler uses the wrong comparison for br_if after i32.ne or i64.ne
Product: WebKit Reporter: ashivaram264
Component: WebAssemblyAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

ashivaram264
Reported 2025-04-19 12:05:30 PDT
When constant folding in BBQJIT::tryFoldFusedBranchCompare, the cases for OpType::I32Ne and OpType::I64Ne use == instead of !=. This leads to incorrect behavior from WASM functions that push two i32.consts followed by i32.ne and br_if. The problem is on this line: https://github.com/WebKit/WebKit/blob/39dc4cc26a3d9115a99f248c577464a48629f181/Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp#L3354 and the corresponding line further down for I64Ne.
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2025-04-20 04:52:13 PDT
<rdar://problem/149638249>
Yusuke Suzuki
Comment 2 2025-04-20 04:53:00 PDT
Pull request: https://github.com/WebKit/WebKit/pull/44307
EWS
Comment 3 2025-04-23 13:02:37 PDT
Committed 294022@main (7bb4eb9855e0): <https://commits.webkit.org/294022@main> Reviewed commits have been landed. Closing PR #44307 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.