Bug 293107

Summary: Wasm module compile error when a function contains `ref.null` after `return`
Product: WebKit Reporter: seyoon1705
Component: WebAssemblyAssignee: Sosuke Suzuki <sosuke>
Status: RESOLVED FIXED    
Severity: Normal CC: d_degazio, keith_miller, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
return_ref_null.js none

seyoon1705
Reported 2025-05-15 23:32:39 PDT
Created attachment 475263 [details]
return_ref_null.js

Commit version: 9d02067f5de4b0402f58d6c83039e206439a8a8c
System: Ubuntu 20.04.6 LTS, x86_64

The following Wasm module contains three types and a function that includes `ref.null` after `return`.

```
;; return_ref_null.wat
(module
  (type $0 (func))
  (type $1 (func))
  (type $2 (func))
  (func
    (return)
    (ref.null $2)
    (drop)
  )
)
```

It is a valid Wasm module, so it must parse and validate successfully. However, when running `return_ref_null.js`, the equivalent JavaScript file, JavaScriptCore raises a compile error.

```
$ jsc return_ref_null.js
Exception: Error: Wasm validate failure
module@return_ref_null.js:64:20
global code@return_ref_null.js:215:17
--> CompileError: WebAssembly.Module doesn't parse at byte 5: can't get inline type for Block in unreachable context, in function at index 0
```

The bug is reproduced only when there are at least 3 types.
Attachments
return_ref_null.js (839 bytes, application/x-javascript)
2025-05-15 23:32 PDT, seyoon1705
no flags
seyoon1705
Comment 1 2025-05-15 23:35:17 PDT
Oh, I forgot to mention one thing. The compile error occurs when `ref.null` has an immediate with a type index larger than 2.
seyoon1705
Comment 2 2025-05-16 00:44:54 PDT
Additional note: It doesn't have to be `return`. The same bug happens when `ref.null` appears after `br`, `unreachable`, and `throw_ref`.
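An added reproducer harness, not the reporter's attached `return_ref_null.js`: it hand-encodes the module from the description (three empty function types, body `return; ref.null $2; drop`) and the Comment 2 variants with `br 0` and `unreachable` in place of `return`, then asks the host engine's `WebAssembly.validate` for a verdict. `throw_ref` is left out because it needs the exception-handling proposal. It assumes a host that implements `ref.null` with a type-index heap type (the function-references proposal); on such a host a correct validator answers true for every variant, and the rejection this report describes would show up as false. The `baselineValidates` check builds the same module without the `ref.null`, so a false from it points at the harness or the host, not at the bug.

```javascript
// Added example, not code from the bug report. Encodes the reporter's module by
// hand so the reproducer does not depend on any .wat toolchain.

// Unsigned LEB128: used for counts, sizes and indices.
function uleb(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}

// Signed LEB128 (s33): heap types in `ref.null ht` are signed, so a type index
// is encoded this way; for small indices it matches the unsigned form.
function sleb(n) {
  const out = [];
  for (;;) {
    let b = n & 0x7f;
    n >>= 7;
    const done = (n === 0 && (b & 0x40) === 0) || (n === -1 && (b & 0x40) !== 0);
    if (!done) b |= 0x80;
    out.push(b);
    if (done) return out;
  }
}

// A section is: id byte, payload size (uleb), payload.
function section(id, payload) {
  return [id, ...uleb(payload.length), ...payload];
}

// Opcode bytes from the WebAssembly binary format.
const OP = { unreachable: 0x00, br: 0x0c, return: 0x0f, drop: 0x1a, refNull: 0xd0, end: 0x0b };

// Instructions that make the rest of the function body unreachable (description + Comment 2).
const TERMINATORS = {
  return: [OP.return],
  br: [OP.br, ...uleb(0)], // br 0 targets the implicit function-level block
  unreachable: [OP.unreachable],
};

// Build a module with `typeCount` empty function types and one function (type 0)
// whose body is: <terminator> ; ref.null <nullTypeIdx> ; drop ; end
function buildModule({ typeCount, nullTypeIdx, terminator, withRefNull = true }) {
  const funcType = [0x60, 0x00, 0x00]; // func () -> ()
  const typeSec = section(1, [...uleb(typeCount), ...Array(typeCount).fill(funcType).flat()]);
  const funcSec = section(3, [...uleb(1), ...uleb(0)]); // one function, using type index 0
  const body = [
    0x00, // no local declarations
    ...terminator,
    ...(withRefNull ? [OP.refNull, ...sleb(nullTypeIdx), OP.drop] : []),
    OP.end,
  ];
  const codeSec = section(10, [...uleb(1), ...uleb(body.length), ...body]);
  const header = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]; // "\0asm", version 1
  return new Uint8Array([...header, ...typeSec, ...funcSec, ...codeSec]);
}

// Sanity check of the encoder itself: the same module with the ref.null removed
// is plain MVP WebAssembly and must validate on any engine.
function baselineValidates() {
  return WebAssembly.validate(
    buildModule({ typeCount: 3, nullTypeIdx: 2, terminator: TERMINATORS.return, withRefNull: false })
  );
}

// Reporter's case (three types, ref.null $2) with each terminator from Comment 2.
function reproduce() {
  const results = {};
  for (const [name, terminator] of Object.entries(TERMINATORS)) {
    const bytes = buildModule({ typeCount: 3, nullTypeIdx: 2, terminator });
    results[name] = WebAssembly.validate(bytes);
  }
  return results;
}

console.log('baseline valid:', baselineValidates());
console.log('ref.null after terminator:', reproduce());
```

Running the file under the affected `jsc` is the interesting case; under any other engine the output simply documents whether that host accepts type-index heap types in unreachable code.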
Radar WebKit Bug Importer
Comment 3 2025-05-22 23:33:14 PDT
Sosuke Suzuki
Comment 4 2025-05-31 00:52:13 PDT
EWS
Comment 5 2025-05-31 03:01:39 PDT
Committed 295644@main (d8a5f39bad4f): <https://commits.webkit.org/295644@main> Reviewed commits have been landed. Closing PR #46164 and removing active labels.