WebKit Bugzilla
RESOLVED FIXED
265742
[Wasm-GC] BBQJIT crashes compiling Wasm GC program with ASSERTION FAILED: !currentLocation.isRegister()
https://bugs.webkit.org/show_bug.cgi?id=265742
Asumu Takikawa
Reported
2023-12-02 20:10:03 PST
The following program fails to compile in debug mode on BBQJIT:

```
//@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true")
import * as assert from "../assert.js";
import { compile, instantiate } from "./wast-wrapper.js";

instantiate(`
  (module
    (type (struct (field (mut i32))))
    (func (result i32)
      (local $5 i32)
      (local $11 i32)
      (local $19 (ref 0))
      (local $21 (ref 0))
      (local $22 i32)
      (local.set $19 (struct.new_default 0))
      (block (result i32)
        ;;(call ...)
        ;;(local.set ...)
        (block (result i32)
          (block (result i32)
            (local.get $19)
            (struct.get 0 0)
            (local.get $5)
            i32.eq
            if (result i32)
              (local.get $19)
              (local.get $11)
              (struct.set 0 0)
              (local.get $19)
              (local.set $21)
              (local.get $21)
              (struct.get 0 0)
              (local.set $22)
              (local.get $21)
              (block (result i32)
                (local.get $22)
                (i32.const 1)
                i32.add
                (br 0))
              (struct.set 0 0)
              (i32.const 1)
            else
              (i32.const 0)
            end)))))
`);
```

Assuming this is in `JSTests/wasm/gc`. Run as:

```
run-jsc --debug --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true --jsc-only --useWasmLLInt=false -m bbq.js
```

It crashes with an error like this:

```
ASSERTION FAILED: !currentLocation.isRegister()
/home/asumu/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp(9896) : JSC::Wasm::BBQJIT::Location JSC::Wasm::BBQJIT::bind(Value, Location)
Aborted (core dumped)
```
Asumu Takikawa
Comment 1
2023-12-02 20:17:05 PST
Here's a more minimized repro case:

```
instantiate(`
  (module
    (type (struct (field (mut i32))))
    (func (result i32)
      (local $19 (ref 0))
      (local $22 i32)
      (local.set $19 (struct.new_default 0))
      (i32.const 1)
      if (result i32)
        (local.get $19)
        (block (result i32) (i32.const 1) (br 0))
        (struct.set 0 0)
        (i32.const 1)
      else
        (i32.const 0)
      end))
`);
```
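The minimized repro above depends on JSTests' `wast-wrapper.js` to turn the text format into a binary. The script below is an added example, not code from the bug report or from WebKit: it hand-encodes that same module using the final Wasm GC binary encoding (struct type `0x5F`, non-nullable `(ref $t)` `0x64`, `struct.new_default` and `struct.set` behind the `0xFB` prefix), so the repro can be validated and executed in any engine that implements Wasm GC, without the JSC test harness. The helper names `buildRepro` and `probe`, the export name `f`, and the choice to place the struct type at index 0 and the function signature at index 1 are assumptions of this example. It cannot trigger the assertion itself, since that fires only in a JSC debug build with the BBQ tier selected; what it gives you is a standalone binary plus the expected result (`1`) to use as an oracle when bisecting or fuzzing around the fix.

```javascript
// Added example (not from the bug report or from WebKit): hand-encode the
// minimized repro from comment 1 as a Wasm GC binary, validate it, and run it.
// Opcode and type-code values follow the final Wasm GC binary format; struct
// type at index 0 and the function type at index 1 is an encoding choice here.

// Unsigned LEB128. Every index and size in this module is small, but keep it general.
// i32.const takes a signed LEB128; for 0 and 1 the two encodings are identical.
function uleb(n) {
  const out = [];
  do {
    let b = n & 0x7f;
    n >>>= 7;
    if (n !== 0) b |= 0x80;
    out.push(b);
  } while (n !== 0);
  return out;
}

// A section is: id, payload length, payload. A vec is: count, then the items.
function section(id, payload) {
  return [id, ...uleb(payload.length), ...payload];
}
function vec(items) {
  return [...uleb(items.length), ...items.flat()];
}

const I32 = 0x7f;
const REF = 0x64;         // (ref $t): non-nullable reference, followed by a heap type
const STRUCT_TYPE = 0x5f;
const FUNC_TYPE = 0x60;
const MUT = 0x01;
const GC_PREFIX = 0xfb;   // struct.* opcodes live behind this prefix
const STRUCT_NEW_DEFAULT = 0x01;
const STRUCT_SET = 0x05;

// Build the module bytes for the comment-1 repro. Returns a Uint8Array.
function buildRepro() {
  // (type (struct (field (mut i32)))) is type 0; (func (result i32)) is type 1
  const types = vec([
    [STRUCT_TYPE, ...vec([[I32, MUT]])],
    [FUNC_TYPE, ...vec([]), ...vec([[I32]])],
  ]);
  const funcs = vec([[...uleb(1)]]);                            // one function, type index 1
  const exportSec = vec([[...uleb(1), 0x66, 0x00, ...uleb(0)]]); // export "f" = func 0

  const locals = vec([
    [...uleb(1), REF, ...uleb(0)], // (local $19 (ref 0))
    [...uleb(1), I32],             // (local $22 i32)
  ]);
  const body = [
    GC_PREFIX, STRUCT_NEW_DEFAULT, ...uleb(0),     // (struct.new_default 0)
    0x21, ...uleb(0),                              // (local.set $19)
    0x41, ...uleb(1),                              // (i32.const 1)
    0x04, I32,                                     // if (result i32)
    0x20, ...uleb(0),                              //   (local.get $19)
    0x02, I32,                                     //   (block (result i32)
    0x41, ...uleb(1),                              //     (i32.const 1)
    0x0c, ...uleb(0),                              //     (br 0)
    0x0b,                                          //   end
    GC_PREFIX, STRUCT_SET, ...uleb(0), ...uleb(0), //   (struct.set 0 0)
    0x41, ...uleb(1),                              //   (i32.const 1)
    0x05,                                          // else
    0x41, ...uleb(0),                              //   (i32.const 0)
    0x0b,                                          // end (if)
    0x0b,                                          // end (func)
  ];
  const code = vec([[...uleb(locals.length + body.length), ...locals, ...body]]);

  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // "\0asm", version 1
    ...section(1, types),
    ...section(3, funcs),
    ...section(7, exportSec),
    ...section(10, code),
  ]);
}

// Validate and, if this engine accepts Wasm GC, instantiate and call the export.
// On a correct engine f() takes the then-branch and returns 1.
function probe(bytes) {
  const validates = WebAssembly.validate(bytes);
  if (!validates) return { validates, result: null };
  const instance = new WebAssembly.Instance(new WebAssembly.Module(bytes));
  return { validates, result: instance.exports.f() };
}

const reproBytes = buildRepro();
console.log(`module: ${reproBytes.length} bytes`, probe(reproBytes));
```

`WebAssembly.validate` returning `false` means the host engine does not implement the final Wasm GC encoding (or the module is malformed), not that the BBQJIT bug is present; the assertion in the report is only reachable in a JSC debug build run with the flags given in the report.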
Asumu Takikawa
Comment 2
2023-12-05 16:56:41 PST
Pull request:
https://github.com/WebKit/WebKit/pull/21366
EWS
Comment 3
2023-12-06 14:18:06 PST
Committed 271633@main (7489f1848c53): <https://commits.webkit.org/271633@main>

Reviewed commits have been landed. Closing PR #21366 and removing active labels.
Radar WebKit Bug Importer
Comment 4
2023-12-06 14:19:16 PST
<rdar://problem/119275322>