The following program fails to compile in debug mode on BBQJIT:

```
//@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true")
import * as assert from "../assert.js";
import { compile, instantiate } from "./wast-wrapper.js";

instantiate(`
  (module
    (type (struct (field (mut i32))))
    (func (result i32)
      (local $5 i32)
      (local $11 i32)
      (local $19 (ref 0))
      (local $21 (ref 0))
      (local $22 i32)
      (local.set $19 (struct.new_default 0))
      (block (result i32)
        ;;(call ...)
        ;;(local.set ...)
        (block (result i32)
          (block (result i32)
            (local.get $19)
            (struct.get 0 0)
            (local.get $5)
            i32.eq
            if (result i32)
              (local.get $19)
              (local.get $11)
              (struct.set 0 0)
              (local.get $19)
              (local.set $21)
              (local.get $21)
              (struct.get 0 0)
              (local.set $22)
              (local.get $21)
              (block (result i32)
                (local.get $22)
                (i32.const 1)
                i32.add
                (br 0))
              (struct.set 0 0)
              (i32.const 1)
            else
              (i32.const 0)
            end)))))
`);
```

Assuming this is in `JSTests/wasm/gc`, run as:

```
run-jsc --debug --useWebAssemblyGC=true --useWebAssemblyTypedFunctionReferences=true --jsc-only --useWasmLLInt=false -m bbq.js
```

It crashes with an error like this:

```
ASSERTION FAILED: !currentLocation.isRegister()
/home/asumu/WebKit/Source/JavaScriptCore/wasm/WasmBBQJIT.cpp(9896) : JSC::Wasm::BBQJIT::Location JSC::Wasm::BBQJIT::bind(Value, Location)
Aborted (core dumped)
```
Here's a more minimized repro case:

```
instantiate(`
  (module
    (type (struct (field (mut i32))))
    (func (result i32)
      (local $19 (ref 0))
      (local $22 i32)
      (local.set $19 (struct.new_default 0))
      (i32.const 1)
      if (result i32)
        (local.get $19)
        (block (result i32)
          (i32.const 1)
          (br 0))
        (struct.set 0 0)
        (i32.const 1)
      else
        (i32.const 0)
      end))
`);
```
Pull request: https://github.com/WebKit/WebKit/pull/21366
Committed 271633@main (7489f1848c53): <https://commits.webkit.org/271633@main> Reviewed commits have been landed. Closing PR #21366 and removing active labels.
<rdar://problem/119275322>