The following test crashes in the BBQJIT tier: ``` //@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=true") import * as assert from "../assert.js"; import { compile, instantiate } from "./wast-wrapper.js"; const m1 = instantiate(` (module (type (struct (field i32))) (type (struct (field (mut (ref null 0))))) (func (export "f") (result (ref any)) (struct.new 1 (ref.null 0))) ) `); const struct = m1.exports.f() gc(); const m2 = instantiate(` (module (type (struct (field i32))) (type (struct (field (mut (ref null 0))))) (func (export "g") (param (ref 1)) (struct.set 1 0 (local.get 0) (struct.new 0 (i32.const 42)))) (func (export "h") (param (ref 1)) (result i32) (struct.get 0 0 (struct.get 1 0 (local.get 0)))) ) `); m2.exports.g(struct); edenGC(); assert.equals(m2.exports.h(struct), 42); ``` This is due to a missing write barrier, ensuring that the old object from module m1 has a reference to a new object in module m2 that will be traced.
Pull request: https://github.com/WebKit/WebKit/pull/21484
Committed 271740@main (50def56d3557): <https://commits.webkit.org/271740@main> Reviewed commits have been landed. Closing PR #21484 and removing active labels.
<rdar://problem/119382549>