Created attachment 474371 [details] Wasm binary that fails validation Tail calling a function that returns a non-nullable reference type from a caller that returns a nullable reference type throws an error at validation time. Here's a minimal WAT program (Wasm binary attached) to demonstrate: ``` (module (func $bar (param $x i32) (result (ref i31)) (ref.i31 (local.get $x))) (func $foo (export "foo") (param $x i32) (result (ref null i31)) (if (result (ref null i31)) (i32.eqz (local.get $x)) (then (ref.null i31)) (else (return_call $bar (local.get $x)))))) ``` I believe this program is valid. I used this JavaScript code to instantiate and call the exported "foo" function: ``` const module = await WebAssembly.instantiateStreaming(fetch("foo.wasm")); console.log(module.instance.exports.foo(42)); ``` The expected result is to see "42" printed to the console. Instead, I see this error: ``` WebAssembly.Module doesn't validate: tail call function index 0 return type mismatch: expected (ref null i31), got (ref i31), in function at index 1 ``` Relevant line in the WebKit source: https://github.com/WebKit/WebKit/blob/bda8d91633ad360c8cb949ff20e19c1276f80a5d/Source/JavaScriptCore/wasm/WasmFunctionParser.h#L3116 I observed this issue in my own local Epiphany build using WebKitGTK 2.47.90 on Linux. The above program was also tested on Chrome and Firefox where it ran successfully. While the above WAT code is a minimal example of the problem, this is a real-world blocker issue that was found when attempting to run Scheme programs built with the Hoot compiler (https://spritely.institute/hoot/) on WebKit based browsers.