RESOLVED FIXED 288722
Tail call result type validation not working correctly for nullable types
https://bugs.webkit.org/show_bug.cgi?id=288722
David Thompson
Reported 2025-02-27 07:54:54 PST
Created attachment 474371: Wasm binary that fails validation

Tail calling a function that returns a non-nullable reference type from a caller that returns a nullable reference type throws an error at validation time. Here's a minimal WAT program (Wasm binary attached) to demonstrate:

```
(module
  (func $bar (param $x i32) (result (ref i31))
    (ref.i31 (local.get $x)))
  (func $foo (export "foo") (param $x i32) (result (ref null i31))
    (if (result (ref null i31)) (i32.eqz (local.get $x))
      (then (ref.null i31))
      (else (return_call $bar (local.get $x))))))
```

I believe this program is valid. I used this JavaScript code to instantiate and call the exported "foo" function:

```
const module = await WebAssembly.instantiateStreaming(fetch("foo.wasm"));
console.log(module.instance.exports.foo(42));
```

The expected result is to see "42" printed to the console. Instead, I see this error:

```
WebAssembly.Module doesn't validate: tail call function index 0 return type mismatch: expected (ref null i31), got (ref i31), in function at index 1
```

Relevant line in the WebKit source: https://github.com/WebKit/WebKit/blob/bda8d91633ad360c8cb949ff20e19c1276f80a5d/Source/JavaScriptCore/wasm/WasmFunctionParser.h#L3116

I observed this issue in my own local Epiphany build using WebKitGTK 2.47.90 on Linux. The above program was also tested on Chrome and Firefox where it ran successfully.

While the above WAT code is a minimal example of the problem, this is a real-world blocker issue that was found when attempting to run Scheme programs built with the Hoot compiler (https://spritely.institute/hoot/) on WebKit based browsers.
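The validation rule at issue, as an added illustration that is not WebKit's code: for `return_call`, each result type of the callee must be a subtype of the corresponding result type of the caller, and a non-nullable `(ref i31)` is a subtype of the nullable `(ref null i31)`. The model below implements the reference-type subtyping rule of the wasm GC proposal for the abstract `any` hierarchy only (concrete type indices and the func/extern hierarchies are left out as a simplification) and compares an exact-equality check, which reproduces the mismatch error quoted in the report, with the subtyping check.

```python
from typing import NamedTuple

# Abstract heap-type hierarchy of the wasm GC proposal (the "any" hierarchy only;
# func/extern hierarchies and concrete type indices are omitted for brevity):
#   none <: i31 | struct | array <: eq <: any
HEAP_SUPERTYPES = {
    "any": set(),
    "eq": {"any"},
    "i31": {"eq", "any"},
    "struct": {"eq", "any"},
    "array": {"eq", "any"},
    "none": {"i31", "struct", "array", "eq", "any"},
}

class RefType(NamedTuple):
    heap: str
    nullable: bool

    def __str__(self) -> str:
        return f"(ref {'null ' if self.nullable else ''}{self.heap})"

def parse_ref(text: str) -> RefType:
    """Parse the WAT spelling, e.g. "(ref null i31)" or "(ref i31)"."""
    parts = text.strip("() ").split()
    if parts[0] != "ref" or parts[-1] not in HEAP_SUPERTYPES:
        raise ValueError(f"unsupported reference type: {text}")
    return RefType(heap=parts[-1], nullable=(len(parts) == 3 and parts[1] == "null"))

def is_subtype(sub: RefType, sup: RefType) -> bool:
    """(ref null1 ht1) <: (ref null2 ht2) iff ht1 <: ht2 and (null2 present or null1 absent)."""
    heap_ok = sub.heap == sup.heap or sup.heap in HEAP_SUPERTYPES[sub.heap]
    return heap_ok and (sup.nullable or not sub.nullable)

def validate_return_call(callee_results: list, caller_results: list, exact: bool = False):
    """Check a return_call's callee results against the caller's declared results.
    exact=True mirrors the equality check the report describes; exact=False applies
    the spec rule (pairwise subtyping). Returns (ok, message)."""
    if len(callee_results) != len(caller_results):
        return False, "tail call result count mismatch"
    for callee, caller in zip(map(parse_ref, callee_results), map(parse_ref, caller_results)):
        matches = callee == caller if exact else is_subtype(callee, caller)
        if not matches:
            return False, f"return type mismatch: expected {caller}, got {callee}"
    return True, "ok"

if __name__ == "__main__":
    # $bar returns (ref i31); $foo, which tail calls it, declares (ref null i31).
    for exact in (True, False):
        print("exact" if exact else "subtyping", validate_return_call(["(ref i31)"], ["(ref null i31)"], exact))
```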
Attachments
Wasm binary that fails validation (64 bytes, application/wasm)
2025-02-27 07:54 PST, David Thompson
Radar WebKit Bug Importer
Comment 1 2025-03-06 07:55:15 PST
daniel_liu4
Comment 2 2025-03-10 13:25:58 PDT
EWS
Comment 3 2025-03-10 14:24:15 PDT
Committed 291918@main (61e1a1710342): <https://commits.webkit.org/291918@main> Reviewed commits have been landed. Closing PR #42206 and removing active labels.