291795 – [JSC] WASM JIT compiler uses the wrong comparison for br_if after i32.ne or i64.ne

RESOLVED FIXED291795

[JSC] WASM JIT compiler uses the wrong comparison for br_if after i32.ne or i64.ne

https://bugs.webkit.org/show_bug.cgi?id=291795

Summary [JSC] WASM JIT compiler uses the wrong comparison for br_if after i32.ne or i...

ashivaram264

Reported 2025-04-19 12:05:30 PDT

When constant folding in BBQJIT::tryFoldFusedBranchCompare, the cases for OpType::I32Ne and OpType::I64Ne use == instead of !=. This leads to incorrect behavior from WASM functions that push two i32.consts followed by i32.ne and br_if. The problem is on this line: https://github.com/WebKit/WebKit/blob/39dc4cc26a3d9115a99f248c577464a48629f181/Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp#L3354 and the corresponding line further down for I64Ne.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2025-04-20 04:52:13 PDT

Yusuke Suzuki

Comment 2 2025-04-20 04:53:00 PDT

EWS

Comment 3 2025-04-23 13:02:37 PDT

Committed 294022@main (7bb4eb9855e0): <https://commits.webkit.org/294022@main> Reviewed commits have been landed. Closing PR #44307 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebAssembly

Assignee

Yusuke Suzuki

Reported

2025-04-19 12:05 PDT

Modified

2025-04-23 13:02 PDT History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks