Created attachment 479244 [details] Wasm file reproducer I was testing out the recent implementation of Wide Arithmetic in JSC to get some performance numbers for the proposal itself and I've found what I believe is a bug in JSC's implementation. The same wasm file will execute successfully in SpiderMonkey and Wasmtime while it crashes with an illegal instruction or segmentation fault in JSC. The full benchmark is available at https://alexcrichton.github.io/wasm-benchmark-i128/ (requires wide arithmetic to be enabled). In Firefox Nightly for example I'm able to run various benchmarks using that UI. Locally in the JSC shell running this benchmark will crash sometimes with the wrong trap message, sometimes it'll SIGILL, and sometimes it'll SIGSEGV. I've attempted to reduce this to something smaller, however, as that UI has some various features/etc which I believe are unrelated to the crash. To that end I've run the module through `wasm-tools shrink` and it's gotten something that's not tiny but should be much smaller. The attached test wasm file to this bug doesn't import anything but the internals are somewhat nonsensical in that they've been automatically reduced. The shrinking predicate I used was "succeeds in Wasmtime but fails in JSC". JSC's failure here is never a SIGILL or a SIGSEGV from what I've seen, but it's pretty deterministically generating a wasm trap when it shouldn't. For exampe, with this JS: ```js const wasmBytes = read(arguments[0], 'binary'); const module = new WebAssembly.Module(wasmBytes); const instance = new WebAssembly.Instance(module); instance.exports._start(); ``` I get this from JSC: ``` $ jsc --useWasmWideArithmetic=true ./jsc2.js -- ./test2.shrunken.wasm Exception: RuntimeError: Unreachable code should not be executed (evaluating 'instance.exports._start()') 14@wasm-function[14] 18@wasm-function[18] 19@wasm-function[19] 11@wasm-function[11] 1@wasm-function[1] 0@wasm-function[0] global code@./jsc2.js:4:24 ``` whereas I get this in Wasmtime: ``` $ wasmtime -Wwide-arithmetic --invoke _start ./test2.shrunken.wasm ``` (no output as this exits successfully) Using a slightly modified JS file: ```js const wasmBytes = os.file.readFile(scriptArgs[0], "binary"); const module = new WebAssembly.Module(wasmBytes); const instance = new WebAssembly.Instance(module); instance.exports._start(); ``` this also passes in SpiderMonkey's latest nightly shell: ``` $ ./js -m spidermonkey2.js /dev/null test2.shrunken.wasm ``` This issue reproduces on both macOS aarch64 (M5 Max & macOS 26) as well as x86_64 Linux. On macOS I was using JSC via `jsvu` at version 311724. I've done my best to shrink this to something suitable for the time being, but this isn't 100% as shrunken as it can be. If this is still not useful enough to go on I can try to work to shrink this further, just let me know.