| Summary: | [WASM-Function-References] Assertion failure when a function returns (ref <idx>) to JS | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Asumu Takikawa <asumu> |
| Component: | WebAssembly | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | saam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Bug Depends on: | |||
| Bug Blocks: | 247393 | ||
Pull request: https://github.com/WebKit/WebKit/pull/2983

Committed 253734@main (0c946f31a451): <https://commits.webkit.org/253734@main>

Reviewed commits have been landed. Closing PR #2983 and removing active labels.
A test case like the following will currently raise an assertion error:

```
//@ runWebAssemblySuite("--useWebAssemblyTypedFunctionReferences=true", "--useWebAssemblyGC=false")
import * as assert from "../assert.js";
import { compile, instantiate } from "./wast-wrapper.js";

let m1 = instantiate(`
  (module
    (type (func))
    (type (func (result (ref 0))))
    (elem declare funcref (ref.func 0))
    (func)
    (func (export "f") (type 1) (ref.func 0))
  )
`);
instantiate(`
  (module
    (type (func))
    (type (func (result (ref 0))))
    (func (import "m" "f") (type 1))
  )
`, { m: { f: m1.exports.f } });
```

This will instead raise a parse error if typed funcrefs are turned off (the default).

The assertion failure comes from a ref-with-index type not being supported in `WasmToJS.cpp` in processing the result of an exported Wasm function.

I think it should be possible to support this case; it just requires checking if the type index points to a function signature or not. For non-function signatures, it should probably error for now.