[webkit-changes] [WebKit/WebKit] 7842f4: [JSC] B3 CSE asserts on struct.new_default with f3...

Kai Tamkun Mon, 04 May 2026 15:30:12 -0700

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 7842f4848d8259d14f510fc671081fbeb6bff3f1
      
https://github.com/WebKit/WebKit/commit/7842f4848d8259d14f510fc671081fbeb6bff3f1
  Author: Kai Tamkun <[email protected]>
  Date:   2026-05-04 (Mon, 04 May 2026)


  Changed paths:
    A JSTests/wasm/stress/new_default-f32.js
    M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp

  Log Message:
  -----------
  [JSC] B3 CSE asserts on struct.new_default with f32/f64 fields due to type 
mismatch in store-to-load forwarding
https://bugs.webkit.org/show_bug.cgi?id=313591
rdar://175665634

Reviewed by Keith Miller and Yusuke Suzuki.

The struct.new_default wasm instruction currently writes Int32(0) for f32 types.
If store-to-load forwarding occurs, B3::Value::replaceWithIdentity will fail a
RELEASE_ASSERT because the expected type is f32, not i32. This patch adjusts
OMGIRGenerator::addStructNewDefault and OMGIRGenerator::addArrayNewDefault to
create a constant of the correct type instead of defaulting to int types.

Test: JSTests/wasm/stress/new_default-f32.js

* JSTests/wasm/stress/new_default-f32.js: Added.
(instantiate):
(async let):
(then.async let):
(then):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::addArrayNewDefault):
(JSC::Wasm::OMGIRGenerator::addStructNewDefault):

Canonical link: https://commits.webkit.org/312557@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

[webkit-changes] [WebKit/WebKit] 7842f4: [JSC] B3 CSE asserts on struct.new_default with f3...

Reply via email to