Bug 265262

Summary: Wasm tail call conflicts with OMG inlining - ASSERTION FAILED: !irGenerator.m_makesTailCalls
Product: WebKit Reporter: Asumu Takikawa <asumu>
Component: WebAssemblyAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX    
Severity: Normal CC: justin_michaud, keith_miller, mark.lam, ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 215275, 264650    

Description Asumu Takikawa 2023-11-22 12:11:39 PST 
The following wasm program currently crashes in debug mode (using the `module` helper from function reference tests):

```
 /*                                         
  (module 
    (func (result i32) (i32.const 42))         
    (func (param) (result i32)            
      (return_call 0)                                                                                                                                                                                         
      (i32.const 5))
    (func (export "main") (result i32)
      (call 1))                                                                                        
  )                                                                                                    
  */                                    
  {                                       
    let m = new WebAssembly.Instance(module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x85\x80\x80\x80\x00\x01\x60\x00\x01\x7f\x03\x84\x80\x80\x80\x00\x03\x00\x00\x00\x07\x88\x80\x80\x80\x00\x01\x04\x6d\x61\x69\
x6e\x00\x02\x0a\x9e\x80\x80\x80\x00\x03\x84\x80\x80\x80\x00\x00\x41\x2a\x0b\x86\x80\x80\x80\x00\x00\x12\x00\x41\x05\x0b\x84\x80\x80\x80\x00\x00\x10\x01\x0b"));
    assert.eq(m.exports.main(), 42);   
  }       
```

with a crash message like the following:

wasm.yaml/wasm/function-references/tail_call.js.wasm-omg: ASSERTION FAILED: !irGenerator.m_makesTailCalls                                                                                                     
wasm.yaml/wasm/function-references/tail_call.js.wasm-omg: /home/asumu/WebKit/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp(4659) : JSC::Wasm::B3IRGenerator::PartialResult JSC::Wasm::B3IRGenerator::emitIn
lineDirectCall(uint32_t, const JSC::Wasm::TypeDefinition&, WTF::Vector<JSC::B3::Variable*, 0, WTF::CrashOnOverflow, 16, WTF::FastMalloc>&, ResultList&)                                                       
wasm.yaml/wasm/function-references/tail_call.js.wasm-omg: ERROR: Unexpected exit code: 134                                                                                                                    10/10 (failed 1)  

It looks like there's possibly an attempt to inline the `(call 1)` in the main function and that's failing because the function being inlined has a tail call.
Comment 1 Yusuke Suzuki 2023-11-26 16:05:35 PST 
tail call is not correctly implemented, it requires redesign and massive effort, and we are not seeing that it is currently implemented. So, wont' fix.
Comment 2 Yusuke Suzuki 2023-11-26 16:06:23 PST 
For example, stack pointer adjustment after the call is not done correctly in any places, so tail-call in wasm is not designed to be working, and that's the reason why it is not enabled. This is half baked and not having complete implementation yet.