[WebAssembly] Compile-time rejection of unreachable tee_local

[jmid]

Consider the following program:

(module
  (func (export "run")
    (param i32)
    (unreachable)
    (tee_local 0)
    (drop)
  )
)

which we can embed in a script as follows:

var debug = debug || (arg => console.log('-->', arg));

let buffer = new Uint8Array([ 0,97,115,109,1,0,0,0,1,5,1,96,1,127,0,3,2,1,0,7,7,1,3,114,117,110,0,0,10,8,1,6,0,0,34,0,26,11 ]);

let m = new WebAssembly.Instance(new WebAssembly.Module(buffer));
debug(m.exports.run());

With ch version 1.11.9.0 I get a compile-time error:

$ ch chissue.js
CompileError: function run[0] at offset 36/38 (0x24/0x26): Can't tee_local unreachable values
   at Global code (.../chissue.js:6:1)

whereas sm,v8, or jsc all throw a run-time error:

$ sm chissue.js
chissue.js line 5 > WebAssembly.Module:33:1 RuntimeError: unreachable executed
Stack:
  @chissue.js line 5 > WebAssembly.Module:wasm-function[0]:0x21
  @chissue.js:6:17

$ v8 chissue.js
wasm-function[0]:1: RuntimeError: unreachable
RuntimeError: unreachable
    at wasm-function[0]:0x21
    at chissue.js:6:17

$ jsc chissue.js
Exception: Error: Unreachable code should not be executed (evaluating 'm.exports.run()')
<?>.wasm-function[0]@[wasm code]
wasm-stub@[wasm code]
run@[native code]
global [email protected]:6:20

The weird thing is that Chakra's compile-time check seems to be limited to tee_local 😮
If we do variations that, e.g.,

• uses set_local instead (chissue2) or
• combines drop and i32const (chissue3)
  the programs pass compile-time validation and throws a run-time error like the other 3 engines.

Variation 1 (chissue2):

(module
  (func (export "run")
    (param i32)
    (unreachable)
    (set_local 0)
  )
)

var debug = debug || (arg => console.log('-->', arg));

let buffer = new Uint8Array([ 0,97,115,109,1,0,0,0,1,5,1,96,1,127,0,3,2,1,0,7,7,1,3,114,117,110,0,0,10,7,1,5,0,0,33,0,11 ]);

let m = new WebAssembly.Instance(new WebAssembly.Module(buffer));
debug(m.exports.run());

$ ch chissue2.js
RuntimeError: Unreachable Code
   at Global code (.../chissue2.js:6:1)

Variation 2 (chissue3):

(module
  (func (export "run")
    (param i32)
    (unreachable)
    (drop)
    (i32.const 0)
    (set_local 0)
  )
)

var debug = debug || (arg => console.log('-->', arg));

let buffer = new Uint8Array([ 0,97,115,109,1,0,0,0,1,5,1,96,1,127,0,3,2,1,0,7,7,1,3,114,117,110,0,0,10,10,1,8,0,0,26,65,0,33,0,11 ]);

let m = new WebAssembly.Instance(new WebAssembly.Module(buffer));
debug(m.exports.run());

$ ch chissue3.js
RuntimeError: Unreachable Code
   at Global code (.../chissue3.js:6:1)

[zenparsing]

This was fixed in #5889 and should be in 1.11.10.

[jmid]

FWIW I just updated to 1.11.10 via jsvu and still see the same behaviour:

$ ch --version
ch version 1.11.10.0
$ ch chissue.js
CompileError: function run[0] at offset 36/38 (0x24/0x26): Can't tee_local unreachable values
   at Global code (.../chissue.js:6:1)

[jmid]

@zenparsing We are at 1.11.14 at this still persists. Has #5889 been forgotten or is there a new ETA?

[MikeHolman]

This was fixed in master after 1.11 forked. It will release in 1.12, but I don't know when that will happen.