Bugzilla

The failure is reproducible on Ion and x86_64 platforms.

The reason is during tail calls, the SP pointer is moved with alignment of `WasmStackAlignment`. The Ion is trying to pack locals and parameters, and during a tail call, that "gives" stack back (see $func2 has less parameters than $func1), the SP was moved too far and locals/temps where overwritten. In the test above, temp for `ref.null` was replaced.

The solution is to align locals/temps on the boundary of `WasmStackAlignment` at https://searchfox.org/mozilla-central/source/js/src/jit/shared/CodeGenerator-shared.cpp#82 (as we do for Aarch64). The already do the same thing in the baseline https://searchfox.org/mozilla-central/source/js/src/wasm/WasmStubs.cpp#718.

The failure is reproducible on Ion and x86_64 platforms.

The reason is during tail calls, the SP pointer is moved with alignment of `WasmStackAlignment`. The Ion is trying to pack locals and parameters, and during a tail call, that "gives" stack back (see $func2 has less parameters than $func1), the SP was moved too far and locals/temps were overwritten. In the test above, temp for `ref.null` was replaced.

The solution is to align locals/temps on the boundary of `WasmStackAlignment` at https://searchfox.org/mozilla-central/source/js/src/jit/shared/CodeGenerator-shared.cpp#82 (as we do for Aarch64). The already do the same thing in the baseline https://searchfox.org/mozilla-central/source/js/src/wasm/WasmStubs.cpp#718.

The failure is reproducible on Ion and x86_64 platforms.

The reason is during tail calls, the SP pointer is moved with alignment of `WasmStackAlignment`. The Ion is trying to pack locals and parameters, and during a tail call (especially that "gives" stack back, see $func2 has less parameters than $func1), the SP was moved too far and locals/temps were overwritten. In the test above, temp for `ref.null` was replaced.

The solution is to align locals/temps on the boundary of `WasmStackAlignment` at https://searchfox.org/mozilla-central/source/js/src/jit/shared/CodeGenerator-shared.cpp#82 (as we do for Aarch64). The already do the same thing in the baseline https://searchfox.org/mozilla-central/source/js/src/wasm/WasmStubs.cpp#718.

The failure is reproducible on Ion and x86_64 platforms.

The reason is during tail calls, the SP pointer is moved with alignment of `WasmStackAlignment`. The Ion is trying to pack locals and parameters, and during a tail call (especially that "gives" stack back, see $func2 has more parameters than $func1), the SP was moved too far and locals/temps were overwritten. In the test above, temp for `ref.null` was replaced.

The solution is to align locals/temps on the boundary of `WasmStackAlignment` at https://searchfox.org/mozilla-central/source/js/src/jit/shared/CodeGenerator-shared.cpp#82 (as we do for Aarch64). The already do the same thing in the baseline https://searchfox.org/mozilla-central/source/js/src/wasm/WasmStubs.cpp#718.

The failure is reproducible on Ion and x86_64 platforms.

The reason is during tail calls, the SP pointer is moved with alignment of `WasmStackAlignment`. The Ion is trying to pack locals and parameters, and during a tail call (especially that "gives" stack back, see $func2 has more parameters than $func1), the SP was moved too far and locals/temps were overwritten. In the test above, temp for `ref.null` was replaced.

The solution is to align locals/temps on the boundary of `WasmStackAlignment` at https://searchfox.org/mozilla-central/source/js/src/jit/shared/CodeGenerator-shared.cpp#82 (as we do for Aarch64). We already do the same thing in the baseline https://searchfox.org/mozilla-central/source/js/src/wasm/WasmStubs.cpp#718.