[webkit-changes] [WebKit/WebKit] 470e56: BBQJIT if conditions are very wrong

Justin Michaud noreply at github.com
Tue Dec 19 13:44:45 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 470e562ed7b830ee06b73b892c6ae243e48b9af2
      https://github.com/WebKit/WebKit/commit/470e562ed7b830ee06b73b892c6ae243e48b9af2
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2023-12-19 (Tue, 19 Dec 2023)

  Changed paths:
    A JSTests/wasm/stress/bbq-parallel-move.js
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp

  Log Message:
  -----------
  BBQJIT if conditions are very wrong
https://bugs.webkit.org/show_bug.cgi?id=262222
rdar://problem/116145012

Reviewed by Keith Miller.

BBQJIT if conditions are very wrong. By random chance, the condition value
happens to be allocated in nonPreservedNonArgumentGPR1, but if you use
more than 8 registers, we end up just reading a completely random value.

Let's not do that.

We also add some extra debugging assertions for parallel move. These shouldn't ever actually
be hit, but they help us avoid a potential problem in the future if we
make BBQ register allocation smarter.

Finally, we allow allocating eax on x86, and fix some bugs surrounding if/else as a result.

* JSTests/wasm/stress/bbq-parallel-move.js: Added.
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.func.log_value.import.string_appeared_here.string_appeared_here.param.i32.func.export.string_appeared_here.param.p0.i32.param.p1.i32.param.p2.i32.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.local.p1.result.i32.local.p0.then.local.p2.local.p0.i32.const.0.else.i32.const.0.local.p2.call.f.func.f.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.i32.param.pl.i32.call.log_value.local.pl.async test.):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::ControlData::ControlData):
(JSC::Wasm::BBQJIT::addIf):
(JSC::Wasm::BBQJIT::emitIndirectCall):
(JSC::Wasm::BBQJIT::emitShuffle):

Originally-landed-as: 267815.223 at safari-7617-branch (3c476842d24c). rdar://119592377
Canonical link: https://commits.webkit.org/272297@main
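As an added illustration (not the commit's own test), the hand-assembled module below mirrors the shape of the stress test the ChangeLog entry describes: nine copies of one parameter are kept live on the wasm stack while an `if` branches on another parameter, so a JIT that reads the condition from the wrong register produces a wrong sum. The export name `sel` and the JS reference check are assumptions of this example.

```javascript
const I32 = 0x7f;
// Every vector/section here is shorter than 128 bytes, so one LEB128 byte
// encodes each length.
const section = (id, bytes) => [id, bytes.length, ...bytes];

const LIVE = 9; // copies of $a kept live across the `if`, as in the stress test
const typeSec = section(1, [1, 0x60, 3, I32, I32, I32, 1, I32]); // (i32,i32,i32)->i32
const funcSec = section(3, [1, 0]);                                // func 0 has type 0
const exportSec = section(7, [1, 3, 0x73, 0x65, 0x6c, 0x00, 0]);  // export "sel" = func 0
const body = [
  0,                                       // no extra locals
  ...Array(LIVE).fill([0x20, 1]).flat(),   // LIVE x local.get $a
  0x20, 0,                                 // local.get $c  (the if condition)
  0x04, I32,                               // if (result i32)
  0x20, 2,                                 //   local.get $b
  0x05,                                    // else
  0x41, 0,                                 //   i32.const 0
  0x0b,                                    // end
  ...Array(LIVE).fill(0x6a),               // LIVE x i32.add, folding everything
  0x0b,                                    // end of function
];
const codeSec = section(10, [1, body.length, ...body]);
const wasmBytes = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 1, 0, 0, 0,      // magic + version
  ...typeSec, ...funcSec, ...exportSec, ...codeSec,
]);

// sel(c, a, b) == LIVE*a + (c ? b : 0)
const { sel } = new WebAssembly.Instance(new WebAssembly.Module(wasmBytes)).exports;

// Warm the function up so a tiering JIT has compiled it, and check every
// result against a plain JS reference. Returns true only if all agree.
function ifConditionsAgree(iterations = 5000) {
  for (let i = 0; i < iterations; i++) {
    const c = i % 3, a = i & 0xff, b = (i * 7) & 0xffff;
    if (sel(c, a, b) !== LIVE * a + (c !== 0 ? b : 0)) return false;
  }
  return true;
}

console.log("if conditions agree:", ifConditionsAgree());
```

Run it under the engine being checked (e.g. a `jsc` shell) with enough iterations for the function to reach the tier under test; a single mismatch is enough to flag the miscompile.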
