[webkit-changes] [WebKit/WebKit] dde2af: [JSC] Always claim bounds-checking-size register a...

Fri Feb 17 15:49:10 PST 2023

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: dde2af69c8970f8ac8f77b16cd17571b8dc0bed5
      https://github.com/WebKit/WebKit/commit/dde2af69c8970f8ac8f77b16cd17571b8dc0bed5
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-02-17 (Fri, 17 Feb 2023)

  Changed paths:
    M Source/JavaScriptCore/jit/RegisterSet.cpp
    M Source/JavaScriptCore/jit/RegisterSet.h
    M Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
    M Source/JavaScriptCore/wasm/js/JSToWasm.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

  Log Message:
  -----------
  [JSC] Always claim bounds-checking-size register as pinned
https://bugs.webkit.org/show_bug.cgi?id=252508
rdar://105614733

Reviewed by Justin Michaud.

Except only one place, every place passes BoundChecking mode to wasmPinnedRegisters.
Eventually tail-call also clobbers it, and wasm LLInt / new Baseline clobber it.
So, let's alwasy include boundsCheckingSizeRegister as a part of wasmPinnedRegisters.
This difference only affects on JSToWasm code, which is slow code so it doesn't matter (this is not fast IC path).

This fixes many crashes with new wasm baseline JIT.

* Source/JavaScriptCore/jit/RegisterSet.cpp:
(JSC::RegisterSetBuilder::wasmPinnedRegisters):
* Source/JavaScriptCore/jit/RegisterSet.h:
* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:
(JSC::Wasm::ExpressionType>::addCall):
(JSC::Wasm::ExpressionType>::emitIndirectCall):
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitIndirectCall):
(JSC::Wasm::B3IRGenerator::addCall):
* Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::calleeSaves const):

Canonical link: https://commits.webkit.org/260477@main