[webkit-changes] [WebKit/WebKit] 65f379: Fix flushing constants to StackArguments in WasmBB...

Commit Queue noreply at github.com
Tue Mar 7 21:37:58 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 65f37957e2718b0104e2a3bb13086626dafe23d5
      https://github.com/WebKit/WebKit/commit/65f37957e2718b0104e2a3bb13086626dafe23d5
  Author: David Degazio <d_degazio at apple.com>
  Date:   2023-03-07 (Tue, 07 Mar 2023)

  Changed paths:
    A JSTests/wasm/stress/constant-overlaps-stack-argument.js
    A JSTests/wasm/stress/spilled-block-argument.js
    A JSTests/wasm/stress/spilled-block-result.js
    A JSTests/wasm/stress/spilled-constant-block-argument.js
    A JSTests/wasm/stress/spilled-constant-block-result.js
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp

  Log Message:
  -----------
  Fix flushing constants to StackArguments in WasmBBQJIT
https://bugs.webkit.org/show_bug.cgi?id=253530
rdar://106358707

Reviewed by Yusuke Suzuki.

The current WASM BBQ JIT trips some assertions when constants are flushed at the
end of a block in certain circumstances. Specifically, if a temp was previously
bound to a StackArgument, then was popped and replaced with a constant, the constant
will flush to the StackArgument slot which is wrong and caught by the assertion.

This patch addresses two issues: first, we shouldn't actually fail an assertion here,
it's totally fine in theory to store a constant in a stack argument location. But the
reason we flush to a StackArgument to begin with is that BBQ JIT doesn't correctly
unbind temporaries from StackArgument slots when they are popped - with this patch, we
should now always restore temps to their canonical slots if they are bound elsewhere
and popped.

* JSTests/wasm/stress/constant-overlaps-stack-argument.js: Added.
* JSTests/wasm/stress/spilled-block-argument.js: Added.
* JSTests/wasm/stress/spilled-block-result.js: Added.
* JSTests/wasm/stress/spilled-constant-block-argument.js: Added.
* JSTests/wasm/stress/spilled-constant-block-result.js: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::emitMoveConst):
(JSC::Wasm::BBQJIT::consume):

Canonical link: https://commits.webkit.org/261358@main
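A regression-style check for the pattern the message describes (a stack-passed argument read inside a block, popped, then replaced by a constant that becomes the block result), added here as an example and not taken from the commit or its JSTests; the parameter count that forces stack passing, the export name `f`, and the helper names `uleb`, `section`, `buildModule` and `runCheck` are assumptions:

```javascript
// Added example, not code from the WebKit commit or its JSTests: it hand-
// assembles a minimal Wasm module whose single function takes enough i32
// parameters that some are passed on the stack (the count needed is an
// assumption about the target ABI), reads one stack-passed parameter inside
// a block, pops it, and leaves an i32 constant as the block result.
const NUM_PARAMS = 12;  // assumed to exceed the register-passed argument count
const I32 = 0x7f;       // wasm valtype byte for i32

// Unsigned LEB128 encoding, wasm's variable-length integer format.
function uleb(n) {
  const out = [];
  do {
    let byte = n & 0x7f;
    n >>>= 7;
    if (n !== 0) byte |= 0x80;
    out.push(byte);
  } while (n !== 0);
  return out;
}

// Prefix a section payload with its id and LEB128 byte length.
function section(id, payload) {
  return [id, ...uleb(payload.length), ...payload];
}

function buildModule() {
  const header = [0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00];
  // Type section: one function type (i32 x NUM_PARAMS) -> i32.
  const type = section(1, [1, 0x60, ...uleb(NUM_PARAMS),
    ...Array(NUM_PARAMS).fill(I32), 1, I32]);
  const func = section(3, [1, 0]);                // one function, type index 0
  const exp = section(7, [1, 1, 0x66, 0x00, 0]);  // export "f" = function 0
  // Body: block (result i32) local.get <last param> drop i32.const 42 end end
  const body = [0, 0x02, I32, 0x20, ...uleb(NUM_PARAMS - 1), 0x1a, 0x41, 42,
    0x0b, 0x0b];
  const code = section(10, [1, ...uleb(body.length), ...body]);
  return new Uint8Array([...header, ...type, ...func, ...exp, ...code]);
}

// Instantiate and call with constructed distinct arguments; the block result
// must be the constant 42, never the stack-passed argument it replaced.
function runCheck() {
  const bytes = buildModule();
  if (!WebAssembly.validate(bytes)) throw new Error("module failed validation");
  const instance = new WebAssembly.Instance(new WebAssembly.Module(bytes));
  const args = Array.from({ length: NUM_PARAMS }, (_, i) => 1000 + i);
  return instance.exports.f(...args);
}
```

Under jsc the function has to be compiled by the BBQ tier for the check to say anything about this fix; under another engine it only confirms the module is valid and that the block result is the constant.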
