[webkit-changes] [WebKit/WebKit] 76f47a: [JSC] Fix BBQ JIT's shuffling

Yusuke Suzuki noreply at github.com
Tue May 23 10:30:26 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 76f47aa9042386307ab0e61744870833fd981a76
      https://github.com/WebKit/WebKit/commit/76f47aa9042386307ab0e61744870833fd981a76
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-05-23 (Tue, 23 May 2023)

  Changed paths:
    A JSTests/wasm/stress/bbq-shuffle-scratch-can-overlap-with-source-or-destination.js
    A JSTests/wasm/stress/resources/bbq-shuffle-scratch-can-overlap-with-source-or-destination.wasm
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp

  Log Message:
  -----------
  [JSC] Fix BBQ JIT's shuffling
https://bugs.webkit.org/show_bug.cgi?id=257187
rdar://109569108

Reviewed by Michael Saboff.

Current WasmBBQJIT shuffle has a bug.

1. It is taking gpTemp and fpTemp. But they do not work well because these registers can be used for the destination of
   shuffling (while they cannot be used for sources since they are allocated / reserved). Even if we use ScratchScope
   to allocate them, they can be overridden as a destination and after that they can be clobbered as a temp. So shuffling
   only works with wasmScratchGPR and wasmScratchFPR, which are excluded from sources and destinations. This patch removes
   gpTemp and fpTemp since they cannot work.
2. Instead of (1), we use GPRInfo::nonPreservedNonArgumentGPR1. It is ensured that it is not included in any of calling arguments
   as the name says. We also ensure that this is not included in arguments location for wasm blocks. So we can strongly guarantee
   that GPRInfo::nonPreservedNonArgumentGPR1 will not appear in destinations. Then, we use ScratchScope and clobber to exclude
   this from sources. So we can safely use this register to keep a value beyond shuffling.

* JSTests/wasm/stress/bbq-shuffle-scratch-can-overlap-with-source-or-destination.js: Added.
(async let):
* JSTests/wasm/stress/resources/bbq-shuffle-scratch-can-overlap-with-source-or-destination.wasm: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::ControlData::ControlData):
(JSC::Wasm::BBQJIT::addIf):
(JSC::Wasm::BBQJIT::saveValuesAcrossCallAndPassArguments):
(JSC::Wasm::BBQJIT::emitCCall):
(JSC::Wasm::BBQJIT::addCall):
(JSC::Wasm::BBQJIT::emitIndirectCall):
(JSC::Wasm::BBQJIT::addCallIndirect):
(JSC::Wasm::BBQJIT::emitShuffleMove):
(JSC::Wasm::BBQJIT::emitShuffle):

Canonical link: https://commits.webkit.org/264425@main

More information about the webkit-changes mailing list