[webkit-changes] [WebKit/WebKit] 3a62d3: [merge-back]OMG should pop try arguments

Justin Michaud noreply at github.com
Thu May 25 19:40:49 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 3a62d3df302dbce15ff8235c45c8f3b40a43d21d
      https://github.com/WebKit/WebKit/commit/3a62d3df302dbce15ff8235c45c8f3b40a43d21d
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2023-05-25 (Thu, 25 May 2023)

  Changed paths:
    A JSTests/wasm/stress/block_end_aliasing.js
    A JSTests/wasm/stress/block_end_aliasing.wasm
    A JSTests/wasm/stress/block_end_aliasing_2.js
    A JSTests/wasm/stress/block_end_aliasing_2.wasm
    A JSTests/wasm/stress/block_end_aliasing_2.wat
    A JSTests/wasm/stress/if-block-arguments-2.js
    A JSTests/wasm/stress/if-block-arguments.js
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

  Log Message:
  -----------
  [merge-back]OMG should pop try arguments
rdar://109857225

Reviewed by Yusuke Suzuki.

The parser and the B3 generator both maintain their own separate wasm stacks.
When we end a block, these two stacks can get out of sync because we forgot
to pop on the b3 side. This can cause type confusion.

The real fix for this is to fix the underlying design flaw.

In the future, we should only store one copy of the stack state in the parser,
including the wasm type, and refer exclusively to that. This is what the new BBQ tier does.

For now, we just pop as needed.

* JSTests/wasm/stress/block_end_aliasing.js: Added.
(instantiate):
(async let):
* JSTests/wasm/stress/block_end_aliasing.wasm: Added.
* JSTests/wasm/stress/block_end_aliasing_2.js: Added.
(instantiate):
(async let):
(async let.i4.await.instantiate):
* JSTests/wasm/stress/block_end_aliasing_2.wasm: Added.
* JSTests/wasm/stress/block_end_aliasing_2.wat: Added.
* JSTests/wasm/stress/loop-end-aliasing.js: Added.
(from.string_appeared_here.import.as.assert.from.string_appeared_here.let.wat.module.import.string_appeared_here.string_appeared_here.memory.mem.1.func.export.string_appeared_here.result.i64.funcref.i64.const.14.block.param.i64.end.ref.func.0.return.async test):
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::didPopValueFromStack):
(JSC::Wasm::B3IRGenerator::makePushVariable):
(JSC::Wasm::B3IRGenerator::addEndToUnreachable):

Originally-landed-as: 259548.624 at safari-7615-branch (c9d960b1956a). rdar://109857225
Canonical link: https://commits.webkit.org/264551@main

More information about the webkit-changes mailing list