[webkit-changes] [WebKit/WebKit] dd1c09: [JSC] Suppress broken assertion in DFG register al...
Yusuke Suzuki
noreply at github.com
Mon Feb 5 15:03:38 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: dd1c094a5f04ea5a5f93e236ff3b4db43d85a226
https://github.com/WebKit/WebKit/commit/dd1c094a5f04ea5a5f93e236ff3b4db43d85a226
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2024-02-05 (Mon, 05 Feb 2024)
Changed paths:
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Log Message:
-----------
[JSC] Suppress broken assertion in DFG register allocation
https://bugs.webkit.org/show_bug.cgi?id=268727
rdar://122279383
Reviewed by Mark Lam.
The DFG register allocation check's assertion is broken. It records the register-allocation offset and attempts to assert when a jump is going over it.
But this does not work at all if register allocation does not emit any instructions. In that case, the offset can be a valid instruction's one
after the register allocation is done. And this is what is happening here.
We work around this silly bug by reordering the instruction and jump target a bit. emitStoreCallSiteIndex always emits some instructions, so it distinguishes
the register allocation offset from the actual one. And when retrying (jumping to mainPath), we do not need to perform emitStoreCallSiteIndex again.
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
Canonical link: https://commits.webkit.org/274116@main