[webkit-changes] [WebKit/WebKit] 583899: Signed loads should not zero-def their destination.

Justin Michaud noreply at github.com
Fri Mar 29 09:51:46 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 58389979b17a533801e90121829b5e1e2b4068cc
      https://github.com/WebKit/WebKit/commit/58389979b17a533801e90121829b5e1e2b4068cc
  Author: Justin Michaud <justin at justinmichaud.com>
  Date:   2024-03-29 (Fri, 29 Mar 2024)

  Changed paths:
    M Source/JavaScriptCore/b3/air/AirOpcode.opcodes

  Log Message:
  -----------
  Signed loads should not zero-def their destination.
https://bugs.webkit.org/show_bug.cgi?id=271866
rdar://122959696

Reviewed by Yusuke Suzuki.

This fixes a hang in Google Meet when applying the Black Noir filter.

Suppose we have:

```
@a = Load8SignedExtendTo32(@x)

@b = Trunc(ZExt32(@a))
```

B3 reduceStrength will convert @b to @a. The Air register allocator will
see that we ZDef 64 bits in @a, but on ARM64, we actually sign-extend them.

This was caught by changing reduceStrength:

```
case Trunc:
    // Turn this: Trunc(SExt32(value)) or Trunc(ZExt32(value))
    // Into this: value
    if (m_value->child(0)->opcode() == SExt32 || m_value->child(0)->opcode() == ZExt32) {
        auto* value = m_value->child(0)->child(0);
        auto* patchpoint = m_insertionSet.insert<PatchpointValue>(
            m_index, m_value->type(), m_value->origin());

        patchpoint->effects = Effects();
        patchpoint->effects.reads = HeapRange::top();
        patchpoint->effects.exitsSideways = true;

        patchpoint->append(value);
        patchpoint->setGenerator([&] (CCallHelpers& jit, const StackmapGenerationParams& params) {
            RELEASE_ASSERT(params.size() == 2);
            RELEASE_ASSERT(params[0].isGPR());
            RELEASE_ASSERT(params[1].isGPR());
            auto dst = params[0].gpr();
            auto a = params[1].gpr();
            auto branch = jit.branchTest64(CCallHelpers::Zero, a, MacroAssembler::TrustedImm64(0xFFFFFFFF00000000));
            jit.breakpoint();
            jit.breakpoint(0);
            jit.breakpoint(1);
            jit.breakpoint(2);
            branch.link(&jit);
            jit.move(a, dst);
        });

        replaceWithNew<Value>(Identity, m_value->origin(), patchpoint);
```

* Source/JavaScriptCore/b3/air/AirOpcode.opcodes:

Canonical link: https://commits.webkit.org/276829@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list