[webkit-changes] [WebKit/WebKit] e2679a: Fix BBQ tail call stack pointer restore site

[Keith Miller]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e2679aee4b9cff97b802d66ac933c28da2fc1d40
      https://github.com/WebKit/WebKit/commit/e2679aee4b9cff97b802d66ac933c28da2fc1d40
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2024-10-16 (Wed, 16 Oct 2024)

  Changed paths:
    A JSTests/wasm/stress/tail-call-js-to-wasm.js
    M Source/JavaScriptCore/assembler/MacroAssemblerARM64.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
    M Source/JavaScriptCore/wasm/js/JSToWasm.cpp

  Log Message:
  -----------
  Fix BBQ tail call stack pointer restore site
https://bugs.webkit.org/show_bug.cgi?id=281529
rdar://137994450

Reviewed by David Degazio.

When adding tail calls to BBQ the restore site for sp was after
getting the results. However, since stack results are at the
*top* of the reserved frame we want to address from where the
caller thought sp should be not where the tail callee's frame pointer
was.

Also, restore sp in OMG after calls since I think it's possible to
stack overflow in a way that would be unexpected if we don't.

* Source/JavaScriptCore/assembler/MacroAssemblerARM64.cpp:
(JSC::MacroAssembler::probe):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addTopLevel):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitTailCall):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCall):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitIndirectCall):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::emitIndirectCall):
(JSC::Wasm::OMGIRGenerator::addCall):
* Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
(JSC::Wasm::FunctionSignature::jsToWasmICEntrypoint const):

Canonical link: https://commits.webkit.org/285268@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications