[webkit-changes] [WebKit/WebKit] 5156f9: [WASM GC] Reference instructions should consume ar...

David Degazio noreply at github.com
Fri Jan 31 21:54:47 PST 2025 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5156f93cff547f3c9a66684be4e0d5d65897f26d
      https://github.com/WebKit/WebKit/commit/5156f93cff547f3c9a66684be4e0d5d65897f26d
  Author: David Degazio <d_degazio at apple.com>
  Date:   2025-01-31 (Fri, 31 Jan 2025)

  Changed paths:
    A JSTests/wasm/stress/array-copy-with-constant-null.js
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.h
    M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
    M Source/JavaScriptCore/wasm/WasmFunctionParser.h
    M Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.h

  Log Message:
  -----------
  [WASM GC] Reference instructions should consume arguments even when operand is constant null
https://bugs.webkit.org/show_bug.cgi?id=283889
rdar://140774231

Reviewed by Yusuke Suzuki.

Fixes all instances where we have a WASM GC opcode that fails to call
consume() on its arguments. Generally this previously happened in the
case we detected one of the arguments was a JSNull constant.

In order to limit the impact of failing to consume(), this patch also
removes a case in BBQJIT::allocateWithHint that would blindly reuse
the existing register binding for a value. This case seems to only have
been reachable when calling allocate() on the result of a C call - a
procedure that allocates a location for its result internally. I've
replaced these redundant allocate() calls with loadIfNecessary() calls,
although we pretty much always expect the value to already be in a
register.

Finally, this patch adds debug-only verification that every value we
pop from the expression stack is consumed in BBQ. This required some
minor changes to the implementations of some instructions to ensure
we don't detect spurious errors. It was a big help in finding buggy
cases when making this patch and should help defend against such bugs
in the future.

* JSTests/wasm/stress/array-copy-with-constant-null.js: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableSet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableInit):
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableFill):
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableCopy):
(JSC::Wasm::BBQJITImpl::BBQJIT::addMemoryFill):
(JSC::Wasm::BBQJITImpl::BBQJIT::addMemoryCopy):
(JSC::Wasm::BBQJITImpl::BBQJIT::addMemoryInit):
(JSC::Wasm::BBQJITImpl::BBQJIT::atomicWait):
(JSC::Wasm::BBQJITImpl::BBQJIT::atomicNotify):
(JSC::Wasm::BBQJITImpl::BBQJIT::pushArrayNewFromSegment):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayCopy):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayInitElem):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayInitData):
(JSC::Wasm::BBQJITImpl::BBQJIT::addAnyConvertExtern):
(JSC::Wasm::BBQJITImpl::BBQJIT::addExternConvertAny):
(JSC::Wasm::BBQJITImpl::BBQJIT::willParseOpcode):
(JSC::Wasm::BBQJITImpl::BBQJIT::didPopValueFromStack):
(JSC::Wasm::BBQJITImpl::BBQJIT::allocateWithHint):
(JSC::Wasm::BBQJITImpl::BBQJIT::consume):
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableGet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayNewFixed):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArraySet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayFill):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructNewDefault):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructNew):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructSet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addRefCast):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableGet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayNew):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayNewFixed):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArraySet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayFill):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructNewDefault):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructNew):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructSet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addRefCast):
(JSC::Wasm::BBQJITImpl::BBQJIT::addBranchNull):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCallRef):
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
(JSC::Wasm::isCompareOpType):

Originally-landed-as: 283286.567 at safari-7620-branch (8964a07ea3fb). rdar://143593696
Canonical link: https://commits.webkit.org/289657@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list