<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[213653] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/213653">213653</a></dd>
<dt>Author</dt> <dd>sbarati@apple.com</dd>
<dt>Date</dt> <dd>2017-03-09 11:18:34 -0800 (Thu, 09 Mar 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>WebAssembly: Make the Unity AngryBots demo run
https://bugs.webkit.org/show_bug.cgi?id=169268

Reviewed by Keith Miller.

JSTests:

* wasm/function-tests/many-arguments-to-function.js: Added.
(import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.I32Const.0.I32Const.1.I32Const.2.I32Const.3.I32Const.4.I32Const.5.I32Const.6.I32Const.7.I32Const.8.I32Const.9.I32Const.10.I32Const.11.I32Const.12.I32Const.13.I32Const.14.I32Const.15.I32Const.16.I32Const.17.Call.0.Return.End.End.foo):
(i.instance.exports.f0.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.Call.Return.End.End.foo):
(i.instance.exports.f0):
(instance.exports.f0.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.Call.Return.End.End.foo):
(instance.exports.f0):

Source/JavaScriptCore:

This patch fixes three bugs:
1. The WasmBinding code for making a JS call was off
by 1 in its stack layout code.
2. The WasmBinding code had a &quot;&lt;&quot; comparison instead
of a &quot;&gt;=&quot; comparison. This would cause us to calculate
the wrong frame pointer offset.
3. The code to reload wasm state inside B3IRGenerator didn't
properly represent its effects.

* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::restoreWebAssemblyGlobalState):
(JSC::Wasm::parseAndCompile):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToJs):
* wasm/js/WebAssemblyInstanceConstructor.cpp:
(JSC::WebAssemblyInstanceConstructor::createInstance):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkJSTestsChangeLog">trunk/JSTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmWasmB3IRGeneratorcpp">trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmWasmBindingcpp">trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorewasmjsWebAssemblyInstanceConstructorcpp">trunk/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkJSTestswasmfunctiontestsmanyargumentstofunctionjs">trunk/JSTests/wasm/function-tests/many-arguments-to-function.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkJSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/JSTests/ChangeLog (213652 => 213653)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/ChangeLog        2017-03-09 19:08:46 UTC (rev 213652)
+++ trunk/JSTests/ChangeLog        2017-03-09 19:18:34 UTC (rev 213653)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2017-03-09  Saam Barati  &lt;sbarati@apple.com&gt;
+
+        WebAssembly: Make the Unity AngryBots demo run
+        https://bugs.webkit.org/show_bug.cgi?id=169268
+
+        Reviewed by Keith Miller.
+
+        * wasm/function-tests/many-arguments-to-function.js: Added.
+        (import.Builder.from.string_appeared_here.import.as.assert.from.string_appeared_here.I32Const.0.I32Const.1.I32Const.2.I32Const.3.I32Const.4.I32Const.5.I32Const.6.I32Const.7.I32Const.8.I32Const.9.I32Const.10.I32Const.11.I32Const.12.I32Const.13.I32Const.14.I32Const.15.I32Const.16.I32Const.17.Call.0.Return.End.End.foo):
+        (i.instance.exports.f0.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.F32Const.Call.Return.End.End.foo):
+        (i.instance.exports.f0):
+        (instance.exports.f0.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.GetLocal.Call.Return.End.End.foo):
+        (instance.exports.f0):
+
</ins><span class="cx"> 2017-03-08  Yusuke Suzuki  &lt;utatane.tea@gmail.com&gt;
</span><span class="cx"> 
</span><span class="cx">         [GTK] JSC test stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler crashing on GTK bot
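Review bot: the five parenthesised lines under the `* wasm/function-tests/many-arguments-to-function.js: Added.` entry (`(import.Builder.from.string_appeared_here...)`, `(i.instance.exports.f0.F32Const...)`, and so on) are prepare-ChangeLog misreading the Builder method chain, not function names; replace them with one line saying what the test covers (a JS import called with 18 i32 arguments, 18 f32 arguments, and a mixed 16 i32 + 16 f32 signature, both from constants and from exported-function parameters).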
</span></span></pre></div>
<a id="trunkJSTestswasmfunctiontestsmanyargumentstofunctionjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/wasm/function-tests/many-arguments-to-function.js (0 => 213653)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/wasm/function-tests/many-arguments-to-function.js                                (rev 0)
+++ trunk/JSTests/wasm/function-tests/many-arguments-to-function.js        2017-03-09 19:18:34 UTC (rev 213653)
</span><span class="lines">@@ -0,0 +1,186 @@
</span><ins>+import Builder from '../Builder.js'
+import * as assert from '../assert.js'
+
+{
+    const b = new Builder()
+        .Type().End()
+        .Import().Function(&quot;imp&quot;, &quot;func&quot;, { params: [&quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;, &quot;i32&quot;], ret:&quot;i32&quot; }).End()
+        .Function().End()
+        .Export().Function(&quot;f0&quot;).End()
+        .Code()
+            .Function(&quot;f0&quot;, { params: [], ret: &quot;i32&quot; })
+                .I32Const(0)
+                .I32Const(1)
+                .I32Const(2)
+                .I32Const(3)
+                .I32Const(4)
+                .I32Const(5)
+                .I32Const(6)
+                .I32Const(7)
+                .I32Const(8)
+                .I32Const(9)
+                .I32Const(10)
+                .I32Const(11)
+                .I32Const(12)
+                .I32Const(13)
+                .I32Const(14)
+                .I32Const(15)
+                .I32Const(16)
+                .I32Const(17)
+                .Call(0)
+                .Return()
+            .End()
+        .End()
+
+    function foo(...args) {
+        for (let i = 0; i &lt; args.length; i++) {
+            if (args[i] !== i)
+                throw new Error(&quot;Bad!&quot;);
+        }
+    }
+
+    let imp = {imp: {func: foo}}
+    let instance = new WebAssembly.Instance(new WebAssembly.Module(b.WebAssembly().get()), imp);
+    for (let i = 0; i &lt; 100; i++)
+        instance.exports.f0();
+}
+
+{
+    const b = new Builder()
+        .Type().End()
+        .Import().Function(&quot;imp&quot;, &quot;func&quot;, { params: [&quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;], ret:&quot;f32&quot; }).End()
+        .Function().End()
+        .Export().Function(&quot;f0&quot;).End()
+        .Code()
+            .Function(&quot;f0&quot;, { params: [], ret: &quot;f32&quot; })
+                .F32Const(0.5)
+                .F32Const(1.5)
+                .F32Const(2.5)
+                .F32Const(3.5)
+                .F32Const(4.5)
+                .F32Const(5.5)
+                .F32Const(6.5)
+                .F32Const(7.5)
+                .F32Const(8.5)
+                .F32Const(9.5)
+                .F32Const(10.5)
+                .F32Const(11.5)
+                .F32Const(12.5)
+                .F32Const(13.5)
+                .F32Const(14.5)
+                .F32Const(15.5)
+                .F32Const(16.5)
+                .F32Const(17.5)
+                .Call(0)
+                .Return()
+            .End()
+        .End()
+
+    function foo(...args) {
+        for (let i = 0; i &lt; args.length; i++) {
+            if (args[i] !== (i + 0.5))
+                throw new Error(&quot;Bad!&quot;);
+        }
+    }
+
+    let imp = {imp: {func: foo}}
+    let instance = new WebAssembly.Instance(new WebAssembly.Module(b.WebAssembly().get()), imp);
+    for (let i = 0; i &lt; 100; i++)
+        instance.exports.f0();
+}
+
+{
+    const b = new Builder()
+        .Type().End()
+        .Import().Function(&quot;imp&quot;, &quot;func&quot;, { params: [&quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;], ret:&quot;f32&quot; }).End()
+        .Function().End()
+        .Export().Function(&quot;f0&quot;).End()
+        .Code()
+            .Function(&quot;f0&quot;, { params: [&quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;, &quot;f32&quot;] , ret: &quot;f32&quot; })
+                .GetLocal(0)
+                .GetLocal(1)
+                .GetLocal(2)
+                .GetLocal(3)
+                .GetLocal(4)
+                .GetLocal(5)
+                .GetLocal(6)
+                .GetLocal(7)
+                .GetLocal(8)
+                .GetLocal(9)
+                .GetLocal(10)
+                .GetLocal(11)
+                .GetLocal(12)
+                .GetLocal(13)
+                .GetLocal(14)
+                .GetLocal(15)
+                .GetLocal(16)
+                .GetLocal(17)
+                .Call(0)
+                .Return()
+            .End()
+        .End()
+
+    function foo(...args) {
+        for (let i = 0; i &lt; args.length; i++) {
+            if (args[i] !== i)
+                throw new Error(&quot;Bad!&quot;);
+        }
+    }
+
+    let imp = {imp: {func: foo}}
+    let instance = new WebAssembly.Instance(new WebAssembly.Module(b.WebAssembly().get()), imp);
+    let arr = [];
+    for (let i = 0; i &lt; 18; i++)
+        arr.push(i);
+    for (let i = 0; i &lt; 100; i++)
+        instance.exports.f0(...arr);
+}
+
+
+{
+    let signature = [];
+    function addType(t, i) {
+        for (let j = 0; j &lt; i; j++) {
+            signature.push(t);
+        }
+    }
+    addType(&quot;i32&quot;, 16);
+    addType(&quot;f32&quot;, 16);
+
+    let b = new Builder()
+        .Type().End()
+        .Import().Function(&quot;imp&quot;, &quot;func&quot;, { params: signature, ret:&quot;f32&quot; }).End()
+        .Function().End()
+        .Export().Function(&quot;f0&quot;).End()
+        .Code()
+            .Function(&quot;f0&quot;, { params: signature , ret: &quot;f32&quot; });
+    for (let i = 0; i &lt; (16 + 16); i++) {
+        b = b.GetLocal(i);
+    }
+
+    b = b.Call(0).Return().End().End();
+
+    function foo(...args) {
+        if (args.length !== 32)
+            throw new Error(&quot;Bad!&quot;)
+
+        for (let i = 0; i &lt; 16; i++) {
+            if (args[i] !== i)
+                throw new Error(&quot;Bad!&quot;);
+            if (args[i + 16] !== (i + 16 + 0.5))
+                throw new Error(&quot;Bad!&quot;);
+        }
+    }
+
+    let imp = {imp: {func: foo}}
+    let instance = new WebAssembly.Instance(new WebAssembly.Module(b.WebAssembly().get()), imp);
+    let arr = [];
+    for (let i = 0; i &lt; 16; i++)
+        arr.push(i);
+    for (let i = 16; i &lt; 32; i++)
+        arr.push(i + 0.5);
+    for (let i = 0; i &lt; 100; i++)
+        instance.exports.f0(...arr);
+}
+
+
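Review bot: none of the four blocks checks what `f0()` returns. Every `foo` returns undefined, so the i32 variants get 0 and the f32 variants get NaN back, and a regression in the return-value path of wasmToJs would pass silently; have `foo` return a known value (for example the sum of its arguments) and assert on `instance.exports.f0(...)`. Since `../assert.js` is already imported as `assert`, use it instead of the bare `throw new Error(&quot;Bad!&quot;)` so a failure reports which block and which argument index mismatched, and drop the two trailing blank lines at end of file.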
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (213652 => 213653)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2017-03-09 19:08:46 UTC (rev 213652)
+++ trunk/Source/JavaScriptCore/ChangeLog        2017-03-09 19:18:34 UTC (rev 213653)
</span><span class="lines">@@ -1,3 +1,27 @@
</span><ins>+2017-03-09  Saam Barati  &lt;sbarati@apple.com&gt;
+
+        WebAssembly: Make the Unity AngryBots demo run
+        https://bugs.webkit.org/show_bug.cgi?id=169268
+
+        Reviewed by Keith Miller.
+
+        This patch fixes three bugs:
+        1. The WasmBinding code for making a JS call was off
+        by 1 in its stack layout code.
+        2. The WasmBinding code had a &quot;&lt;&quot; comparison instead
+        of a &quot;&gt;=&quot; comparison. This would cause us to calculate
+        the wrong frame pointer offset.
+        3. The code to reload wasm state inside B3IRGenerator didn't
+        properly represent its effects.
+
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::restoreWebAssemblyGlobalState):
+        (JSC::Wasm::parseAndCompile):
+        * wasm/WasmBinding.cpp:
+        (JSC::Wasm::wasmToJs):
+        * wasm/js/WebAssemblyInstanceConstructor.cpp:
+        (JSC::WebAssemblyInstanceConstructor::createInstance):
+
</ins><span class="cx"> 2017-03-09  Mark Lam  &lt;mark.lam@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Make the VM Traps mechanism non-polling for the DFG and FTL.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmWasmB3IRGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp (213652 => 213653)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp        2017-03-09 19:08:46 UTC (rev 213652)
+++ trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp        2017-03-09 19:18:34 UTC (rev 213653)
</span><span class="lines">@@ -304,8 +304,10 @@
</span><span class="cx">             clobbers.set(info.sizeRegister);
</span><span class="cx"> 
</span><span class="cx">         B3::PatchpointValue* patchpoint = block-&gt;appendNew&lt;B3::PatchpointValue&gt;(proc, B3::Void, Origin());
</span><del>-        patchpoint-&gt;effects = Effects::none();
-        patchpoint-&gt;effects.writesPinned = true;
</del><ins>+        Effects effects = Effects::none();
+        effects.writesPinned = true;
+        effects.reads = B3::HeapRange::top();
+        patchpoint-&gt;effects = effects;
</ins><span class="cx">         patchpoint-&gt;clobber(clobbers);
</span><span class="cx"> 
</span><span class="cx">         patchpoint-&gt;append(instance, ValueRep::SomeRegister);
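Review bot: `effects.reads = B3::HeapRange::top();` is the item-3 fix (this patchpoint reloads the pinned memory registers from `instance`, so B3 must not treat it as a pure write of pinned state and sink stores to the instance past it), but the hunk adds no comment saying so; a one-line comment above `Effects effects = Effects::none();` explaining why `reads` must not be narrowed would stop a later cleanup from reintroducing the bug. Also consider whether `top()` is wider than needed: a dedicated heap range for the instance fields this patchpoint actually loads would leave the block's other memory operations free to move.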
</span><span class="lines">@@ -1131,13 +1133,12 @@
</span><span class="cx">     WASM_FAIL_IF_HELPER_FAILS(parser.parse());
</span><span class="cx"> 
</span><span class="cx">     procedure.resetReachability();
</span><del>-    validate(procedure, &quot;After parsing:\n&quot;);
</del><ins>+    if (!ASSERT_DISABLED)
+        validate(procedure, &quot;After parsing:\n&quot;);
</ins><span class="cx"> 
</span><del>-    if (verbose)
-        dataLog(&quot;Pre SSA: &quot;, procedure);
</del><ins>+    dataLogIf(verbose, &quot;Pre SSA: &quot;, procedure);
</ins><span class="cx">     fixSSA(procedure);
</span><del>-    if (verbose)
-        dataLog(&quot;Post SSA: &quot;, procedure);
</del><ins>+    dataLogIf(verbose, &quot;Post SSA: &quot;, procedure);
</ins><span class="cx"> 
</span><span class="cx">     {
</span><span class="cx">         B3::prepareForGeneration(procedure, optLevel);
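Review bot: the `if (!ASSERT_DISABLED) validate(procedure, ...)` change and the two `dataLogIf(verbose, ...)` rewrites are cleanup unrelated to the three bugs listed in the ChangeLog and are not mentioned there; either note them in the ChangeLog or land them separately. The validate change is also a behaviour change, not just style: B3 IR validation after parsing now runs only in debug builds, which is reasonable for a compile-time self-check but should be stated.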
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmWasmBindingcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp (213652 => 213653)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp        2017-03-09 19:08:46 UTC (rev 213652)
+++ trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp        2017-03-09 19:18:34 UTC (rev 213653)
</span><span class="lines">@@ -51,6 +51,8 @@
</span><span class="cx"> 
</span><span class="cx"> static MacroAssemblerCodeRef wasmToJs(VM* vm, Bag&lt;CallLinkInfo&gt;&amp; callLinkInfos, SignatureIndex signatureIndex, unsigned importIndex)
</span><span class="cx"> {
</span><ins>+    // FIXME: This function doesn't properly abstract away the calling convention.
+    // It'd be super easy to do so: https://bugs.webkit.org/show_bug.cgi?id=169401
</ins><span class="cx">     const WasmCallingConvention&amp; wasmCC = wasmCallingConvention();
</span><span class="cx">     const JSCCallingConvention&amp; jsCC = jscCallingConvention();
</span><span class="cx">     const Signature* signature = SignatureInformation::get(vm, signatureIndex);
</span><span class="lines">@@ -121,9 +123,9 @@
</span><span class="cx"> 
</span><span class="cx">     // FIXME perform a stack check before updating SP. https://bugs.webkit.org/show_bug.cgi?id=165546
</span><span class="cx"> 
</span><del>-    unsigned numberOfParameters = argCount + 1; // There is a &quot;this&quot; argument.
-    unsigned numberOfRegsForCall = CallFrame::headerSizeInRegisters + numberOfParameters;
-    unsigned numberOfBytesForCall = numberOfRegsForCall * sizeof(Register) - sizeof(CallerFrameAndPC);
</del><ins>+    const unsigned numberOfParameters = argCount + 1; // There is a &quot;this&quot; argument.
+    const unsigned numberOfRegsForCall = CallFrame::headerSizeInRegisters + numberOfParameters;
+    const unsigned numberOfBytesForCall = numberOfRegsForCall * sizeof(Register) - sizeof(CallerFrameAndPC);
</ins><span class="cx">     const unsigned stackOffset = WTF::roundUpToMultipleOf(stackAlignmentBytes(), numberOfBytesForCall);
</span><span class="cx">     jit.subPtr(MacroAssembler::TrustedImm32(stackOffset), MacroAssembler::stackPointerRegister);
</span><span class="cx">     JIT::Address calleeFrame = CCallHelpers::Address(MacroAssembler::stackPointerRegister, -static_cast&lt;ptrdiff_t&gt;(sizeof(CallerFrameAndPC)));
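Review bot: the added `const` qualifiers are a pure style change, but the `FIXME perform a stack check before updating SP` two lines above remains the open correctness item in this function: `jit.subPtr(MacroAssembler::TrustedImm32(stackOffset), MacroAssembler::stackPointerRegister)` moves SP by an amount derived from `argCount` with no check against the stack limit, and the new test now drives this path with 32-argument frames. Worth tracking bug 165546 alongside this fix rather than leaving it as a comment.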
</span><span class="lines">@@ -135,7 +137,7 @@
</span><span class="cx">         unsigned marshalledGPRs = 0;
</span><span class="cx">         unsigned marshalledFPRs = 0;
</span><span class="cx">         unsigned calleeFrameOffset = CallFrameSlot::firstArgument * static_cast&lt;int&gt;(sizeof(Register));
</span><del>-        unsigned frOffset = CallFrameSlot::firstArgument * static_cast&lt;int&gt;(sizeof(Register));
</del><ins>+        unsigned frOffset = CallFrame::headerSizeInRegisters * static_cast&lt;int&gt;(sizeof(Register));
</ins><span class="cx">         for (unsigned argNum = 0; argNum &lt; argCount; ++argNum) {
</span><span class="cx">             Type argType = signature-&gt;argument(argNum);
</span><span class="cx">             switch (argType) {
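Review bot: this is the item-1 off-by-one fix, but nothing in the hunk says why `CallFrame::headerSizeInRegisters` is the right base for the wasm caller's stack arguments while `calleeFrameOffset` on the line above keeps `CallFrameSlot::firstArgument`: the JS callee frame has a `this` slot between the header and the first argument (see `numberOfParameters = argCount + 1; // There is a &quot;this&quot; argument.` earlier in this file) and the wasm caller frame does not, so `frOffset` was reading every stack-passed argument one slot too far. Put that explanation in a comment next to the initialisation.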
</span><span class="lines">@@ -190,7 +192,7 @@
</span><span class="cx">         unsigned marshalledGPRs = 0;
</span><span class="cx">         unsigned marshalledFPRs = 0;
</span><span class="cx">         unsigned calleeFrameOffset = CallFrameSlot::firstArgument * static_cast&lt;int&gt;(sizeof(Register));
</span><del>-        unsigned frOffset = CallFrameSlot::firstArgument * static_cast&lt;int&gt;(sizeof(Register));
</del><ins>+        unsigned frOffset = CallFrame::headerSizeInRegisters * static_cast&lt;int&gt;(sizeof(Register));
</ins><span class="cx">         for (unsigned argNum = 0; argNum &lt; argCount; ++argNum) {
</span><span class="cx">             Type argType = signature-&gt;argument(argNum);
</span><span class="cx">             switch (argType) {
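Review bot: this `frOffset` initialisation is the same line as in the hunk above, duplicated verbatim at the top of a second marshalling loop; hoist the starting values of `frOffset` and `calleeFrameOffset` into named constants computed once, so the next layout fix does not have to be applied in two places and cannot be applied to only one of them.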
</span><span class="lines">@@ -201,7 +203,7 @@
</span><span class="cx">                 RELEASE_ASSERT_NOT_REACHED(); // Handled above.
</span><span class="cx">             case I32:
</span><span class="cx">                 // Skipped: handled above.
</span><del>-                if (marshalledGPRs &lt; wasmCC.m_gprArgs.size())
</del><ins>+                if (marshalledGPRs &gt;= wasmCC.m_gprArgs.size())
</ins><span class="cx">                     frOffset += sizeof(Register);
</span><span class="cx">                 ++marshalledGPRs;
</span><span class="cx">                 calleeFrameOffset += sizeof(Register);
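Review bot: flipping `&lt;` to `&gt;=` is the item-2 fix: `frOffset` must advance only for an I32 argument that the wasm caller passed on the stack, i.e. once all `wasmCC.m_gprArgs` registers are used, whereas before it advanced for register-passed arguments and stood still for stack-passed ones. The `// Skipped: handled above.` comment now reads oddly beside bookkeeping that clearly is done here; reword it to say the value itself was marshalled above and only the stack offset is tracked. Also confirm that the F32/F64 branch of this switch (not in the hunk) compares `marshalledFPRs` against `m_fprArgs.size()` in the same direction, since the new test covers 18 f32 arguments as well.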
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorewasmjsWebAssemblyInstanceConstructorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp (213652 => 213653)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp        2017-03-09 19:08:46 UTC (rev 213652)
+++ trunk/Source/JavaScriptCore/wasm/js/WebAssemblyInstanceConstructor.cpp        2017-03-09 19:18:34 UTC (rev 213653)
</span><span class="lines">@@ -101,7 +101,6 @@
</span><span class="cx">     JSWebAssemblyInstance* instance = JSWebAssemblyInstance::create(vm, instanceStructure, jsModule, moduleRecord-&gt;getModuleNamespace(exec));
</span><span class="cx">     RETURN_IF_EXCEPTION(throwScope, nullptr);
</span><span class="cx"> 
</span><del>-
</del><span class="cx">     // Let funcs, memories and tables be initially-empty lists of callable JavaScript objects, WebAssembly.Memory objects and WebAssembly.Table objects, respectively.
</span><span class="cx">     // Let imports be an initially-empty list of external values.
</span><span class="cx">     unsigned numImportFunctions = 0;
</span><span class="lines">@@ -145,6 +144,8 @@
</span><span class="cx">             // Note: done as part of Plan compilation.
</span><span class="cx">             // iv. Append v to funcs.
</span><span class="cx">             // Note: adding the JSCell to the instance list fulfills closure requirements b. above (the WebAssembly.Instance wil be kept alive) and v. below (the JSFunction).
</span><ins>+
+            ASSERT(numImportFunctions == import.kindIndex);
</ins><span class="cx">             instance-&gt;setImportFunction(vm, cell, numImportFunctions++);
</span><span class="cx">             // v. Append closure to imports.
</span><span class="cx">             break;
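Review bot: `ASSERT(numImportFunctions == import.kindIndex);` is compiled out in release builds, so if the invariant ever breaks, `instance-&gt;setImportFunction(vm, cell, numImportFunctions++)` silently stores the import in the wrong slot. If the two indices are guaranteed equal, index by `import.kindIndex` directly and drop the running counter; if they are not, make this a `RELEASE_ASSERT`.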
</span><span class="lines">@@ -216,6 +217,7 @@
</span><span class="cx">             if (!value.isNumber())
</span><span class="cx">                 return exception(createJSWebAssemblyLinkError(exec, vm, ASCIILiteral(&quot;imported global must be a number&quot;)));
</span><span class="cx">             // iii. Append ToWebAssemblyValue(v) to imports.
</span><ins>+            ASSERT(numImportGlobals == import.kindIndex);
</ins><span class="cx">             switch (moduleInformation.globals[import.kindIndex].type) {
</span><span class="cx">             case Wasm::I32:
</span><span class="cx">                 instance-&gt;setGlobal(numImportGlobals++, value.toInt32(exec));
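Review bot: as with the function-import assert, `ASSERT(numImportGlobals == import.kindIndex);` documents that the counter used by `setGlobal` and the index used for `moduleInformation.globals[import.kindIndex]` agree, but only in debug builds; a disagreement in release would read the type of one global and write the value of another. Either index `setGlobal` by `import.kindIndex` too or promote this to `RELEASE_ASSERT`.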
</span></span></pre>
</div>
</div>

</body>
</html>