<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[260632] releases/WebKitGTK/webkit-2.28</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/260632">260632</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2020-04-24 02:20:58 -0700 (Fri, 24 Apr 2020)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/256665">r256665</a> - [WASM] Wasm interpreter's calling convention doesn't match Wasm JIT's convention.
https://bugs.webkit.org/show_bug.cgi?id=207727

JSTests:

Reviewed by Mark Lam.

* wasm/regress/llint-callee-saves-with-fast-memory.js: Added.
* wasm/regress/llint-callee-saves-without-fast-memory.js: Added.

Source/JavaScriptCore:

Reviewed by Mark Lam.

The Wasm JIT has unusual calling conventions, which were further complicated by the addition
of the interpreter, and the interpreter did not correctly follow these conventions (by incorrectly
saving and restoring the callee save registers used for the memory base and size). Here's a summary
of the calling convention:

- When entering Wasm from JS, the wrapper must:
    - Preserve the base and size when entering LLInt regardless of the mode. (Prior to this
      patch we only preserved the base in Signaling mode)
    - Preserve the memory base in either mode, and the size for BoundsChecking.
- Both tiers must preserve every *other* register they use. e.g. the LLInt must preserve PB
  and wasmInstance, but must *not* preserve memoryBase and memorySize.
- Changes to memoryBase and memorySize are visible to the caller. This means that:
    - Intra-module calls can assume these registers are up-to-date even if the memory was
      resized. The only exception here is if the LLInt calls a signaling JIT, in which case
      the JIT will not update the size register, since it won't be using it.
    - Inter-module and JS calls require the caller to reload these registers. These calls may
      result in memory changes (e.g. the callee may call memory.grow).
    - A Signaling JIT caller must be aware that the LLInt may trash the size register, since
      it always bounds checks.

* llint/WebAssembly.asm:
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::addCall):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCall):
* wasm/WasmCallee.cpp:
(JSC::Wasm::LLIntCallee::calleeSaveRegisters):
* wasm/WasmCallingConvention.h:
* wasm/WasmLLIntPlan.cpp:
(JSC::Wasm::LLIntPlan::didCompleteCompilation):
* wasm/WasmMemoryInformation.cpp:
(JSC::Wasm::PinnedRegisterInfo::get):
(JSC::Wasm::getPinnedRegisters): Deleted.</pre>
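<p>The calling convention summarised above, replayed as an added Python model (not code from the WebKit change or its JSTests): the interpreter's callee-save set is shown before and after the fix, and the regression test's $f(0) sequence (call $grow, then i32.store at 42) is run against each, so the stale size register that produced the spurious out-of-bounds trap is visible. Machine, run_scenario and the register values are constructed for illustration.</p>

```python
WASM_PAGE_BYTES = 64 * 1024

# Pinned registers: memory.grow updates them, and per the commit message only the
# JSToWasm wrapper saves and restores them around a Wasm entry.
PINNED = ("memoryBase", "memorySize")

# Callee-save set of the interpreter before the fix (it wrongly included the two
# pinned registers) and after it (numberOfLLIntCalleeSaveRegisters is now 2).
LLINT_SAVES_BEFORE = ("PB", "wasmInstance", "memoryBase", "memorySize")
LLINT_SAVES_AFTER = ("PB", "wasmInstance")


class OutOfBoundsTrap(Exception):
    """A bounds-checked access exceeded the value in the size register."""


class Machine:
    """Constructed model: a register file plus a page counter for one Wasm instance."""

    def __init__(self):
        # (memory 0): the instance starts with zero pages, so memorySize is 0.
        self.pages = 0
        self.regs = {"PB": 0x1, "wasmInstance": 0x2,
                     "memoryBase": 0x10000, "memorySize": 0}

    def memory_grow(self, delta_pages):
        """memory.grow: add pages and publish the new size in the pinned register."""
        old = self.pages
        self.pages += delta_pages
        self.regs["memorySize"] = self.pages * WASM_PAGE_BYTES
        return old

    def i32_store(self, offset):
        """BoundsChecking mode: trust the size register, as the LLInt always does."""
        if offset + 4 > self.regs["memorySize"]:
            raise OutOfBoundsTrap(
                f"i32.store at {offset} with memorySize={self.regs['memorySize']}")

    def call(self, callee_saves, body):
        """Run `body` in a frame whose prologue saves and whose epilogue restores
        `callee_saves`; anything the callee wrote to those registers is hidden."""
        saved = {r: self.regs[r] for r in callee_saves}
        try:
            return body()
        finally:
            self.regs.update(saved)


def run_scenario(llint_saves):
    """Replay the regression test's $f(0): call $grow (memory.grow 1) then
    i32.store at offset 42. Returns "ok" or "trap"."""
    m = Machine()

    def grow():               # (func $grow (memory.grow (i32.const 1)) (drop))
        m.memory_grow(1)

    def f():                  # (func $f ... (call $grow) (i32.store (i32.const 42) ...))
        # Intra-module call: the caller assumes memoryBase/memorySize are up to
        # date afterwards, so it does not reload them before the store.
        m.call(llint_saves, grow)
        m.i32_store(42)

    # The JSToWasm wrapper preserves base and size around the whole entry,
    # regardless of memory mode; the JS side reloads them from the instance.
    try:
        m.call(PINNED, f)
    except OutOfBoundsTrap:
        return "trap"
    return "ok"


if __name__ == "__main__":
    print("before fix:", run_scenario(LLINT_SAVES_BEFORE))   # trap
    print("after fix: ", run_scenario(LLINT_SAVES_AFTER))    # ok
```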

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit228JSTestsChangeLog">releases/WebKitGTK/webkit-2.28/JSTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit228SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit228SourceJavaScriptCorellintWebAssemblyasm">releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/llint/WebAssembly.asm</a></li>
<li><a href="#releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmAirIRGeneratorcpp">releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmB3IRGeneratorcpp">releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmCalleecpp">releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmCallee.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmCallingConventionh">releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmCallingConvention.h</a></li>
<li><a href="#releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmLLIntPlancpp">releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmMemoryInformationcpp">releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmMemoryInformation.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit228JSTestswasmregressllintcalleesaveswithfastmemoryjs">releases/WebKitGTK/webkit-2.28/JSTests/wasm/regress/llint-callee-saves-with-fast-memory.js</a></li>
<li><a href="#releasesWebKitGTKwebkit228JSTestswasmregressllintcalleesaveswithoutfastmemoryjs">releases/WebKitGTK/webkit-2.28/JSTests/wasm/regress/llint-callee-saves-without-fast-memory.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit228JSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/JSTests/ChangeLog (260631 => 260632)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/JSTests/ChangeLog 2020-04-24 09:20:50 UTC (rev 260631)
+++ releases/WebKitGTK/webkit-2.28/JSTests/ChangeLog    2020-04-24 09:20:58 UTC (rev 260632)
</span><span class="lines">@@ -1,3 +1,13 @@
</span><ins>+2020-02-14  Tadeu Zagallo  <tzagallo@apple.com>
+
+        [WASM] Wasm interpreter's calling convention doesn't match Wasm JIT's convention.
+        https://bugs.webkit.org/show_bug.cgi?id=207727
+
+        Reviewed by Mark Lam.
+
+        * wasm/regress/llint-callee-saves-with-fast-memory.js: Added.
+        * wasm/regress/llint-callee-saves-without-fast-memory.js: Added.
+
</ins><span class="cx"> 2020-03-19  Tomas Popela  <tpopela@redhat.com>
</span><span class="cx"> 
</span><span class="cx">         [JSC][BigEndians] Several JSC stress tests failing
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit228JSTestswasmregressllintcalleesaveswithfastmemoryjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.28/JSTests/wasm/regress/llint-callee-saves-with-fast-memory.js (0 => 260632)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/JSTests/wasm/regress/llint-callee-saves-with-fast-memory.js                               (rev 0)
+++ releases/WebKitGTK/webkit-2.28/JSTests/wasm/regress/llint-callee-saves-with-fast-memory.js  2020-04-24 09:20:58 UTC (rev 260632)
</span><span class="lines">@@ -0,0 +1,40 @@
</span><ins>+//@ skip if $architecture != "x86-64"
+//@ requireOptions("--useWebAssemblyFastMemory=true")
+// FIXME: Stop skipping when we enable fast memory for iOS. https://bugs.webkit.org/show_bug.cgi?id=170774
+
+import { instantiate } from '../wabt-wrapper.js';
+
+const instance = instantiate(`
+    (module
+
+    (memory 0)
+
+    (func $grow
+        (memory.grow (i32.const 1))
+        (drop)
+    )
+
+    (func $f (param $bail i32)
+        (br_if 0 (local.get $bail))
+        (call $grow)
+        (i32.store (i32.const 42) (i32.const 0))
+    )
+
+    (func (export "main")
+        (local $i i32)
+        (local.set $i (i32.const 100000))
+        (loop $warmup
+            (i32.sub (local.get $i) (i32.const 1))
+            (local.tee $i)
+            (call $f (i32.const 1))
+            (br_if $warmup)
+        )
+        (call $f (i32.const 0))
+    )
+
+    )
+`);
+
+
+// This should not throw an OutOfBounds exception
+instance.exports.main();
</ins></span></pre></div>
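Review bot: the test only checks that main() does not throw ("This should not throw an OutOfBounds exception"); since the module exports neither the memory nor a load, a write that silently lands at the wrong base would still pass. Consider exporting an i32.load of offset 42 (or the memory) and asserting the stored value, and add a one-line comment on the 100000-iteration warmup loop saying what it is meant to tier up so that the JIT-to-LLInt interaction under test is explicit.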
<a id="releasesWebKitGTKwebkit228JSTestswasmregressllintcalleesaveswithoutfastmemoryjs"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.28/JSTests/wasm/regress/llint-callee-saves-without-fast-memory.js (0 => 260632)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/JSTests/wasm/regress/llint-callee-saves-without-fast-memory.js                            (rev 0)
+++ releases/WebKitGTK/webkit-2.28/JSTests/wasm/regress/llint-callee-saves-without-fast-memory.js       2020-04-24 09:20:58 UTC (rev 260632)
</span><span class="lines">@@ -0,0 +1,38 @@
</span><ins>+//@ requireOptions("--useWebAssemblyFastMemory=false")
+
+import { instantiate } from '../wabt-wrapper.js';
+
+const instance = instantiate(`
+    (module
+
+    (memory 0)
+
+    (func $grow
+        (memory.grow (i32.const 1))
+        (drop)
+    )
+
+    (func $f (param $bail i32)
+        (br_if 0 (local.get $bail))
+        (call $grow)
+        (i32.store (i32.const 42) (i32.const 0))
+    )
+
+    (func (export "main")
+        (local $i i32)
+        (local.set $i (i32.const 100000))
+        (loop $warmup
+            (i32.sub (local.get $i) (i32.const 1))
+            (local.tee $i)
+            (call $f (i32.const 1))
+            (br_if $warmup)
+        )
+        (call $f (i32.const 0))
+    )
+
+    )
+`);
+
+
+// This should not throw an OutOfBounds exception
+instance.exports.main();
</ins></span></pre></div>
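Review bot: the module text and the main() body are byte-for-byte the same as llint-callee-saves-with-fast-memory.js; only the //@ header differs. If the regress directory convention allows it, move the module string into a shared helper next to wabt-wrapper.js, or at least add a comment in each file pointing at its twin so future edits to one are mirrored in the other.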
<a id="releasesWebKitGTKwebkit228SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/ChangeLog (260631 => 260632)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/ChangeLog   2020-04-24 09:20:50 UTC (rev 260631)
+++ releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/ChangeLog      2020-04-24 09:20:58 UTC (rev 260632)
</span><span class="lines">@@ -1,3 +1,44 @@
</span><ins>+2020-02-14  Tadeu Zagallo  <tzagallo@apple.com> and Michael Saboff  <msaboff@apple.com>
+
+        [WASM] Wasm interpreter's calling convention doesn't match Wasm JIT's convention.
+        https://bugs.webkit.org/show_bug.cgi?id=207727
+
+        Reviewed by Mark Lam.
+
+        The Wasm JIT has unusual calling conventions, which were further complicated by the addition
+        of the interpreter, and the interpreter did not correctly follow these conventions (by incorrectly
+        saving and restoring the callee save registers used for the memory base and size). Here's a summary
+        of the calling convention:
+
+        - When entering Wasm from JS, the wrapper must:
+            - Preserve the base and size when entering LLInt regardless of the mode. (Prior to this
+              patch we only preserved the base in Signaling mode)
+            - Preserve the memory base in either mode, and the size for BoundsChecking.
+        - Both tiers must preserve every *other* register they use. e.g. the LLInt must preserve PB
+          and wasmInstance, but must *not* preserve memoryBase and memorySize.
+        - Changes to memoryBase and memorySize are visible to the caller. This means that:
+            - Intra-module calls can assume these registers are up-to-date even if the memory was
+              resized. The only exception here is if the LLInt calls a signaling JIT, in which case
+              the JIT will not update the size register, since it won't be using it.
+            - Inter-module and JS calls require the caller to reload these registers. These calls may
+              result in memory changes (e.g. the callee may call memory.grow).
+            - A Signaling JIT caller must be aware that the LLInt may trash the size register, since
+              it always bounds checks.
+
+        * llint/WebAssembly.asm:
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::addCall):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::addCall):
+        * wasm/WasmCallee.cpp:
+        (JSC::Wasm::LLIntCallee::calleeSaveRegisters):
+        * wasm/WasmCallingConvention.h:
+        * wasm/WasmLLIntPlan.cpp:
+        (JSC::Wasm::LLIntPlan::didCompleteCompilation):
+        * wasm/WasmMemoryInformation.cpp:
+        (JSC::Wasm::PinnedRegisterInfo::get):
+        (JSC::Wasm::getPinnedRegisters): Deleted.
+
</ins><span class="cx"> 2020-03-23  Michael Catanzaro  <mcatanzaro@gnome.org>
</span><span class="cx"> 
</span><span class="cx">         REGRESSION(r249808): [GTK] Crash in JSC Config::permanentlyFreeze() on architecture ppc64el
</span></span></pre></div>
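Review bot: in the summary's first bullet, the two sub-items ("Preserve the base and size when entering LLInt regardless of the mode" and "Preserve the memory base in either mode, and the size for BoundsChecking") read as contradictory unless the second is understood to describe entry into the JIT; prefix it with "When entering the JIT" so the wrapper's rule for each tier is unambiguous.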
<a id="releasesWebKitGTKwebkit228SourceJavaScriptCorellintWebAssemblyasm"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/llint/WebAssembly.asm (260631 => 260632)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/llint/WebAssembly.asm       2020-04-24 09:20:50 UTC (rev 260631)
+++ releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/llint/WebAssembly.asm  2020-04-24 09:20:58 UTC (rev 260632)
</span><span class="lines">@@ -178,15 +178,14 @@
</span><span class="cx"> # Wasm specific helpers
</span><span class="cx"> 
</span><span class="cx"> macro preserveCalleeSavesUsedByWasm()
</span><ins>+    # NOTE: We intentionally don't save memoryBase and memorySize here. See the comment
+    # in restoreCalleeSavesUsedByWasm() below for why.
</ins><span class="cx">     subp CalleeSaveSpaceStackAligned, sp
</span><span class="cx">     if ARM64 or ARM64E
</span><del>-        emit "stp x23, x26, [x29, #-16]"
-        emit "stp x19, x22, [x29, #-32]"
</del><ins>+        emit "stp x19, x26, [x29, #-16]"
</ins><span class="cx">     elsif X86_64
</span><del>-        storep memorySize, -0x08[cfr]
-        storep memoryBase, -0x10[cfr]
-        storep PB, -0x18[cfr]
-        storep wasmInstance, -0x20[cfr]
</del><ins>+        storep PB, -0x8[cfr]
+        storep wasmInstance, -0x10[cfr]
</ins><span class="cx">     else
</span><span class="cx">         error
</span><span class="cx">     end
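Review bot: the X86_64 arm now names the two saved registers (PB, wasmInstance) while the ARM64 arm hard-codes x19 and x26 in the emit string with no comment mapping them to those names; add that mapping so the two arms can be checked against each other. Also, `subp CalleeSaveSpaceStackAligned, sp` is unchanged here while the number of saved registers dropped from four to two: confirm that constant is derived from numberOfLLIntCalleeSaveRegisters (now 2 in WasmCallingConvention.h) rather than a separate literal, otherwise the frame keeps reserving space for four slots.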
</span><span class="lines">@@ -193,14 +192,14 @@
</span><span class="cx"> end
</span><span class="cx"> 
</span><span class="cx"> macro restoreCalleeSavesUsedByWasm()
</span><ins>+    # NOTE: We intentionally don't restore memoryBase and memorySize here. These are saved
+    # and restored when entering Wasm by the JSToWasm wrapper and changes to them are meant
+    # to be observable within the same Wasm module.
</ins><span class="cx">     if ARM64 or ARM64E
</span><del>-        emit "ldp x23, x26, [x29, #-16]"
-        emit "ldp x19, x22, [x29, #-32]"
</del><ins>+        emit "ldp x19, x26, [x29, #-16]"
</ins><span class="cx">     elsif X86_64
</span><del>-        loadp -0x08[cfr], memorySize
-        loadp -0x10[cfr], memoryBase
-        loadp -0x18[cfr], PB
-        loadp -0x20[cfr], wasmInstance
</del><ins>+        loadp -0x8[cfr], PB
+        loadp -0x10[cfr], wasmInstance
</ins><span class="cx">     else
</span><span class="cx">         error
</span><span class="cx">     end
</span></span></pre></div>
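Review bot: the load offsets mirror the store offsets in preserveCalleeSavesUsedByWasm (x19/x26 at [x29, #-16]; PB at -0x8[cfr], wasmInstance at -0x10[cfr]), so the two macros are consistent. The NOTE would be more complete if it also said that the LLInt still writes memorySize as part of its bounds checks, which is why a Signaling JIT caller has to treat the size register as clobbered across a call into the LLInt (the change made in the two IR generators).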
<a id="releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmAirIRGeneratorcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp (260631 => 260632)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp 2020-04-24 09:20:50 UTC (rev 260631)
+++ releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp    2020-04-24 09:20:58 UTC (rev 260632)
</span><span class="lines">@@ -2173,6 +2173,9 @@
</span><span class="cx">         restoreWebAssemblyGlobalState(RestoreCachedStackLimit::Yes, m_info.memory, currentInstance, continuation);
</span><span class="cx">     } else {
</span><span class="cx">         auto* patchpoint = emitCallPatchpoint(m_currentBlock, signature, results, args);
</span><ins>+        // We need to clobber the size register since the LLInt always bounds checks
+        if (m_mode == MemoryMode::Signaling)
+            patchpoint->clobberLate(RegisterSet { PinnedRegisterInfo::get().sizeRegister });
</ins><span class="cx">         patchpoint->setGenerator([unlinkedWasmToWasmCalls, functionIndex] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
</span><span class="cx">             AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx">             CCallHelpers::Call call = jit.threadSafePatchableNearCall();
</span></span></pre></div>
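Review bot: the comment "We need to clobber the size register since the LLInt always bounds checks" does not explain why the clobber is conditional on MemoryMode::Signaling. Spell out that in BoundsChecking mode the caller already expects the callee's updated size in that register and re-reads it, whereas a Signaling caller never reloads it and so must be told the value is gone; without that sentence the `if` looks like an oversight.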
<a id="releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmB3IRGeneratorcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp (260631 => 260632)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp  2020-04-24 09:20:50 UTC (rev 260631)
+++ releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp     2020-04-24 09:20:58 UTC (rev 260632)
</span><span class="lines">@@ -1726,6 +1726,9 @@
</span><span class="cx">                 patchpoint->effects.writesPinned = true;
</span><span class="cx">                 patchpoint->effects.readsPinned = true;
</span><span class="cx"> 
</span><ins>+                // We need to clobber the size register since the LLInt always bounds checks
+                if (m_mode == MemoryMode::Signaling)
+                    patchpoint->clobberLate(RegisterSet { PinnedRegisterInfo::get().sizeRegister });
</ins><span class="cx">                 patchpoint->setGenerator([unlinkedWasmToWasmCalls, functionIndex] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
</span><span class="cx">                     AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx">                     CCallHelpers::Call call = jit.threadSafePatchableNearCall();
</span></span></pre></div>
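Review bot: these three lines are identical to the ones added to AirIRGenerator::addCall, and they sit just after `effects.writesPinned = true`, so a reader may wonder why writesPinned does not already cover the size register in Signaling mode. Hoist the mode check and the clobberLate call into one helper (for example next to PinnedRegisterInfo) so the two tiers cannot drift apart, and have its comment answer that question.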
<a id="releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmCalleecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmCallee.cpp (260631 => 260632)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmCallee.cpp 2020-04-24 09:20:50 UTC (rev 260631)
+++ releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmCallee.cpp    2020-04-24 09:20:58 UTC (rev 260632)
</span><span class="lines">@@ -94,8 +94,6 @@
</span><span class="cx"> #else
</span><span class="cx"> #error Unsupported architecture.
</span><span class="cx"> #endif
</span><del>-        registers.set(GPRInfo::regCS3); // Memory base
-        registers.set(GPRInfo::regCS4); // Memory size
</del><span class="cx">         ASSERT(registers.numberOfSetRegisters() == numberOfLLIntCalleeSaveRegisters);
</span><span class="cx">         calleeSaveRegisters.construct(WTFMove(registers));
</span><span class="cx">     });
</span></span></pre></div>
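Review bot: with the regCS3/regCS4 lines gone, the only thing tying this set to the stores in preserveCalleeSavesUsedByWasm is the ASSERT against numberOfLLIntCalleeSaveRegisters, which is debug-only. Add a comment at the deletion point stating that the memory base and size registers are deliberately excluded and pointing at the NOTE in WebAssembly.asm, so the omission is not "fixed" again later.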
<a id="releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmCallingConventionh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmCallingConvention.h (260631 => 260632)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmCallingConvention.h        2020-04-24 09:20:50 UTC (rev 260631)
+++ releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmCallingConvention.h   2020-04-24 09:20:58 UTC (rev 260632)
</span><span class="lines">@@ -46,7 +46,7 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC { namespace Wasm {
</span><span class="cx"> 
</span><del>-constexpr unsigned numberOfLLIntCalleeSaveRegisters = 4;
</del><ins>+constexpr unsigned numberOfLLIntCalleeSaveRegisters = 2;
</ins><span class="cx"> 
</span><span class="cx"> using ArgumentLocation = B3::ValueRep;
</span><span class="cx"> enum class CallRole : uint8_t {
</span></span></pre></div>
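Review bot: the constant is lowered from 4 to 2 without saying which two registers remain; a trailing comment naming them (PB and wasmInstance, per the WebAssembly.asm change) would document that the asm macros, WasmCallee.cpp and this value all describe the same set.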
<a id="releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmLLIntPlancpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp (260631 => 260632)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp      2020-04-24 09:20:50 UTC (rev 260631)
+++ releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp 2020-04-24 09:20:58 UTC (rev 260632)
</span><span class="lines">@@ -146,7 +146,9 @@
</span><span class="cx">             SignatureIndex signatureIndex = m_moduleInformation->internalFunctionSignatureIndices[functionIndex];
</span><span class="cx">             const Signature& signature = SignatureInformation::get(signatureIndex);
</span><span class="cx">             CCallHelpers jit;
</span><del>-            std::unique_ptr<InternalFunction> function = createJSToWasmWrapper(jit, signature, &m_unlinkedWasmToWasmCalls[functionIndex], m_moduleInformation.get(), m_mode, functionIndex);
</del><ins>+            // The LLInt always bounds checks
+            MemoryMode mode = MemoryMode::BoundsChecking;
+            std::unique_ptr<InternalFunction> function = createJSToWasmWrapper(jit, signature, &m_unlinkedWasmToWasmCalls[functionIndex], m_moduleInformation.get(), mode, functionIndex);
</ins><span class="cx"> 
</span><span class="cx">             LinkBuffer linkBuffer(jit, nullptr, JITCompilationCanFail);
</span><span class="cx">             if (UNLIKELY(linkBuffer.didFailToAllocate())) {
</span></span></pre></div>
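Review bot: m_mode is now ignored when building the JSToWasm wrapper. Confirm that createJSToWasmWrapper uses the mode only to decide which pinned registers to preserve; if it has any other mode-dependent behaviour, forcing BoundsChecking for a module whose memory is actually in Signaling mode would be wrong. The comment "The LLInt always bounds checks" should also say what the forced mode achieves here, namely that the wrapper saves and restores both the base and the size register, and the local `mode` can be passed as the constant directly.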
<a id="releasesWebKitGTKwebkit228SourceJavaScriptCorewasmWasmMemoryInformationcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmMemoryInformation.cpp (260631 => 260632)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmMemoryInformation.cpp      2020-04-24 09:20:50 UTC (rev 260631)
+++ releases/WebKitGTK/webkit-2.28/Source/JavaScriptCore/wasm/WasmMemoryInformation.cpp 2020-04-24 09:20:58 UTC (rev 260632)
</span><span class="lines">@@ -35,26 +35,6 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC { namespace Wasm {
</span><span class="cx"> 
</span><del>-static Vector<GPRReg> getPinnedRegisters(unsigned remainingPinnedRegisters)
-{
-    Vector<GPRReg> registers;
-    jsCallingConvention().calleeSaveRegisters.forEach([&] (Reg reg) {
-        if (!reg.isGPR())
-            return;
-        GPRReg gpr = reg.gpr();
-        if (!remainingPinnedRegisters || RegisterSet::stackRegisters().get(reg))
-            return;
-        if (RegisterSet::runtimeTagRegisters().get(reg)) {
-            // Since we don't need to, we currently don't pick from the tag registers to allow
-            // JS->Wasm stubs to freely use these registers.
-            return;
-        }
-        --remainingPinnedRegisters;
-        registers.append(gpr);
-    });
-    return registers;
-}
-
</del><span class="cx"> const PinnedRegisterInfo& PinnedRegisterInfo::get()
</span><span class="cx"> {
</span><span class="cx">     static LazyNeverDestroyed<PinnedRegisterInfo> staticPinnedRegisterInfo;
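Review bot: deleting getPinnedRegisters also deletes the documented guarantee that the pinned registers are neither stack registers nor runtime tag registers ("to allow JS->Wasm stubs to freely use these registers"). That property now rests on the hard-coded regCS3/regCS4 choice below; keep it checkable with an ASSERT that neither register is in RegisterSet::stackRegisters() or RegisterSet::runtimeTagRegisters(), or at least carry the comment over.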
</span><span class="lines">@@ -63,8 +43,6 @@
</span><span class="cx">         unsigned numberOfPinnedRegisters = 2;
</span><span class="cx">         if (!Context::useFastTLS())
</span><span class="cx">             ++numberOfPinnedRegisters;
</span><del>-        Vector<GPRReg> pinnedRegs = getPinnedRegisters(numberOfPinnedRegisters);
-
</del><span class="cx">         GPRReg baseMemoryPointer = GPRInfo::regCS3;
</span><span class="cx">         GPRReg sizeRegister = GPRInfo::regCS4;
</span><span class="cx">         GPRReg wasmContextInstancePointer = InvalidGPRReg;
</span></span></pre>
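Review bot: numberOfPinnedRegisters is still computed and incremented when !Context::useFastTLS(), but its only visible consumer was the removed getPinnedRegisters call. If nothing below this hunk reads it, it is now dead (and an unused-variable warning in some builds); either drop it or use it in an assertion that the hard-coded register set has that many entries.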
</div>
</div>

</body>
</html>