[Webkit-unassigned] [Bug 170973] New: B3StackmapSpecial should handle when stackmap values are not recoverable from a Def'ed arg.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 18 18:03:19 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=170973

            Bug ID: 170973
           Summary: B3StackmapSpecial should handle when stackmap values
                    are not recoverable from a Def'ed arg.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

In the event of an arithmetic overflow on a binary sub instruction (where the result register is the same as one of the operand registers), the CheckSub FTL operation will try to recover the original value in the clobbered result register. This recovery is done by adding the other operand value to the result register. However, this recovery method only works if the width of the original value in the result register is less than or equal to the width of the expected result. If the width of the original operand value (e.g. a JSInt32) is wider than the result (e.g. a machine Int32), then the sub operation would have zero-extended the result and cleared the upper 32 bits of the result register. Recovery by adding back the other operand will not restore the JSValue tag in the upper word. This poses a problem if the stackmap value for the operand relies on that same clobbered register.

The fix is to detect this potential scenario (i.e. width of the Def's arg < width of a stackmap value).  If this condition is detected, we'll declare the stackmap value to be LateColdUse to ensure that the register allocator gives it a different register if needed so that it's not dependent on the clobbered register.
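
A small C model of the failure described above, added here as an example (it is not WebKit's code or the patch for this bug): a 32-bit in-place sub on a register holding a boxed Int32 zero-extends the result, so adding the other operand back recovers a plain machine Int32 but never the tag in the upper word. NUMBER_TAG, the function names and the width check are this example's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Boxed Int32 tag on 64-bit JSC (assumed; only a non-zero upper word matters). */
#define NUMBER_TAG 0xFFFE000000000000ULL

typedef struct { uint64_t reg; bool overflowed; } SubResult;

/* 32-bit sub whose destination is also the left operand register. As on x86-64
   and ARM64, a 32-bit write zero-extends into the full register, clearing the
   upper word where a JSValue tag would live. */
static SubResult sub32_in_place(uint64_t dest, int32_t rhs)
{
    int32_t lhs = (int32_t)(uint32_t)dest;               /* machine-Int32 view */
    int64_t wide = (int64_t)lhs - (int64_t)rhs;
    SubResult r;
    r.overflowed = wide < INT32_MIN || wide > INT32_MAX; /* what CheckSub tests */
    r.reg = (uint64_t)(uint32_t)wide;                    /* upper word now zero */
    return r;
}

/* The recovery CheckSub attempts: add the other operand back at the sub's width. */
static uint64_t recover_by_adding_back(uint64_t clobbered, int32_t rhs)
{
    return (uint64_t)(uint32_t)((uint32_t)clobbered + (uint32_t)rhs);
}

/* True when the recovered register equals the original operand, i.e. a stackmap
   value sharing this register is still correct on the overflow path. */
static bool recovery_restores_operand(uint64_t original, int32_t rhs)
{
    SubResult r = sub32_in_place(original, rhs);
    if (!r.overflowed)
        return true;                                      /* nothing clobbered */
    return recover_by_adding_back(r.reg, rhs) == original;
}

/* The fix's condition: a stackmap value wider than the Def'ed arg must not share its register (name assumed). */
static bool stackmap_value_needs_own_register(unsigned defBits, unsigned stackmapBits)
{
    return defBits < stackmapBits;
}

int main(void)
{
    uint64_t boxed = NUMBER_TAG | (uint64_t)(uint32_t)INT32_MIN;  /* a JSInt32 */
    printf("tag survives recovery: %d\n", recovery_restores_operand(boxed, 1));
    return 0;
}
```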

<rdar://problem/30318657>
