[Webkit-unassigned] [Bug 256331] New: Shuffle clobbers indirect call target in BBQ JIT

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 4 13:09:02 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=256331

            Bug ID: 256331
           Summary: Shuffle clobbers indirect call target in BBQ JIT
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: WebAssembly
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: d_degazio at apple.com

rdar://108908936

https://bugs.webkit.org/show_bug.cgi?id=256235 removed some redundant loads and stores from the call code generation in BBQ JIT. As part of this, we now use a parallel move/shuffle to move the arguments into their intended locations per the calling convention. Shuffling can require an extra scratch register, and we currently use wasmScratchGPR.

However, the implementation of indirect calls specifically depends on the target address being kept live in wasmScratchGPR across the parameter passing. If the shuffle touches wasmScratchGPR, it will clobber this address, and likely cause a crash. We should just use a different register for shuffles in indirect calls.

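The hazard described in the report, as an added example that is not WebKit's code: a minimal parallel-move resolver that breaks cycles through a scratch register, run once with the scratch that still holds the call target and once with a scratch chosen disjoint from the live set. Register names (arg0, arg1, wasmScratch, spare) and the values in them are constructed for the example.

```cpp
#include <algorithm>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>
// Added example, not WebKit code: register names and values are constructed.
using RegFile = std::map<std::string, int>;       // register name -> contents
using Move = std::pair<std::string, std::string>; // {destination, source}

// Perform a parallel move one register at a time. A destination is written only
// once no pending move still reads it; a cycle is broken by parking one
// destination's value in `scratch`, which loses whatever it held before.
void resolveParallelMoves(RegFile& regs, std::vector<Move> moves, const std::string& scratch) {
    moves.erase(std::remove_if(moves.begin(), moves.end(),
        [](const Move& m) { return m.first == m.second; }), moves.end());
    while (!moves.empty()) {
        auto ready = std::find_if(moves.begin(), moves.end(), [&](const Move& m) {
            return std::none_of(moves.begin(), moves.end(),
                [&](const Move& o) { return o.second == m.first; });
        });
        if (ready != moves.end()) {
            regs[ready->first] = regs[ready->second];
            moves.erase(ready);
            continue;
        }
        const std::string victim = moves.front().first; // only cycles remain
        regs[scratch] = regs[victim];
        for (Move& m : moves)
            if (m.second == victim) m.second = scratch;
    }
}

// Pick a scratch that is neither touched by the shuffle nor live across it; for an
// indirect call, the register holding the call target belongs in `liveAcross`.
std::string chooseScratch(const std::vector<std::string>& candidates,
    const std::vector<Move>& moves, const std::set<std::string>& liveAcross) {
    for (const std::string& r : candidates) {
        bool inShuffle = std::any_of(moves.begin(), moves.end(),
            [&](const Move& m) { return m.first == r || m.second == r; });
        if (!liveAcross.count(r) && !inShuffle) return r;
    }
    return "";
}

// Swap two argument registers while a constructed call target sits in wasmScratch.
RegFile shuffleWithScratch(const std::string& scratch) {
    RegFile regs = {{"arg0", 10}, {"arg1", 20}, {"wasmScratch", 0x4000}, {"spare", 0}};
    resolveParallelMoves(regs, {{"arg0", "arg1"}, {"arg1", "arg0"}}, scratch);
    return regs;
}
```

With `wasmScratch` as the scratch the arguments land correctly but the call target is overwritten; with a register that `chooseScratch` keeps out of the live set, both survive.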