[Webkit-unassigned] [Bug 256331] New: Shuffle clobbers indirect call target in BBQ JIT
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu May 4 13:09:02 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=256331
Bug ID: 256331
Summary: Shuffle clobbers indirect call target in BBQ JIT
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Keywords: InRadar
Severity: Normal
Priority: P2
Component: WebAssembly
Assignee: webkit-unassigned at lists.webkit.org
Reporter: d_degazio at apple.com
rdar://108908936
https://bugs.webkit.org/show_bug.cgi?id=256235 removed some redundant loads and stores from the call code generation in BBQ JIT. As part of this, we now use a parallel move/shuffle to move the arguments into their intended locations per the calling convention. Shuffling can require an extra scratch register, and we currently use wasmScratchGPR.
However, the implementation of indirect calls specifically depends on the target address being kept live in wasmScratchGPR across the parameter passing. If the shuffle touches wasmScratchGPR, it will clobber this address, and likely cause a crash. We should just use a different register for shuffles in indirect calls.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230504/e07a8408/attachment-0001.htm>
More information about the webkit-unassigned
mailing list