Title: [210438] branches/safari-603-branch/Source/_javascript_Core
Revision: 210438
Author: [email protected]
Date: 2017-01-06 07:38:09 -0800 (Fri, 06 Jan 2017)

Log Message

Merge r210259. rdar://problem/29856455

Modified Paths

branches/safari-603-branch/Source/_javascript_Core/ChangeLog
branches/safari-603-branch/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp
Diff

Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (210437 => 210438)


--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-01-06 15:38:06 UTC (rev 210437)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-01-06 15:38:09 UTC (rev 210438)
@@ -1,5 +1,29 @@
 2017-01-06  Matthew Hanson  <[email protected]>
 
+        Merge r210259. rdar://problem/29856455
+
+    2017-01-03  JF Bastien  <[email protected]>
+
+            REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
+            https://bugs.webkit.org/show_bug.cgi?id=166669
+            <rdar://problem/29856455>
+
+            Reviewed by Saam Barati.
+
+            Bug #165282 added wasm -> wasm calls, but caused crashes in
+            release builds because the pinned registers are also callee-saved
+            and were being clobbered. B3 didn't see itself clobbering them
+            when no memory was used, and therefore omitted a restore.
+
+            This was causing the C++ code in callWebAssemblyFunction to crash
+            because $r12 was 0, and it expected it to have its value prior to
+            the call.
+
+            * wasm/WasmB3IRGenerator.cpp:
+            (JSC::Wasm::createJSToWasmWrapper):
+
+2017-01-06  Matthew Hanson  <[email protected]>
+
         Merge r210221. rdar://problem/29449474
 
     2017-01-01  Jeff Miller  <[email protected]>
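Review bot: the ChangeLog entry for createJSToWasmWrapper explains the symptom (B3 omitted the restore of callee-saved pinned registers, $r12 was 0 on return into callWebAssemblyFunction) but not the fix; one sentence stating that the wrapper's call patchpoint now declares the pinned registers as clobbered so that B3 emits the save/restore would make the entry self-explanatory. The entry also lists no test under the file list; if the existing wasm.yaml/wasm/js-api/wasm-to-wasm.js test named in the title is the regression coverage, say so there.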

Modified: branches/safari-603-branch/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (210437 => 210438)


--- branches/safari-603-branch/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2017-01-06 15:38:06 UTC (rev 210437)
+++ branches/safari-603-branch/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2017-01-06 15:38:09 UTC (rev 210438)
@@ -1064,6 +1064,16 @@
     // Move the arguments into place.
     Value* result = wasmCallingConvention().setupCall(proc, block, origin, arguments, toB3Type(signature->returnType()), [&] (PatchpointValue* patchpoint) {
         CompilationContext* context = &compilationContext;
+
+        // wasm -> wasm calls clobber pinned registers unconditionally. This JS -> wasm transition must therefore restore these pinned registers (which are usually callee-saved) to account for this.
+        const PinnedRegisterInfo* pinnedRegs = &PinnedRegisterInfo::get();
+        RegisterSet clobbers;
+        clobbers.set(pinnedRegs->baseMemoryPointer);
+        for (auto info : pinnedRegs->sizeRegisters)
+            clobbers.set(info.sizeRegister);
+        patchpoint->effects.writesPinned = true;
+        patchpoint->clobber(clobbers);
+
         patchpoint->setGenerator([context] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
             AllowMacroScratchRegisterUsage allowScratch(jit);
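Review bot: `for (auto info : pinnedRegs->sizeRegisters)` copies each element on every iteration; `for (const auto& info : pinnedRegs->sizeRegisters)` matches the const pointer taken on the line above and avoids the copy. The comment explains why the pinned registers must be restored but not what `patchpoint->effects.writesPinned = true` adds on top of `patchpoint->clobber(clobbers)`; a short note on which of the two is the one that makes B3 save and restore the callee-saved pinned registers (the omission described in the ChangeLog) would help the next reader, and the single 200-character comment line should be wrapped to the file's usual width.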
 
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
