[webkit-changes] [WebKit/WebKit] 65f379: Fix flushing constants to StackArguments in WasmBB...

Tue, 07 Mar 2023 21:38:06 -0800 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 65f37957e2718b0104e2a3bb13086626dafe23d5
      
https://github.com/WebKit/WebKit/commit/65f37957e2718b0104e2a3bb13086626dafe23d5
  Author: David Degazio <[email protected]>
  Date:   2023-03-07 (Tue, 07 Mar 2023)

  Changed paths:
    A JSTests/wasm/stress/constant-overlaps-stack-argument.js
    A JSTests/wasm/stress/spilled-block-argument.js
    A JSTests/wasm/stress/spilled-block-result.js
    A JSTests/wasm/stress/spilled-constant-block-argument.js
    A JSTests/wasm/stress/spilled-constant-block-result.js
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp

  Log Message:
  -----------
  Fix flushing constants to StackArguments in WasmBBQJIT
https://bugs.webkit.org/show_bug.cgi?id=253530
rdar://106358707

Reviewed by Yusuke Suzuki.

The current WASM BBQ JIT trips some assertions when constants are flushed at the
end of a block in certain circumstances. Specifically, if a temp was previously
bound to a StackArgument, then was popped and replaced with a constant, the 
constant
will flush to the StackArgument slot which is wrong and caught by the assertion.

This patch addresses two issues: first, we shouldn't actually fail an assertion 
here,
it's totally fine in theory to store a constant in a stack argument location. 
But the
reason we flush to a StackArgument to begin with is that BBQ JIT doesn't 
correctly
unbind temporaries from StackArgument slots when they are popped - with this 
patch, we
should now always restore temps to their canonical slots if they are bound 
elsewhere
and popped.

* JSTests/wasm/stress/constant-overlaps-stack-argument.js: Added.
* JSTests/wasm/stress/spilled-block-argument.js: Added.
* JSTests/wasm/stress/spilled-block-result.js: Added.
* JSTests/wasm/stress/spilled-constant-block-argument.js: Added.
* JSTests/wasm/stress/spilled-constant-block-result.js: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::emitMoveConst):
(JSC::Wasm::BBQJIT::consume):

Canonical link: https://commits.webkit.org/261358@main


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to