Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: dd1c094a5f04ea5a5f93e236ff3b4db43d85a226
https://github.com/WebKit/WebKit/commit/dd1c094a5f04ea5a5f93e236ff3b4db43d85a226
Author: Yusuke Suzuki <[email protected]>
Date: 2024-02-05 (Mon, 05 Feb 2024)
Changed paths:
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Log Message:
-----------
[JSC] Suppress broken assertion in DFG register allocation
https://bugs.webkit.org/show_bug.cgi?id=268727
rdar://122279383
Reviewed by Mark Lam.
The DFG register allocation check's assertion is broken. It records the
register-allocation offset and attempts to assert when a jump is going over it.
But this does not work at all if register allocation does not emit any
instructions. In that case, the offset can be a valid instruction's one
after the register allocation is done. And this is what is happening here.
We work around this silly bug by reordering the instruction and jump target a bit.
emitStoreCallSiteIndex always emits some instructions, so it distinguishes the
register allocation offset from the actual one. And when retrying (jumping to
mainPath), we do not need to perform emitStoreCallSiteIndex again.
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
Canonical link: https://commits.webkit.org/274116@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes