Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 93a792f5574a5fea86f235f999bd7320d98579da
https://github.com/WebKit/WebKit/commit/93a792f5574a5fea86f235f999bd7320d98579da
Author: Sosuke Suzuki <[email protected]>
Date: 2025-07-09 (Wed, 09 Jul 2025)
Changed paths:
M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
Log Message:
-----------
[JSC] Fix ARMv7 segfault in BBQJIT by avoiding the use of `wasmScratchGPR`
https://bugs.webkit.org/show_bug.cgi?id=295498
Reviewed by Justin Michaud.
WASM BBQJIT on 32-bit uses wasmScratchGPR when loading F32/F64 constants,
causing segmentation faults in JetStream3's tfjs-wasm.
The issue occurs when emitCheckAndPrepareAndMaterializePointerApply stores a
memory address in wasmScratchGPR, then passes it to a functor. If the functor
loads a floating-point constant, it overwrites wasmScratchGPR, corrupting the
address and causing null pointer access.
This patch fixes this by using MacroAssembler's move32ToFloat and move64ToDouble
directly with immediate values, eliminating the use of wasmScratchGPR.
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::emitMoveConst):
Canonical link: https://commits.webkit.org/297169@main
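The hazard the commit describes, as an added toy model rather than JavaScriptCore code: one shared scratch GPR holds the address computed by the pointer-materializing helper, and a functor that routes a float immediate through that same register clobbers the address, while moving the immediate straight into the FPR leaves it intact. `MockAssembler`, `moveConstViaScratch` and `materializePointerAndApply` are placeholders assumed for illustration, not the real JIT's API.

```cpp
#include <cstdint>
#include <cstring>
#include <functional>

// Placeholder stand-in for the 32-bit BBQJIT's macro assembler (assumed, not JSC's).
struct MockAssembler {
    uint32_t wasmScratchGPR = 0;  // single shared scratch GPR, as on ARMv7
    uint32_t fpr = 0;             // destination float register, as a bit pattern

    // Buggy pattern: stage the immediate in the scratch GPR, then move GPR -> FPR.
    void moveConstViaScratch(float value) {
        std::memcpy(&wasmScratchGPR, &value, sizeof value);
        fpr = wasmScratchGPR;
    }

    // Fixed pattern: move the immediate straight into the FPR (the move32ToFloat idea).
    void move32ToFloat(float value) {
        std::memcpy(&fpr, &value, sizeof value);
    }

    // Models emitCheckAndPrepareAndMaterializePointerApply: the computed address
    // lives in wasmScratchGPR while the functor runs, and is consumed afterwards.
    uint32_t materializePointerAndApply(uint32_t address,
                                        const std::function<void(MockAssembler&)>& functor) {
        wasmScratchGPR = address;
        functor(*this);
        return wasmScratchGPR;  // address the following memory access would use
    }
};

// Address seen by the memory access when the functor uses the scratch GPR.
uint32_t addressAfterBuggyFunctor(uint32_t address) {
    MockAssembler masm;
    return masm.materializePointerAndApply(
        address, [](MockAssembler& m) { m.moveConstViaScratch(1.5f); });
}

// Address seen when the functor loads the constant as a direct immediate.
uint32_t addressAfterFixedFunctor(uint32_t address) {
    MockAssembler masm;
    return masm.materializePointerAndApply(
        address, [](MockAssembler& m) { m.move32ToFloat(1.5f); });
}
```

With the buggy functor the "address" that reaches the load is the bit pattern of 1.5f (0x3FC00000), which is why the original code faulted on what looked like a bogus pointer.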