[webkit-changes] [WebKit/WebKit] 4e83ac: [JSC] Fix an !binding.isScratch() assertion failur...

Thu, 18 Sep 2025 15:29:07 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 4e83acc55657a5a86f1af2389e1b88ddf84913f3
      
https://github.com/WebKit/WebKit/commit/4e83acc55657a5a86f1af2389e1b88ddf84913f3
  Author: Mikhail R. Gadelha <mikh...@igalia.com>
  Date:   2025-09-11 (Thu, 11 Sep 2025)

  Changed paths:
    M Source/JavaScriptCore/assembler/ARMv7Assembler.h
    M Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h
    M Source/JavaScriptCore/wasm/WasmBBQJIT.h
    M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp

  Log Message:
  -----------
  [JSC] Fix an !binding.isScratch() assertion failure on 32-bit
https://bugs.webkit.org/show_bug.cgi?id=298157

Reviewed by Justin Michaud.

In 32-bit, we use scratch fp regs to check the bounds of the input of in the
truncSaturated and truncTrapping functions, before emitting the right ccall.

However, the scratch fp registers are still bound when we emit the ccall, which
leads to this assertion failure. These assertions only fail in debug mode and
still provide the correct result in release mode because these fp registers are
not used in the emitted C call.

This PR implements the missing JIT calls for ARMv7 so we don't have to emit the
C calls.

* Source/JavaScriptCore/assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::vcmpz):
(JSC::ARMv7Assembler::vmla):
* Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::branchFloatWithZero):
(JSC::MacroAssemblerARMv7::branchDoubleWithZero):
(JSC::MacroAssemblerARMv7::convertDoubleToUint64):
(JSC::MacroAssemblerARMv7::truncateDoubleToUint64):
(JSC::MacroAssemblerARMv7::truncateDoubleToInt64):
(JSC::MacroAssemblerARMv7::truncateFloatToUint64):
(JSC::MacroAssemblerARMv7::truncateFloatToInt64):
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::truncInBounds):
(JSC::Wasm::BBQJITImpl::BBQJIT::truncTrapping):
(JSC::Wasm::BBQJITImpl::BBQJIT::truncSaturated):

Canonical link: https://commits.webkit.org/299853@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to