Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 96e8f1d299ee4fdcb2bf2dc41c6580c3d6be946b
https://github.com/WebKit/WebKit/commit/96e8f1d299ee4fdcb2bf2dc41c6580c3d6be946b
Author: Dan Hecht <[email protected]>
Date: 2026-02-13 (Fri, 13 Feb 2026)
Changed paths:
M Source/JavaScriptCore/b3/air/AirAllocateRegistersByGreedy.cpp
Log Message:
-----------
[JSC] Remove an incorrect assert from greedy allocator stack coalescing
https://bugs.webkit.org/show_bug.cgi?id=307749
rdar://170288406
Reviewed by Yusuke Suzuki.
As the comment in mayBeCoalescable() states, it's safe to remove Move32
if either the src's defWidth is <= 32 (meaning, for 64-bit machines,
all writes to that tmp zero at least the top 32-bits) or the dst's
useWidth is <= 32 (meaning no uses of that tmp read more than 32-bits).
Despite what the comment said, this is true for anonymous stack slots as
well, beginning with trunk@195298 (2016). That comment was inherited
from the graph coloring allocator and predates that change.
The code that ensures ZDef of stack slots do zero fill is in
lowerStackArgs().
Since mayBeCoalescable() filters out Move32 with src's defWidth > 32,
the Move32 is always safe to remove when maybeCoalescable is true.
There's no assert we can write here since the tmps have already been
replaced and we can't tell what the widths determined by analysis were.
* Source/JavaScriptCore/b3/air/AirAllocateRegistersByGreedy.cpp:
(JSC::B3::Air::Greedy::GreedyAllocator::emitSpillCodeAndEnqueueNewTmps):
(JSC::B3::Air::Greedy::GreedyAllocator::mayBeCoalescable):
Canonical link: https://commits.webkit.org/307472@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
