Branch: refs/heads/webkitglib/2.50
Home: https://github.com/WebKit/WebKit
Commit: 87ed9eac4a2e980477174981426de5172fbde95f
https://github.com/WebKit/WebKit/commit/87ed9eac4a2e980477174981426de5172fbde95f
Author: Shu-yu Guo <[email protected]>
Date: 2026-03-10 (Tue, 10 Mar 2026)
Changed paths:
A JSTests/wasm/stress/omg-tail-call-clobber-scratch-register-2.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
Log Message:
-----------
Cherry-pick 301765.350@safari-7623-branch (271320645405).
https://bugs.webkit.org/show_bug.cgi?id=303444
[JSC] Clobber scratch register in OMG tail call on non-x64
https://bugs.webkit.org/show_bug.cgi?id=303444
rdar://165678403
Reviewed by Yusuke Suzuki.
The OMG tailcall patchpoint uses the scratch register. Currently, the scratch
is not clobbered early because on x64 we exhaust all registers if we do so.
Because of that, prepareTailCallImpl has special handling for saving and
restoring the scratch if it happens to alias one of the inputs. This special
save and restore has issues on ARM as the stack pointer arithmetic itself may
use the scratch, which complicates the restoring.
This PR makes the tail call patchpoint code architecture specific to confine
the save/restore complexity to x64. The special scratch register save/restore
paths are kept only on x64. On non-x64 platforms, the scratch registers are
clobbered early so they can never alias an input.
There is also a drive-by fix for negating float32s on x64 in BBQ, as the test
case also causes an assertion failure there.
Test: JSTests/wasm/stress/omg-tail-call-clobber-scratch-register-2.js
Identifier: 301765.350@safari-7623-branch
Canonical link:
https://commits.webkit.org/298234.478@mcatanzaro/webkitglib/2.50-security
Commit: 3473b99f327f0007307bbdf6b76acbd6e1dae988
https://github.com/WebKit/WebKit/commit/3473b99f327f0007307bbdf6b76acbd6e1dae988
Author: Kai Tamkun <[email protected]>
Date: 2026-03-10 (Tue, 10 Mar 2026)
Changed paths:
A JSTests/wasm/function-references/nullability.js
M Source/JavaScriptCore/wasm/WasmExceptionType.h
M Source/JavaScriptCore/wasm/WasmOperations.cpp
M Source/JavaScriptCore/wasm/js/WasmToJS.cpp
Log Message:
-----------
Cherry-pick 301765.394@safari-7623-branch (f5681488766e).
https://bugs.webkit.org/show_bug.cgi?id=304356
[WASM] Return-from-JS conversions should check the nullability
rdar://159086936
https://bugs.webkit.org/show_bug.cgi?id=304356
Reviewed by Yusuke Suzuki.
Adds a null check when returning from JS to Wasm and the expected
return type is a nonnullable reference type.
Test: JSTests/wasm/function-references/nullability.js
* JSTests/wasm/function-references/nullability.js: Added.
(module):
(async nullability): Tests whether the null check occurs
* Source/JavaScriptCore/wasm/WasmExceptionType.h: Added
ExceptionType::TypeErrorUnexpectedNullReference
(JSC::Wasm::isTypeErrorExceptionType):
* Source/JavaScriptCore/wasm/WasmOperations.cpp: Added null checks
(JSC::Wasm::operationWasmToJSExitMarshalReturnValues):
(JSC::Wasm::operationWasmToJSExitIterateResults):
(JSC::Wasm::operationIterateResults):
* Source/JavaScriptCore/wasm/js/WasmToJS.cpp: Added null check
(JSC::Wasm::wasmToJS): JIT now emits a null check when needed
Identifier: 301765.394@safari-7623-branch
Canonical link:
https://commits.webkit.org/298234.479@mcatanzaro/webkitglib/2.50-security
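The conversion this commit hardens happens when a JS function called from Wasm returns and its result is marshalled back to a Wasm reference type. The following is an added example, not code from the WebKit patch or its test: it hand-encodes a tiny module (constructed here, imports a JS function `js.ret` returning a nullable `funcref` and re-exports it as `get`) and shows what the existing JS API rules already do at that boundary: `null` is accepted because the result type is nullable, a Wasm exported function is accepted, and anything else (including `undefined` from a JS function that returns nothing) is a `TypeError`. The non-nullable `(ref func)` case the commit fixes is the same check with `null` also rejected; it needs the function-references proposal and is not exercised by this module.

```javascript
// Added example, not part of the WebKit patch or JSTests. The module below is
// constructed by hand for this illustration:
//   (import "js" "ret" (func $ret (result funcref)))
//   (func (export "get") (result funcref) (call $ret))
// Only MVP reference types (nullable funcref) are used, so it runs on any
// engine that ships reference-types; no function-references support assumed.
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,             // magic + version
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x70,                   // type 0: () -> funcref
  0x02, 0x0a, 0x01, 0x02, 0x6a, 0x73, 0x03, 0x72, 0x65, 0x74, // import "js" "ret"
  0x00, 0x00,                                                 //   kind func, type 0
  0x03, 0x02, 0x01, 0x00,                                     // func section: 1 func, type 0
  0x07, 0x07, 0x01, 0x03, 0x67, 0x65, 0x74, 0x00, 0x01,       // export "get" = func index 1
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x10, 0x00, 0x0b,             // code: call 0; end
]);

// Instantiate with a JS implementation of the import whose return value is
// chosen by `produce`, then call the export so that value crosses the
// JS -> Wasm return boundary. `produce` receives the instance exports so a
// case can hand back a genuine Wasm exported function.
function roundTrip(produce) {
  let exportsRef;
  const imports = { js: { ret: () => produce(exportsRef) } };
  const instance = new WebAssembly.Instance(new WebAssembly.Module(MODULE_BYTES), imports);
  exportsRef = instance.exports;
  return instance.exports.get();
}

// Report what the boundary did with the produced JS value.
function classify(produce) {
  try {
    const v = roundTrip(produce);
    return v === null ? "null accepted (nullable funcref)" : "function accepted";
  } catch (e) {
    return e instanceof TypeError ? "TypeError at JS->Wasm return" : "other error: " + e;
  }
}

// Nullable result type: null is a legal funcref value.
const nullCase = classify(() => null);
// A JS function that returns nothing yields undefined, which is not a funcref.
const undefinedCase = classify(() => undefined);
// An ordinary JS function is not a Wasm exported function either.
const plainFunctionCase = classify(() => function () {});
// A Wasm exported function converts to a funcref and comes back unchanged.
const exportedFunctionCase = classify((ex) => ex.get);
```

The `undefined` case is the one to remember when writing imports: a JS callback that forgets to return a value fails the conversion, and with a non-nullable result type the same failure is what this commit now reports for `null` instead of letting a null reference through.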
Commit: 791fabbcf2cc55eee1e4bcbe02dc13519d8bbeaf
https://github.com/WebKit/WebKit/commit/791fabbcf2cc55eee1e4bcbe02dc13519d8bbeaf
Author: Shu-yu Guo <[email protected]>
Date: 2026-03-10 (Tue, 10 Mar 2026)
Changed paths:
A JSTests/stress/ftl-valuerepreduction-double-undefined.js
M Source/JavaScriptCore/dfg/DFGMultiGetByOffsetData.h
M Source/JavaScriptCore/dfg/DFGValueRepReductionPhase.cpp
Log Message:
-----------
Cherry-pick 301765.399@safari-7623-branch (d32d4c76087a).
https://bugs.webkit.org/show_bug.cgi?id=305064
[JSC] Convert MultiGetByOffsetMethod constants to double if needed
https://bugs.webkit.org/show_bug.cgi?id=305064
rdar://167109771
Reviewed by Keith Miller and Yusuke Suzuki.
FTL's ValueRep reduction phase can convert MultiGetByOffset nodes to
NodeResultDouble with non-Number constant values in its cases. These constants
are non-Cells and should be converted to Numbers.
Test: JSTests/stress/ftl-valuerepreduction-double-undefined.js
Identifier: 301765.399@safari-7623-branch
Canonical link:
https://commits.webkit.org/298234.480@mcatanzaro/webkitglib/2.50-security
Compare: https://github.com/WebKit/WebKit/compare/6958658e0f86...791fabbcf2cc