Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 7b43a563bdda9384d9d6c5b6cd73daa7ea822907
https://github.com/WebKit/WebKit/commit/7b43a563bdda9384d9d6c5b6cd73daa7ea822907
Author: Marcus Plutowski <[email protected]>
Date: 2026-03-20 (Fri, 20 Mar 2026)
Changed paths:
M Source/bmalloc/bmalloc/BAssert.h
M Source/bmalloc/libpas/src/libpas/pas_mte.h
M Source/bmalloc/libpas/src/libpas/pas_page_malloc.c
M Source/bmalloc/libpas/src/libpas/pas_segregated_page.c
M Source/bmalloc/libpas/src/libpas/pas_utils.c
M Source/bmalloc/libpas/src/libpas/pas_utils.h
Log Message:
-----------
[libpas] Unify PAS_ASSERT behavior
https://bugs.webkit.org/show_bug.cgi?id=310082
rdar://172722059
Reviewed by Dan Hecht.
Previously, there were two distinct behaviors for this macro on Darwin.
1. PAS_ASSERT with two or more arguments would store the __LINE__
and subsequent arguments in registers, then properly execute `brk 0xc471`
to crash.
2. PAS_ASSERT with one argument would do none of that, and fall
through to __builtin_unreachable() on the assumption that it would
be implemented as a trap.
The actual benefit of #2 seems to be minimal, if anything, while
having the downside of obfuscating crash logs (among other things).
Barring some horrific unforeseen perf regression, this seems like the
obvious thing to do.
Here's some example asm before/after
(in this case, pas_segregated_page_switch_lock_slow)
before:
```
JavaScriptCore`pas_segregated_page_switch_lock_slow:
0x104686b70 <+0>: pacibsp
0x104686b74 <+4>: sub sp, sp, #0x30
0x104686b78 <+8>: stp x20, x19, [sp, #0x10]
0x104686b7c <+12>: stp x29, x30, [sp, #0x20]
0x104686b80 <+16>: add x29, sp, #0x20
0x104686b84 <+20>: str x1, [sp, #0x8]
0x104686b88 <+24>: cmp x1, x2
0x104686b8c <+28>: b.eq 0x104686c20 ; <+176> [inlined]
pas_assertion_failed at pas_utils.h:248:5
0x104686b90 <+32>: mov x20, x2
0x104686b94 <+36>: mov x19, x0
0x104686b98 <+40>: cbz x1, 0x104686bbc ; <+76> [inlined]
os_unfair_lock_trylock_inline at lock_private.h:784:20
0x104686b9c <+44>: mrs x8, TPIDRRO_EL0
...
0x104686c0c <+156>: ldr x0, [sp, #0x8]
0x104686c10 <+160>: ldp x29, x30, [sp, #0x20]
0x104686c14 <+164>: ldp x20, x19, [sp, #0x10]
0x104686c18 <+168>: add sp, sp, #0x30
0x104686c1c <+172>: retab
-> 0x104686c20 <+176>: brk #0x1
```
after:
```
JavaScriptCore`pas_segregated_page_switch_lock_slow:
0x1045d688c <+0>: pacibsp
0x1045d6890 <+4>: sub sp, sp, #0x30
0x1045d6894 <+8>: stp x20, x19, [sp, #0x10]
0x1045d6898 <+12>: stp x29, x30, [sp, #0x20]
0x1045d689c <+16>: add x29, sp, #0x20
0x1045d68a0 <+20>: str x1, [sp, #0x8]
0x1045d68a4 <+24>: cmp x1, x2
0x1045d68a8 <+28>: b.eq 0x1045d693c ; <+176> [inlined]
pas_assertion_failed_noreturn_silencer0 at pas_utils.h:314:5
0x1045d68ac <+32>: mov x20, x2
0x1045d68b0 <+36>: mov x19, x0
0x1045d68b4 <+40>: cbz x1, 0x1045d68d8 ; <+76> [inlined]
os_unfair_lock_trylock_inline at lock_private.h:784:20
0x1045d68b8 <+44>: mrs x8, TPIDRRO_EL0
...
0x1045d6928 <+156>: ldr x0, [sp, #0x8]
0x1045d692c <+160>: ldp x29, x30, [sp, #0x20]
0x1045d6930 <+164>: ldp x20, x19, [sp, #0x10]
0x1045d6934 <+168>: add sp, sp, #0x30
0x1045d6938 <+172>: retab
-> 0x1045d693c <+176>: bl 0x104732c60 ; set_up_range.cold.16 at
pas_designated_intrinsic_heap.c
```
The only inline impact is that the `brk` is replaced with a `bl` to
out-of-line code that handles the actual register fiddling.
Unfortunately, this does require obviating some of 309224@main, as these
non-inline functions fall afoul of TAPI's checks for
symbol-availability, as it'd be libpas.a that contains the symbol and
not bmalloc per se. There are ways to get around that but they're pretty
disruptive, so for now we'll have to go without __LINE__ information for
BAssert. This isn't a regression since BAssert was only wired up to the
single-argument PAS_ASSERT, which as we've seen, did not actually
implement that desired behavior.
Canonical link: https://commits.webkit.org/309669@main
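To illustrate the shape of the unified macro the commit describes, here is an added example (not libpas code; all names such as `DEMO_ASSERT` and `demo_assertion_failed` are hypothetical) in which both the one-argument and the multi-argument forms route to a single out-of-line, noreturn, cold handler that records `__LINE__` and the extra values before trapping, so the inline footprint at each check site is one conditional call. A longjmp hook stands in for the trap so the behaviour can be exercised without crashing.

```c
#include <setjmp.h>
#include <stdint.h>

/* What the out-of-line handler captures before trapping: in a real
   allocator these would be parked in registers for the crash log. */
typedef struct {
    const char *file;
    int line;
    uintptr_t extra[2];
    int nextra;
} assert_record;

static assert_record last_failure;
static jmp_buf recovery;
static int recovery_armed;

/* One cold, noinline, noreturn handler for every assertion form. */
__attribute__((noreturn, noinline, cold))
static void demo_assertion_failed(const char *file, int line,
                                  int nextra, uintptr_t a, uintptr_t b)
{
    last_failure = (assert_record){ file, line, { a, b }, nextra };
    if (recovery_armed)
        longjmp(recovery, 1);   /* test hook: unwind instead of trapping */
    __builtin_trap();           /* deployment: deterministic crash */
}

/* Argument-count dispatch: DEMO_ASSERT(cond), DEMO_ASSERT(cond, a) and
   DEMO_ASSERT(cond, a, b) all reach demo_assertion_failed(). */
#define DEMO_ASSERT_1(c)       do { if (__builtin_expect(!(c), 0)) demo_assertion_failed(__FILE__, __LINE__, 0, 0, 0); } while (0)
#define DEMO_ASSERT_2(c, a)    do { if (__builtin_expect(!(c), 0)) demo_assertion_failed(__FILE__, __LINE__, 1, (uintptr_t)(a), 0); } while (0)
#define DEMO_ASSERT_3(c, a, b) do { if (__builtin_expect(!(c), 0)) demo_assertion_failed(__FILE__, __LINE__, 2, (uintptr_t)(a), (uintptr_t)(b)); } while (0)
#define DEMO_ASSERT_PICK(_1, _2, _3, NAME, ...) NAME
#define DEMO_ASSERT(...) DEMO_ASSERT_PICK(__VA_ARGS__, DEMO_ASSERT_3, DEMO_ASSERT_2, DEMO_ASSERT_1)(__VA_ARGS__)

/* A lock-ownership style invariant, like the switch_lock_slow check in
   the listing above. Returns 1 if the assertion fired, 0 otherwise. */
int check_lock_owner(uintptr_t held, uintptr_t expected)
{
    recovery_armed = 1;
    if (setjmp(recovery)) {
        recovery_armed = 0;
        return 1;
    }
    DEMO_ASSERT(held == expected, held, expected);
    recovery_armed = 0;
    return 0;
}
```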