Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c18d1e3571f490235aa624c1593e7d1289ea7ba6
https://github.com/WebKit/WebKit/commit/c18d1e3571f490235aa624c1593e7d1289ea7ba6
Author: Keith Miller <[email protected]>
Date: 2026-06-04 (Thu, 04 Jun 2026)
Changed paths:
A JSTests/wasm/stress/omg-indirect-tail-call-late-input-clobber.js
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
Log Message:
-----------
[Wasm] OMG tail call patchpoint needs to clobber late pinned registers.
https://bugs.webkit.org/show_bug.cgi?id=316227
rdar://178479084
Reviewed by Justin Michaud and Dan Hecht.
312691@main switched OMG's tail-call shuffle to a parallel-move algorithm and constrained the boxed callee plus stack-bound outgoing arguments as LateColdAny so B3 was free to place them in callee-save registers. 312795@main moved cross-instance pinned-register restoration off the caller side and into the tail-call patchpoint itself, reloading wasmBaseMemoryPointer and wasmBoundsCheckingSizeRegister from the callee instance before prepareForCall->run() runs the shuffle. The combination is unsafe on a return_call_ref/return_call_indirect: those late inputs are still live across the context-switch reload, but I removed the line that marked the pinned registers as late clobbers. Thus, B3 could allocate one of them to a pinned register and the reload would overwrite the value before the shuffle consumed it.

Declare RegisterSet::wasmPinnedRegisters() as a late clobber on the root-tail path in OMGIRGenerator::emitIndirectCall so B3 keeps live late inputs out of those registers.
Test: JSTests/wasm/stress/omg-indirect-tail-call-late-input-clobber.js
Canonical link: https://commits.webkit.org/314548@main