Changeset 210259 in webkit


Timestamp: Jan 3, 2017 5:14:59 PM (7 years ago)
Author: jfbastien@apple.com
Message:

REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
https://bugs.webkit.org/show_bug.cgi?id=166669
<rdar://problem/29856455>

Reviewed by Saam Barati.

Bug #165282 added wasm -> wasm calls, but caused crashes in
release builds because the pinned registers are also callee-saved
and were being clobbered. B3 didn't see itself clobbering them
when no memory was used, and therefore omitted a restore.

This was causing the C++ code in callWebAssemblyFunction to crash
because $r12 was 0, and it expected it to have its value prior to
the call.

  • wasm/WasmB3IRGenerator.cpp:
    (JSC::Wasm::createJSToWasmWrapper):

Location: trunk/Source/JavaScriptCore
Files: 2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r210251 r210259  
     12017-01-03  JF Bastien  <jfbastien@apple.com>
     2
     3        REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
     4        https://bugs.webkit.org/show_bug.cgi?id=166669
     5        <rdar://problem/29856455>
     6
     7        Reviewed by Saam Barati.
     8
     9        Bug #165282 added wasm -> wasm calls, but caused crashes in
     10        release builds because the pinned registers are also callee-saved
     11        and were being clobbered. B3 didn't see itself clobbering them
     12        when no memory was used, and therefore omitted a restore.
     13
     14        This was causing the C++ code in callWebAssemblyFunction to crash
     15        because $r12 was 0, and it expected it to have its value prior to
     16        the call.
     17
     18        * wasm/WasmB3IRGenerator.cpp:
     19        (JSC::Wasm::createJSToWasmWrapper):
     20
    1212017-01-03  Joseph Pecoraro  <pecoraro@apple.com>
    222
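Review bot: the entry explains the crash but not the fix. One sentence stating that the JS -> wasm wrapper's call patchpoint now declares baseMemoryPointer and each size register as clobbered (so B3 saves and restores them whether or not the module uses memory) would make the mechanism explicit; as written, "B3 didn't see itself clobbering them when no memory was used" tells the next reader what went wrong but not what changed in createJSToWasmWrapper to address it.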
  • trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

    r210229 r210259  
    10651065    Value* result = wasmCallingConvention().setupCall(proc, block, origin, arguments, toB3Type(signature->returnType()), [&] (PatchpointValue* patchpoint) {
    10661066        CompilationContext* context = &compilationContext;
     1067
     1068        // wasm -> wasm calls clobber pinned registers unconditionally. This JS -> wasm transition must therefore restore these pinned registers (which are usually callee-saved) to account for this.
     1069        const PinnedRegisterInfo* pinnedRegs = &PinnedRegisterInfo::get();
     1070        RegisterSet clobbers;
     1071        clobbers.set(pinnedRegs->baseMemoryPointer);
     1072        for (auto info : pinnedRegs->sizeRegisters)
     1073            clobbers.set(info.sizeRegister);
     1074        patchpoint->effects.writesPinned = true;
     1075        patchpoint->clobber(clobbers);
     1076
    10671077        patchpoint->setGenerator([context] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
    10681078            AllowMacroScratchRegisterUsage allowScratch(jit);
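Review bot: the loop `for (auto info : pinnedRegs->sizeRegisters)` copies each entry; `const auto&` is the usual idiom here. On the substance of the hunk: `clobbers` lists exactly the registers the ChangeLog says were being left corrupted (baseMemoryPointer plus every `sizeRegister`), and `patchpoint->clobber(clobbers)` is what makes B3 treat them as clobbered by this call and emit the callee-saved save/restore in the wrapper regardless of whether the module uses memory; `patchpoint->effects.writesPinned = true` additionally stops B3 from assuming the pinned values survive the call. Since the defect was a callee-saved register reaching C++ code (callWebAssemblyFunction, per the message) with the value 0, consider moving the construction of this register set into a helper on PinnedRegisterInfo so every JS/wasm transition shares one definition instead of re-listing the registers inline, which is where a future pinned register would otherwise be missed.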