Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5156f93cff547f3c9a66684be4e0d5d65897f26d
      
https://github.com/WebKit/WebKit/commit/5156f93cff547f3c9a66684be4e0d5d65897f26d
  Author: David Degazio <d_dega...@apple.com>
  Date:   2025-01-31 (Fri, 31 Jan 2025)

  Changed paths:
    A JSTests/wasm/stress/array-copy-with-constant-null.js
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.h
    M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
    M Source/JavaScriptCore/wasm/WasmFunctionParser.h
    M Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.h

  Log Message:
  -----------
  [WASM GC] Reference instructions should consume arguments even when operand is constant null
https://bugs.webkit.org/show_bug.cgi?id=283889
rdar://140774231

Reviewed by Yusuke Suzuki.

Fixes all instances where we have a WASM GC opcode that fails to call
consume() on its arguments. Generally this previously happened in the
case we detected one of the arguments was a JSNull constant.

In order to limit the impact of failing to consume(), this patch also
removes a case in BBQJIT::allocateWithHint that would blindly reuse
the existing register binding for a value. This case seems to only have
been reachable when calling allocate() on the result of a C call - a
procedure that allocates a location for its result internally. I've
replaced these redundant allocate() calls with loadIfNecessary() calls,
although we pretty much always expect the value to already be in a
register.

Finally, this patch adds debug-only verification that every value we
pop from the expression stack is consumed in BBQ. This required some
minor changes to the implementations of some instructions to ensure
we don't detect spurious errors. It was a big help in finding buggy
cases when making this patch and should help defend against such bugs
in the future.

* JSTests/wasm/stress/array-copy-with-constant-null.js: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableSet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableInit):
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableFill):
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableCopy):
(JSC::Wasm::BBQJITImpl::BBQJIT::addMemoryFill):
(JSC::Wasm::BBQJITImpl::BBQJIT::addMemoryCopy):
(JSC::Wasm::BBQJITImpl::BBQJIT::addMemoryInit):
(JSC::Wasm::BBQJITImpl::BBQJIT::atomicWait):
(JSC::Wasm::BBQJITImpl::BBQJIT::atomicNotify):
(JSC::Wasm::BBQJITImpl::BBQJIT::pushArrayNewFromSegment):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayCopy):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayInitElem):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayInitData):
(JSC::Wasm::BBQJITImpl::BBQJIT::addAnyConvertExtern):
(JSC::Wasm::BBQJITImpl::BBQJIT::addExternConvertAny):
(JSC::Wasm::BBQJITImpl::BBQJIT::willParseOpcode):
(JSC::Wasm::BBQJITImpl::BBQJIT::didPopValueFromStack):
(JSC::Wasm::BBQJITImpl::BBQJIT::allocateWithHint):
(JSC::Wasm::BBQJITImpl::BBQJIT::consume):
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableGet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayNewFixed):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArraySet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayFill):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructNewDefault):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructNew):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructSet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addRefCast):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addTableGet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayNew):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayNewFixed):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArraySet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayFill):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructNewDefault):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructNew):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructSet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addRefCast):
(JSC::Wasm::BBQJITImpl::BBQJIT::addBranchNull):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCallRef):
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
(JSC::Wasm::isCompareOpType):

Originally-landed-as: 283286.567@safari-7620-branch (8964a07ea3fb). 
rdar://143593696
Canonical link: https://commits.webkit.org/289657@main
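The following is an added illustration, not code from this commit or from WebKit: a toy model of the invariant the patch's debug-only check enforces, showing the buggy early-return shape beside the fixed one. The names `Value`, `ExprStack`, `arrayCopyBuggy`, `arrayCopyFixed` and `pendingAfter` are hypothetical.

```cpp
// Added illustration, not WebKit code: a toy model of the invariant the patch's
// debug-only check enforces in BBQ: every value an opcode pops must be consume()d
// before the next opcode, even on the shortcut for a constant-null operand. All names are hypothetical.
#include <cassert>
#include <cstddef>
#include <set>
#include <vector>
struct Value { int id; bool isConstNull; };

class ExprStack {
public:
    void push(Value v) { m_stack.push_back(v); }
    // Like didPopValueFromStack: every popped value starts out pending.
    Value pop() { Value v = m_stack.back(); m_stack.pop_back(); m_pending.insert(v.id); return v; }
    // Like consume(): release the value's binding so it is no longer pending.
    void consume(const Value& v) { m_pending.erase(v.id); }
    // Like the check in willParseOpcode: anything still pending is a bug.
    std::size_t pendingCount() const { return m_pending.size(); }
private:
    std::vector<Value> m_stack;
    std::set<int> m_pending;
};

// Buggy shape: a constant-null operand triggers an early return, so the popped operands are never consumed.
bool arrayCopyBuggy(ExprStack& s) {
    std::vector<Value> args;
    for (int i = 0; i < 5; ++i) args.push_back(s.pop()); // array.copy pops 5 operands
    for (const Value& v : args) if (v.isConstNull) return true; // BUG: consume() skipped on this path
    for (const Value& v : args) s.consume(v);
    return false;
}

// Fixed shape: operands are consumed on every path; the null check only decides whether to trap.
bool arrayCopyFixed(ExprStack& s) {
    std::vector<Value> args;
    for (int i = 0; i < 5; ++i) args.push_back(s.pop());
    bool trap = false;
    for (const Value& v : args) trap = trap || v.isConstNull;
    for (const Value& v : args) s.consume(v);
    return trap;
}

// Run one opcode with the destination array as a constant null; report how many popped values the check would flag.
std::size_t pendingAfter(bool (*opcode)(ExprStack&)) {
    ExprStack s;
    for (int i = 0; i < 5; ++i) s.push(Value{i, i == 0}); // id 0: constant-null array operand
    opcode(s);
    return s.pendingCount();
}
int main() { assert(pendingAfter(arrayCopyBuggy) == 5); assert(pendingAfter(arrayCopyFixed) == 0); }
```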



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
