REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm...
author: jfbastien@apple.com <jfbastien@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 4 Jan 2017 01:14:59 +0000 (01:14 +0000)
committer: jfbastien@apple.com <jfbastien@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 4 Jan 2017 01:14:59 +0000 (01:14 +0000)
https://bugs.webkit.org/show_bug.cgi?id=166669
<rdar://problem/29856455>

Reviewed by Saam Barati.

Bug #165282 added wasm -> wasm calls, but caused crashes in
release builds because the pinned registers are also callee-saved
and were being clobbered. B3 didn't see itself clobbering them
when no memory was used, and therefore omitted a restore.

This was causing the C++ code in callWebAssemblyFunction to crash
because $r12 was 0, and it expected it to have its value prior to
the call.

* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::createJSToWasmWrapper):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@210259 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

index 21d3d43..6d0a772 100644 (file)
@@ -1,3 +1,23 @@
+2017-01-03  JF Bastien  <jfbastien@apple.com>
+
+        REGRESSION (r210244): Release JSC Stress test failure: wasm.yaml/wasm/js-api/wasm-to-wasm.js.default-wasm
+        https://bugs.webkit.org/show_bug.cgi?id=166669
+        <rdar://problem/29856455>
+
+        Reviewed by Saam Barati.
+
+        Bug #165282 added wasm -> wasm calls, but caused crashes in
+        release builds because the pinned registers are also callee-saved
+        and were being clobbered. B3 didn't see itself clobbering them
+        when no memory was used, and therefore omitted a restore.
+
+        This was causing the C++ code in callWebAssemblyFunction to crash
+        because $r12 was 0, and it expected it to have its value prior to
+        the call.
+
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::createJSToWasmWrapper):
+
 2017-01-03  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: Address failures under LayoutTests/inspector/debugger/stepping
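Review bot: the new ChangeLog entry describes the symptom (B3 omitting the restore of the pinned registers, `$r12` being 0 when callWebAssemblyFunction resumes) but not what the change does about it; a sentence after the second paragraph along the lines of "Mark the call patchpoint as clobbering the pinned base memory pointer and size registers so B3 saves and restores them even when no memory is used" would let a reader understand the fix without opening WasmB3IRGenerator.cpp. Also, `$r12` is a platform-specific register name; saying which pinned register role it holds on that platform keeps the entry meaningful for the other ports.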
index 80d7003..cc69363 100644 (file)
@@ -1064,6 +1064,16 @@ static void createJSToWasmWrapper(VM& vm, CompilationContext& compilationContext
     // Move the arguments into place.
     Value* result = wasmCallingConvention().setupCall(proc, block, origin, arguments, toB3Type(signature->returnType()), [&] (PatchpointValue* patchpoint) {
         CompilationContext* context = &compilationContext;
+
+        // wasm -> wasm calls clobber pinned registers unconditionally. This JS -> wasm transition must therefore restore these pinned registers (which are usually callee-saved) to account for this.
+        const PinnedRegisterInfo* pinnedRegs = &PinnedRegisterInfo::get();
+        RegisterSet clobbers;
+        clobbers.set(pinnedRegs->baseMemoryPointer);
+        for (auto info : pinnedRegs->sizeRegisters)
+            clobbers.set(info.sizeRegister);
+        patchpoint->effects.writesPinned = true;
+        patchpoint->clobber(clobbers);
+
         patchpoint->setGenerator([context] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
             AllowMacroScratchRegisterUsage allowScratch(jit);
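Review bot: the new comment explains that wasm -> wasm calls clobber the pinned registers, but not why the patchpoint needs both `patchpoint->effects.writesPinned = true;` and `patchpoint->clobber(clobbers);`; a short note that the clobber set is what makes B3 save and restore `baseMemoryPointer` and the size registers around this call regardless of whether the module uses memory (the case the ChangeLog says was being missed), while `writesPinned` flags the write for B3's effects analysis, would document the invariant the C++ caller relies on. Since a stale or zeroed base memory pointer in the caller is a memory-safety problem rather than only the crash seen in the bug, stating that invariant in the comment is worth the extra line. Two style points: `for (auto info : pinnedRegs->sizeRegisters)` copies each element, so `const auto& info` is preferable; and `const PinnedRegisterInfo* pinnedRegs = &PinnedRegisterInfo::get();` reads more naturally as a reference, `const PinnedRegisterInfo& pinnedRegs = PinnedRegisterInfo::get();`, with `pinnedRegs.` in the two uses that follow.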