Bug 277413
| Summary: | Regression in Wasm::BBQJIT::setGlobal on armv7 | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Max Rottenkolber <maximilian> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Max Rottenkolber
The commit
commit b7de8d58745394254579958957e487a7a38b4b0b
Author: Keith Miller <keith_miller@apple.com>
Date: Wed Jul 24 13:43:11 2024 -0700
Merge Wasm::Instance into JSWebAssemblyInstance
introduces a regression that breaks Wasm::BBQJIT::setGlobal on armv7.
Specifically, it emits a write barrier on an uninitialized register filled with garbage, causing its contents to be considered a cell by the GC. The fix is as follows:
diff --git a/Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp b/Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
index 7bc4ef514e19..7e5eee53e64d 100644
--- a/Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
+++ b/Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
@@ -312,7 +312,7 @@ PartialResult WARN_UNUSED_RETURN BBQJIT::setGlobal(uint32_t index, Value value)
emitMove(value, Location::fromGlobal(offset));
consume(value);
if (isRefType(type))
- emitWriteBarrier(wasmScratchGPR);
+ emitWriteBarrier(GPRInfo::wasmContextInstancePointer);
break;
}
case Wasm::GlobalInformation::BindingMode::Portable: {
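Review bot: The barrier target in the `isRefType(type)` branch must be the object that owns the global's storage, and nothing in the visible context (`emitMove(value, Location::fromGlobal(offset))`, `consume(value)`) loads `wasmScratchGPR` before the barrier, so the removed line passed whatever the scratch register happened to hold; `GPRInfo::wasmContextInstancePointer` is the right choice now that the instance is the owning cell after the Wasm::Instance merge. Since this is the 32_64 backend only, please confirm the 64-bit setGlobal path already barriers the instance pointer rather than a scratch register, and add a regression test that stores a ref-typed global and then forces GC on armv7 so a stale scratch value cannot silently regress again.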
Radar WebKit Bug Importer
<rdar://problem/133371110>
EWS
Committed 282521@main (5e9259f3fd5d): <https://commits.webkit.org/282521@main>
Reviewed commits have been landed. Closing PR #31530 and removing active labels.