253592 – Fix result height when folding select in WasmBBQJIT

RESOLVED FIXED 253592

Fix result height when folding select in WasmBBQJIT

https://bugs.webkit.org/show_bug.cgi?id=253592

Summary Fix result height when folding select in WasmBBQJIT

David Degazio

Reported 2023-03-08 11:55:27 PST

rdar://106420016 When BBQ JIT folds a WASM select instruction (when its condition is a constant), it currently naively selects between the left and right operands and consumes whichever one wasn't selected. This works fine if the result is a constant, but it's possible for this to result in an incorrect stack height. For example, if we have: Select Temp(0), Temp(1), Const(1) ...then we will set the result to Temp(1), despite the fact that after all the operands of Select are popped, the result should be at height 0. To fix this, we just need to consume all operands like we do in the non-folded case, then independently push and allocate the result temp.

Attachments
Add attachment proposed patch, testcase, etc.

David Degazio

Comment 1 2023-03-08 12:02:34 PST

Pull request: https://github.com/WebKit/WebKit/pull/11247

EWS

Comment 2 2023-03-09 13:27:14 PST

Committed 261461@main (c0310d30906b): <https://commits.webkit.org/261461@main> Reviewed commits have been landed. Closing PR #11247 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebAssembly

Assignee

David Degazio

Reported

2023-03-08 11:55 PST

Modified

2023-03-09 13:27 PST History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks