Bug 253592 - Fix result height when folding select in WasmBBQJIT
Summary: Fix result height when folding select in WasmBBQJIT
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebAssembly
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: David Degazio
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-03-08 11:55 PST by David Degazio
Modified: 2023-03-09 13:27 PST

See Also:


Description David Degazio 2023-03-08 11:55:27 PST
rdar://106420016

When BBQ JIT folds a WASM select instruction (when its condition is a constant), it currently naively selects between the left and right operands and consumes whichever one wasn't selected. This works fine if the result is a constant, but it's possible for this to result in an incorrect stack height. For example, if we have:

    Select Temp(0), Temp(1), Const(1)

...then we will set the result to Temp(1), despite the fact that after all the operands of Select are popped, the result should be at height 0. To fix this, we just need to consume all operands like we do in the non-folded case, then independently push and allocate the result temp.
Comment 1 David Degazio 2023-03-08 12:02:34 PST
Pull request: https://github.com/WebKit/WebKit/pull/11247
Comment 2 EWS 2023-03-09 13:27:14 PST
Committed 261461@main (c0310d30906b): <https://commits.webkit.org/261461@main>

Reviewed commits have been landed. Closing PR #11247 and removing active labels.