Bug 277413: RESOLVED FIXED
Regression in Wasm::BBQJIT::setGlobal on armv7
https://bugs.webkit.org/show_bug.cgi?id=277413
Summary: Regression in Wasm::BBQJIT::setGlobal on armv7
Max Rottenkolber
Reported 2024-07-31 02:58:45 PDT
The commit b7de8d58745394254579958957e487a7a38b4b0b (Author: Keith Miller <keith_miller@apple.com>, Date: Wed Jul 24 13:43:11 2024 -0700, "Merge Wasm::Instance into JSWebAssemblyInstance") introduces a regression that breaks Wasm::BBQJIT::setGlobal on armv7. Specifically it emits a write barrier on an uninitialized register filled with garbage, causing its contents to be considered a cell by the GC. The fix is as follows:

diff --git a/Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp b/Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp index 7bc4ef514e19..7e5eee53e64d 100644 --- a/Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp +++ b/Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp @@ -312,7 +312,7 @@ PartialResult WARN_UNUSED_RETURN BBQJIT::setGlobal(uint32_t index, Value value) emitMove(value, Location::fromGlobal(offset)); consume(value); if (isRefType(type)) - emitWriteBarrier(wasmScratchGPR); + emitWriteBarrier(GPRInfo::wasmContextInstancePointer); break; } case Wasm::GlobalInformation::BindingMode::Portable: {
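Review bot: the hunk is right to barrier the owner cell instead of a scratch register, but the call site would benefit from a one-line comment stating that the write barrier must target the instance that owns the global (`GPRInfo::wasmContextInstancePointer`) and that `wasmScratchGPR` holds no defined value at this point after `emitMove(value, Location::fromGlobal(offset))` and `consume(value)`; without that note the 32_64 path and the 64-bit path can easily diverge again on the next edit. It would also be worth landing a regression test that performs `global.set` on a ref-typed global on armv7 with GC stress enabled, since the reported failure (uninitialized register contents treated as a cell) only surfaces when a collection runs after the barrier has been recorded.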
Radar WebKit Bug Importer
Comment 1 2024-08-07 02:59:13 PDT
EWS
Comment 2 2024-08-20 15:18:52 PDT
Committed 282521@main (5e9259f3fd5d): <https://commits.webkit.org/282521@main> Reviewed commits have been landed. Closing PR #31530 and removing active labels.