Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 11eaa3910d44873a96f8998832aaf4bee9ba4917
https://github.com/WebKit/WebKit/commit/11eaa3910d44873a96f8998832aaf4bee9ba4917
Author: Shu-yu Guo <[email protected]>
Date: 2025-11-18 (Tue, 18 Nov 2025)
Changed paths:
A JSTests/wasm/stress/omg-tail-call-clobber-scratch-register.js
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
Log Message:
-----------
[JSC] Fix spilling macro scratch reg in OMG tail calls
https://bugs.webkit.org/show_bug.cgi?id=298496
rdar://158613168
Reviewed by Mark Lam.
OMG does manual saving of the MacroAssembler scratch register when preparing
the frame for tail calls, because it uses it as a temp and it may interfere
with an input GPR. This logic is currently wrong in several ways:
- In assert-enabled builds, the register is spilled after it is already
clobbered.
- In assert-enabled builds, the stack spill location is overwritten before it
is restored.
- The spill offset is relative to the original SP, and it is restored relative
to the new SP after the frame is set up for the tail call.
This PR fixes these and adds the following modest safeguards:
- For tail call patchpoints that have an AnyRegister input, disallow
MacroAssembler scratch register usage by default so that after prepareCall,
it is not accidentally clobbered in case it is an input GPR.
- Explicitly disallow scratch usage before saving and after restoring the
scratch register in prepareTailCallImpl. Stack clobbering is rewritten
to accommodate.
Originally-landed-as: 297297.410@safari-7622-branch (cf7eb4a4e9c4).
rdar://164214668
Canonical link: https://commits.webkit.org/303198@main