[webkit-changes] [WebKit/WebKit] 192a3b: [JSC] BBQ should not assume Int32 operands are Str...

Wed, 17 Dec 2025 20:52:02 -0800 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 192a3bc81f586f6d9a13f11268d343fec348dae4
      
https://github.com/WebKit/WebKit/commit/192a3bc81f586f6d9a13f11268d343fec348dae4
  Author: Yusuke Suzuki <[email protected]>
  Date:   2025-12-17 (Wed, 17 Dec 2025)

  Changed paths:
    A JSTests/wasm/stress/zero-clear-bbq-address.js
    M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT64.h

  Log Message:
  -----------
  [JSC] BBQ should not assume Int32 operands are StrictInt32
https://bugs.webkit.org/show_bug.cgi?id=301634
rdar://163201617

Reviewed by Yijia Huang and Dan Hecht.

OMG wasm call and wasm return are using Patchpoint, but these arguments
do not guarantee that Int32 is StrictInt32. But doing it causes massive
performance regression in JetStream3. This makes sense: in most of
cases, Int32 high bits do not matter since users are doing Int32
arithmetics and that ignores high bits. The current "def" side
zero-clearing is too inefficient since B3 is tracking zero-clear def in
Air. And it attempts to remove them when possible. So if "use" side does
zero-clearing, then B3 can optimize it (removing or hoisting). But "def"
side takes this cost early, and B3 cannot do anything when it is
transfered at a function call boundary (arguments and return values).

This is a reverse course of rdar://149685355. BBQ should not assume
Int32's high bits are cleared. Current approach is pessimising OMG to get
a bit cleaner BBQ for this very particular opcodes, and this is not great.
BBQ should ensure that whenever Int32 is used as a pointer-width, BBQ
should zero-extend, and all DFG / FTL are already doing so.

* JSTests/wasm/stress/zero-clear-bbq-address.js: Added.
(main):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::emitAllocateGCArrayUninitialized):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.h:
(JSC::Wasm::BBQJITImpl::BBQJIT::emitCheckAndPrepareAndMaterializePointerApply):

Originally-landed-as: 301765.193@safari-7623-branch (e94cf07c8a92). 
rdar://166337135
Canonical link: https://commits.webkit.org/304646@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to