Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c410d58148a69bd4a4c5093c2820d5a988de0420
https://github.com/WebKit/WebKit/commit/c410d58148a69bd4a4c5093c2820d5a988de0420
Author: Dan Hecht <[email protected]>
Date: 2025-12-18 (Thu, 18 Dec 2025)
Changed paths:
A JSTests/wasm/stress/simd-inline-exceptions.js
M Source/JavaScriptCore/assembler/MacroAssembler.cpp
M Source/JavaScriptCore/assembler/MacroAssembler.h
M Source/JavaScriptCore/assembler/MacroAssemblerARM64.cpp
M Source/JavaScriptCore/assembler/MacroAssemblerARMv7.cpp
M Source/JavaScriptCore/assembler/MacroAssemblerRISCV64.cpp
M Source/JavaScriptCore/assembler/MacroAssemblerX86_64.cpp
M Source/JavaScriptCore/assembler/ProbeContext.h
M Source/JavaScriptCore/dfg/DFGOSRExit.cpp
M Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
M Source/JavaScriptCore/wasm/WasmCallee.h
M Source/JavaScriptCore/wasm/WasmContext.cpp
M Source/JavaScriptCore/wasm/WasmContext.h
M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp
M Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
M Source/JavaScriptCore/wasm/WasmOperations.cpp
M Source/JavaScriptCore/wasm/WasmOperations.h
Log Message:
-----------
[JSC] Wasm: fix exceptions with inlining between SIMD and non-SIMD functions
rdar://163013486
https://bugs.webkit.org/show_bug.cgi?id=301380

Reviewed by Yusuke Suzuki.

Currently, OSR and exception scratch buffer entries are sized dependent
on whether the function uses SIMD or not. When OMG inlines a function,
the caller and callee make independent choices about the size of
the scratch buffer entry for the catch entry points and throw/call
patchpoints. This is not correct when the catch site and throw/call site
disagree since the buffer will be misinterpreted.

Let's fix this and simplify things by just having a single size for
scratch buffer entries large enough to fit vectors. As a consequence,
also combine the SIMD and non-SIMD probe code that always saves/restores
vector-width FPRs.

Test: JSTests/wasm/stress/simd-inline-exceptions.js

* JSTests/wasm/stress/simd-inline-exceptions.js: Added.
(async testSIMDInlinedIntoNonSIMD):
(async testNonSIMDInlinedIntoSIMD):
* Source/JavaScriptCore/assembler/MacroAssembler.cpp:
(JSC::MacroAssembler::probeDebugSIMD): Deleted.
* Source/JavaScriptCore/assembler/MacroAssembler.h:
* Source/JavaScriptCore/assembler/MacroAssemblerARM64.cpp:
(JSC::MacroAssembler::probe):
* Source/JavaScriptCore/assembler/MacroAssemblerARMv7.cpp:
(JSC::MacroAssembler::probe):
* Source/JavaScriptCore/assembler/MacroAssemblerRISCV64.cpp:
(JSC::MacroAssembler::probe):
* Source/JavaScriptCore/assembler/MacroAssemblerX86_64.cpp:
(JSC::MacroAssembler::probe):
* Source/JavaScriptCore/assembler/ProbeContext.h:
(JSC::Probe::CPUState::fpr):
(JSC::Probe::CPUState::fpr const):
(JSC::Probe::Context::fpr):
(): Deleted.
* Source/JavaScriptCore/dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileExit):
* Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addLoopOSREntrypoint):
(JSC::Wasm::BBQJITImpl::BBQJIT::makeStackMap):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitLoopTierUpCheckAndOSREntryData):
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::work):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmContext.cpp:
(JSC::Wasm::Context::scratchBufferForSize):
* Source/JavaScriptCore/wasm/WasmContext.h:
(JSC::Wasm::Context::scratchBufferSlotsPerValue): Deleted.
* Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:
(JSC::IPInt::buildEntryBufferForLoopOSR):
(JSC::IPInt::WASM_IPINT_EXTERN_CPP_DECL):
* Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h:
(JSC::Wasm::buildEntryBufferForCatch):
(JSC::Wasm::buildEntryBufferForCatchSIMD): Deleted.
(JSC::Wasm::buildEntryBufferForCatchNoSIMD): Deleted.
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::OMGIRGenerator):
(JSC::Wasm::OMGIRGenerator::insertEntrySwitch):
(JSC::Wasm::OMGIRGenerator::addArguments):
(JSC::Wasm::OMGIRGenerator::loadFromScratchBuffer):
(JSC::Wasm::OMGIRGenerator::addLoop):
(JSC::Wasm::prepareForTailCallImpl):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp:
(JSC::Wasm::OMGIRGenerator::OMGIRGenerator):
(JSC::Wasm::OMGIRGenerator::insertEntrySwitch):
(JSC::Wasm::OMGIRGenerator::addArguments):
(JSC::Wasm::prepareForTailCallImpl):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::loadValuesIntoBuffer):
(JSC::Wasm::doOSREntry):
(JSC::Wasm::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmOperations.h:
Originally-landed-as: 301765.112@safari-7623-branch (bd8fd327ea0b).
rdar://166338130
Canonical link: https://commits.webkit.org/304684@main
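
The entry-size disagreement the log message describes, as an added example: a simplified C++ model that is not JavaScriptCore code and not part of this commit. The slot counts, the sentinel, the sample values and the names `spill`, `reload` and `roundTrips` are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified model, not JavaScriptCore code. The buffer is a flat array of
// 64-bit slots; each saved value gets `slotsPerValue` consecutive slots.
constexpr size_t kScalarSlots = 1; // assumption: 8-byte entry, non-SIMD function
constexpr size_t kVectorSlots = 2; // assumption: 16-byte entry, fits a v128
constexpr uint64_t kOutOfRange = 0xBADBADBADBADBADULL; // marks a read past the data
const std::vector<uint64_t> kSample = { 0x11, 0x22, 0x33 }; // constructed values

// Throw/call side: store value i at the start of entry i.
std::vector<uint64_t> spill(const std::vector<uint64_t>& values, size_t slotsPerValue)
{
    std::vector<uint64_t> buffer(values.size() * slotsPerValue, 0);
    for (size_t i = 0; i < values.size(); ++i)
        buffer[i * slotsPerValue] = values[i];
    return buffer;
}

// Catch side: reload `count` values using its own entry size. Reads are
// bounds-checked so the model stays well-defined when the sizes disagree.
std::vector<uint64_t> reload(const std::vector<uint64_t>& buffer, size_t count, size_t slotsPerValue)
{
    std::vector<uint64_t> values;
    for (size_t i = 0; i < count; ++i) {
        size_t slot = i * slotsPerValue;
        values.push_back(slot < buffer.size() ? buffer[slot] : kOutOfRange);
    }
    return values;
}

// True when the catch side recovers exactly what the throw side saved.
bool roundTrips(size_t throwSlots, size_t catchSlots)
{
    return reload(spill(kSample, throwSlots), kSample.size(), catchSlots) == kSample;
}

int main()
{
    std::printf("scalar throw -> vector catch: %s\n", roundTrips(kScalarSlots, kVectorSlots) ? "ok" : "misread");
    std::printf("vector throw -> scalar catch: %s\n", roundTrips(kVectorSlots, kScalarSlots) ? "ok" : "misread");
    std::printf("single vector-sized entry:    %s\n", roundTrips(kVectorSlots, kVectorSlots) ? "ok" : "misread");
    return 0;
}
```

With one entry size on both sides the values round-trip; with mismatched sizes the catch side picks up padding, the wrong neighbour, or slots past the saved data.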