Modified: branches/safari-609.1.20.1-branch/JSTests/ChangeLog (256975 => 256976)
--- branches/safari-609.1.20.1-branch/JSTests/ChangeLog 2020-02-19 23:38:03 UTC (rev 256975)
+++ branches/safari-609.1.20.1-branch/JSTests/ChangeLog 2020-02-19 23:38:08 UTC (rev 256976)
@@ -1,3 +1,39 @@
+2020-02-19 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r256766. rdar://problem/59576813
+
+ [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
+ https://bugs.webkit.org/show_bug.cgi?id=207849
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * wasm/regress/regress-256665.js: Added.
+ (f):
+
+ Source/_javascript_Core:
+
+ When generating the call IC, we should select the callee saves using BoundsChecking mode in order
+ to obey to the calling conventions described in r256665. Currently, we won't restore the memory size
+ register when calling the Wasm LLInt through the call IC.
+
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::calleeSaves const):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256766 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-02-17 Tadeu Zagallo <tzaga...@apple.com>
+
+ [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
+ https://bugs.webkit.org/show_bug.cgi?id=207849
+
+ Reviewed by Mark Lam.
+
+ * wasm/regress/regress-256665.js: Added.
+ (f):
+
2020-02-03 Russell Epstein <repst...@apple.com>
Cherry-pick r255529. rdar://problem/59098310
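Review bot: the JSTests entry lists only "(f):" under wasm/regress/regress-256665.js and says nothing about what the test drives; a one-line description (a JS call into a Wasm export through the call IC, followed by JS code that runs after the call returns) would help anyone bisecting this branch, since the Source/JavaScriptCore paragraph nested under it describes the fix rather than the test.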
Added: branches/safari-609.1.20.1-branch/JSTests/wasm/regress/regress-256665.js (0 => 256976)
--- branches/safari-609.1.20.1-branch/JSTests/wasm/regress/regress-256665.js (rev 0)
+++ branches/safari-609.1.20.1-branch/JSTests/wasm/regress/regress-256665.js 2020-02-19 23:38:08 UTC (rev 256976)
@@ -0,0 +1,12 @@
+//@ requireOptions("--useConcurrentJIT=false", "--jitPolicyScale=0")
+
+function f() {
+ var buffer = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 6, 1, 96, 1, 127, 1, 127, 3, 2, 1, 0, 5, 3, 1, 0, 0, 7, 8, 1, 4, 108, 111, 97, 100, 0, 0, 10, 9, 1, 7, 0, 32, 0, 40, 0, 100, 11]);
+ var module = new WebAssembly.Module(buffer);
+ var instance = new WebAssembly.Instance(module);
+ try { instance.exports.load(0x10000 - 100 - 4); } catch (e) {}
+ (555)[0];
+}
+
+f();
+f();
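Review bot: the `try { instance.exports.load(0x10000 - 100 - 4); } catch (e) {}` line swallows every exception, so the test also passes silently if the export is missing or the call throws for an unrelated reason; narrow it to the expected trap, e.g. `catch (e) { if (!(e instanceof WebAssembly.RuntimeError)) throw e; }`. The byte array is also opaque to the next reader: decoding it gives one function exported as "load" whose body is `local.get 0` / `i32.load offset=100`, and a memory section (`5, 3, 1, 0, 0`) whose minimum is 0 pages, so the load traps at any address and the `0x10000 - 100 - 4` argument does not actually exercise a page boundary; add a comment with the text-format equivalent and, if the last in-bounds access of a one-page memory was intended, change the minimum byte to 1. The `//@ requireOptions("--useConcurrentJIT=false", "--jitPolicyScale=0")` line is what makes the second `f()` call go through the tiered-up call IC; that deserves a comment too, as does the trailing `(555)[0]`, which is presumably the JS work that observes the clobbered register.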
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/ChangeLog (256975 => 256976)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/ChangeLog 2020-02-19 23:38:03 UTC (rev 256975)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/ChangeLog 2020-02-19 23:38:08 UTC (rev 256976)
@@ -1,3 +1,43 @@
+2020-02-19 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r256766. rdar://problem/59576813
+
+ [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
+ https://bugs.webkit.org/show_bug.cgi?id=207849
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * wasm/regress/regress-256665.js: Added.
+ (f):
+
+ Source/_javascript_Core:
+
+ When generating the call IC, we should select the callee saves using BoundsChecking mode in order
+ to obey to the calling conventions described in r256665. Currently, we won't restore the memory size
+ register when calling the Wasm LLInt through the call IC.
+
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::calleeSaves const):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256766 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-02-17 Tadeu Zagallo <tzaga...@apple.com>
+
+ [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
+ https://bugs.webkit.org/show_bug.cgi?id=207849
+
+ Reviewed by Mark Lam.
+
+ When generating the call IC, we should select the callee saves using BoundsChecking mode in order
+ to obey to the calling conventions described in r256665. Currently, we won't restore the memory size
+ register when calling the Wasm LLInt through the call IC.
+
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::calleeSaves const):
+
2020-02-14 Russell Epstein <repst...@apple.com>
Cherry-pick r256498. rdar://problem/59478929
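Review bot: the title says "Wasm->JS call IC" while the paragraph below it (and the fix in WebAssemblyFunction::calleeSaves) concerns the IC used when "calling the Wasm LLInt through the call IC", i.e. the JS->Wasm direction; align the title or state in the paragraph which IC is meant so the two cannot be read as contradicting each other. Minor: "obey to the calling conventions" should be "obey the calling conventions". The paragraph would also benefit from saying why `instance()->memoryMode()` is the wrong selector, namely that the LLInt always bounds checks regardless of the instance's memory mode, so the callee-save set has to be the BoundsChecking one for every instance.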
Modified: branches/safari-609.1.20.1-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp (256975 => 256976)
--- branches/safari-609.1.20.1-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2020-02-19 23:38:03 UTC (rev 256975)
+++ branches/safari-609.1.20.1-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2020-02-19 23:38:08 UTC (rev 256976)
@@ -161,7 +161,8 @@
RegisterSet WebAssemblyFunction::calleeSaves() const
{
- return Wasm::PinnedRegisterInfo::get().toSave(instance()->memoryMode());
+ // Pessimistically save callee saves in BoundsChecking mode since the LLInt always bounds checks
+ return Wasm::PinnedRegisterInfo::get().toSave(Wasm::MemoryMode::BoundsChecking);
}
RegisterAtOffsetList WebAssemblyFunction::usedCalleeSaveRegisters() const
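Review bot: the new comment on `WebAssemblyFunction::calleeSaves` says why BoundsChecking is used but not what breaks otherwise; reference bug 207849 / r256665 there so the removed `instance()->memoryMode()` form is not reintroduced later as an optimisation. `usedCalleeSaveRegisters()` directly below is the other half of the save/restore contract and its body is outside this hunk; confirm it is derived from the same BoundsChecking set (or from `calleeSaves()` itself), because if the two ever disagree the IC would save one register set and restore another, which is exactly the class of bug this change fixes. The cost of the pessimistic choice is the extra register saved and restored on every IC call for instances that are not in BoundsChecking mode; a word in the comment that this trade-off is accepted would complete the picture.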