Modified: branches/safari-609.1.20.0-branch/JSTests/ChangeLog (256959 => 256960)
--- branches/safari-609.1.20.0-branch/JSTests/ChangeLog 2020-02-19 23:07:54 UTC (rev 256959)
+++ branches/safari-609.1.20.0-branch/JSTests/ChangeLog 2020-02-19 23:07:57 UTC (rev 256960)
@@ -1,5 +1,41 @@
2020-02-19 Russell Epstein <repst...@apple.com>
+ Cherry-pick r256766. rdar://problem/59551706
+
+ [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
+ https://bugs.webkit.org/show_bug.cgi?id=207849
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * wasm/regress/regress-256665.js: Added.
+ (f):
+
+ Source/_javascript_Core:
+
+ When generating the call IC, we should select the callee saves using BoundsChecking mode in order
+ to obey to the calling conventions described in r256665. Currently, we won't restore the memory size
+ register when calling the Wasm LLInt through the call IC.
+
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::calleeSaves const):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256766 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-02-17 Tadeu Zagallo <tzaga...@apple.com>
+
+ [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
+ https://bugs.webkit.org/show_bug.cgi?id=207849
+
+ Reviewed by Mark Lam.
+
+ * wasm/regress/regress-256665.js: Added.
+ (f):
+
+2020-02-19 Russell Epstein <repst...@apple.com>
+
Cherry-pick r256698. rdar://problem/59551715
Unreviewed: fix broken tests added in r256665
Added: branches/safari-609.1.20.0-branch/JSTests/wasm/regress/regress-256665.js (0 => 256960)
--- branches/safari-609.1.20.0-branch/JSTests/wasm/regress/regress-256665.js (rev 0)
+++ branches/safari-609.1.20.0-branch/JSTests/wasm/regress/regress-256665.js 2020-02-19 23:07:57 UTC (rev 256960)
@@ -0,0 +1,12 @@
+//@ requireOptions("--useConcurrentJIT=false", "--jitPolicyScale=0")
+
+function f() {
+ var buffer = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 6, 1, 96, 1, 127, 1, 127, 3, 2, 1, 0, 5, 3, 1, 0, 0, 7, 8, 1, 4, 108, 111, 97, 100, 0, 0, 10, 9, 1, 7, 0, 32, 0, 40, 0, 100, 11]);
+ var module = new WebAssembly.Module(buffer);
+ var instance = new WebAssembly.Instance(module);
+ try { instance.exports.load(0x10000 - 100 - 4); } catch (e) {}
+ (555)[0];
+}
+
+f();
+f();
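Review bot: the test only fails by crashing, and the bare `catch (e) {}` at `try { instance.exports.load(0x10000 - 100 - 4); } catch (e) {}` swallows whatever is thrown, so it would still pass if the trap path it is meant to exercise stopped being taken. Decoding the module bytes: one memory with zero initial pages and one exported function `load` that does `local.get 0; i32.load offset=100`; with zero pages every load traps, while the index `0x10000 - 100 - 4` reads as the last in-bounds 4-byte access of a one-page memory, so either the memory minimum or the index looks unintended and a comment should say which is meant. Consider `catch (e) { if (!(e instanceof WebAssembly.RuntimeError)) throw e; }` so an unexpected exception fails the test, and add a short comment on why `(555)[0]` follows the call and why `f()` is invoked twice (presumably so the second call goes through the generated call IC, which is what the ChangeLog describes).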
Modified: branches/safari-609.1.20.0-branch/Source/_javascript_Core/ChangeLog (256959 => 256960)
--- branches/safari-609.1.20.0-branch/Source/_javascript_Core/ChangeLog 2020-02-19 23:07:54 UTC (rev 256959)
+++ branches/safari-609.1.20.0-branch/Source/_javascript_Core/ChangeLog 2020-02-19 23:07:57 UTC (rev 256960)
@@ -1,5 +1,45 @@
2020-02-19 Russell Epstein <repst...@apple.com>
+ Cherry-pick r256766. rdar://problem/59551706
+
+ [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
+ https://bugs.webkit.org/show_bug.cgi?id=207849
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * wasm/regress/regress-256665.js: Added.
+ (f):
+
+ Source/_javascript_Core:
+
+ When generating the call IC, we should select the callee saves using BoundsChecking mode in order
+ to obey to the calling conventions described in r256665. Currently, we won't restore the memory size
+ register when calling the Wasm LLInt through the call IC.
+
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::calleeSaves const):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@256766 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-02-17 Tadeu Zagallo <tzaga...@apple.com>
+
+ [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
+ https://bugs.webkit.org/show_bug.cgi?id=207849
+
+ Reviewed by Mark Lam.
+
+ When generating the call IC, we should select the callee saves using BoundsChecking mode in order
+ to obey to the calling conventions described in r256665. Currently, we won't restore the memory size
+ register when calling the Wasm LLInt through the call IC.
+
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::calleeSaves const):
+
+2020-02-19 Russell Epstein <repst...@apple.com>
+
Cherry-pick r256665. rdar://problem/59551715
[WASM] Wasm interpreter's calling convention doesn't match Wasm JIT's convention.
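Review bot: the description paragraph starting "When generating the call IC" has a grammar slip, "obey to the calling conventions" should read "obey the calling conventions", and the same wording is repeated in the nested 2020-02-17 entry. It would also help to name the register the title refers to as the "memory size register" alongside "callee saves", since the body otherwise never says which register is at stake when the call IC reaches the Wasm LLInt.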
Modified: branches/safari-609.1.20.0-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp (256959 => 256960)
--- branches/safari-609.1.20.0-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2020-02-19 23:07:54 UTC (rev 256959)
+++ branches/safari-609.1.20.0-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2020-02-19 23:07:57 UTC (rev 256960)
@@ -161,7 +161,8 @@
RegisterSet WebAssemblyFunction::calleeSaves() const
{
- return Wasm::PinnedRegisterInfo::get().toSave(instance()->memoryMode());
+ // Pessimistically save callee saves in BoundsChecking mode since the LLInt always bounds checks
+ return Wasm::PinnedRegisterInfo::get().toSave(Wasm::MemoryMode::BoundsChecking);
}
RegisterAtOffsetList WebAssemblyFunction::usedCalleeSaveRegisters() const
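Review bot: the new comment at `// Pessimistically save callee saves in BoundsChecking mode since the LLInt always bounds checks` gives a weaker reason than the ChangeLog, which ties this to the calling convention introduced in r256665; citing r256665 or https://bugs.webkit.org/show_bug.cgi?id=207849 in the comment would stop someone later restoring `toSave(instance()->memoryMode())` as an optimization and reintroducing the unrestored memory size register. Please also confirm that `usedCalleeSaveRegisters()` directly below derives from this function rather than computing its own set from `instance()->memoryMode()`, otherwise the saved register set and the offset list could disagree. Style nit: the comment should end with a period.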