Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d7c68bba90b9e4911ea149d946e42bd0bae9a4cc
https://github.com/WebKit/WebKit/commit/d7c68bba90b9e4911ea149d946e42bd0bae9a4cc
Author: Dan Hecht <[email protected]>
Date: 2026-01-04 (Sun, 04 Jan 2026)
Changed paths:
M Source/JavaScriptCore/b3/air/AirAllocateRegistersByGreedy.cpp
Log Message:
-----------
[JSC] GreedyRegAlloc: fix asserts with overlapping tmps coalesced to a pinned
register
https://bugs.webkit.org/show_bug.cgi?id=304912
rdar://167516099
Reviewed by Yusuke Suzuki.
If two tmps are both coalesced to the same pinned register and have
overlapping lifetimes, asserts will fire. The wasm compiler does not
generate code like this but it's legal Air code and testair generates it.
Two problems:
1. assign() expects that the live range of a tmp being assigned to a
register does not overlap with the live ranges of any other tmps
already assigned to that register. With pinned register coalescing
this is not true since the allocator handles coalescing of tmp copies
where lifetimes overlap (but with no conflicting defs).
The fix is to just record the register assignment but don't track
RegRanges for pinned registers since they are meaningless anyway
(pinned registers are always alive) and the underlying IntervalSet
data structure cannot handle overlapping ranges by design.
2. validateAssignments() needs to understand pinned coalescing of
multiple tmps with overlapping live ranges.
Testing: fixes the asserts in testair testArgumentRegPinned*
Canonical link: https://commits.webkit.org/305096@main