Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0acf64e0c0c305a120676415b888dd3d70cad1ae
https://github.com/WebKit/WebKit/commit/0acf64e0c0c305a120676415b888dd3d70cad1ae
Author: Robert Jenner <[email protected]>
Date: 2026-03-13 (Fri, 13 Mar 2026)
Changed paths:
A JSTests/wasm/stress/ipint-variable-length-gc-opcodes.js
M Source/JavaScriptCore/llint/InPlaceInterpreter64.asm
M Source/JavaScriptCore/wasm/WasmBBQJIT.h
A Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
M Source/JavaScriptCore/wasm/WasmConstExprGenerator.cpp
M Source/JavaScriptCore/wasm/WasmFunctionParser.h
M Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp
M Source/JavaScriptCore/wasm/WasmIPIntGenerator.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
Log Message:
-----------
[JSC] IPInt PC move should be recorded one for prefixed opcodes
https://bugs.webkit.org/show_bug.cgi?id=305813
rdar://168478682
Reviewed by Keith Miller and Dan Hecht.
Prefixed opcodes in IPInt (GC, SIMD, etc.) have a subsequent sub-opcode to
dispatch the actual instruction. However, this sub-opcode is encoded via
VarUInt32 LEB. This means that an opcode can have multiple different ways
to be encoded (e.g. one value can be represented via 2 bytes, 3 bytes,
etc.). As a result, we should not use advancePC(constant) since the
instruction is variable-length. This patch fixes the issue using
advancePC(constant).
Test: JSTests/wasm/stress/ipint-variable-length-gc-opcodes.js
* JSTests/wasm/stress/ipint-variable-length-gc-opcodes.js: Added.
(createRedundantLEB128):
(encodeVarUInt32):
(testRefI31RedundantEncoding):
(testI31GetRedundantEncoding):
(testArrayLenRedundantEncoding):
(testArrayFillRedundantEncoding):
(testArrayCopyRedundantEncoding):
(testExternAnyConvertRedundantEncoding):
* Source/JavaScriptCore/llint/InPlaceInterpreter64.asm:
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDConstant):
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDExtractLane):
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDReplaceLane):
(JSC::Wasm::BBQJITImpl::BBQJIT::addConstant): Deleted.
(JSC::Wasm::BBQJITImpl::BBQJIT::addExtractLane): Deleted.
(JSC::Wasm::BBQJITImpl::BBQJIT::addReplaceLane): Deleted.
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDConstant):
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDExtractLane):
(JSC::Wasm::BBQJITImpl::BBQJIT::addSIMDReplaceLane):
(JSC::Wasm::BBQJITImpl::BBQJIT::addConstant): Deleted.
(JSC::Wasm::BBQJITImpl::BBQJIT::addExtractLane): Deleted.
(JSC::Wasm::BBQJITImpl::BBQJIT::addReplaceLane): Deleted.
* Source/JavaScriptCore/wasm/WasmConstExprGenerator.cpp:
(JSC::Wasm::ConstExprGenerator::addSIMDConstant):
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser<Context>::simd):
* Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp:
(JSC::Wasm::IPIntGenerator::addSIMDSplat):
(JSC::Wasm::IPIntGenerator::addSIMDShuffle):
(JSC::Wasm::IPIntGenerator::addSIMDShift):
(JSC::Wasm::IPIntGenerator::addSIMDExtmul):
(JSC::Wasm::IPIntGenerator::addSIMDConstant):
(JSC::Wasm::IPIntGenerator::addSIMDExtractLane):
(JSC::Wasm::IPIntGenerator::addSIMDReplaceLane):
(JSC::Wasm::IPIntGenerator::addSIMDI_V):
(JSC::Wasm::IPIntGenerator::addSIMDV_V):
(JSC::Wasm::IPIntGenerator::addSIMDBitwiseSelect):
(JSC::Wasm::IPIntGenerator::addSIMDRelOp):
(JSC::Wasm::IPIntGenerator::addSIMDV_VV):
(JSC::Wasm::IPIntGenerator::addRefI31):
(JSC::Wasm::IPIntGenerator::addI31GetS):
(JSC::Wasm::IPIntGenerator::addI31GetU):
(JSC::Wasm::IPIntGenerator::addArrayLen):
(JSC::Wasm::IPIntGenerator::addArrayFill):
(JSC::Wasm::IPIntGenerator::addArrayCopy):
(JSC::Wasm::IPIntGenerator::addAnyConvertExtern):
(JSC::Wasm::IPIntGenerator::addExternConvertAny):
(JSC::Wasm::IPIntGenerator::addExtractLane): Deleted.
(JSC::Wasm::IPIntGenerator::addReplaceLane): Deleted.
* Source/JavaScriptCore/wasm/WasmIPIntGenerator.h:
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::addSIMDConstant):
(JSC::Wasm::OMGIRGenerator::addSIMDExtractLane):
(JSC::Wasm::OMGIRGenerator::addSIMDReplaceLane):
(JSC::Wasm::OMGIRGenerator::addExtractLane): Deleted.
(JSC::Wasm::OMGIRGenerator::addReplaceLane): Deleted.
Originally-landed-as: 301765.432@safari-7623-branch (37d2b52a42b9).
rdar://170270707
Canonical link: https://commits.webkit.org/309247@main
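The commit message describes why a fixed PC advance is wrong for prefixed opcodes: the sub-opcode after the prefix byte is a LEB128 VarUInt32, and LEB128 permits redundant encodings of the same value at different byte lengths. The following is an added illustration, not code from the WebKit repository or from the test the commit adds. It encodes a value with a chosen (padded) length, decodes it while reporting the bytes consumed, and contrasts a "prefix plus one byte" PC advance with the advance based on the actual encoded length. The `minBytes` parameter, the `nextPCAfterPrefixed` helper and the sample byte sequences are assumptions of this example; the GC prefix byte 0xFB is from the WebAssembly GC specification.

```javascript
// Added example (not WebKit code): LEB128 with redundant lengths, and why a
// prefixed opcode's sub-opcode must be skipped by its real width.

// Encode an unsigned 32-bit value as LEB128. `minBytes` (an assumed parameter,
// not from the commit) pads the encoding with continuation bytes so the same
// value occupies more bytes, e.g. 28 -> [0x1c] or [0x9c, 0x00] or [0x9c, 0x80, 0x00].
function encodeVarUInt32(value, minBytes = 1) {
  if (!Number.isInteger(value) || value < 0 || value > 0xffffffff) {
    throw new RangeError("value must be an unsigned 32-bit integer");
  }
  if (minBytes < 1 || minBytes > 5) throw new RangeError("minBytes must be 1..5");
  const bytes = [];
  let v = value >>> 0;
  do {
    let byte = v & 0x7f;
    v >>>= 7;
    // Set the continuation bit if more payload follows or padding is requested.
    if (v !== 0 || bytes.length + 1 < minBytes) byte |= 0x80;
    bytes.push(byte);
  } while (v !== 0 || bytes.length < minBytes);
  return bytes;
}

// Decode a VarUInt32 at `offset`. Returns { value, length }, where `length` is
// the number of bytes consumed. Enforces the 5-byte maximum and rejects a fifth
// byte that would set bits above bit 31, as a conforming wasm decoder must.
function decodeVarUInt32(bytes, offset = 0) {
  let result = 0;
  let shift = 0;
  let length = 0;
  for (;;) {
    if (length === 5) throw new RangeError("LEB128 longer than 5 bytes");
    if (offset + length >= bytes.length) throw new RangeError("truncated LEB128");
    const byte = bytes[offset + length];
    length++;
    if (length === 5 && (byte & 0x70) !== 0) {
      throw new RangeError("LEB128 value exceeds 32 bits");
    }
    result = (result | ((byte & 0x7f) << shift)) >>> 0;
    shift += 7;
    if ((byte & 0x80) === 0) break;
  }
  return { value: result, length };
}

// GC prefix byte from the WebAssembly GC specification.
const GC_PREFIX = 0xfb;

// Assumed helper: given code bytes and a PC at a GC-prefixed instruction, decode
// the sub-opcode and report both the PC a fixed "prefix + 1 byte" advance would
// produce (the behaviour the commit removes) and the PC after the bytes actually
// consumed. For a 1-byte sub-opcode the two agree; for a padded one they diverge.
function nextPCAfterPrefixed(code, pc) {
  if (code[pc] !== GC_PREFIX) throw new Error("not a GC-prefixed opcode");
  const { value: subOpcode, length } = decodeVarUInt32(code, pc + 1);
  return { subOpcode, fixedNextPC: pc + 2, actualNextPC: pc + 1 + length };
}

// Constructed sample: the same sub-opcode value 28 encoded in 1, 2 and 3 bytes,
// each followed by a trailing 0x0b byte standing in for the next instruction.
for (const width of [1, 2, 3]) {
  const code = [GC_PREFIX, ...encodeVarUInt32(28, width), 0x0b];
  const r = nextPCAfterPrefixed(code, 0);
  console.log(`width ${width}: sub-opcode ${r.subOpcode}, fixed advance -> pc ${r.fixedNextPC}, ` +
              `actual advance -> pc ${r.actualNextPC}, byte at fixed pc = 0x${code[r.fixedNextPC].toString(16)}`);
}
```

With the 2- and 3-byte encodings the fixed advance lands on a padding byte (0x00 or 0x80) rather than on the next instruction, which is exactly the desynchronisation between the decoded instruction stream and the interpreter's PC that the commit's test exercises through redundant LEB128 encodings.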