Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c628c3c9d8ee39917b275755a3c671e2f05fc73f
https://github.com/WebKit/WebKit/commit/c628c3c9d8ee39917b275755a3c671e2f05fc73f
Author: Keith Miller <[email protected]>
Date: 2026-04-23 (Thu, 23 Apr 2026)
Changed paths:
A JSTests/wasm/stress/wide-arithmetic-const-inputs.js
A JSTests/wasm/stress/wide-arithmetic-unreachable.js
M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
M Source/JavaScriptCore/wasm/WasmFunctionParser.h
Log Message:
-----------
Crash/SIGILL/SIGSEGV when using wide-arithmetic instructions
rdar://175356222
https://bugs.webkit.org/show_bug.cgi?id=313006
Reviewed by Yusuke Suzuki.
BBQ JIT's wide arithmetic instructions (add128, sub128, mul_wide_s,
mul_wide_u) called loadIfNecessary() on their operands, which asserts
that the value is not a constant. When wasm code feeds i64.const values
into these instructions, the assertion fires and release builds emit
garbage code, causing traps or crashes.
Use materializeToGPR() instead, which handles both constant and
non-constant values by materializing constants into scratch registers.
Also add the wide arithmetic opcodes to parseUnreachableExpression()
so they are properly skipped in dead code after return/unreachable,
rather than hitting "invalid extended 0xfc op".
Also, fix an issue when rhs conflicts with eax on X86 that would produce
incorrect results.
Tests: JSTests/wasm/stress/wide-arithmetic-const-inputs.js
JSTests/wasm/stress/wide-arithmetic-unreachable.js
Canonical link: https://commits.webkit.org/311856@main
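As an added example (this is not code from the WebKit commit, from JavaScriptCore, or from the tests named above), the following JavaScript sketches how a regression harness for the bug described in the log message can be built: it hand-assembles a wasm module whose body feeds i64.const operands straight into one of the 0xfc-prefixed wide-arithmetic instructions, instantiates it if the running engine accepts the opcode, and compares the JIT's result with a BigInt oracle. The secondary opcode numbers (add128 = 19, sub128 = 20, mul_wide_s = 21, mul_wide_u = 22), the operand order and the (lo, hi) result order are taken from the wide-arithmetic proposal and are assumptions here; the function names, the test cases and the module layout are all constructed for this example.

```javascript
// Added example, not JavaScriptCore code: differential check of wasm
// wide-arithmetic instructions with constant (i64.const) inputs against a
// BigInt oracle. Opcode numbers below are assumed from the wide-arithmetic
// proposal; engines without the feature simply fail validation and are skipped.

const WIDE_OPS = {                 // secondary opcode after the 0xfc prefix (assumed)
  add128: 19, sub128: 20, mul_wide_s: 21, mul_wide_u: 22,
};

const u64 = (x) => BigInt.asUintN(64, BigInt(x));
const s64 = (x) => BigInt.asIntN(64, BigInt(x));
const join128 = (lo, hi) => (u64(hi) << 64n) | u64(lo);
const split128 = (r) => {          // unsigned 128-bit value -> [lo, hi] as wasm i64 BigInts
  r = BigInt.asUintN(128, r);
  return [s64(r & ((1n << 64n) - 1n)), s64(r >> 64n)];
};

// Reference semantics the engine's output is compared against.
const oracle = {
  add128: (aLo, aHi, bLo, bHi) => split128(join128(aLo, aHi) + join128(bLo, bHi)),
  sub128: (aLo, aHi, bLo, bHi) => split128(join128(aLo, aHi) - join128(bLo, bHi)),
  mul_wide_s: (a, b) => split128(s64(a) * s64(b)),
  mul_wide_u: (a, b) => split128(u64(a) * u64(b)),
};

// LEB128 encoders: unsigned for section/vector sizes, signed for i64.const.
function uleb(n) {
  const out = [];
  do { let b = n & 0x7f; n >>>= 7; if (n !== 0) b |= 0x80; out.push(b); } while (n !== 0);
  return out;
}
function sleb(v) {
  v = BigInt(v);
  const out = [];
  for (;;) {
    const b = Number(v & 0x7fn);
    v >>= 7n;                      // arithmetic shift on BigInt, sign-preserving
    const done = (v === 0n && !(b & 0x40)) || (v === -1n && (b & 0x40));
    if (done) { out.push(b); return out; }
    out.push(b | 0x80);
  }
}
const vec = (parts) => [...uleb(parts.length), ...parts.flat()];
const section = (id, payload) => [id, ...uleb(payload.length), ...payload];

// Module with a single exported function "f": () -> (i64, i64) whose body is
// a sequence of i64.const followed by one wide-arithmetic instruction.
function buildModule(op, consts) {
  const body = [0x00];                                   // no locals
  for (const c of consts) body.push(0x42, ...sleb(c));   // i64.const c
  body.push(0xfc, ...uleb(WIDE_OPS[op]), 0x0b);          // 0xfc <op> end
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,      // magic + version
    ...section(1, vec([[0x60, 0x00, 0x02, 0x7e, 0x7e]])), // type: () -> (i64, i64)
    ...section(3, vec([[0x00]])),                          // function 0 uses type 0
    ...section(7, vec([[0x01, 0x66, 0x00, 0x00]])),        // export "f" = func 0
    ...section(10, vec([[...uleb(body.length), ...body]])),
  ]);
}

function run(op, consts) {
  const bytes = buildModule(op, consts);
  if (!WebAssembly.validate(bytes)) return null;          // engine lacks wide-arithmetic
  const instance = new WebAssembly.Instance(new WebAssembly.Module(bytes));
  return instance.exports.f();                            // multi-value return -> [lo, hi]
}

function check(op, consts) {
  const expected = oracle[op](...consts);
  const actual = run(op, consts);
  if (actual === null) return { op, consts, skipped: true, expected };
  const ok = actual.length === 2 && actual[0] === expected[0] && actual[1] === expected[1];
  return { op, consts, skipped: false, ok, expected, actual };
}

// Constructed cases: carries, borrows, sign extension and the all-ones product.
const CASES = [
  ["add128", [-1n, 0n, 1n, 0n]],       // 2^64 - 1 + 1 carries into hi
  ["sub128", [0n, 0n, 1n, 0n]],        // 0 - 1 wraps to all ones
  ["mul_wide_s", [-2n, 3n]],           // negative product, hi must be -1
  ["mul_wide_u", [-1n, -1n]],          // (2^64-1)^2
];
function runAll() { return CASES.map(([op, c]) => check(op, c)); }

console.log(JSON.stringify(runAll(), (k, v) => (typeof v === "bigint" ? v.toString() : v), 2));
```

Because every operand is an i64.const, each case exercises exactly the constant-input path the log message describes; an engine with the bug would either trap during execution or return a pair that disagrees with the oracle, and an engine without the feature reports every case as skipped rather than failing.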