Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a6f42da10166a940ded9fdaa2018012470362516
https://github.com/WebKit/WebKit/commit/a6f42da10166a940ded9fdaa2018012470362516
Author: Vassili Bykov <[email protected]>
Date: 2026-06-12 (Fri, 12 Jun 2026)
Changed paths:
A JSTests/wasm/stress/tail-call-v128-ref-stack-overlap.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
M Source/JavaScriptCore/wasm/WasmBBQJIT.h
M Source/JavaScriptCore/wasm/WasmBBQJIT64.h
Log Message:
-----------
[JSC] BBQJIT tail call shuffle should detect overlapping stack slots
https://bugs.webkit.org/show_bug.cgi?id=312288
rdar://174490087
Reviewed by Dan Hecht.
Because in a tail call the caller and the callee frames overlap,
BBQJIT::emitTailCall() uses emitShuffle() to orchestrate the copying of call
arguments into their destination locations in such a way that if a caller temp
resides in the callee argument space and is itself passed as an argument, it is
not clobbered before it has been moved to its final location.

The move hazard detection in emitShuffleMove() compares stack locations by
offset only (via Location::operator==). The core assumption here is that source
and destination values with different base addresses never overlap, so a write
to a destination address A never clobbers a source value at address B.

This assumption does not always hold. Caller temps (source values) are always
16-byte aligned regardless of value type. Callee arguments (destination values)
are packed contiguously. If an i64 argument at address B is followed by a v128
argument, the v128 argument occupies the address range [B+8, B+24). This range
overlaps two temp slots with ranges [B, B+16) and [B+16, B+32). Because hazard
detection currently only considers the base address, this overlap will go
unnoticed and the shuffle may write the v128 argument before the values in the
overlapping source slots have been moved.

This patch adds a Location::overlaps() method which considers actual ranges for
Stack and StackArgument locations. The method replaces Location::operator==()
for hazard detection. The new method is also used in the destination
uniqueness assertion in emitShuffle.
Test: JSTests/wasm/stress/tail-call-v128-ref-stack-overlap.js
Originally-landed-as: 305413.670@safari-7624-branch (73c288dd8c72).
rdar://176058891
Canonical link: https://commits.webkit.org/315129@main
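The clobbering described in the commit message, reproduced as a byte-level model. This is an added example, not WebKit code: the Loc, Move, sameOffset, overlaps, shuffle and tailCallArgsIntact names are hypothetical, the scheduler is a simplified stand-in for emitShuffle (it does not handle cyclic moves), and Stack and StackArgument offsets are assumed to share one address space, as they do for the overlapping frames of a tail call. The constructed frame has 16-byte temp slots at [0,16), [16,32) and [32,48) and packed callee arguments i64 at [0,8), v128 at [8,24) and i64 at [24,32).

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical simplified model of a shuffle location (not WebKit's Location).
enum class Kind { Stack, StackArgument };

struct Loc {
    Kind kind;
    int offset;   // byte offset into the shared frame
    int width;    // bytes occupied: 8 for i64, 16 for v128
};

struct Move { Loc src; Loc dst; };

using HazardFn = bool (*)(const Loc& dst, const Loc& src);

// Old check: a write to dst is only considered to clobber src when both start
// at the same byte (offset-only comparison, like Location::operator==).
bool sameOffset(const Loc& dst, const Loc& src) {
    return dst.offset == src.offset;
}

// New check: the half-open byte ranges [offset, offset+width) intersect.
bool overlaps(const Loc& dst, const Loc& src) {
    return dst.offset < src.offset + src.width && src.offset < dst.offset + dst.width;
}

// Execute moves in an order where no write clobbers a still-pending source, as
// judged by `hazard`. Returns false if no safe move exists (cycle; not handled).
bool shuffle(std::vector<Move> pending, HazardFn hazard, std::array<uint8_t, 64>& frame) {
    while (!pending.empty()) {
        auto ready = std::find_if(pending.begin(), pending.end(), [&](const Move& m) {
            for (const Move& other : pending)
                if (&other != &m && hazard(m.dst, other.src)) return false;
            return true;
        });
        if (ready == pending.end()) return false;
        std::memmove(frame.data() + ready->dst.offset, frame.data() + ready->src.offset,
                     static_cast<size_t>(ready->dst.width));
        pending.erase(ready);
    }
    return true;
}

// Constructed scenario: temp slot [16,32) holds an i64 of 0x11 bytes, temp slot
// [32,48) holds a v128 of 0x22 bytes. The v128 goes to arg1 at [8,24), which
// overlaps the i64 temp at [16,24); the i64 goes to arg2 at [24,32).
// Returns true if both arguments arrive intact under the given hazard check.
bool tailCallArgsIntact(HazardFn hazard) {
    std::array<uint8_t, 64> frame{};
    std::memset(frame.data() + 16, 0x11, 8);
    std::memset(frame.data() + 32, 0x22, 16);

    std::vector<Move> moves = {
        { {Kind::Stack, 32, 16}, {Kind::StackArgument, 8, 16} },  // v128 temp -> arg1
        { {Kind::Stack, 16, 8},  {Kind::StackArgument, 24, 8} },  // i64 temp  -> arg2
    };
    if (!shuffle(moves, hazard, frame)) return false;

    uint8_t v128[16], i64[8];
    std::memset(v128, 0x22, sizeof v128);
    std::memset(i64, 0x11, sizeof i64);
    return std::memcmp(frame.data() + 8, v128, sizeof v128) == 0
        && std::memcmp(frame.data() + 24, i64, sizeof i64) == 0;
}

int main() {
    std::printf("offset-only hazard check: args intact = %d\n", tailCallArgsIntact(sameOffset));
    std::printf("range-aware hazard check: args intact = %d\n", tailCallArgsIntact(overlaps));
    return 0;
}
```

With sameOffset the scheduler sees no conflict between writing [8,24) and reading [16,24), emits the v128 store first, and the i64 argument ends up filled with 0x22 bytes; with overlaps the i64 move is forced ahead of the v128 store and both arguments survive.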