commit 38af2d11a53891d36db2adc946c621e143cf63f2
author keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Oct 11 18:47:19 2019 +0000
committer keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Oct 11 18:47:19 2019 +0000
tree e368dcca391db0f7750fb9f79fbe2b187ae7d675
parent 55267f300cb16060ee5e7307cc3d49e9c94d4bc6

Wasm B3IRGenerator should use arguments for control data.
https://bugs.webkit.org/show_bug.cgi?id=202855

Reviewed by Yusuke Suzuki.

JSTests:

* wasm/stress/loop-more-args-than-results.js: Added.

Source/JavaScriptCore:

This was failing a test on our bots. I'm not sure how I missed
it... I also added another test for good measure.

* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::ControlData::ControlData):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@251013 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog

diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index ab30a8d..cc097b5 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,12 @@
+2019-10-11  Keith Miller  <keith_miller@apple.com>
+
+        Wasm B3IRGenerator should use arguments for control data.
+        https://bugs.webkit.org/show_bug.cgi?id=202855
+
+        Reviewed by Yusuke Suzuki.
+
+        * wasm/stress/loop-more-args-than-results.js: Added.
+
 2019-10-10  Mark Lam  <mark.lam@apple.com>
 
         Modify JSTests/stress/string-overflow-createError-*.js tests to allow an OOME result.

JSTests/wasm/stress/loop-more-args-than-results.js

diff --git a/JSTests/wasm/stress/loop-more-args-than-results.js b/JSTests/wasm/stress/loop-more-args-than-results.js
new file mode 100644
index 0000000..c4e927a
--- /dev/null
+++ b/JSTests/wasm/stress/loop-more-args-than-results.js
@@ -0,0 +1,18 @@
+import { instantiate } from "../wabt-wrapper.js";
+
+let wat = `
+(module
+  (func (export "test") (param i32) (result i32)
+    i32.const 0
+    i32.const 1
+    (loop (param i32 i32) (result i32)
+      drop
+    )
+  )
+)
+`;
+
+let instance = instantiate(wat);
+
+if (instance.exports.test() !== 0)
+    throw new Error();

Source/JavaScriptCore/ChangeLog

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 836845a..13c6cd3 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2019-10-11  Keith Miller  <keith_miller@apple.com>
+
+        Wasm B3IRGenerator should use arguments for control data.
+        https://bugs.webkit.org/show_bug.cgi?id=202855
+
+        Reviewed by Yusuke Suzuki.
+
+        This was failing a test on our bots. I'm not sure how I missed
+        it... I also added another test for good measure.
+
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::ControlData::ControlData):
+
 2019-10-10  Keith Miller  <keith_miller@apple.com>
 
         GenerateAndAllocateRegisters can trivially elide self moves at end of liveness

Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

diff --git a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
index 8ef7078..4f01571 100644
--- a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
+++ b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
@@ -97,7 +97,7 @@
         {
             if (type == BlockType::Loop) {
                 for (unsigned i = 0; i < signature->argumentCount(); ++i)
-                    phis.append(proc.add<Value>(Phi, toB3Type(signature->returnType(i)), origin));
+                    phis.append(proc.add<Value>(Phi, toB3Type(signature->argument(i)), origin));
             } else {
                 for (unsigned i = 0; i < signature->returnCount(); ++i)
                     phis.append(proc.add<Value>(Phi, toB3Type(signature->returnType(i)), origin));