[maglev] Fix unbalanced push in deferred write barrier

We check page flags in the deferred write barrier, and bail out early if pointers to that page are not interesting. Make sure that the slot register saving happens after that early bailout, to avoid unbalanced push/pop. To avoid bugs like this in the future, add a stack size check as a prefix to every node's code gen. Bug: v8:7700 Change-Id: I54a00fcbc843d473a1ca1e6cf3d852a0c60621c0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3769695Reviewed-by: Igor Sheludko <ishell@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#81780}

[maglev] Fix unbalanced push in deferred write barrier
We check page flags in the deferred write barrier, and bail out early if pointers to that page are not interesting. Make sure that the slot register saving happens after that early bailout, to avoid unbalanced push/pop. To avoid bugs like this in the future, add a stack size check as a prefix to every node's code gen. Bug: v8:7700 Change-Id: I54a00fcbc843d473a1ca1e6cf3d852a0c60621c0 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3769695Reviewed-by: Igor Sheludko <ishell@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#81780}
035982c6 · Leszek Swirski · V8 LUCI CQ · c08756d0 · 035982c6 · 035982c6
Commit 035982c6 authored Jul 18, 2022 by Leszek Swirski Committed by V8 LUCI CQ Jul 18, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 4 deletions

maglev-code-generator.cc src/maglev/maglev-code-generator.cc +9 -0

maglev-ir.cc src/maglev/maglev-ir.cc +5 -4

No files found.
--- a/src/maglev/maglev-code-generator.cc
+++ b/src/maglev/maglev-code-generator.cc
@@ -131,6 +131,15 @@ class MaglevCodeGeneratingNodeProcessor {
      __ RecordComment(ss.str());
    }

+    if (FLAG_debug_code) {
+      __ movq(kScratchRegister, rbp);
+      __ subq(kScratchRegister, rsp);
+      __ cmpq(kScratchRegister,
+              Immediate(code_gen_state_->stack_slots() * kSystemPointerSize +
+                        StandardFrameConstants::kFixedFrameSizeFromFp));
+      __ Assert(equal, AbortReason::kStackAccessBelowStackPointer);
+    }
+
    // Emit Phi moves before visiting the control node.
    if (std::is_base_of<UnconditionalControlNode, NodeT>::value) {
      EmitBlockEndGapMoves(node->template Cast<UnconditionalControlNode>(),

--- a/src/maglev/maglev-ir.cc
+++ b/src/maglev/maglev-ir.cc
@@ -1001,16 +1001,17 @@ void StoreTaggedFieldWithWriteBarrier::GenerateCode(
         StoreTaggedFieldWithWriteBarrier* node) {
        ASM_CODE_COMMENT_STRING(code_gen_state->masm(),
                                "Write barrier slow path");
+        __ CheckPageFlag(value, kScratchRegister,
+                         MemoryChunk::kPointersToHereAreInterestingMask, zero,
+                         return_label);
+
        Register slot_reg = WriteBarrierDescriptor::SlotAddressRegister();
        RegList saved;
        if (node->register_snapshot().live_registers.has(slot_reg)) {
          saved.set(slot_reg);
        }
-        __ PushAll(saved);

-        __ CheckPageFlag(value, kScratchRegister,
-                         MemoryChunk::kPointersToHereAreInterestingMask, zero,
-                         return_label);
+        __ PushAll(saved);
        __ leaq(slot_reg, FieldOperand(object, node->offset()));

        SaveFPRegsMode const save_fp_mode =