[wasm][liftoff][arm] Guarantee scratch register for spilling

Spilling a register in Liftoff require a scratch register when the
offset of the stack slot from fp is greater than 2^12. This CL adds
a check to LiftoffAssembler::Spill on arm to check that a scratch
register is available. It also fixes one case where the scratch register
was not available.

R=clemensb@chromium.org
CC=zhin@chromium.org

Bug: chromium:1075953
Change-Id: Idb2bc7e26e3d4fbd6bb0eb6c9a9b8cfd8b3c569e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2172424
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#67494}

src/wasm/baseline/arm/liftoff-assembler-arm.h

@@ -594,9 +594,11 @@ inline void AtomicOp32(
       result_reg == offset_reg) {
     result_reg = __ GetUnusedRegister(kGpReg, pinned).gp();
   }
+
   UseScratchRegisterScope temps(lasm);
   Register actual_addr = liftoff::CalculateActualAddress(
       lasm, &temps, dst_addr, offset_reg, offset_imm);
+
   __ dmb(ISH);
   Label retry;
   __ bind(&retry);
@@ -730,6 +732,7 @@ inline void AtomicOp64(LiftoffAssembler* lasm, Register dst_addr,
   }
 
   Register store_result = __ GetUnusedRegister(kGpReg, pinned).gp();
+
   UseScratchRegisterScope temps(lasm);
   Register actual_addr = liftoff::CalculateActualAddress(
       lasm, &temps, dst_addr, offset_reg, offset_imm);
@@ -961,6 +964,12 @@ void LiftoffAssembler::Move(DoubleRegister dst, DoubleRegister src,
 }
 
 void LiftoffAssembler::Spill(int offset, LiftoffRegister reg, ValueType type) {
+#ifdef DEBUG
+  // The {str} instruction needs a temp register when the immediate in the
+  // provided MemOperand does not fit into 12 bits. This happens for large stack
+  // frames. This DCHECK checks that the temp register is available when needed.
+  DCHECK(UseScratchRegisterScope{this}.CanAcquire());
+#endif
   RecordUsedSpillOffset(offset);
   MemOperand dst = liftoff::GetStackSlot(offset);
   switch (type.kind()) {

test/mjsunit/regress/wasm/regress-1075953.js

+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-staging
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(1, 1, false, true);
+const sig = builder.addType(makeSig([], [kWasmI32]));
+
+builder.addFunction(undefined, sig)
+  .addLocals({i32_count: 1002}).addLocals({i64_count: 3})
+  .addBodyWithEnd([
+// signature: i_v
+// body:
+  kExprLocalGet, 0xec, 0x07,  // local.get
+  kExprLocalGet, 0xea, 0x07,  // local.set
+  kExprLocalGet, 0x17,  // local.set
+  kExprLocalGet, 0xb5, 0x01,  // local.set
+  kExprI32Const, 0x00,  // i32.const
+  kExprIf, kWasmI32,  // if @39 i32
+    kExprI32Const, 0x91, 0xe8, 0x7e,  // i32.const
+  kExprElse,  // else @45
+    kExprI32Const, 0x00,  // i32.const
+    kExprEnd,  // end @48
+  kExprIf, kWasmStmt,  // if @49
+    kExprI32Const, 0x00,  // i32.const
+    kExprI32Const, 0x00,  // i32.const
+    kAtomicPrefix, kExprI32AtomicSub, 0x01, 0x04,  // i32.atomic.sub
+    kExprDrop,
+  kExprEnd,
+  kExprUnreachable,
+kExprEnd
+]);
+
+const instance = builder.instantiate();