[arm64][liftoff] Fix trap handling on load lane

This fixes the registered {protected_load_pc} to (always) point to the actual load instruction. If {dst != src} we would emit a register move before the load, and the trap handler would then not recognize the PC where the signal occurs, leading to a segfault. R=thibaudm@chromium.org Bug: chromium:1242300, v8:12018 Change-Id: I3ed2a8307e353fd85a7ddedf6ecb73e90a112d32 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3136454Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#76642}

[arm64][liftoff] Fix trap handling on load lane
This fixes the registered {protected_load_pc} to (always) point to the actual load instruction. If {dst != src} we would emit a register move before the load, and the trap handler would then not recognize the PC where the signal occurs, leading to a segfault. R=thibaudm@chromium.org Bug: chromium:1242300, v8:12018 Change-Id: I3ed2a8307e353fd85a7ddedf6ecb73e90a112d32 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3136454Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#76642}
1786f8d7 · Clemens Backes · V8 LUCI CQ · dc81345f · 1786f8d7 · 1786f8d7
Commit 1786f8d7 authored Sep 02, 2021 by Clemens Backes Committed by V8 LUCI CQ Sep 02, 2021
Showing with 27 additions and 2 deletions

liftoff-assembler-arm64.h src/wasm/baseline/arm64/liftoff-assembler-arm64.h +1 -1

mjsunit.status test/mjsunit/mjsunit.status +2 -1

regress-1242300.js test/mjsunit/regress/wasm/regress-1242300.js +24 -0

No files found.
--- a/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
+++ b/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
@@ -1707,13 +1707,13 @@ void LiftoffAssembler::LoadLane(LiftoffRegister dst, LiftoffRegister src,
  UseScratchRegisterScope temps(this);
  MemOperand src_op{
      liftoff::GetEffectiveAddress(this, &temps, addr, offset_reg, offset_imm)};
-  *protected_load_pc = pc_offset();

  MachineType mem_type = type.mem_type();
  if (dst != src) {
    Mov(dst.fp().Q(), src.fp().Q());
  }

+  *protected_load_pc = pc_offset();
  if (mem_type == MachineType::Int8()) {
    ld1(dst.fp().B(), laneidx, src_op);
  } else if (mem_type == MachineType::Int16()) {

--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -1478,8 +1478,9 @@

 ##############################################################################
 ['variant == instruction_scheduling or variant == stress_instruction_scheduling', {
-  # BUG(12018): This test currently fails with --turbo-instruction-scheduling.
+  # BUG(12018): These tests currently fail with --turbo-instruction-scheduling.
  'regress/wasm/regress-1231950': [SKIP],
+  'regress/wasm/regress-1242300': [SKIP],
 }],  # variant == instruction_scheduling or variant == stress_instruction_scheduling

 ################################################################################

--- a/test/mjsunit/regress/wasm/regress-1242300.js
+++ b/test/mjsunit/regress/wasm/regress-1242300.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(16, 32);
+builder.addFunction(undefined, kSig_i_iii)
+  .addBody([
+    kExprI32Const, 0x7f,  // i32.const
+    kExprI32Const, 0x1e,  // i32.const
+    kSimdPrefix, kExprI8x16Splat,  // i8x16.splat
+    kExprI32Const, 0,  // i32.const
+    kSimdPrefix, kExprI8x16Splat,  // i8x16.splat
+    kExprI32Const, 0,  // i32.const
+    kSimdPrefix, kExprI8x16Splat,  // i8x16.splat
+    kSimdPrefix, kExprS128Select,  // s128.select
+    kSimdPrefix, kExprS128Load32Lane, 0x00, 0x89, 0xfe, 0x03, 0x00,  // s128.load32_lane
+    kExprUnreachable,
+]);
+builder.addExport('main', 0);
+const instance = builder.instantiate();
+assertTraps(kTrapMemOutOfBounds, () => instance.exports.main(1, 2, 3));