Commit 1b11d98f authored by Andreas Haas's avatar Andreas Haas Committed by Commit Bot

[turbofan] Binop Instructions can have up to 5 input operands

The clusterfuzz issue crashes because VisitBinop expected only 4
input operands, but in the generated graph 5 input operands get created.
The issue is fixed by increasing the size of the input operand buffer.

R=jarin@chromium.org

Bug: chromium:842501
Change-Id: I4bbb09a968e165e6f5a0a02d06eee97333f7aa38
Reviewed-on: https://chromium-review.googlesource.com/1056989Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53147}
parent 2c7e4f21
......@@ -427,7 +427,7 @@ static void VisitBinop(InstructionSelector* selector, Node* node,
Int32BinopMatcher m(node);
Node* left = m.left().node();
Node* right = m.right().node();
InstructionOperand inputs[4];
InstructionOperand inputs[5];
size_t input_count = 0;
InstructionOperand outputs[1];
size_t output_count = 0;
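Review bot: The new bound in `InstructionOperand inputs[5];` is still a bare literal, and nothing in the hunk says which five operands it accounts for or checks `input_count` against it, so a later operand form that adds one more input would overrun this stack array again. I would add a comment above the declaration listing the worst-case operand combination (the breakdown is not visible here, so the author has to supply it). If the rest of VisitBinop does not already do so, I would also guard the buffer with `DCHECK_GE(arraysize(inputs), input_count);`, or a `CHECK` so that release builds stop instead of continuing after an out-of-bounds write. VisitBinop's body continues outside the hunk, so such a check may already exist further down.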
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-wasm-trap-handler
load('test/mjsunit/wasm/wasm-constants.js');
load('test/mjsunit/wasm/wasm-module-builder.js');
(function() {
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32);
// Generate function 1 (out of 1).
sig1 = makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]);
builder.addFunction(undefined, sig1)
.addBodyWithEnd([
// signature: i_iii
// body:
kExprI32Const, 0xe1, 0xc8, 0xd5, 0x01,
kExprI32Const, 0xe2, 0xe4, 0x00,
kExprI32Sub,
kExprF32Const, 0x00, 0x00, 0x00, 0x00,
kExprF32Const, 0xc9, 0xc9, 0xc9, 0x00,
kExprF32Eq,
kExprI32LoadMem, 0x01, 0xef, 0xec, 0x95, 0x93, 0x07,
kExprI32Add,
kExprIf, kWasmStmt, // @30
kExprEnd, // @32
kExprI32Const, 0xc9, 0x93, 0xdf, 0xcc, 0x7c,
kExprEnd, // @39
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
assertTraps(kTrapMemOutOfBounds, _ => instance.exports.main(1, 2, 3));
})();
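Review bot: `sig1 = makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]);` assigns to an undeclared name, which in sloppy mode creates a global that outlives the IIFE; it should be declared as `const sig1 = makeSig(...)`, matching `builder` and `instance`. The file also has no comment tying it to the defect it guards against, so a header line such as `// Regression test for chromium:842501 (VisitBinop input operand buffer too small).` would help a later reader. The `// Flags: --no-wasm-trap-handler` line presumably forces the code path that produces the extra operand; if so, a one-line comment saying that would stop someone from dropping the flag and silently losing the coverage.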