[arm64] We must not overwrite registers for binop results that are used in frame states.

The ARM64 instruction selector can generate code like this negs w0, w1 b.vs deopt but then reference the old value of w0 in the frame state, which will obviously lead to wrong results. R=jarin@chromium.org BUG=v8:5158 Review-Url: https://codereview.chromium.org/2103793002 Cr-Commit-Position: refs/heads/master@{#37322}

[arm64] We must not overwrite registers for binop results that are used in frame states.
The ARM64 instruction selector can generate code like this negs w0, w1 b.vs deopt but then reference the old value of w0 in the frame state, which will obviously lead to wrong results. R=jarin@chromium.org BUG=v8:5158 Review-Url: https://codereview.chromium.org/2103793002 Cr-Commit-Position: refs/heads/master@{#37322}
29da5460 · bmeurer · Commit bot · 3bc6cc4f · 29da5460 · 29da5460
Commit 29da5460 authored Jun 28, 2016 by bmeurer Committed by Commit bot Jun 28, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 4 deletions

instruction-selector-arm64.cc src/compiler/arm64/instruction-selector-arm64.cc +17 -4

regress-5158.js test/mjsunit/compiler/regress-5158.js +16 -0

No files found.
--- a/src/compiler/arm64/instruction-selector-arm64.cc
+++ b/src/compiler/arm64/instruction-selector-arm64.cc
@@ -360,18 +360,24 @@ void VisitBinop(InstructionSelector* selector, Node* node,
  } else if (TryMatchAnyShift(selector, node, right_node, &opcode,
                              !is_add_sub)) {
    Matcher m_shift(right_node);
-    inputs[input_count++] = g.UseRegisterOrImmediateZero(left_node);
+    inputs[input_count++] = cont->IsDeoptimize()
+                                ? g.UseRegister(left_node)
+                                : g.UseRegisterOrImmediateZero(left_node);
    inputs[input_count++] = g.UseRegister(m_shift.left().node());
    inputs[input_count++] = g.UseImmediate(m_shift.right().node());
  } else if (can_commute && TryMatchAnyShift(selector, node, left_node, &opcode,
                                             !is_add_sub)) {
    if (must_commute_cond) cont->Commute();
    Matcher m_shift(left_node);
-    inputs[input_count++] = g.UseRegisterOrImmediateZero(right_node);
+    inputs[input_count++] = cont->IsDeoptimize()
+                                ? g.UseRegister(right_node)
+                                : g.UseRegisterOrImmediateZero(right_node);
    inputs[input_count++] = g.UseRegister(m_shift.left().node());
    inputs[input_count++] = g.UseImmediate(m_shift.right().node());
  } else {
-    inputs[input_count++] = g.UseRegisterOrImmediateZero(left_node);
+    inputs[input_count++] = cont->IsDeoptimize()
+                                ? g.UseRegister(left_node)
+                                : g.UseRegisterOrImmediateZero(left_node);
    inputs[input_count++] = g.UseRegister(right_node);
  }

@@ -381,7 +387,14 @@ void VisitBinop(InstructionSelector* selector, Node* node,
  }

  if (!IsComparisonField::decode(properties)) {
-    outputs[output_count++] = g.DefineAsRegister(node);
+    if (cont->IsDeoptimize()) {
+      // If we can deoptimize as a result of the binop, we need to make sure
+      // that the deopt inputs are not overwritten by the binop result. One way
+      // to achieve that is to declare the output register as same-as-first.
+      outputs[output_count++] = g.DefineSameAsFirst(node);
+    } else {
+      outputs[output_count++] = g.DefineAsRegister(node);
+    }
  }

  if (cont->IsSet()) {

--- a/test/mjsunit/compiler/regress-5158.js
+++ b/test/mjsunit/compiler/regress-5158.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(x) {
+  x = +x;
+  return (x > 0) ? x : 0 - x;
+}
+
+foo(1);
+foo(-1);
+foo(0);
+%OptimizeFunctionOnNextCall(foo);
+assertEquals(2147483648, foo(-2147483648));