[arm] Fix constant pool hickup for huge table switch

The {cmp} instruction might add an entry to the constant pool at a time where we didn't expect any entries to be added. This can be fixed by moving the {CheckConstPool} call *after* the {cmp}. R=mslekova@chromium.org Bug: chromium:1034394 Change-Id: If075ad0b02e2973a734d70d9e58c205bd14e6a33 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1967380Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#65463}

[arm] Fix constant pool hickup for huge table switch
The {cmp} instruction might add an entry to the constant pool at a time where we didn't expect any entries to be added. This can be fixed by moving the {CheckConstPool} call *after* the {cmp}. R=mslekova@chromium.org Bug: chromium:1034394 Change-Id: If075ad0b02e2973a734d70d9e58c205bd14e6a33 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1967380Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#65463}
2d89d8a9 · Clemens Backes · Commit Bot · fa5d5647 · 2d89d8a9 · 2d89d8a9
Commit 2d89d8a9 authored Dec 16, 2019 by Clemens Backes Committed by Commit Bot Dec 16, 2019
Showing with 32 additions and 1 deletion

code-generator-arm.cc src/compiler/backend/arm/code-generator-arm.cc +2 -1

mjsunit.status test/mjsunit/mjsunit.status +1 -0

regress-1034394.js test/mjsunit/regress/regress-1034394.js +29 -0

No files found.
--- a/src/compiler/backend/arm/code-generator-arm.cc
+++ b/src/compiler/backend/arm/code-generator-arm.cc
@@ -3374,9 +3374,10 @@ void CodeGenerator::AssembleArchTableSwitch(Instruction* instr) {
  ArmOperandConverter i(this, instr);
  Register input = i.InputRegister(0);
  size_t const case_count = instr->InputCount() - 2;
+  // This {cmp} might still emit a constant pool entry.
+  __ cmp(input, Operand(case_count));
  // Ensure to emit the constant pool first if necessary.
  __ CheckConstPool(true, true);
-  __ cmp(input, Operand(case_count));
  __ BlockConstPoolFor(case_count + 2);
  __ add(pc, pc, Operand(input, LSL, 2), LeaveCC, lo);
  __ b(GetLabel(i.InputRpo(1)));

--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -367,6 +367,7 @@
  'regress/wasm/*': [SKIP],
  'regress/regress-8947': [SKIP],
  'regress/regress-9165': [SKIP],
+  'regress/regress-1034394': [SKIP],
  'regress/regress-v8-9106': [SKIP],
  'wasm/*': [SKIP],


--- a/test/mjsunit/regress/regress-1034394.js
+++ b/test/mjsunit/regress/regress-1034394.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+// Construct a big table switch. The code size will overflow 4096 bytes.
+const NUM_CASES = 3073;
+
+let body = [];
+// Add one block, so we can jump to this block or to the function end.
+body.push(kExprBlock);
+body.push(kWasmStmt);
+
+// Add the big BrTable.
+body.push(kExprLocalGet, 0);
+body.push(kExprBrTable, ...wasmSignedLeb(NUM_CASES));
+for (let i = 0; i < NUM_CASES + 1; i++) {
+  body.push(i % 2);
+}
+
+// End the block.
+body.push(kExprEnd);
+
+// Create a module for this.
+let builder = new WasmModuleBuilder();
+builder.addFunction('main', kSig_v_i).addBody(body).exportFunc();
+let instance = builder.instantiate();
+instance.exports.main(0);