[wasm-simd][x64][ia32] Fix I64x2ShrS

We were overwriting the shift Register, instead, we should be using the
tmp_shift register.

Bug: chromium:1242689
Change-Id: I732c9c1f8a43401ce003b22893db9e39dfac3817
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3116115
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76466}

src/codegen/shared-ia32-x64/macro-assembler-shared-ia32-x64.cc

@@ -805,8 +805,8 @@ void SharedTurboAssembler::I64x2ShrS(XMMRegister dst, XMMRegister src,
 
   // Shift modulo 64.
   Move(tmp_shift, shift);
-  And(shift, Immediate(0x3F));
-  Movd(xmm_shift, shift);
+  And(tmp_shift, Immediate(0x3F));
+  Movd(xmm_shift, tmp_shift);
 
   if (!CpuFeatures::IsSupported(AVX) && (dst != src)) {
     Movapd(dst, src);

test/mjsunit/mjsunit.status

@@ -1440,6 +1440,7 @@
   'regress/wasm/regress-1187831': [SKIP],
   'regress/wasm/regress-1199662': [SKIP],
   'regress/wasm/regress-1231950': [SKIP],
+  'regress/wasm/regress-1242689': [SKIP],
 }],  # no_simd_hardware == True
 
 ##############################################################################

test/mjsunit/regress/wasm/regress-1242689.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// This test case is minified from a clusterfuzz generated test. It exercises a
+// bug in I64x2ShrS where the codegen was overwriting a input Register
+// containing the shift value.
+d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+
+// Generate function 1 (out of 1).
+builder.addFunction("main", kSig_i_v)
+  .addBodyWithEnd([
+    // signature: i_iii
+    // body:
+    kExprI32Const, 0x00,  // i32.const
+    kSimdPrefix, kExprI8x16Splat,  // i8x16.splat
+    kExprI32Const, 0xee, 0xc6, 0x01,  // i32.const, 25454 (0x636e)
+    kSimdPrefix, kExprI8x16Splat,  // i8x16.splat
+    kSimdPrefix, kExprI8x16ExtractLaneS, 0x00,  // i8x16.extract_lane_s
+    kSimdPrefix, kExprI64x2ShrS, 0x01,  // i64x2.shr_s
+    kSimdPrefix, kExprI8x16ExtractLaneS, 0x00,  // i8x16.extract_lane_s
+    kExprI32Const, 0xee, 0xc6, 0x01,  // i32.const, 0x636e
+    kSimdPrefix, kExprI8x16Splat,  // i8x16.splat
+    kSimdPrefix, kExprI8x16ExtractLaneS, 0x00,  // i8x16.extract_lane_s
+    kExprI32Const, 0x00,  // i32.const
+    kExprSelect,  // select
+    kExprEnd,  // end @48
+]).exportFunc();
+
+const instance = builder.instantiate();
+print(instance.exports.main());