[turbofan] Adjust spill slot range for multi-value return

Safepoint maps record all spill slots that contain a tagged value. The introduction of multi-value return changed the stack frame layout though and the calculation of spill slots has not been adjusted accordingly. This CL adjusts the creation of safepoints now to work for multi-value returns as well. R=neis@chromium.org Bug: v8:11206 Change-Id: Id623dbc28b976dcf625ac78738e03e642fafbb36 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2569762 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#71591}

[turbofan] Adjust spill slot range for multi-value return
Safepoint maps record all spill slots that contain a tagged value. The introduction of multi-value return changed the stack frame layout though and the calculation of spill slots has not been adjusted accordingly. This CL adjusts the creation of safepoints now to work for multi-value returns as well. R=neis@chromium.org Bug: v8:11206 Change-Id: Id623dbc28b976dcf625ac78738e03e642fafbb36 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2569762 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#71591}
5ee2bee3 · Andreas Haas · Commit Bot · fbc7de74 · 5ee2bee3 · 5ee2bee3
Commit 5ee2bee3 authored Dec 03, 2020 by Andreas Haas Committed by Commit Bot Dec 03, 2020
Showing with 62 additions and 6 deletions

code-generator.cc src/compiler/backend/code-generator.cc +2 -3

frame.cc src/compiler/frame.cc +4 -2

frame.h src/compiler/frame.h +1 -1

regress-11206.js test/mjsunit/regress/wasm/regress-11206.js +55 -0

No files found.
--- a/src/compiler/backend/code-generator.cc
+++ b/src/compiler/backend/code-generator.cc
@@ -553,8 +553,7 @@ bool CodeGenerator::IsNextInAssemblyOrder(RpoNumber block) const {
 void CodeGenerator::RecordSafepoint(ReferenceMap* references,
                                    Safepoint::DeoptMode deopt_mode) {
  Safepoint safepoint = safepoints()->DefineSafepoint(tasm(), deopt_mode);
-  int stackSlotToSpillSlotDelta =
-      frame()->GetTotalFrameSlotCount() - frame()->GetSpillSlotCount();
+  int frame_header_offset = frame()->GetFixedSlotCount();
  for (const InstructionOperand& operand : references->reference_operands()) {
    if (operand.IsStackSlot()) {
      int index = LocationOperand::cast(operand).index();
@@ -564,7 +563,7 @@ void CodeGenerator::RecordSafepoint(ReferenceMap* references,
      // and therefore don't work with the SafepointTable currently, but
      // we also don't need to worry about them, since the GC has special
      // knowledge about those fields anyway.
-      if (index < stackSlotToSpillSlotDelta) continue;
+      if (index < frame_header_offset) continue;
      safepoint.DefinePointerSlot(index);
    }
  }

--- a/src/compiler/frame.cc
+++ b/src/compiler/frame.cc
@@ -18,8 +18,11 @@ Frame::Frame(int fixed_frame_size_in_slots)
      allocated_registers_(nullptr),
      allocated_double_registers_(nullptr) {}

-int Frame::AlignFrame(int alignment) {
+void Frame::AlignFrame(int alignment) {
  int alignment_slots = alignment / kSystemPointerSize;
+  // In the calculations below we assume that alignment_slots is a power of 2.
+  DCHECK(base::bits::IsPowerOfTwo(alignment_slots));
+
  // We have to align return slots separately, because they are claimed
  // separately on the stack.
  int return_delta =
@@ -34,7 +37,6 @@ int Frame::AlignFrame(int alignment) {
      spill_slot_count_ += delta;
    }
  }
-  return delta;
 }

 void FrameAccessState::MarkHasFrame(bool state) {

--- a/src/compiler/frame.h
+++ b/src/compiler/frame.h
@@ -146,7 +146,7 @@ class V8_EXPORT_PRIVATE Frame : public ZoneObject {
    }
  }

-  int AlignFrame(int alignment = kDoubleSize);
+  void AlignFrame(int alignment = kDoubleSize);

  int ReserveSpillSlots(size_t slot_count) {
    DCHECK_EQ(0, spill_slot_count_);

--- a/test/mjsunit/regress/wasm/regress-11206.js
+++ b/test/mjsunit/regress/wasm/regress-11206.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --experimental-wasm-mv --expose-gc --stress-compaction
+// Flags: --stress-scavenge=16
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+(function TestReturnOddNumberOfReturns() {
+  let builder = new WasmModuleBuilder();
+  let void_sig = builder.addType(kSig_v_v);
+  let mv_sig = builder.addType(
+      makeSig([], [kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32]));
+
+  let gc_index = builder.addImport('q', 'gc', void_sig);
+  builder.addFunction('main', mv_sig)
+      .addBodyWithEnd([
+        kExprCallFunction, gc_index,
+        kExprI32Const, 1,
+        kExprI32Const, 2,
+        kExprI32Const, 3,
+        kExprI32Const, 4,
+        kExprI32Const, 5,
+        kExprEnd
+      ])
+      .exportFunc();
+
+  let instance = builder.instantiate({q: {gc: gc}});
+
+  instance.exports.main();
+})();
+
+(function TestReturnEvenNumberOfReturns() {
+  let builder = new WasmModuleBuilder();
+  let void_sig = builder.addType(kSig_v_v);
+  let mv_sig =
+      builder.addType(makeSig([], [kWasmI32, kWasmI32, kWasmI32, kWasmI32]));
+
+  let gc_index = builder.addImport('q', 'gc', void_sig);
+  builder.addFunction('main', mv_sig)
+      .addBodyWithEnd([
+        kExprCallFunction, gc_index,
+        kExprI32Const, 1,
+        kExprI32Const, 2,
+        kExprI32Const, 3,
+        kExprI32Const, 4,
+        kExprEnd
+      ])
+      .exportFunc();
+
+  let instance = builder.instantiate({q: {gc: gc}});
+
+  instance.exports.main();
+})();