Commit 720218c2 authored by Clemens Hammacher's avatar Clemens Hammacher Committed by Commit Bot

[Liftoff][arm64] Fix i64 constants passed via stack

We need to push the sign-extended constant instead of just the lower 32
bits. Otherwise, the callee might read stale data from the stack.

Bug: chromium:854011, v8:6600

R=ahaas@chromium.org
CC=rodolph.perfetta@arm.com

Change-Id: Iafcfd6ba9532771615b41215fb4d1a2b85ce5623
Reviewed-on: https://chromium-review.googlesource.com/1124683Reviewed-by: 's avatarAndreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54185}
parent ca4a8f9e
...@@ -958,12 +958,26 @@ void LiftoffStackSlots::Construct() { ...@@ -958,12 +958,26 @@ void LiftoffStackSlots::Construct() {
poke_offset); poke_offset);
break; break;
case LiftoffAssembler::VarState::KIntConst: { case LiftoffAssembler::VarState::KIntConst: {
switch (slot.src_.type()) {
case kWasmI32: {
UseScratchRegisterScope temps(asm_); UseScratchRegisterScope temps(asm_);
Register scratch = temps.AcquireW(); Register scratch = temps.AcquireW();
asm_->Mov(scratch, slot.src_.i32_const()); asm_->Mov(scratch, slot.src_.i32_const());
asm_->Poke(scratch, poke_offset); asm_->Poke(scratch, poke_offset);
break; break;
} }
case kWasmI64: {
UseScratchRegisterScope temps(asm_);
Register scratch = temps.AcquireX();
asm_->Mov(scratch, int64_t{slot.src_.i32_const()});
asm_->Poke(scratch, poke_offset);
break;
}
default:
UNREACHABLE();
}
break;
}
} }
slot_index++; slot_index++;
} }
......
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-constants.js');
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addFunction('main', kSig_d_d)
.addBody([
// Call with param 0 (converted to i64), to fill the stack with non-zero
// values.
kExprGetLocal, 0, kExprI64SConvertF64, // arg 0
kExprGetLocal, 0, kExprI64SConvertF64, // arg 1
kExprGetLocal, 0, kExprI64SConvertF64, // arg 2
kExprGetLocal, 0, kExprI64SConvertF64, // arg 3
kExprGetLocal, 0, kExprI64SConvertF64, // arg 4
kExprGetLocal, 0, kExprI64SConvertF64, // arg 5
kExprGetLocal, 0, kExprI64SConvertF64, // arg 6
kExprGetLocal, 0, kExprI64SConvertF64, // arg 7
kExprCallFunction, 1, // call #1
// Now call with 0 constants.
// The bug was that they were written out as i32 values, thus the upper 32
// bit were the previous values on that stack memory.
kExprI64Const, 0, // i64.const 0 [0]
kExprI64Const, 0, // i64.const 0 [1]
kExprI64Const, 0, // i64.const 0 [2]
kExprI64Const, 0, // i64.const 0 [3]
kExprI64Const, 0, // i64.const 0 [4]
kExprI64Const, 0, // i64.const 0 [5]
kExprI64Const, 0, // i64.const 0 [6]
kExprI64Const, 0, // i64.const 0 [7]
kExprCallFunction, 1, // call #1
// Return the sum of the two returned values.
kExprF64Add
])
.exportFunc();
builder.addFunction(undefined, makeSig(new Array(8).fill(kWasmI64), [kWasmF64]))
.addBody([
kExprGetLocal, 7, // get_local 7 (last parameter)
kExprF64SConvertI64, // f64.convert_s/i64
]);
const instance = builder.instantiate();
const big_num_1 = 2 ** 48;
const big_num_2 = 2 ** 56 / 3;
assertEquals(big_num_1, instance.exports.main(big_num_1));
assertEquals(big_num_2, instance.exports.main(big_num_2));
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment