[Liftoff] Fix stack slot initialization on arm and arm64

It turns out that because we are *subtracting* from fp, we need to *subtract less* to get a higher address. Who knew. R=jkummerow@chromium.org Bug: v8:9830, chromium:1014798 Change-Id: I5b9782dd0be27f4c3efbd306ec6c3450b249cb55 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864933Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#64321}

[Liftoff] Fix stack slot initialization on arm and arm64
It turns out that because we are *subtracting* from fp, we need to *subtract less* to get a higher address. Who knew. R=jkummerow@chromium.org Bug: v8:9830, chromium:1014798 Change-Id: I5b9782dd0be27f4c3efbd306ec6c3450b249cb55 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1864933Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#64321}
7d09b270 · Clemens Backes · Commit Bot · a1a45f4c · 7d09b270 · 7d09b270
Commit 7d09b270 authored Oct 16, 2019 by Clemens Backes Committed by Commit Bot Oct 16, 2019
3 changed files
--- a/src/wasm/baseline/arm/liftoff-assembler-arm.h
+++ b/src/wasm/baseline/arm/liftoff-assembler-arm.h
@@ -660,7 +660,7 @@ void LiftoffAssembler::FillStackSlotsWithZero(uint32_t index, uint32_t count) {
    push(r1);
    push(r2);
    sub(r1, fp, Operand(liftoff::GetStackSlotOffset(last_stack_slot)));
-    sub(r2, fp, Operand(liftoff::GetStackSlotOffset(index) + kStackSlotSize));
+    sub(r2, fp, Operand(liftoff::GetStackSlotOffset(index) - kStackSlotSize));

    Label loop;
    bind(&loop);

--- a/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
+++ b/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
@@ -420,7 +420,7 @@ void LiftoffAssembler::FillStackSlotsWithZero(uint32_t index, uint32_t count) {
    // Use x0 for start address (inclusive), x1 for end address (exclusive).
    Push(x1, x0);
    Sub(x0, fp, Operand(liftoff::GetStackSlotOffset(last_stack_slot)));
-    Sub(x1, fp, Operand(liftoff::GetStackSlotOffset(index) + kStackSlotSize));
+    Sub(x1, fp, Operand(liftoff::GetStackSlotOffset(index) - kStackSlotSize));

    Label loop;
    bind(&loop);

--- a/test/mjsunit/regress/wasm/regress-1014798.js
+++ b/test/mjsunit/regress/wasm/regress-1014798.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addFunction('main', kSig_i_iii)
+    .addLocals({f32_count: 4})
+    .addLocals({i64_count: 1})
+    .addLocals({f32_count: 2})
+    .addBodyWithEnd([
+      kExprI64Const, 0,
+      kExprLocalGet, 3,
+      kExprI64SConvertF32,
+      kExprI64Ne,
+      kExprEnd,  // @17
+    ]).exportFunc();
+const instance = builder.instantiate();
+assertEquals(0, instance.exports.main(1, 2, 3));