[Liftoff] Fix stack slot overwrite

On ia32, the upper "half stack slot" must be located above the lower half stack slot (in absolute address), hence the index is "2 * index - 1" instead of "2 * index + 1". Note that the index describes the negative offset from the stack pointer. R=titzer@chromium.org Bug: v8:7579 Change-Id: If207af405b126ab30043432d7934273e6e2a5330 Reviewed-on: https://chromium-review.googlesource.com/973301 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#52116}

[Liftoff] Fix stack slot overwrite
On ia32, the upper "half stack slot" must be located above the lower half stack slot (in absolute address), hence the index is "2 * index - 1" instead of "2 * index + 1". Note that the index describes the negative offset from the stack pointer. R=titzer@chromium.org Bug: v8:7579 Change-Id: If207af405b126ab30043432d7934273e6e2a5330 Reviewed-on: https://chromium-review.googlesource.com/973301 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#52116}
8bb41e8d · Clemens Hammacher · Commit Bot · 23812633 · 8bb41e8d · 8bb41e8d
Commit 8bb41e8d authored Mar 21, 2018 by Clemens Hammacher Committed by Commit Bot Mar 21, 2018
4 changed files
--- a/src/wasm/baseline/ia32/liftoff-assembler-ia32.h
+++ b/src/wasm/baseline/ia32/liftoff-assembler-ia32.h
@@ -351,7 +351,7 @@ void LiftoffAssembler::Spill(uint32_t index, LiftoffRegister reg,
      break;
    case kWasmI64:
      mov(dst, reg.low_gp());
-      mov(liftoff::GetHalfStackSlot(2 * index + 1), reg.high_gp());
+      mov(liftoff::GetHalfStackSlot(2 * index - 1), reg.high_gp());
      break;
    case kWasmF32:
      movss(dst, reg.fp());
@@ -375,7 +375,7 @@ void LiftoffAssembler::Spill(uint32_t index, WasmValue value) {
      int32_t low_word = value.to_i64();
      int32_t high_word = value.to_i64() >> 32;
      mov(dst, Immediate(low_word));
-      mov(liftoff::GetHalfStackSlot(2 * index + 1), Immediate(high_word));
+      mov(liftoff::GetHalfStackSlot(2 * index - 1), Immediate(high_word));
      break;
    }
    default:
@@ -393,7 +393,7 @@ void LiftoffAssembler::Fill(LiftoffRegister reg, uint32_t index,
      break;
    case kWasmI64:
      mov(reg.low_gp(), src);
-      mov(reg.high_gp(), liftoff::GetHalfStackSlot(2 * index + 1));
+      mov(reg.high_gp(), liftoff::GetHalfStackSlot(2 * index - 1));
      break;
    case kWasmF32:
      movss(reg.fp(), src);
@@ -1000,7 +1000,7 @@ void LiftoffAssembler::PushCallerFrameSlot(const VarState& src,
        DCHECK_EQ(kLowWord, half);
        push(liftoff::GetHalfStackSlot(2 * src_index - 1));
      }
-      push(liftoff::GetHalfStackSlot(2 * src_index +
+      push(liftoff::GetHalfStackSlot(2 * src_index -
                                     (half == kLowWord ? 0 : 1)));
      break;
    case VarState::kRegister:

--- a/src/wasm/baseline/liftoff-assembler.cc
+++ b/src/wasm/baseline/liftoff-assembler.cc
@@ -205,7 +205,7 @@ class StackTransferRecipe {
    DCHECK_EQ(kWasmI64, src.type());
    switch (src.loc()) {
      case VarState::kStack:
-        LoadI64HalfStackSlot(dst, 2 * index + (half == kLowWord ? 0 : 1));
+        LoadI64HalfStackSlot(dst, 2 * index - (half == kLowWord ? 0 : 1));
        break;
      case VarState::kRegister: {
        LiftoffRegister src_half =

--- a/src/wasm/baseline/liftoff-assembler.h
+++ b/src/wasm/baseline/liftoff-assembler.h
@@ -361,6 +361,9 @@ class LiftoffAssembler : public TurboAssembler {
  inline void Spill(uint32_t index, LiftoffRegister, ValueType);
  inline void Spill(uint32_t index, WasmValue);
  inline void Fill(LiftoffRegister, uint32_t index, ValueType);
+  // Only used on 32-bit systems: Fill a register from a "half stack slot", i.e.
+  // 4 bytes on the stack holding half of a 64-bit value. The two half_indexes
+  // corresponding to slot {index} are {2*index} and {2*index-1}.
  inline void FillI64Half(Register, uint32_t half_index);

  // i32 binops.

--- a/test/mjsunit/regress/wasm/regress-7579.js
+++ b/test/mjsunit/regress/wasm/regress-7579.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+// Generate function 1 (out of 2).
+sig0 = makeSig([], [kWasmI32]);
+builder.addFunction(undefined, sig0)
+  .addBody([
+    kExprI64Const, 0xc8, 0xda, 0x9c, 0xbc, 0xf8, 0xf0, 0xe1, 0xc3, 0x87, 0x7f,
+    kExprLoop, kWasmF64,
+      ...wasmF64Const(0),
+      ...wasmF64Const(0),
+      ...wasmF64Const(0),
+      ...wasmF64Const(0),
+      ...wasmF64Const(0),
+      ...wasmF64Const(0),
+      ...wasmF64Const(0),
+      ...wasmF64Const(0),
+      ...wasmF64Const(0),
+      ...wasmF64Const(0),
+      ...wasmF64Const(0),
+      ...wasmF64Const(0),
+      kExprCallFunction, 0x01,
+      ...wasmF64Const(0),
+      kExprEnd,
+    ...wasmF64Const(0),
+    ...wasmF64Const(0),
+    ...wasmF64Const(0),
+    ...wasmF64Const(0),
+    ...wasmF64Const(0),
+    ...wasmF64Const(0),
+    ...wasmF64Const(0),
+    ...wasmF64Const(0),
+    ...wasmF64Const(0),
+    ...wasmF64Const(0),
+    ...wasmF64Const(0),
+    kExprCallFunction, 0x01,
+    kExprI64Const, 0xb9, 0xf2, 0xe4, 0x01,
+    kExprI64LtS]);
+// Generate function 2 (out of 2).
+sig1 = makeSig(new Array(12).fill(kWasmF64), []);
+builder.addFunction(undefined, sig1).addBody([]);
+builder.addExport('main', 0);
+const instance = builder.instantiate();
+assertEquals(1, instance.exports.main());
+
+const builder2 = new WasmModuleBuilder();
+sig0 = makeSig([], [kWasmI32]);
+builder2.addFunction(undefined, sig0).addLocals({i64_count: 1}).addBody([
+  kExprLoop, kWasmI32,     // loop i32
+  kExprGetLocal, 0,        // get_local 3
+  kExprF32SConvertI64,     // f32.sconvert/i64
+  kExprI32ReinterpretF32,  // i32.reinterpret/f32
+  kExprEnd                 // end
+]);
+builder2.addExport('main', 0);
+const instance2 = builder2.instantiate();
+assertEquals(0, instance2.exports.main());