[wasm][liftoff][arm] Avoid double allocation of register is AtomicOp64

In AtomicOp64 ClearRegister is called twice to clear the registers r8 and r9. Thereby new registers may get allocated. We forgot to add the newly allocated registers to pinned after the first call to ClearRegister, which caused the same registers to be allocated again in the second ClearRegister, and thereby caused the bug. R=clemensb@chromium.org Change-Id: I0d069aea4c9438fe30c30c22406b4075ddf3e95c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170088 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#67445}

[wasm][liftoff][arm] Avoid double allocation of register is AtomicOp64
In AtomicOp64 ClearRegister is called twice to clear the registers r8 and r9. Thereby new registers may get allocated. We forgot to add the newly allocated registers to pinned after the first call to ClearRegister, which caused the same registers to be allocated again in the second ClearRegister, and thereby caused the bug. R=clemensb@chromium.org Change-Id: I0d069aea4c9438fe30c30c22406b4075ddf3e95c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2170088 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#67445}
980037ce · Andreas Haas · Commit Bot · af09a9b0 · 980037ce · 980037ce
Commit 980037ce authored Apr 28, 2020 by Andreas Haas Committed by Commit Bot Apr 28, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 0 deletions

liftoff-assembler-arm.h src/wasm/baseline/arm/liftoff-assembler-arm.h +2 -0

regress-1074586-b.js test/mjsunit/regress/wasm/regress-1074586-b.js +23 -0

No files found.
--- a/src/wasm/baseline/arm/liftoff-assembler-arm.h
+++ b/src/wasm/baseline/arm/liftoff-assembler-arm.h
@@ -705,6 +705,8 @@ inline void AtomicOp64(LiftoffAssembler* lasm, Register dst_addr,
      dst_addr, offset_reg, value_low, value_high, dst_low, dst_high);
  __ ClearRegister(dst_low, {&dst_addr, &offset_reg, &value_low, &value_high},
                   pinned);
+  pinned = pinned |
+           LiftoffRegList::ForRegs(dst_addr, offset_reg, value_low, value_high);
  __ ClearRegister(dst_high, {&dst_addr, &offset_reg, &value_low, &value_high},
                   pinned);
  pinned = pinned |

--- a/test/mjsunit/regress/wasm/regress-1074586-b.js
+++ b/test/mjsunit/regress/wasm/regress-1074586-b.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// // Use of this source code is governed by a BSD-style license that can be
+// // found in the LICENSE file.
+
+// Flags: --wasm-staging
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(16, 32, false, true);
+const sig = builder.addType(makeSig(
+    [kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32, kWasmI32],
+    []));
+builder.addFunction(undefined, sig).addBodyWithEnd([
+  // signature: v_iiiiifidi
+  // body:
+  kExprI32Const, 0x00,                             // i32.const
+  kExprI64Const, 0x00,                             // i64.const
+  kAtomicPrefix, kExprI64AtomicStore, 0x00, 0x00,  // i64.atomic.store64
+  kExprEnd,                                        // end @9
+]);
+builder.addExport('main', 0);
+assertDoesNotThrow(() => builder.instantiate());