Commit 9f56f37e authored by Zhi An Ng's avatar Zhi An Ng Committed by Commit Bot

[ia32][wasm-simd] Fix s128select

In https://crrev.com/c/2591859 we changed the way we generate code for
v128.select, which assumes that all inputs are registers. We did not
update the instruction selector with this new constraint.

Fixed: chromium:1161954
Bug: v8:11282
Change-Id: I5fc9a0315873a3e795078997d87aa92d4c8bddfe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2603764
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: 's avatarBill Budge <bbudge@chromium.org>
Cr-Commit-Position: refs/heads/master@{#71904}
parent 72f3270b
...@@ -2476,14 +2476,14 @@ void InstructionSelector::VisitS128Zero(Node* node) { ...@@ -2476,14 +2476,14 @@ void InstructionSelector::VisitS128Zero(Node* node) {
void InstructionSelector::VisitS128Select(Node* node) { void InstructionSelector::VisitS128Select(Node* node) {
IA32OperandGenerator g(this); IA32OperandGenerator g(this);
InstructionOperand operand0 = g.UseRegister(node->InputAt(0));
InstructionOperand operand1 = g.UseRegister(node->InputAt(1));
InstructionOperand operand2 = g.UseRegister(node->InputAt(2)); InstructionOperand operand2 = g.UseRegister(node->InputAt(2));
if (IsSupported(AVX)) { if (IsSupported(AVX)) {
// AVX supports unaligned memory operands, so Use here is okay. Emit(kAVXS128Select, g.DefineAsRegister(node), operand0, operand1,
Emit(kAVXS128Select, g.DefineAsRegister(node), g.Use(node->InputAt(0)), operand2);
g.Use(node->InputAt(1)), operand2);
} else { } else {
Emit(kSSES128Select, g.DefineSameAsFirst(node), Emit(kSSES128Select, g.DefineSameAsFirst(node), operand0, operand1,
g.UseRegister(node->InputAt(0)), g.UseRegister(node->InputAt(1)),
operand2); operand2);
} }
} }
......
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-staging
// This test is manually reduced from a fuzzer test case at
// https://crbug.com/1161954. This exercises a bug in IA32 instruction
// selection for v128.select, in the AVX case it was too flexible and allowed
// the input operands to be slots, but the code-gen required them to be
// registers.
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
// Generate function 1 (out of 1).
builder.addFunction(undefined, kSig_i_v)
.addBodyWithEnd([
// signature: i_v
// body:
kExprI32Const, 0x37, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0xb9, 0xf2, 0xd8, 0x01, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprS128AndNot, // s128.andnot
kExprI32Const, 0xb2, 0xf2, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0xf2, 0x82, 0x02, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprF64x2Max, 0x01, // f64x2.max
kSimdPrefix, kExprI16x8Add, 0x01, // i16x8.add
kSimdPrefix, kExprS128Or, // s128.or
kSimdPrefix, kExprI8x16Neg, // i8x16.neg
kExprI32Const, 0x8e, 0x1c, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x9d, 0x26, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0xf0, 0xe0, 0x01, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprI8x16LeS, // i8x16.le_s
kSimdPrefix, kExprI8x16LeS, // i8x16.le_s
kExprI32Const, 0xff, 0xfb, 0x03, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x93, 0x26, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x9d, 0x26, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprI8x16GtU, // i8x16.gt_u
kExprI32Const, 0xf0, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprI16x8Mul, 0x01, // i16x8.mul
kSimdPrefix, kExprF32x4Ge, // f32x4.ge
kSimdPrefix, kExprI8x16LeS, // i8x16.le_s
kSimdPrefix, kExprI8x16LeS, // i8x16.le_s
kExprI32Const, 0x00, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0xc1, 0x8e, 0x35, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x0d, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprI32x4Ne, // i32x4.ne
kSimdPrefix, kExprF32x4Ge, // f32x4.ge
kSimdPrefix, kExprI8x16LeS, // i8x16.le_s
kExprI32Const, 0xc1, 0x8e, 0x35, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kExprI32Const, 0x0d, // i32.const
kSimdPrefix, kExprI8x16Splat, // i8x16.splat
kSimdPrefix, kExprS128Select, // s128.select
kSimdPrefix, kExprF64x2Div, 0x01, // f64x2.div
kSimdPrefix, kExprF64x2ExtractLane, 0x00, // f64x2.extract_lane
kNumericPrefix, kExprI32SConvertSatF64, // i32.trunc_sat_f64_s
kExprEnd, // end @142
]);
builder.addExport('main', 0);
const instance = builder.instantiate();
print(instance.exports.main());
...@@ -573,6 +573,7 @@ let kExprI32x4ExtractLane = 0x1b; ...@@ -573,6 +573,7 @@ let kExprI32x4ExtractLane = 0x1b;
let kExprI32x4ReplaceLane = 0x1c; let kExprI32x4ReplaceLane = 0x1c;
let kExprI64x2ReplaceLane = 0x1e; let kExprI64x2ReplaceLane = 0x1e;
let kExprF32x4ReplaceLane = 0x20; let kExprF32x4ReplaceLane = 0x20;
let kExprF64x2ExtractLane = 0x21;
let kExprF64x2ReplaceLane = 0x22; let kExprF64x2ReplaceLane = 0x22;
let kExprI8x16Eq = 0x23; let kExprI8x16Eq = 0x23;
let kExprI8x16Ne = 0x24; let kExprI8x16Ne = 0x24;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment