[wasm-simd] Fix OpcodeLength of load splat/extend ops

Move load splat and load extend ops into the list of SIMD memory opcodes, since they similarly take an i32 and an memarg. This fixes the OpcodeLength calculation in function-body-decoder-impl.h. And in turn, fixes the mjsunit test code that the fuzzer generates. See the regress-1055692.js file for the weird S8x16LoadSplat followed by 2 kExprUnreachable, where the kExprUnreachable really is a memarg {0x0, 0x0}. This bug was caught by the fuzzer, and that was the generated test (with small fixes to add kExprDrop), so leaving it as it is. Bug: chromium:1055692 Change-Id: I743b6beb82350b5fea22c8dd10b546a02741cfed Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2071401Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Commit-Queue: Zhi An Ng <zhin@chromium.org> Cr-Commit-Position: refs/heads/master@{#66439}

[wasm-simd] Fix OpcodeLength of load splat/extend ops
Move load splat and load extend ops into the list of SIMD memory opcodes, since they similarly take an i32 and an memarg. This fixes the OpcodeLength calculation in function-body-decoder-impl.h. And in turn, fixes the mjsunit test code that the fuzzer generates. See the regress-1055692.js file for the weird S8x16LoadSplat followed by 2 kExprUnreachable, where the kExprUnreachable really is a memarg {0x0, 0x0}. This bug was caught by the fuzzer, and that was the generated test (with small fixes to add kExprDrop), so leaving it as it is. Bug: chromium:1055692 Change-Id: I743b6beb82350b5fea22c8dd10b546a02741cfed Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2071401Reviewed-by: Deepti Gandluri <gdeepti@chromium.org> Commit-Queue: Zhi An Ng <zhin@chromium.org> Cr-Commit-Position: refs/heads/master@{#66439}
a67a16aa · Ng Zhi An · Commit Bot · f9dc259a · a67a16aa · a67a16aa
Commit a67a16aa authored Feb 25, 2020 by Ng Zhi An Committed by Commit Bot Feb 26, 2020
Showing with 47 additions and 11 deletions

wasm-opcodes.h src/wasm/wasm-opcodes.h +11 -11

regress-1055692.js test/mjsunit/regress/wasm/regress-1055692.js +35 -0

wasm-module-builder.js test/mjsunit/wasm/wasm-module-builder.js +1 -0

No files found.
--- a/src/wasm/wasm-opcodes.h
+++ b/src/wasm/wasm-opcodes.h
@@ -265,7 +265,17 @@ bool IsJSCompatibleSignature(const FunctionSig* sig, const WasmFeatures&);

 #define FOREACH_SIMD_MEM_OPCODE(V) \
  V(S128LoadMem, 0xfd00, s_i)      \
-  V(S128StoreMem, 0xfd01, v_is)
+  V(S128StoreMem, 0xfd01, v_is)    \
+  V(S8x16LoadSplat, 0xfdc2, s_i)   \
+  V(S16x8LoadSplat, 0xfdc3, s_i)   \
+  V(S32x4LoadSplat, 0xfdc4, s_i)   \
+  V(S64x2LoadSplat, 0xfdc5, s_i)   \
+  V(I16x8Load8x8S, 0xfdd2, s_i)    \
+  V(I16x8Load8x8U, 0xfdd3, s_i)    \
+  V(I32x4Load16x4S, 0xfdd4, s_i)   \
+  V(I32x4Load16x4U, 0xfdd5, s_i)   \
+  V(I64x2Load32x2S, 0xfdd6, s_i)   \
+  V(I64x2Load32x2U, 0xfdd7, s_i)

 #define FOREACH_SIMD_MASK_OPERAND_OPCODE(V) V(S8x16Shuffle, 0xfd03, s_ss)

@@ -420,10 +430,6 @@ bool IsJSCompatibleSignature(const FunctionSig* sig, const WasmFeatures&);
  V(F32x4SConvertI32x4, 0xfdaf, s_s)     \
  V(F32x4UConvertI32x4, 0xfdb0, s_s)     \
  V(S8x16Swizzle, 0xfdc0, s_ss)          \
-  V(S8x16LoadSplat, 0xfdc2, s_i)         \
-  V(S16x8LoadSplat, 0xfdc3, s_i)         \
-  V(S32x4LoadSplat, 0xfdc4, s_i)         \
-  V(S64x2LoadSplat, 0xfdc5, s_i)         \
  V(I8x16SConvertI16x8, 0xfdc6, s_ss)    \
  V(I8x16UConvertI16x8, 0xfdc7, s_ss)    \
  V(I16x8SConvertI32x4, 0xfdc8, s_ss)    \
@@ -436,12 +442,6 @@ bool IsJSCompatibleSignature(const FunctionSig* sig, const WasmFeatures&);
  V(I32x4SConvertI16x8High, 0xfdcf, s_s) \
  V(I32x4UConvertI16x8Low, 0xfdd0, s_s)  \
  V(I32x4UConvertI16x8High, 0xfdd1, s_s) \
-  V(I16x8Load8x8S, 0xfdd2, s_s)          \
-  V(I16x8Load8x8U, 0xfdd3, s_s)          \
-  V(I32x4Load16x4S, 0xfdd4, s_s)         \
-  V(I32x4Load16x4U, 0xfdd5, s_s)         \
-  V(I64x2Load32x2S, 0xfdd6, s_s)         \
-  V(I64x2Load32x2U, 0xfdd7, s_s)         \
  V(S128AndNot, 0xfdd8, s_ss)            \
  V(I8x16RoundingAverageU, 0xfdd9, s_ss) \
  V(I16x8RoundingAverageU, 0xfdda, s_ss) \

--- a/test/mjsunit/regress/wasm/regress-1055692.js
+++ b/test/mjsunit/regress/wasm/regress-1055692.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-staging --wasm-interpret-all --experimental-wasm-simd
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(16, 32, false);
+builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
+// Generate function 1 (out of 1).
+builder.addFunction(undefined, 0 /* sig */)
+  .addBodyWithEnd([
+// signature: i_iii
+// body:
+kExprI32Const, 0x75,  // i32.const
+kExprI32Const, 0x74,  // i32.const
+kExprI32Const, 0x18,  // i32.const
+kSimdPrefix, kExprS8x16LoadSplat,  // s8x16.load_splat
+kExprUnreachable,  // unreachable
+kExprUnreachable,  // unreachable
+kExprI32Const, 0x6f,  // i32.const
+kExprI32Const, 0x7f,  // i32.const
+kExprI32Const, 0x6f,  // i32.const
+kExprDrop,
+kExprDrop,
+kExprDrop,
+kExprDrop,
+kExprDrop,
+kExprEnd,  // end @18
+]);
+builder.addExport('main', 0);
+const instance = builder.instantiate();
+print(instance.exports.main(1, 2, 3));
--- a/test/mjsunit/wasm/wasm-module-builder.js
+++ b/test/mjsunit/wasm/wasm-module-builder.js
@@ -476,6 +476,7 @@ let kExprS1x8AnyTrue = 0x63;
 let kExprS1x4AllTrue = 0x75;
 let kExprI32x4Add = 0x79;
 let kExprF32x4Min = 0x9e;
+let kExprS8x16LoadSplat = 0xc2;

 // Compilation hint constants.
 let kCompilationHintStrategyDefault = 0x00;