[wasm][liftoff][ia32][x64] Detect SIMD NaNs for fuzzing

R=clemensb@chromium.org Bug: v8:11856 Change-Id: I9764e3e2944690ed0883afdab20afd47fdd4acfa Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979605Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/master@{#75512}

[wasm][liftoff][ia32][x64] Detect SIMD NaNs for fuzzing
R=clemensb@chromium.org Bug: v8:11856 Change-Id: I9764e3e2944690ed0883afdab20afd47fdd4acfa Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2979605Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/master@{#75512}
b0bcedcc · Thibaud Michaud · V8 LUCI CQ · 7faacf76 · b0bcedcc · b0bcedcc
Commit b0bcedcc authored Jun 28, 2021 by Thibaud Michaud Committed by V8 LUCI CQ Jul 01, 2021
7 changed files
--- a/src/wasm/baseline/arm/liftoff-assembler-arm.h
+++ b/src/wasm/baseline/arm/liftoff-assembler-arm.h
@@ -4239,6 +4239,13 @@ void LiftoffAssembler::emit_set_if_nan(Register dst, DoubleRegister src,
  UNIMPLEMENTED();
 }
+void LiftoffAssembler::emit_s128_set_if_nan(Register dst, DoubleRegister src,
+                                            Register tmp_gp,
+                                            DoubleRegister tmp_fp,
+                                            ValueKind lane_kind) {
+  UNIMPLEMENTED();
+}
 void LiftoffStackSlots::Construct(int param_slots) {
  DCHECK_LT(0, slots_.size());
  SortInPushOrder();

--- a/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
+++ b/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
@@ -3242,6 +3242,13 @@ void LiftoffAssembler::emit_set_if_nan(Register dst, DoubleRegister src,
  UNIMPLEMENTED();
 }
+void LiftoffAssembler::emit_s128_set_if_nan(Register dst, DoubleRegister src,
+                                            Register tmp_gp,
+                                            DoubleRegister tmp_fp,
+                                            ValueKind lane_kind) {
+  UNIMPLEMENTED();
+}
 void LiftoffStackSlots::Construct(int param_slots) {
  DCHECK_LT(0, slots_.size());
  // The stack pointer is required to be quadword aligned.

--- a/src/wasm/baseline/ia32/liftoff-assembler-ia32.h
+++ b/src/wasm/baseline/ia32/liftoff-assembler-ia32.h
@@ -4822,6 +4822,22 @@ void LiftoffAssembler::emit_set_if_nan(Register dst, DoubleRegister src,
  bind(&ret);
 }
+void LiftoffAssembler::emit_s128_set_if_nan(Register dst, DoubleRegister src,
+                                            Register tmp_gp,
+                                            DoubleRegister tmp_fp,
+                                            ValueKind lane_kind) {
+  if (lane_kind == kF32) {
+    movaps(tmp_fp, src);
+    cmpunordps(tmp_fp, tmp_fp);
+  } else {
+    DCHECK_EQ(lane_kind, kF64);
+    movapd(tmp_fp, src);
+    cmpunordpd(tmp_fp, tmp_fp);
+  }
+  pmovmskb(tmp_gp, tmp_fp);
+  or_(Operand(dst, 0), tmp_gp);
+}
 void LiftoffStackSlots::Construct(int param_slots) {
  DCHECK_LT(0, slots_.size());
  SortInPushOrder();

--- a/src/wasm/baseline/liftoff-assembler.h
+++ b/src/wasm/baseline/liftoff-assembler.h
@@ -1458,6 +1458,11 @@ class LiftoffAssembler : public TurboAssembler {
  // Set the i32 at address dst to 1 if src is a NaN.
  inline void emit_set_if_nan(Register dst, DoubleRegister src, ValueKind kind);
+  // Set the i32 at address dst to a non-zero value if src contains a NaN.
+  inline void emit_s128_set_if_nan(Register dst, DoubleRegister src,
+                                   Register tmp_gp, DoubleRegister tmp_fp,
+                                   ValueKind lane_kind);
  ////////////////////////////////////
  // End of platform-specific part. //
  ////////////////////////////////////

--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
--- a/src/wasm/baseline/x64/liftoff-assembler-x64.h
+++ b/src/wasm/baseline/x64/liftoff-assembler-x64.h
@@ -4371,6 +4371,22 @@ void LiftoffAssembler::emit_set_if_nan(Register dst, DoubleRegister src,
  bind(&ret);
 }
+void LiftoffAssembler::emit_s128_set_if_nan(Register dst, DoubleRegister src,
+                                            Register tmp_gp,
+                                            DoubleRegister tmp_fp,
+                                            ValueKind lane_kind) {
+  if (lane_kind == kF32) {
+    movaps(tmp_fp, src);
+    cmpunordps(tmp_fp, tmp_fp);
+  } else {
+    DCHECK_EQ(lane_kind, kF64);
+    movapd(tmp_fp, src);
+    cmpunordpd(tmp_fp, tmp_fp);
+  }
+  pmovmskb(tmp_gp, tmp_fp);
+  orl(Operand(dst, 0), tmp_gp);
+}
 void LiftoffStackSlots::Construct(int param_slots) {
  DCHECK_LT(0, slots_.size());
  SortInPushOrder();

--- a/test/cctest/wasm/test-liftoff-for-fuzzing.cc
+++ b/test/cctest/wasm/test-liftoff-for-fuzzing.cc
@@ -40,6 +40,36 @@ TEST(NondeterminismUnopF64) {
  CHECK(r.HasNondeterminism());
 }
+TEST(NondeterminismUnopF32x4) {
+  WasmRunner<int32_t, float> r(TestExecutionTier::kLiftoffForFuzzing);
+  byte value = 0;
+  BUILD(r,
+        WASM_SIMD_UNOP(kExprF32x4Ceil,
+                       WASM_SIMD_F32x4_SPLAT(WASM_LOCAL_GET(value))),
+        kExprDrop, WASM_ONE);
+  CHECK(!r.HasNondeterminism());
+  r.CheckCallViaJS(1, 0.0);
+  CHECK(!r.HasNondeterminism());
+  r.CheckCallViaJS(1, std::nanf(""));
+  CHECK(r.HasNondeterminism());
+}
+TEST(NondeterminismUnopF64x2) {
+  WasmRunner<int32_t, double> r(TestExecutionTier::kLiftoffForFuzzing);
+  byte value = 0;
+  BUILD(r,
+        WASM_SIMD_UNOP(kExprF64x2Ceil,
+                       WASM_SIMD_F64x2_SPLAT(WASM_LOCAL_GET(value))),
+        kExprDrop, WASM_ONE);
+  CHECK(!r.HasNondeterminism());
+  r.CheckCallViaJS(1, 0.0);
+  CHECK(!r.HasNondeterminism());
+  r.CheckCallViaJS(1, std::nan(""));
+  CHECK(r.HasNondeterminism());
+}
 TEST(NondeterminismBinop) {
  WasmRunner<float> r(TestExecutionTier::kLiftoffForFuzzing);