S390:[crankshaft] Sign-ext key before array access

The 'key' value being passed into an array access should be sign-extended on 64-bit platforms before being used to index into memory. Otherwise, garbage in the upper 32-bits may result in a segmentation fault. Minor fix to DoFlooringDivI to enforce 32-bit operations for calculation. R=jyan@ca.ibm.com,michael_dawson@ca.ibm.com,mbrandy@us.ibm.com BUG= Review URL: https://codereview.chromium.org/1822103002 Cr-Commit-Position: refs/heads/master@{#35000}

S390:[crankshaft] Sign-ext key before array access
The 'key' value being passed into an array access should be sign-extended on 64-bit platforms before being used to index into memory. Otherwise, garbage in the upper 32-bits may result in a segmentation fault. Minor fix to DoFlooringDivI to enforce 32-bit operations for calculation. R=jyan@ca.ibm.com,michael_dawson@ca.ibm.com,mbrandy@us.ibm.com BUG= Review URL: https://codereview.chromium.org/1822103002 Cr-Commit-Position: refs/heads/master@{#35000}
bdcefb9d · joransiu · Commit bot · f0d88f90 · bdcefb9d · bdcefb9d
Commit bdcefb9d authored Mar 22, 2016 by joransiu Committed by Commit bot Mar 22, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 2 deletions

lithium-codegen-s390.cc src/crankshaft/s390/lithium-codegen-s390.cc +17 -2

macro-assembler-s390.h src/s390/macro-assembler-s390.h +6 -0

No files found.
--- a/src/crankshaft/s390/lithium-codegen-s390.cc
+++ b/src/crankshaft/s390/lithium-codegen-s390.cc
@@ -1278,7 +1278,7 @@ void LCodeGen::DoFlooringDivI(LFlooringDivI* instr) {
  __ beq(&done, Label::kNear);

  // We performed a truncating division. Correct the result.
-  __ SubP(result, result, Operand(1));
+  __ Sub32(result, result, Operand(1));
  __ bind(&done);
 }

@@ -4226,7 +4226,22 @@ void LCodeGen::DoStoreKeyedFixedArray(LStoreKeyed* instr) {
    if (hinstr->key()->representation().IsSmi()) {
      __ SmiToPtrArrayOffset(scratch, key);
    } else {
-      __ ShiftLeftP(scratch, key, Operand(kPointerSizeLog2));
+      if (instr->hydrogen()->IsDehoisted()) {
+#if V8_TARGET_ARCH_S390X
+        // If array access is dehoisted, the key, being an int32, can contain
+        // a negative value, as needs to be sign-extended to 64-bit for
+        // memory access.
+        __ lgfr(key, key);
+#endif
+        __ ShiftLeftP(scratch, key, Operand(kPointerSizeLog2));
+      } else {
+        // Small optimization to reduce pathlength.  After Bounds Check,
+        // the key is guaranteed to be non-negative.  Leverage RISBG,
+        // which also performs zero-extension.
+        __ risbg(scratch, key, Operand(32 - kPointerSizeLog2),
+                 Operand(63 - kPointerSizeLog2), Operand(kPointerSizeLog2),
+                 true);
+      }
    }
  }


--- a/src/s390/macro-assembler-s390.h
+++ b/src/s390/macro-assembler-s390.h
@@ -1588,6 +1588,12 @@ class MacroAssembler : public Assembler {
    if (isSmi) {
      SmiToArrayOffset(dst, src, elementSizeLog2);
    } else {
+#if V8_TARGET_ARCH_S390X
+      // src (key) is a 32-bit integer.  Sign extension ensures
+      // upper 32-bit does not contain garbage before being used to
+      // reference memory.
+      lgfr(src, src);
+#endif
      ShiftLeftP(dst, src, Operand(elementSizeLog2));
    }
  }