[turbofan][arm64] The input count for selects is not fixed

The existing code assumes that the number of inputs is fixed to 4.
However, the fuzzer says that at least 5 inputs are also possible.
This CL makes the number of inputs more flexible.

CC=sam.parker@arm.com

Bug: chromium:1197393
Change-Id: I487ac96570b96f04b4d0a47065e7b383ba39016f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821435Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73917}

src/compiler/backend/arm64/code-generator-arm64.cc

@@ -2985,14 +2985,20 @@ void CodeGenerator::AssembleArchSelect(Instruction* instr,
   MachineRepresentation rep =
     LocationOperand::cast(instr->OutputAt(0))->representation();
   Condition cc = FlagsConditionToCondition(condition);
-  DCHECK_EQ(instr->InputCount(), 4);
+  // We don't now how many inputs were consumed by the condition, so we have to
+  // calculate the indices of the last two inputs.
+  DCHECK_GE(instr->InputCount(), 2);
+  size_t true_value_index = instr->InputCount() - 2;
+  size_t false_value_index = instr->InputCount() - 1;
   if (rep == MachineRepresentation::kFloat32) {
-    __ Fcsel(i.OutputFloat32Register(), i.InputFloat32Register(2),
-             i.InputFloat32Register(3), cc);
+    __ Fcsel(i.OutputFloat32Register(),
+             i.InputFloat32Register(true_value_index),
+             i.InputFloat32Register(false_value_index), cc);
   } else {
     DCHECK_EQ(rep, MachineRepresentation::kFloat64);
-    __ Fcsel(i.OutputFloat64Register(), i.InputFloat64Register(2),
-             i.InputFloat64Register(3), cc);
+    __ Fcsel(i.OutputFloat64Register(),
+             i.InputFloat64Register(true_value_index),
+             i.InputFloat64Register(false_value_index), cc);
   }
 }
 

src/compiler/backend/arm64/instruction-selector-arm64.cc

@@ -452,7 +452,7 @@ void VisitBinop(InstructionSelector* selector, Node* node,
                 InstructionCode opcode, ImmediateMode operand_mode,
                 FlagsContinuation* cont) {
   Arm64OperandGenerator g(selector);
-  InstructionOperand inputs[4];
+  InstructionOperand inputs[5];
   size_t input_count = 0;
   InstructionOperand outputs[1];
   size_t output_count = 0;

test/mjsunit/regress/wasm/regress-1197393.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-staging
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addType(makeSig([kWasmI32, kWasmI64, kWasmF64, kWasmI64], []));
+builder.addType(makeSig([kWasmF64], [kWasmF64]));
+// Generate function 1 (out of 2).
+builder.addFunction(undefined, 0 /* sig */)
+  .addBodyWithEnd([
+// signature: v_ildl
+// body:
+kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x3f,  // f64.const
+kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x3f,  // f64.const
+kExprLocalGet, 0x00,  // local.get
+kExprI32Const, 0x82, 0x7f,  // i32.const
+kExprI32DivS,  // i32.div_s
+kExprSelect,  // select
+kExprCallFunction, 0x01,  // call function #1: d_d
+kExprDrop,  // drop
+kExprEnd,  // end @29
+]);
+// Generate function 2 (out of 2).
+builder.addFunction(undefined, 1 /* sig */)
+  .addBodyWithEnd([
+// signature: d_d
+// body:
+kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf0, 0x3f,  // f64.const
+kExprEnd,  // end @10
+]);
+const instance = builder.instantiate();