[wasm][liftoff] Fix multi-return regalloc issue

R=ahaas@chromium.org Bug: chromium:1294384 Change-Id: Iaf20d01b00966ef3dc0c8b38f520663b8ca75f8b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451715Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#79027}

[wasm][liftoff] Fix multi-return regalloc issue
R=ahaas@chromium.org Bug: chromium:1294384 Change-Id: Iaf20d01b00966ef3dc0c8b38f520663b8ca75f8b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451715Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#79027}
eee88ca0 · Thibaud Michaud · V8 LUCI CQ · cf7234cc · eee88ca0 · eee88ca0
Commit eee88ca0 authored Feb 10, 2022 by Thibaud Michaud Committed by V8 LUCI CQ Feb 10, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 98 additions and 0 deletions

liftoff-assembler.cc src/wasm/baseline/liftoff-assembler.cc +7 -0

regress-1294384.js test/mjsunit/regress/wasm/regress-1294384.js +91 -0

No files found.
--- a/src/wasm/baseline/liftoff-assembler.cc
+++ b/src/wasm/baseline/liftoff-assembler.cc
@@ -1160,6 +1160,12 @@ void LiftoffAssembler::MoveToReturnLocations(
  }

  // Slow path for multi-return.
+  // We sometimes allocate a register to perform stack-to-stack moves, which can
+  // cause a spill in the cache state. Conservatively save and restore the
+  // original state in case it is needed after the current instruction
+  // (conditional branch).
+  CacheState saved_state;
+  saved_state.Split(*cache_state());
  int call_desc_return_idx = 0;
  DCHECK_LE(sig->return_count(), cache_state_.stack_height());
  VarState* slots = cache_state_.stack_state.end() - sig->return_count();
@@ -1210,6 +1216,7 @@ void LiftoffAssembler::MoveToReturnLocations(
      }
    }
  }
+  cache_state()->Steal(saved_state);
 }

 #ifdef ENABLE_SLOW_DCHECKS

--- a/test/mjsunit/regress/wasm/regress-1294384.js
+++ b/test/mjsunit/regress/wasm/regress-1294384.js
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-staging --experimental-wasm-gc
+
+d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addType(makeSig([], [kWasmI32]));
+builder.addType(makeSig([kWasmF64, kWasmF32, kWasmF32, kWasmF32,
+                         kWasmF32, kWasmF64, kWasmF64],
+                        [kWasmF32, kWasmF32, kWasmF32, kWasmF32, kWasmF32,
+                         kWasmF32, kWasmF32, kWasmF32, kWasmF32, kWasmF32]));
+
+// Generate function 1 (out of 2).
+// signature: i_iii
+builder.addFunction(undefined, 0 /* sig */)
+  .addBody([
+    // body:
+    kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  // f64.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  // f64.const
+    kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  // f64.const
+    kExprCallFunction, 0x01,
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprI32SConvertF32]);  // i32.trunc_f32_s
+
+// Generate function 2 (out of 2).
+builder.addFunction(undefined, 1 /* sig */)
+  .addBody([
+    // body:
+    kExprF32Const, 0x04, 0x04, 0x05, 0x04,  // f32.const
+    kExprLoop, 0x40,  // loop @24
+      kExprEnd,  // end @26
+    kExprF32Ceil,  // f32.ceil
+    kExprF32Const, 0x08, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprI32Const, 0x00,  // i32.const
+    kExprBrIf, 0x00,  // br_if depth=0
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprDrop,  // drop
+    kExprF32Ceil,  // f32.ceil
+    kExprF32Ceil,  // f32.ceil
+    kExprF32Const, 0xed, 0xed, 0xed, 0xed,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x65, 0x73, 0x61, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+    kExprI64Const, 0x00,  // i64.const
+    kExprF32SConvertI64]);  // f32.convert_i64_s
+
+builder.addExport('main', 0);
+const instance = builder.instantiate();
+assertEquals(1, instance.exports.main());