[Liftoff] Fix corner case of register moves

If we have both f32 and f64 locals, we use the same register to hold their zero value. On stack transfers, we might thus encounter the same fp register with both the f32 and f64 type. Explicitly allow that case to happen. R=ahaas@chromium.org Bug: chromium:918917, v8:6600 Change-Id: I6937008d38853fe2bdccd9715e1a2499cf6bf7c6 Reviewed-on: https://chromium-review.googlesource.com/c/1398225Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#58623}

[Liftoff] Fix corner case of register moves
If we have both f32 and f64 locals, we use the same register to hold their zero value. On stack transfers, we might thus encounter the same fp register with both the f32 and f64 type. Explicitly allow that case to happen. R=ahaas@chromium.org Bug: chromium:918917, v8:6600 Change-Id: I6937008d38853fe2bdccd9715e1a2499cf6bf7c6 Reviewed-on: https://chromium-review.googlesource.com/c/1398225Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#58623}
f1fb7bca · Clemens Hammacher · Commit Bot · 69cd3052 · f1fb7bca · f1fb7bca
Commit f1fb7bca authored Jan 08, 2019 by Clemens Hammacher Committed by Commit Bot Jan 08, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 7 deletions

liftoff-assembler.cc src/wasm/baseline/liftoff-assembler.cc +7 -7

regress-918917.js test/mjsunit/regress/wasm/regress-918917.js +22 -0

No files found.
--- a/src/wasm/baseline/liftoff-assembler.cc
+++ b/src/wasm/baseline/liftoff-assembler.cc
@@ -170,7 +170,13 @@ class StackTransferRecipe {
      return;
    }
    if (move_dst_regs_.has(dst)) {
-      DCHECK(HasRegisterMove(dst, src, type));
+      DCHECK_EQ(register_move(dst)->src, src);
+      // Non-fp registers can only occur with the exact same type.
+      DCHECK_IMPLIES(!dst.is_fp(), register_move(dst)->type == type);
+      // It can happen that one fp register holds both the f32 zero and the f64
+      // zero, as the initial value for local variables. Move the value as f64
+      // in that case.
+      if (type == kWasmF64) register_move(dst)->type = kWasmF64;
      return;
    }
    move_dst_regs_.set(dst);
@@ -245,12 +251,6 @@ class StackTransferRecipe {
    return src_reg_use_count_ + reg.liftoff_code();
  }

-  bool HasRegisterMove(LiftoffRegister dst, LiftoffRegister src,
-                       ValueType type) {
-    return move_dst_regs_.has(dst) && register_move(dst)->src == src &&
-           register_move(dst)->type == type;
-  }
-
  void ExecuteMove(LiftoffRegister dst) {
    RegisterMove* move = register_move(dst);
    DCHECK_EQ(0, *src_reg_use_count(dst));

--- a/test/mjsunit/regress/wasm/regress-918917.js
+++ b/test/mjsunit/regress/wasm/regress-918917.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addFunction(undefined, kSig_v_v)
+  .addLocals({i32_count: 1}).addLocals({f32_count: 1}).addLocals({f64_count: 1})
+  .addBody([
+kExprGetLocal, 1,
+kExprGetLocal, 2,
+kExprGetLocal, 0,
+kExprIf, kWasmI32,
+  kExprI32Const, 1,
+kExprElse,
+  kExprUnreachable,
+  kExprEnd,
+kExprUnreachable
+]);
+builder.instantiate();