[turbofan] Fix unsafe out-of-bounds check for checked loads/stores.

BUG=chromium:443744
LOG=y
TEST=mjsunit/compiler/regress-443744
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/804993004

Cr-Commit-Position: refs/heads/master@{#25901}

src/compiler/arm64/code-generator-arm64.cc

@@ -176,9 +176,9 @@ class Arm64OperandConverter FINAL : public InstructionOperandConverter {
 
 namespace {
 
-class OutOfLineLoadFloat32 FINAL : public OutOfLineCode {
+class OutOfLineLoadNaN32 FINAL : public OutOfLineCode {
  public:
-  OutOfLineLoadFloat32(CodeGenerator* gen, DoubleRegister result)
+  OutOfLineLoadNaN32(CodeGenerator* gen, DoubleRegister result)
       : OutOfLineCode(gen), result_(result) {}
 
   void Generate() FINAL {
@@ -190,9 +190,9 @@ class OutOfLineLoadFloat32 FINAL : public OutOfLineCode {
 };
 
 
-class OutOfLineLoadFloat64 FINAL : public OutOfLineCode {
+class OutOfLineLoadNaN64 FINAL : public OutOfLineCode {
  public:
-  OutOfLineLoadFloat64(CodeGenerator* gen, DoubleRegister result)
+  OutOfLineLoadNaN64(CodeGenerator* gen, DoubleRegister result)
       : OutOfLineCode(gen), result_(result) {}
 
   void Generate() FINAL {
@@ -204,9 +204,9 @@ class OutOfLineLoadFloat64 FINAL : public OutOfLineCode {
 };
 
 
-class OutOfLineLoadInteger FINAL : public OutOfLineCode {
+class OutOfLineLoadZero FINAL : public OutOfLineCode {
  public:
-  OutOfLineLoadInteger(CodeGenerator* gen, Register result)
+  OutOfLineLoadZero(CodeGenerator* gen, Register result)
       : OutOfLineCode(gen), result_(result) {}
 
   void Generate() FINAL { __ Mov(result_, 0); }
@@ -218,53 +218,59 @@ class OutOfLineLoadInteger FINAL : public OutOfLineCode {
 }  // namespace
 
 
-#define ASSEMBLE_CHECKED_LOAD_FLOAT(width)                           \
-  do {                                                               \
-    auto result = i.OutputFloat##width##Register();                  \
-    auto offset = i.InputRegister32(0);                              \
-    auto length = i.InputOperand32(1);                               \
-    __ Cmp(offset, length);                                          \
-    auto ool = new (zone()) OutOfLineLoadFloat##width(this, result); \
-    __ B(hs, ool->entry());                                          \
-    __ Ldr(result, i.MemoryOperand(2));                              \
-    __ Bind(ool->exit());                                            \
+#define ASSEMBLE_CHECKED_LOAD_FLOAT(width)                         \
+  do {                                                             \
+    auto result = i.OutputFloat##width##Register();                \
+    auto buffer = i.InputRegister(0);                              \
+    auto offset = i.InputRegister32(1);                            \
+    auto length = i.InputOperand32(2);                             \
+    __ Cmp(offset, length);                                        \
+    auto ool = new (zone()) OutOfLineLoadNaN##width(this, result); \
+    __ B(hs, ool->entry());                                        \
+    __ Ldr(result, MemOperand(buffer, offset, UXTW));              \
+    __ Bind(ool->exit());                                          \
   } while (0)
 
 
-#define ASSEMBLE_CHECKED_LOAD_INTEGER(asm_instr)                \
-  do {                                                          \
-    auto result = i.OutputRegister32();                         \
-    auto offset = i.InputRegister32(0);                         \
-    auto length = i.InputOperand32(1);                          \
-    __ Cmp(offset, length);                                     \
-    auto ool = new (zone()) OutOfLineLoadInteger(this, result); \
-    __ B(hs, ool->entry());                                     \
-    __ asm_instr(result, i.MemoryOperand(2));                   \
-    __ Bind(ool->exit());                                       \
+#define ASSEMBLE_CHECKED_LOAD_INTEGER(asm_instr)             \
+  do {                                                       \
+    auto result = i.OutputRegister32();                      \
+    auto buffer = i.InputRegister(0);                        \
+    auto offset = i.InputRegister32(1);                      \
+    auto length = i.InputOperand32(2);                       \
+    __ Cmp(offset, length);                                  \
+    auto ool = new (zone()) OutOfLineLoadZero(this, result); \
+    __ B(hs, ool->entry());                                  \
+    __ asm_instr(result, MemOperand(buffer, offset, UXTW));  \
+    __ Bind(ool->exit());                                    \
   } while (0)
 
 
-#define ASSEMBLE_CHECKED_STORE_FLOAT(width)                       \
-  do {                                                            \
-    auto offset = i.InputRegister32(0);                           \
-    auto length = i.InputOperand32(1);                            \
-    __ Cmp(offset, length);                                       \
-    Label done;                                                   \
-    __ B(hs, &done);                                              \
-    __ Str(i.InputFloat##width##Register(2), i.MemoryOperand(3)); \
-    __ Bind(&done);                                               \
+#define ASSEMBLE_CHECKED_STORE_FLOAT(width)          \
+  do {                                               \
+    auto buffer = i.InputRegister(0);                \
+    auto offset = i.InputRegister32(1);              \
+    auto length = i.InputOperand32(2);               \
+    auto value = i.InputFloat##width##Register(3);   \
+    __ Cmp(offset, length);                          \
+    Label done;                                      \
+    __ B(hs, &done);                                 \
+    __ Str(value, MemOperand(buffer, offset, UXTW)); \
+    __ Bind(&done);                                  \
   } while (0)
 
 
-#define ASSEMBLE_CHECKED_STORE_INTEGER(asm_instr)           \
-  do {                                                      \
-    auto offset = i.InputRegister32(0);                     \
-    auto length = i.InputOperand32(1);                      \
-    __ Cmp(offset, length);                                 \
-    Label done;                                             \
-    __ B(hs, &done);                                        \
-    __ asm_instr(i.InputRegister32(2), i.MemoryOperand(3)); \
-    __ Bind(&done);                                         \
+#define ASSEMBLE_CHECKED_STORE_INTEGER(asm_instr)          \
+  do {                                                     \
+    auto buffer = i.InputRegister(0);                      \
+    auto offset = i.InputRegister32(1);                    \
+    auto length = i.InputOperand32(2);                     \
+    auto value = i.InputRegister32(3);                     \
+    __ Cmp(offset, length);                                \
+    Label done;                                            \
+    __ B(hs, &done);                                       \
+    __ asm_instr(value, MemOperand(buffer, offset, UXTW)); \
+    __ Bind(&done);                                        \
   } while (0)
 
 

src/compiler/arm64/instruction-selector-arm64.cc

@@ -390,10 +390,8 @@ void InstructionSelector::VisitCheckedLoad(Node* node) {
       UNREACHABLE();
       return;
   }
-  InstructionOperand* offset_operand = g.UseRegister(offset);
-  Emit(opcode | AddressingModeField::encode(kMode_MRR),
-       g.DefineAsRegister(node), offset_operand, g.UseRegister(length),
-       g.UseRegister(buffer), offset_operand);
+  Emit(opcode, g.DefineAsRegister(node), g.UseRegister(buffer),
+       g.UseRegister(offset), g.UseOperand(length, kArithmeticImm));
 }
 
 
@@ -425,10 +423,8 @@ void InstructionSelector::VisitCheckedStore(Node* node) {
       UNREACHABLE();
       return;
   }
-  InstructionOperand* offset_operand = g.UseRegister(offset);
-  Emit(opcode | AddressingModeField::encode(kMode_MRR), nullptr, offset_operand,
-       g.UseRegister(length), g.UseRegister(value), g.UseRegister(buffer),
-       offset_operand);
+  Emit(opcode, nullptr, g.UseRegister(buffer), g.UseRegister(offset),
+       g.UseOperand(length, kArithmeticImm), g.UseRegister(value));
 }
 
 

test/mjsunit/compiler/regress-443744.js

+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var m = (function(stdlib, foreign, heap) {
+  "use asm";
+  var MEM = new stdlib.Uint8Array(heap);
+  function f(x) {
+    x = x | 0;
+    MEM[x] = 0;
+  }
+  return {f: f};
+})(this, {}, new ArrayBuffer(1));
+m.f(-926416896 * 32 * 1024);