• [wasm][arm64] Fix crash on atomic cmpxchg with large offset · e1fff28b
    Seth Brenith authored
    Liftoff can currently run out of registers when compiling an atomic
    compare-exchange instruction. In order to see this crash, the following
    conditions must be met:
    
    - The offset in the instruction doesn't fit in a 12-bit immediate
    - Either FLAG_untrusted_code_mitigations is false, or trap handlers are
      enabled, so that AddMemoryMasking decides to do nothing
    
    The fix proposed in this CL is just to defer allocation of a temporary
    register until after CalculateActualAddress has finished, because it
    might have also needed a temporary register.
    
    Change-Id: I28225614dcdbe2bcc9e52208f1e806baac89c5f1
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2488840
    Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
    Reviewed-by: Andreas Haas <ahaas@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#70687}
Name
embenchen
OWNERS
adapter-frame.js
add-getters.js
anyfunc.js
asm-wasm-copy.js
asm-wasm-deopt.js
asm-wasm-exception-in-tonumber.js
asm-wasm-expr.js
asm-wasm-f32.js
asm-wasm-f64.js
asm-wasm-heap.js
asm-wasm-i32.js
asm-wasm-imports.js
asm-wasm-literals.js
asm-wasm-math-intrinsic.js
asm-wasm-memory.js
asm-wasm-names.js
asm-wasm-stack.js
asm-wasm-stdlib.js
asm-wasm-switch.js
asm-wasm-u32.js
asm-wasm.js
asm-with-wasm-off.js
async-compile.js
atomics-non-shared.js
atomics-stress.js
atomics.js
atomics64-stress.js
bigint-i64-to-imported-js-func.js
bigint.js
bounds-check-64bit.js
bounds-check-turbofan.js
bulk-memory.js
call-ref.js
calls.js
code-space-exhaustion.js
compare-exchange-stress.js
compare-exchange64-stress.js
compilation-hints-async-compilation.js
compilation-hints-decoder.js
compilation-hints-ignored.js
compilation-hints-lazy-validation.js
compilation-hints-streaming-compilation.js
compilation-hints-streaming-lazy-validation.js
compilation-hints-sync-compilation.js
compilation-limits-asm.js
compilation-limits.js
compiled-module-management.js
compiled-module-serialization.js
data-segments.js
disable-trap-handler.js
disallow-codegen.js
divrem-trap.js
empirical_max_memory.js
ensure-wasm-binaries-up-to-date.js
errors.js
exceptions-export.js
exceptions-externref.js
exceptions-global.js
exceptions-import.js
exceptions-rethrow.js
exceptions-shared.js
exceptions-simd.js
exceptions-utils.js
exceptions.js
export-global.js
export-identity.js
export-mutable-global.js
export-table.js
expose-wasm.js
externref-globals-liftoff.js
externref-globals.js
externref-liftoff.js
externref-table.js
externref.js
ffi-error.js
ffi.js
float-constant-folding.js
function-names.js
function-prototype.js
futex.js
gc-buffer.js
gc-frame.js
gc-memory.js
gc-stress.js
generic-wrapper.js
globals-import-export-identity.js
globals.js
graceful_shutdown.js
graceful_shutdown_during_tierup.js
grow-huge-memory.js
grow-memory-detaching.js
grow-memory-in-branch.js
grow-memory-in-call.js
grow-memory-in-loop.js
grow-memory.js
grow-shared-memory.js
huge-memory.js
huge-typedarray.js
import-function.js
import-memory.js
import-mutable-global.js
import-table.js
imported-function-types.js
incrementer.wasm
indirect-call-non-zero-table.js
indirect-calls.js
indirect-sig-mismatch.js
indirect-tables.js
instance-gc.js
instance-memory-gc-stress.js
instantiate-module-basic.js
instantiate-run-basic.js
js-api.js
large-offset.js
lazy-compilation.js
liftoff-simd-params.js
liftoff-trap-handler.js
liftoff.js
loop-rotation.js
many-modules.js
many-parameters.js
memory-external-call.js
memory-instance-validation.js
memory-size.js
memory.js
memory_1gb_oob.js
memory_2gb_oob.js
memory_4gb_oob.js
module-memory.js
multi-table-element-section.js
multi-value-simd.js
multi-value.js
multiple-code-spaces.js
mutable-globals.js
names.js
origin-trial-flags.js
parallel_compilation.js
params.js
print-code.js
receiver.js
reference-globals.js
reference-tables.js
return-calls.js
serialize-lazy-module.js
shared-arraybuffer-worker-simple-gc.js
shared-memory-gc-stress.js
shared-memory-worker-explicit-gc-stress.js
shared-memory-worker-gc-stress.js
shared-memory-worker-gc.js
shared-memory-worker-simple-gc.js
shared-memory-worker-stress.js
shared-memory.js
simd-call.js
simd-errors.js
simd-globals.js
stack.js
stackwalk.js
start-function.js
streaming-api.js
streaming-compile.js
streaming-error-position.js
streaming-trap-location.js
table-access.js
table-copy-externref.js
table-copy.js
table-fill.js
table-get.js
table-grow-from-wasm.js
table-grow.js
table-limits.js
table.js
test-wasm-module-builder.js
tier-down-to-liftoff.js
tier-up-testing-flag.js
trap-location.js
type-reflection-with-exnref.js
type-reflection-with-externref.js
type-reflection-with-mv.js
type-reflection.js
typed-funcref.js
unicode-validation.js
unicode.js
unreachable-validation.js
unreachable.js
user-properties-common.js
user-properties-constructed.js
user-properties-exported.js
user-properties-module.js
user-properties-reexport.js
verify-module-basic-errors.js
wasm-api-overloading.js
wasm-default.js
wasm-dynamic-tiering.js
wasm-math-intrinsic.js
wasm-module-builder.js
wasm-object-api.js
worker-memory.js
worker-module.js