-
Andreas Haas authored
This CL fixes a bug in the code generation for I32AtomicCompareExchange in Liftoff on ia32. The problem is the inconsistency that LiftoffAssembler::PeekToRegister(...) introduces to the cache state. PeekToRegister loads the value from the value stack into a register, but does not pop the value off the stack. When the value was already stored in a register, the use counter of that register gets decreased, even though the value is still on the stack. The problem arises when this register later gets reused, which is necessary unfortunately on ia32. When SpillRegister is called for this register, all stack values that are stored in this register get written to memory. SpillRegister uses the use counter of the register to detect when the register was spilled to all stack slots that were cached by this register. However, as described above, the value stack and the use counter are inconsistent at that moment, so SpillRegister finishes early and does not spill the register to all stack values, and this causes the bug later. With this CL the decrement of the use counter gets delayed until when the value actually gets popped off the stack. R=clemensb@chromium.org Bug: chromium:1145135 Change-Id: I07cb256a7e5135dbce41b246c120650635ad2758 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2602464Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#72018}
48ead1a8
Name |
Last commit
|
Last update |
---|---|---|
.. | ||
benchmarks | ||
cctest | ||
common | ||
debugger | ||
debugging | ||
fuzzer | ||
fuzzilli | ||
inspector | ||
intl | ||
js-perf-test | ||
memory | ||
message | ||
mjsunit | ||
mkgrokdump | ||
mozilla | ||
test262 | ||
torque | ||
unittests | ||
wasm-api-tests | ||
wasm-js | ||
wasm-spec-tests | ||
webkit | ||
BUILD.gn | ||
OWNERS |