Skip to content

Commit

Permalink
deps: V8: cherry-pick 56fe020eec0c
Browse files Browse the repository at this point in the history
Original commit message:

    [wasm][arm64] Always zero-extend 32 bit offsets, for realz

    We've already been zero-extending 32-bit offset registers since
    https://chromium-review.googlesource.com/c/v8/v8/+/2917612,
    but that patch only covered the case where offset_imm == 0.
    When there is a non-zero offset, we need the same fix.

    Bug: chromium:1224882,v8:11809
    Change-Id: I1908f735929798f411346807fc4f3c79d8e04362
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2998582
    Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
    Reviewed-by: Clemens Backes <clemensb@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#75500}

Refs: v8/v8@56fe020

Fixes: #39327

PR-URL: #39337
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information
targos authored and BethGriggs committed Jul 29, 2021
1 parent 2393fae commit e6b84df
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 9 deletions.
2 changes: 1 addition & 1 deletion common.gypi
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@

# Reset this number to 0 on major V8 upgrades.
# Increment by one for each non-official patch applied to deps/v8.
'v8_embedder_string': '-node.14',
'v8_embedder_string': '-node.15',

##### V8 defaults for Node.js #####

Expand Down
12 changes: 9 additions & 3 deletions deps/v8/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
Original file line number Diff line number Diff line change
Expand Up @@ -133,10 +133,16 @@ inline MemOperand GetMemOp(LiftoffAssembler* assm,
return i64_offset ? MemOperand(addr.X(), offset.X())
: MemOperand(addr.X(), offset.W(), UXTW);
}
Register tmp = temps->AcquireX();
DCHECK_GE(kMaxUInt32, offset_imm);
assm->Add(tmp, offset.X(), offset_imm);
return MemOperand(addr.X(), tmp);
if (i64_offset) {
Register tmp = temps->AcquireX();
assm->Add(tmp, offset.X(), offset_imm);
return MemOperand(addr.X(), tmp);
} else {
Register tmp = temps->AcquireW();
assm->Add(tmp, offset.W(), offset_imm);
return MemOperand(addr.X(), tmp, UXTW);
}
}
return MemOperand(addr.X(), offset_imm);
}
Expand Down
16 changes: 11 additions & 5 deletions deps/v8/test/mjsunit/regress/wasm/regress-11809.js
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,12 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --enable-testing-opcode-in-wasm --nowasm-tier-up --wasm-tier-mask-for-testing=2
// Flags: --enable-testing-opcode-in-wasm --nowasm-tier-up
// Flags: --wasm-tier-mask-for-testing=2

load("test/mjsunit/wasm/wasm-module-builder.js");

var instance = (function () {
function InstanceMaker(offset) {
var builder = new WasmModuleBuilder();
builder.addMemory(1, 1, false /* exported */);

Expand All @@ -24,7 +25,7 @@ var instance = (function () {
var two = builder.addFunction("two", kSig_v_i);
var three = builder.addFunction("three", sig_three).addBody([]);

zero.addBody([kExprLocalGet, 0, kExprI32LoadMem, 0, 0]);
zero.addBody([kExprLocalGet, 0, kExprI32LoadMem, 0, offset]);

one.addBody([
kExprLocalGet, 7,
Expand Down Expand Up @@ -53,6 +54,11 @@ var instance = (function () {
]).exportFunc();

return builder.instantiate({});
})();
}

instance.exports.two()
var instance = InstanceMaker(0);
instance.exports.two();

// Regression test for crbug.com/1224882.
var instance_with_offset = InstanceMaker(4);
instance_with_offset.exports.two();

0 comments on commit e6b84df

Please sign in to comment.