v8/test/mjsunit/regress/wasm/regress-9017.js

// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --liftoff --nowasm-tier-up
//
// This test is intended to make Liftoff generate code that uses a very large
// stack frame, and then try to call another function (which would write to the
// stack pointer location). On Windows, large frames need extra code to touch
// every page in order, because the OS only leaves a small guard area for the
// stack, and trying to access past that area, even into memory that was
// intentionally reserved for this thread's stack, will crash the program.

load('test/mjsunit/wasm/wasm-module-builder.js');

var builder = new WasmModuleBuilder();

var func_idx = builder.addFunction('helper', kSig_i_v)
    .addLocals({i32_count: 1})
    .addBody([
        kExprI32Const, 0x01,
    ]).index;

var large_function_body = [];
const num_temporaries = 16 * 1024;
for (let i = 0; i < num_temporaries; ++i) {
  large_function_body.push(kExprCallFunction, func_idx);
}
for (let i = 1; i < num_temporaries; ++i) {
  large_function_body.push(kExprI32Add);
}

builder.addFunction('test', kSig_i_v)
    .addBody(large_function_body)
    .exportFunc();
var module = builder.instantiate();

assertEquals(num_temporaries, module.exports.test());
Touch guard pages when allocating stack frames On Windows, expanding the stack by more than 4 KB at a time can cause access violations. This change fixes a few known cases (and includes unit tests for those), and attempts to make stack expansion more consistent overall by using the AllocateStackSpace helper method everywhere we can, even when the offset is a small constant. On arm64, there was already a consistent method for stack pointer manipulation using the Claim and Drop methods, so Claim is updated to touch every page. Bug: v8:9017 Change-Id: I2dbbceeebbdefaf45803e9b621fe83f52234a395 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1570666 Commit-Queue: Seth Brenith <seth.brenith@microsoft.com> Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/master@{#61186} 2019-05-02 17:02:14 +00:00			`// Copyright 2019 the V8 project authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`
			`//`
			`// Flags: --liftoff --nowasm-tier-up`
			`//`
			`// This test is intended to make Liftoff generate code that uses a very large`
			`// stack frame, and then try to call another function (which would write to the`
			`// stack pointer location). On Windows, large frames need extra code to touch`
			`// every page in order, because the OS only leaves a small guard area for the`
			`// stack, and trying to access past that area, even into memory that was`
			`// intentionally reserved for this thread's stack, will crash the program.`

			`load('test/mjsunit/wasm/wasm-module-builder.js');`

			`var builder = new WasmModuleBuilder();`

			`var func_idx = builder.addFunction('helper', kSig_i_v)`
			`.addLocals({i32_count: 1})`
			`.addBody([`
			`kExprI32Const, 0x01,`
			`]).index;`

			`var large_function_body = [];`
			`const num_temporaries = 16 * 1024;`
			`for (let i = 0; i < num_temporaries; ++i) {`
			`large_function_body.push(kExprCallFunction, func_idx);`
			`}`
			`for (let i = 1; i < num_temporaries; ++i) {`
			`large_function_body.push(kExprI32Add);`
			`}`

			`builder.addFunction('test', kSig_i_v)`
			`.addBody(large_function_body)`
			`.exportFunc();`
			`var module = builder.instantiate();`

			`assertEquals(num_temporaries, module.exports.test());`