[maglev] Fix CheckJSDataViewBounds clobbered argument

If the register allocator assigns kJavaScriptCallArgCountRegister to {object}, we were clobbering the object, before pushing it to the stack. Additionally, we use PushReverse instead of Push to indicate that kDataViewPrototypeGetByteLength has a JS call convention (arguments are reversed). This is a no-op for x64, but it guarantees the correct order of the padding in arm64. Fixed: chromium:1406456 Bug: v8:7700, v8:13645 Change-Id: Ia9126ff5315ab4ab08ae733f138a1e0cb2d021a2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4156053 Auto-Submit: Victor Gomes <victorgomes@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/main@{#85227}
2023-01-11 15:07:45 +01:00 · 2023-01-11 15:07:45 +01:00 · 169bdfe408
commit 169bdfe408
parent 8dd716db16
3 changed files with 19 additions and 2 deletions
--- a/src/maglev/arm64/maglev-ir-arm64.cc
+++ b/src/maglev/arm64/maglev-ir-arm64.cc
@ -1438,9 +1438,9 @@ void CheckJSDataViewBounds::GenerateCode(MaglevAssembler* masm,
          // TODO(v8:7700): Inline DataViewPrototypeGetByteLength or create a
          // different builtin that does not re-check the DataView object.
          SaveRegisterStateForCall save_register_state(masm, snapshot);
+          __ PushReverse(object);
          __ Mov(kContextRegister, masm->native_context().object());
          __ Mov(kJavaScriptCallArgCountRegister, 1);
-          __ Push(object);
          __ CallBuiltin(Builtin::kDataViewPrototypeGetByteLength);
        }
        __ SmiUntag(byte_length, kReturnRegister0);
--- a/src/maglev/x64/maglev-ir-x64.cc
+++ b/src/maglev/x64/maglev-ir-x64.cc
@ -536,9 +536,9 @@ void CheckJSDataViewBounds::GenerateCode(MaglevAssembler* masm,
          // TODO(v8:7700): Inline DataViewPrototypeGetByteLength or create a
          // different builtin that does not re-check the DataView object.
          SaveRegisterStateForCall save_register_state(masm, snapshot);
+          __ PushReverse(object);
          __ Move(kContextRegister, masm->native_context().object());
          __ Move(kJavaScriptCallArgCountRegister, 1);
-          __ Push(object);
          __ CallBuiltin(Builtin::kDataViewPrototypeGetByteLength);
        }
        __ SmiUntag(byte_length, kReturnRegister0);
--- a/test/mjsunit/maglev/regress-1406456.js
+++ b/test/mjsunit/maglev/regress-1406456.js
@ -0,0 +1,17 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --maglev --harmony-rab-gsab
+
+function foo() {
+    const buffer = new SharedArrayBuffer(1395, {
+        "maxByteLength": 2110270,
+    });
+    const data = new DataView(buffer);
+    data.setInt16();
+}
+%PrepareFunctionForOptimization(foo);
+foo();
+%OptimizeMaglevOnNextCall(foo);
+foo();