[wasm-gc][arm] Fix call_direct feedback collection

...for very large feedback vector indices. Fixed: v8:13118 Change-Id: I38f1507ffe29e63ae58fd6436dffec7d0d610f95 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3791247 Reviewed-by: Andreas Haas <ahaas@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#82110}
2022-07-29 17:03:18 +02:00 · 2022-07-29 17:03:18 +02:00 · 32217caa20
commit 32217caa20
parent d15d49b09d
4 changed files with 31 additions and 0 deletions
--- a/src/wasm/baseline/arm/liftoff-assembler-arm.h
+++ b/src/wasm/baseline/arm/liftoff-assembler-arm.h
@ -1906,6 +1906,16 @@ bool LiftoffAssembler::emit_i64_popcnt(LiftoffRegister dst,
 }

 void LiftoffAssembler::IncrementSmi(LiftoffRegister dst, int offset) {
+  if (!is_int12(offset)) {
+    // For large offsets, ldr/str will need a scratch register, but we need
+    // the single available scratch register here. So fold the offset into the
+    // base address.
+    // Note: if we ever want to use this function for callers that don't want
+    // {dst} to get clobbered, we could spill it to the stack and restore it
+    // later.
+    add(dst.gp(), dst.gp(), Operand(offset));
+    offset = 0;
+  }
  UseScratchRegisterScope temps(this);
  Register scratch = temps.Acquire();
  ldr(scratch, MemOperand(dst.gp(), offset));
--- a/src/wasm/baseline/liftoff-assembler.h
+++ b/src/wasm/baseline/liftoff-assembler.h
@ -803,6 +803,7 @@ class LiftoffAssembler : public TurboAssembler {
      emit_i32_sari(dst.gp(), dst.gp(), kSmiTagSize);
    }
  }
+  // Warning: may clobber {dst} on some architectures!
  inline void IncrementSmi(LiftoffRegister dst, int offset);
  inline void Load(LiftoffRegister dst, Register src_addr, Register offset_reg,
                   uintptr_t offset_imm, LoadType type,
--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@ -7023,6 +7023,7 @@ class LiftoffCompiler {
        __ IncrementSmi(vector,
                        wasm::ObjectAccess::ElementOffsetInTaggedFixedArray(
                            static_cast<int>(vector_slot)));
+        // Warning: {vector} may be clobbered by {IncrementSmi}!
      }
      // A direct call within this module just gets the current instance.
      __ PrepareCall(&sig, call_descriptor);
--- a/test/mjsunit/regress/wasm/regress-13118.js
+++ b/test/mjsunit/regress/wasm/regress-13118.js
@ -0,0 +1,19 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
+
+let builder = new WasmModuleBuilder();
+
+let callee = builder.addFunction('callee', kSig_v_v).addBody([kExprNop]);
+
+let body = [];
+for (let i = 0; i < 600; i++) {
+  body.push(kExprCallFunction, callee.index);
+}
+
+builder.addFunction('main', kSig_v_v).exportFunc().addBody(body);
+
+let instance = builder.instantiate();
+instance.exports.main();