[wasm] Don't overwrite register in atomic.notify if it is still used

In atomic.notify we overwrote the register which stored the index, without checking if it was still in use or not. R=clemensb@chromium.org Bug: v8:10898 Change-Id: I59ed7a2c1f1342ff4252e3c4d33822111caee82c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2426616 Reviewed-by: Clemens Backes <clemensb@chromium.org> Commit-Queue: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/master@{#70125}
2020-09-24 19:57:04 +02:00 · 2020-09-24 19:57:04 +02:00 · 4af3a33327
commit 4af3a33327
parent b728ad817e
2 changed files with 53 additions and 2 deletions
--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@ -3307,7 +3307,14 @@ class LiftoffCompiler {

    uint32_t offset = imm.offset;
    index = AddMemoryMasking(index, &offset, &pinned);
-    if (offset) __ emit_i32_addi(index, index, offset);
+    Register index_plus_offset = index;
+    if (offset) {
+      if (__ cache_state()->is_used(LiftoffRegister(index))) {
+        index_plus_offset =
+            pinned.set(__ GetUnusedRegister(kGpReg, pinned)).gp();
+      }
+      __ emit_i32_addi(index_plus_offset, index, offset);
+    }

    // TODO(ahaas): Use PrepareCall to prepare parameters.
    __ SpillAllRegisters();
@ -3316,7 +3323,7 @@ class LiftoffCompiler {
    DCHECK_EQ(0, descriptor.GetStackParameterCount());
    DCHECK_EQ(2, descriptor.GetRegisterParameterCount());
    __ ParallelRegisterMove(
-        {{descriptor.GetRegisterParameter(0), index, kWasmI32},
+        {{descriptor.GetRegisterParameter(0), index_plus_offset, kWasmI32},
         {descriptor.GetRegisterParameter(1), count, kWasmI32}});

    __ CallRuntimeStub(WasmCode::kWasmAtomicNotify);
--- a/test/mjsunit/regress/wasm/regress-10898.js
+++ b/test/mjsunit/regress/wasm/regress-10898.js
@ -0,0 +1,44 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-staging
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(1, 1, false, true);
+builder.addDataSegment(2, [0x12, 0x00, 0x1c]);
+builder.addDataSegment(17,
+    [0x00, 0x00, 0x96, 0x00, 0x00, 0x00, 0xc2, 0x00, 0xb33, 0x03, 0xf6, 0x0e]);
+builder.addDataSegment(41,
+    [0x00, 0xdb, 0xa6, 0xa6, 0x00, 0xe9, 0x1c, 0x06, 0xac]);
+builder.addDataSegment(57, [0x00, 0x00, 0x00, 0x00, 0xda, 0xc0, 0xbe]);
+builder.addType(makeSig([kWasmI32], [kWasmI32]));
+builder.addType(makeSig([kWasmF32], [kWasmF32]));
+builder.addType(makeSig([kWasmF64], [kWasmF64]));
+// Generate function 1 (out of 3).
+builder.addFunction(undefined, 0 /* sig */)
+  .addBodyWithEnd([
+// signature: i_i
+// body:
+kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+kExprF32Const, 0x00, 0x00, 0x00, 0x00,  // f32.const
+kExprF32Le,  // f32.le
+kExprLocalTee, 0x00,  // local.tee
+kExprI32Const, 0xff, 0x00,  // i32.const
+kAtomicPrefix, kExprAtomicNotify, 0x02, 0x03,  // atomic.notify
+kExprI32LoadMem16S, 0x00, 0x02,  // i32.load16_s
+kExprIf, kWasmStmt,  // if @28
+  kExprLocalGet, 0x00,  // local.get
+  kExprReturn,  // return
+kExprElse,  // else @33
+  kExprUnreachable,  // unreachable
+  kExprEnd,  // end @35
+kExprUnreachable,  // unreachable
+kExprEnd,  // end @37
+]);
+builder.addExport('func_194', 0);
+let instance = builder.instantiate();
+
+assertEquals(1, instance.exports.func_194(0));