[wasm][arm64] Always zero-extend 32 bit offsets, for realz

We've already been zero-extending 32-bit offset registers since https://chromium-review.googlesource.com/c/v8/v8/+/2917612, but that patch only covered the case where offset_imm == 0. When there is a non-zero offset, we need the same fix. Bug: chromium:1224882,v8:11809 Change-Id: I1908f735929798f411346807fc4f3c79d8e04362 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2998582 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#75500}
2021-06-30 21:18:48 +02:00 · 2021-06-30 21:18:48 +02:00 · 56fe020eec
commit 56fe020eec
parent fa58f8ef0f
2 changed files with 20 additions and 8 deletions
--- a/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
+++ b/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
@ -133,10 +133,16 @@ inline MemOperand GetMemOp(LiftoffAssembler* assm,
      return i64_offset ? MemOperand(addr.X(), offset.X())
                        : MemOperand(addr.X(), offset.W(), UXTW);
    }
-    Register tmp = temps->AcquireX();
    DCHECK_GE(kMaxUInt32, offset_imm);
-    assm->Add(tmp, offset.X(), offset_imm);
-    return MemOperand(addr.X(), tmp);
+    if (i64_offset) {
+      Register tmp = temps->AcquireX();
+      assm->Add(tmp, offset.X(), offset_imm);
+      return MemOperand(addr.X(), tmp);
+    } else {
+      Register tmp = temps->AcquireW();
+      assm->Add(tmp, offset.W(), offset_imm);
+      return MemOperand(addr.X(), tmp, UXTW);
+    }
  }
  return MemOperand(addr.X(), offset_imm);
 }
--- a/test/mjsunit/regress/wasm/regress-11809.js
+++ b/test/mjsunit/regress/wasm/regress-11809.js
@ -2,11 +2,12 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
-// Flags: --enable-testing-opcode-in-wasm --nowasm-tier-up --wasm-tier-mask-for-testing=2
+// Flags: --enable-testing-opcode-in-wasm --nowasm-tier-up
+// Flags: --wasm-tier-mask-for-testing=2

 load("test/mjsunit/wasm/wasm-module-builder.js");

-var instance = (function () {
+function InstanceMaker(offset) {
  var builder = new WasmModuleBuilder();
  builder.addMemory(1, 1, false /* exported */);

@ -24,7 +25,7 @@ var instance = (function () {
  var two = builder.addFunction("two", kSig_v_i);
  var three = builder.addFunction("three", sig_three).addBody([]);

-  zero.addBody([kExprLocalGet, 0, kExprI32LoadMem, 0, 0]);
+  zero.addBody([kExprLocalGet, 0, kExprI32LoadMem, 0, offset]);

  one.addBody([
    kExprLocalGet, 7,
@ -53,6 +54,11 @@ var instance = (function () {
    ]).exportFunc();

  return builder.instantiate({});
-})();
+}

-instance.exports.two()
+var instance = InstanceMaker(0);
+instance.exports.two();
+
+// Regression test for crbug.com/1224882.
+var instance_with_offset = InstanceMaker(4);
+instance_with_offset.exports.two();