OwnedByAddressingOperand should also allow uses by ProtectedLoad

ProtectedLoad/ProtectedStore opcodes are used in WebAssembly to represent memory accesses. Since they are not part of the allowed opcodes in OwnedByAddressingOperand it is not possible to take advantage of addressing modes to encode common patterns for the pointer input value. R=jarin@chromium.org Bug: v8:8508 Change-Id: Ic62bf13fed7b1d86afb112d9aa59cd7073a28e72 Reviewed-on: https://chromium-review.googlesource.com/c/1354458 Commit-Queue: Andreas Haas <ahaas@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#58237}
2018-12-10 18:35:16 +01:00 · 2018-12-10 18:35:16 +01:00 · 5f6b780374
commit 5f6b780374
parent 3dbb374938
3 changed files with 27 additions and 0 deletions
--- a/1
+++ b/1
@ -39,6 +39,7 @@ Cloudflare, Inc. <*@cloudflare.com>
 Aaron Bieber <deftly@gmail.com>
 Abdulla Kamar <abdulla.kamar@gmail.com>
 Akinori MUSHA <knu@FreeBSD.org>
+Alessandro Pignotti <alessandro@leaningtech.com>
 Alex Kodat <akodat@rocketsoftware.com>
 Alexander Botero-Lowry <alexbl@FreeBSD.org>
 Alexander Karpinsky <homm86@gmail.com>
--- a/src/compiler/node-matchers.h
+++ b/src/compiler/node-matchers.h
@ -678,11 +678,13 @@ struct BaseWithIndexAndDisplacementMatcher {
      switch (from->opcode()) {
        case IrOpcode::kLoad:
        case IrOpcode::kPoisonedLoad:
+        case IrOpcode::kProtectedLoad:
        case IrOpcode::kInt32Add:
        case IrOpcode::kInt64Add:
          // Skip addressing uses.
          break;
        case IrOpcode::kStore:
+        case IrOpcode::kProtectedStore:
          // If the stored value is this node, it is not an addressing use.
          if (from->InputAt(2) == node) return false;
          // Otherwise it is used as an address and skipped.
--- a/test/mjsunit/wasm/bounds-check-turbofan.js
+++ b/test/mjsunit/wasm/bounds-check-turbofan.js
@ -0,0 +1,24 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(1, undefined, false);
+builder.addFunction('load', kSig_i_i)
+    .addBody([
+        kExprGetLocal, 0,
+    kExprI32LoadMem, 0, 100])
+    .exportFunc();
+
+const module = builder.instantiate();
+%WasmTierUpFunction(module, 0);
+// 100 is added as part of the load instruction above
+// Last valid address (64k - 100 - 4)
+assertEquals(0, module.exports.load(0x10000 - 100 - 4));
+// First invalid address (64k - 100)
+assertTraps(kTrapMemOutOfBounds, _ => { module.exports.load(0x10000 - 100);});