From 923d32606db3695c72488a1e79a9eed613e4d94d Mon Sep 17 00:00:00 2001
From: Andreas Haas
Date: Mon, 26 Apr 2021 11:58:32 +0200
Subject: [PATCH] [wasm][ia32] Spill result register of CompareExchange before using it
R=clemensb@chromium.org
Bug: chromium:1196837
Change-Id: I8945e25be12155482e1feefe1cfd980a94b0488d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2850646
Reviewed-by: Clemens Backes
Commit-Queue: Andreas Haas
Cr-Commit-Position: refs/heads/master@{#74180}
---
 src/wasm/baseline/liftoff-compiler.cc | 1 +
 test/mjsunit/regress/wasm/regress-1196837.js | 39 ++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 test/mjsunit/regress/wasm/regress-1196837.js
diff --git a/src/wasm/baseline/liftoff-compiler.cc b/src/wasm/baseline/liftoff-compiler.cc
index a4000a9821..f933466a73 100644
--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@@ -4262,6 +4262,7 @@ class LiftoffCompiler {
 __ DropValues(1);
 
 LiftoffRegister result = expected;
+ if (__ cache_state()->is_used(result)) __ SpillRegister(result);
 
 // We already added the index to addr, so we can just pass no_reg to the
 // assembler now.
diff --git a/test/mjsunit/regress/wasm/regress-1196837.js b/test/mjsunit/regress/wasm/regress-1196837.js
new file mode 100644
index 0000000000..5c4a354ad6
--- /dev/null
+++ b/test/mjsunit/regress/wasm/regress-1196837.js
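Review bot: The added `if (__ cache_state()->is_used(result)) __ SpillRegister(result);` carries no comment explaining why the spill is needed, and the reason is not visible from the hunk: `result` is only an alias of `expected`, so that register may legitimately be handed to the compare-exchange as an output only if no other cached value still lives in it, which is what `is_used()` guards. I would put `// result aliases expected; if this register still holds another cached value, spill it first, because the compare-exchange overwrites it.` above the new line so the check is not later "simplified" away and the miscompile from the linked bug returns. The subject names ia32 (presumably where the compare-exchange instruction fixes its result register), but this line is in the platform-independent compiler and so now runs on every architecture; a word in the comment, or a confirmation that the extra spill is acceptable where it was not needed, would help. The enclosing function — presumably the CompareExchange lowering the subject refers to — starts and ends outside this hunk.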
@@ -0,0 +1,39 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-staging
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(16, 32, false);
+builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
+builder.addFunction(undefined, 0 /* sig */) .addBodyWithEnd([
+// signature: i_iii
+// body:
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x01,
+kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x00,
+kExprMemoryGrow, 0x00,
+kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x00,
+kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
+kExprLocalGet, 0x01,
+kExprLocalGet, 0x00,
+kAtomicPrefix, kExprI32AtomicCompareExchange16U, 0x00, 0x7a,
+kExprLocalGet, 0x01,
+kExprReturnCall, 0x00,
+kExprEnd,
+]);
+builder.addExport('main', 0);
+const instance = builder.instantiate();
+assertTraps(kTrapUnalignedAccess, () => instance.exports.main(0, 0, 0));
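Review bot: The final `assertTraps(kTrapUnalignedAccess, ...)` pins the expected outcome without a word on why an unaligned-access trap is the correct result of this fuzzer-generated body, or what the wrong result looked like before the fix, so a future failure here will be hard to triage; a one-line comment above it, describing how the chain of compare-exchange results feeds the address of a later access when the result register is handled correctly, would tie the expectation to the fix. Each `kExprI32AtomicCompareExchange16U` is encoded with alignment immediate `0x00` on a 16-bit access; the threads proposal requires the natural alignment for atomics, so if the decoder is ever tightened to the spec this module would fail validation and the regression would silently go untested — consider `0x01` unless the lower alignment is deliberate. Per the subject the miscompile is ia32-specific, so this test passes trivially on other architectures and depends on `--wasm-staging` (presumably for `kExprReturnCall`); both facts deserve a comment next to the Flags line so the test is not dropped or re-flagged by someone who sees it never fail.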