[wasm-simd] Protected load transforms are not eliminatable

LoadTransform operators contain a LoadKind, which can be unaligned, protected, poisoned, normal. If it is protected, we cannot eliminiate that load, since we rely on the segv signal handling. So, we use partial template specialization on LoadKind::kProtected, and don't set the operator to not be eliminatable. Bug: chromium:1132461 Change-Id: If45fc6562348ffd4dbaa27058e6c5d4242f79abb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2436081 Commit-Queue: Zhi An Ng <zhin@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#70205}
2020-09-29 09:36:19 -07:00 · 2020-09-29 09:36:19 -07:00 · 98e2796555
commit 98e2796555
parent 32e2584405
3 changed files with 32 additions and 1 deletions
--- a/src/compiler/backend/instruction-selector.cc
+++ b/src/compiler/backend/instruction-selector.cc
@ -1129,6 +1129,7 @@ void InstructionSelector::VisitBlock(BasicBlock* block) {
        node->opcode() == IrOpcode::kCall ||
        node->opcode() == IrOpcode::kProtectedLoad ||
        node->opcode() == IrOpcode::kProtectedStore ||
+        node->opcode() == IrOpcode::kLoadTransform ||
 #define ADD_EFFECT_FOR_ATOMIC_OP(Opcode) \
  node->opcode() == IrOpcode::k##Opcode ||
        MACHINE_ATOMIC_OP_LIST(ADD_EFFECT_FOR_ATOMIC_OP)
--- a/src/compiler/machine-operator.cc
+++ b/src/compiler/machine-operator.cc
@ -750,7 +750,10 @@ struct ProtectedLoadOperator : public Operator1<LoadRepresentation> {
 template <LoadKind kind, LoadTransformation type>
 struct LoadTransformOperator : public Operator1<LoadTransformParameters> {
  LoadTransformOperator()
-      : Operator1(IrOpcode::kLoadTransform, Operator::kEliminatable,
+      : Operator1(IrOpcode::kLoadTransform,
+                  kind == LoadKind::kProtected
+                      ? Operator::kNoDeopt | Operator::kNoThrow
+                      : Operator::kEliminatable,
                  "LoadTransform", 2, 1, 1, 1, 1, 0,
                  LoadTransformParameters{kind, type}) {}
 };
--- a/test/mjsunit/regress/wasm/regress-1132461.js
+++ b/test/mjsunit/regress/wasm/regress-1132461.js
@ -0,0 +1,27 @@
+
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-staging
+
+// We load-splat a value, then drop it. Verify that the OOB load is not
+// eliminated, it should trap. This test case is simplified from the fuzzer
+// provided test case in https://crbug.com/1132461.
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(16, 32, false, true);
+builder.addFunction(undefined, makeSig([], [kWasmI32]))
+  .addBodyWithEnd([
+kExprI32Const, 0x00,
+kExprI32Const, 0x00,
+kSimdPrefix, kExprS128Load32Splat, 0x00, 0xb6, 0xec, 0xd8, 0xb1, 0x03,
+kSimdPrefix, kExprI32x4ExtractLane, 0x00,
+kExprDrop,
+kExprEnd,
+]);
+
+builder.addExport('main', 0);
+const instance = builder.instantiate();
+assertThrows(() => instance.exports.main());