[wasm] GC should ignore unboxed stack parameters in WASM frames.

R=mstarzinger@chromium.org,bradnelson@chromium.org BUG= Review URL: https://codereview.chromium.org/1782613003 Cr-Commit-Position: refs/heads/master@{#34682}
2016-03-10 07:13:34 -08:00 · 2016-03-10 07:13:34 -08:00 · a42b24514e
commit a42b24514e
parent 01589fe708
2 changed files with 78 additions and 1 deletions
--- a/src/frames.cc
+++ b/src/frames.cc
@ -743,7 +743,10 @@ void StandardFrame::IterateCompiledFrame(ObjectVisitor* v) const {
  safepoint_bits += kNumSafepointRegisters >> kBitsPerByteLog2;

  // Visit the rest of the parameters.
-  v->VisitPointers(parameters_base, parameters_limit);
+  if (!is_js_to_wasm() && !is_wasm()) {
+    // Non-WASM frames have tagged values as parameters.
+    v->VisitPointers(parameters_base, parameters_limit);
+  }

  // Visit pointer spill slots and locals.
  for (unsigned index = 0; index < stack_slots; index++) {
--- a/test/mjsunit/wasm/gc-frame.js
+++ b/test/mjsunit/wasm/gc-frame.js
@ -0,0 +1,74 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-wasm --expose-gc
+
+load("test/mjsunit/wasm/wasm-constants.js");
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+function makeFFI(func, t) {
+  var builder = new WasmModuleBuilder();
+
+  var sig_index = builder.addSignature([t,t,t,t,t,t,t,t,t,t,t]);
+  builder.addImport("func", sig_index);
+  // Try to create a frame with lots of spilled values and parameters
+  // on the stack to try to catch GC bugs in the reference maps for
+  // the different parts of the stack.
+  builder.addFunction("main", sig_index)
+    .addBody([
+      kExprCallImport, 0,       // --
+      kExprGetLocal, 0,         // --
+      kExprGetLocal, 1,         // --
+      kExprGetLocal, 2,         // --
+      kExprGetLocal, 3,         // --
+      kExprGetLocal, 4,         // --
+      kExprGetLocal, 5,         // --
+      kExprGetLocal, 6,         // --
+      kExprGetLocal, 7,         // --
+      kExprGetLocal, 8,         // --
+      kExprGetLocal, 9,         // --
+      kExprCallImport, 0,       // --
+      kExprGetLocal, 0,         // --
+      kExprGetLocal, 1,         // --
+      kExprGetLocal, 2,         // --
+      kExprGetLocal, 3,         // --
+      kExprGetLocal, 4,         // --
+      kExprGetLocal, 5,         // --
+      kExprGetLocal, 6,         // --
+      kExprGetLocal, 7,         // --
+      kExprGetLocal, 8,         // --
+      kExprGetLocal, 9          // --
+    ])                          // --
+    .exportFunc();
+
+  return builder.instantiate({func: func}).exports.main;
+}
+
+
+function print10(a, b, c, d, e, f, g, h, i) {
+  print(a + ",", b + ",", c + ",", d + ",", e + ",", f + ",", g + ",", h + ",", i);
+  gc();
+  print(a + ",", b + ",", c + ",", d + ",", e + ",", f + ",", g + ",", h + ",", i);
+}
+
+(function I32Test() {
+  var main = makeFFI(print10, kAstI32);
+  for (var i = 1; i < 0xFFFFFFF; i <<= 2) {
+    main(i - 1, i, i + 2, i + 3, i + 4, i + 5, i + 6, i + 7, i + 8);
+  }
+})();
+
+(function F32Test() {
+  var main = makeFFI(print10, kAstF32);
+  for (var i = 1; i < 2e+30; i *= -157) {
+    main(i - 1, i, i + 2, i + 3, i + 4, i + 5, i + 6, i + 7, i + 8);
+  }
+})();
+
+(function I32Test() {
+  var main = makeFFI(print10, kAstF64);
+  for (var i = 1; i < 2e+80; i *= -1137) {
+    main(i - 1, i, i + 2, i + 3, i + 4, i + 5, i + 6, i + 7, i + 8);
+  }
+})();