[Liftoff] Fix corner case of register moves

If we have both f32 and f64 locals, we use the same register to hold their zero value. On stack transfers, we might thus encounter the same fp register with both the f32 and f64 type. Explicitly allow that case to happen. R=ahaas@chromium.org Bug: chromium:918917, v8:6600 Change-Id: I6937008d38853fe2bdccd9715e1a2499cf6bf7c6 Reviewed-on: https://chromium-review.googlesource.com/c/1398225 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#58623}
2019-01-08 09:21:38 +01:00 · 2019-01-08 09:21:38 +01:00 · f1fb7bca44
commit f1fb7bca44
parent 69cd305206
2 changed files with 29 additions and 7 deletions
--- a/src/wasm/baseline/liftoff-assembler.cc
+++ b/src/wasm/baseline/liftoff-assembler.cc
@ -170,7 +170,13 @@ class StackTransferRecipe {
      return;
    }
    if (move_dst_regs_.has(dst)) {
-      DCHECK(HasRegisterMove(dst, src, type));
+      DCHECK_EQ(register_move(dst)->src, src);
+      // Non-fp registers can only occur with the exact same type.
+      DCHECK_IMPLIES(!dst.is_fp(), register_move(dst)->type == type);
+      // It can happen that one fp register holds both the f32 zero and the f64
+      // zero, as the initial value for local variables. Move the value as f64
+      // in that case.
+      if (type == kWasmF64) register_move(dst)->type = kWasmF64;
      return;
    }
    move_dst_regs_.set(dst);
@ -245,12 +251,6 @@ class StackTransferRecipe {
    return src_reg_use_count_ + reg.liftoff_code();
  }

-  bool HasRegisterMove(LiftoffRegister dst, LiftoffRegister src,
-                       ValueType type) {
-    return move_dst_regs_.has(dst) && register_move(dst)->src == src &&
-           register_move(dst)->type == type;
-  }
-
  void ExecuteMove(LiftoffRegister dst) {
    RegisterMove* move = register_move(dst);
    DCHECK_EQ(0, *src_reg_use_count(dst));
--- a/test/mjsunit/regress/wasm/regress-918917.js
+++ b/test/mjsunit/regress/wasm/regress-918917.js
@ -0,0 +1,22 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+load('test/mjsunit/wasm/wasm-constants.js');
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addFunction(undefined, kSig_v_v)
+  .addLocals({i32_count: 1}).addLocals({f32_count: 1}).addLocals({f64_count: 1})
+  .addBody([
+kExprGetLocal, 1,
+kExprGetLocal, 2,
+kExprGetLocal, 0,
+kExprIf, kWasmI32,
+  kExprI32Const, 1,
+kExprElse,
+  kExprUnreachable,
+  kExprEnd,
+kExprUnreachable
+]);
+builder.instantiate();