[maglev] Add character to set of saved registers in StringAt

... otherwise AllocateRaw can call the allocation builtin, that can trigger a GC and read the character as a pointer. Bug: v8:7700, v8:13397 Change-Id: If4e15fc8bfe0f94c53fe77022b18d5d4a6168702 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3964754 Reviewed-by: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/main@{#83826}
2022-10-20 17:14:23 +02:00 · 2022-10-20 17:14:23 +02:00 · fb84e6c437
commit fb84e6c437
parent d1dcdd9a21
1 changed files with 11 additions and 5 deletions
--- a/src/maglev/maglev-ir.cc
+++ b/src/maglev/maglev-ir.cc
@ -2000,10 +2000,17 @@ void StringAt::GenerateCode(MaglevAssembler* masm,
  __ JumpToDeferredIf(
      greater,
      [](MaglevAssembler* masm, ZoneLabelRef done, Register character,
-         StringAt* node) {
+         Register scratch1, StringAt* node) {
        Register result_string = ToRegister(node->result());
        RegisterSnapshot save_registers = node->register_snapshot();
-        __ Push(character);  // Spill character before inlined allocation.
+        // If {character} alias with {result_string}, use the second scratch
+        // register.
+        if (character == result_string) {
+          DCHECK_NE(scratch1, character);
+          __ Move(scratch1, character);
+          character = scratch1;
+        }
+        save_registers.live_registers.set(character);
        AllocateRaw(masm, save_registers, result_string,
                    SeqTwoByteString::SizeFor(1));
        __ LoadRoot(kScratchRegister, RootIndex::kStringMap);
@ -2014,12 +2021,11 @@ void StringAt::GenerateCode(MaglevAssembler* masm,
            Immediate(Name::kEmptyHashField));
        __ StoreTaggedField(FieldOperand(result_string, String::kLengthOffset),
                            Immediate(1));
-        __ Pop(kScratchRegister);  // Restore character.
        __ movw(FieldOperand(result_string, SeqTwoByteString::kHeaderSize),
-                kScratchRegister);
+                character);
        __ jmp(*done);
      },
-      done, character, this);
+      done, character, scratch1, this);

  // Load one byte string from a predefined/cached table.
  __ bind(&cached_one_byte_string);