10dc8ef0bc
This is a reland of 1786f8d770. It turned
out that x64 is also broken, and only for TurboFan. Both are fixed now.
Original change's description:
> [arm64][liftoff] Fix trap handling on load lane
>
> This fixes the registered {protected_load_pc} to (always) point to the
> actual load instruction. If {dst != src} we would emit a register move
> before the load, and the trap handler would then not recognize the PC
> where the signal occurs, leading to a segfault.
>
> R=thibaudm@chromium.org
>
> Bug: chromium:1242300, v8:12018
> Change-Id: I3ed2a8307e353fd85a7ddedf6ecb73e90a112d32
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3136454
> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
> Commit-Queue: Clemens Backes <clemensb@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#76642}
Bug: chromium:1242300, v8:12018
Change-Id: I79284ab9815f5363f759569d98c8c4b52d48e738
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3140609
Reviewed-by: Thibaud Michaud <thibaudm@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76698}
// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-module-builder.js');
// Regression test (Bug: chromium:1242300, v8:12018): an out-of-bounds
// s128.load32_lane has to surface as a wasm memory-out-of-bounds trap. If the
// trap handler does not recognize the faulting PC, the process segfaults
// instead of trapping.
const builder = new WasmModuleBuilder();

// Memory limits in wasm pages: 16 initial, 32 maximum.
builder.addMemory(16, 32);

// Anonymous function; it is exported below by its index, 0.
const trappingFunction = builder.addFunction(undefined, kSig_i_iii);
trappingFunction.addBody([
  // Memory index for the lane load; the byte 0x7f is the signed LEB128
  // encoding of -1.
  kExprI32Const, 0x7f,  // i32.const
  // Three splatted vectors feed s128.select, whose result is the vector
  // operand of the lane load.
  // NOTE(review): presumably this sequence is what makes the load's
  // destination register differ from its source; confirm against the fix.
  kExprI32Const, 0x1e,  // i32.const
  kSimdPrefix, kExprI8x16Splat,  // i8x16.splat
  kExprI32Const, 0,  // i32.const
  kSimdPrefix, kExprI8x16Splat,  // i8x16.splat
  kExprI32Const, 0,  // i32.const
  kSimdPrefix, kExprI8x16Splat,  // i8x16.splat
  kSimdPrefix, kExprS128Select,  // s128.select
  // Immediates: alignment 0x00, offset 0x89 0xfe 0x03 (unsigned LEB128 for
  // 65289), lane index 0x00. The bytes must stay exactly as they are.
  kSimdPrefix, kExprS128Load32Lane, 0x00, 0x89, 0xfe, 0x03, 0x00,  // s128.load32_lane
  // Not expected to execute: the load above should trap first.
  kExprUnreachable,
]);

builder.addExport('main', 0);
const instance = builder.instantiate();

// The export is looked up inside the callback, so any failure is observed by
// assertTraps itself.
const invokeMain = () => instance.exports.main(1, 2, 3);
assertTraps(kTrapMemOutOfBounds, invokeMain);