cb6218cab0
We did not handle conflicts between regular register moves and the cached instance / cached memory start correctly. This could lead to us overwriting a regular register when restoring the cached instance, which results in either crashes or miscalculations afterwards. R=ahaas@chromium.org Bug: chromium:1217064 Change-Id: Icd4b08b97a47726108a50d51b3a7ba410d132f98 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3003158 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#75602}
// Copyright 2021 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
load('test/mjsunit/wasm/wasm-module-builder.js');
|
|
|
|
const builder = new WasmModuleBuilder();
|
|
builder.addMemory(16, 32, false);
|
|
builder.addType(makeSig([kWasmI32, kWasmI32, kWasmI32], [kWasmI32]));
|
|
builder.addFunction(undefined, 0 /* sig */).addBody([
|
|
kExprI64Const, 0x7a, // i64.const
|
|
kExprI64Const, 0x42, // i64.const
|
|
kExprI64Const, 0xb4, 0xbd, 0xeb, 0xb5, 0x72, // i64.const
|
|
kExprI32Const, 0x37, // i32.const
|
|
kExprI32Const, 0x67, // i32.const
|
|
kExprI32Const, 0x45, // i32.const
|
|
kExprLoop, 0, // loop
|
|
kExprLocalGet, 0, // local.get
|
|
kExprBrIf, 1, // br_if depth=1
|
|
kExprLocalGet, 1, // local.get
|
|
kExprLocalGet, 0, // local.get
|
|
kExprMemorySize, 0, // memory.size
|
|
kExprLocalTee, 0, // local.tee
|
|
kExprLocalGet, 0, // local.get
|
|
kExprBrIf, 0, // br_if depth=0
|
|
kExprUnreachable, // unreachable
|
|
kExprEnd, // end
|
|
kExprUnreachable, // unreachable
|
|
]);
|
|
builder.addExport('main', 0);
|
|
const instance = builder.instantiate();
|
|
assertEquals(16, instance.exports.main(0, 0, 0));
|
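Review bot: The file never says what it is a regression test for, so a reader who lands here without the commit message cannot tell why this particular constant/loop shape matters; a header comment such as `// Regression test for chromium:1217064: register moves conflicting with the cached instance / cached memory start during Liftoff code generation.` would tie it back to the bug. The `kExprLoop, 0` line is commented only as `// loop`, but the `0` looks like a type index rather than `kWasmVoid`, i.e. the signature added by `addType` ([i32,i32,i32] -> [i32]); if that reading is right, the loop takes three i32 params and yields one i32, which is what makes the final `br_if 1` return the `memory.size` value of 16 that the assertion checks. I would make that explicit, e.g. `kExprLoop, 0, // loop, block type = sig 0 ([i32,i32,i32] -> [i32])`, since the expected value 16 depends on both this block type and the `addMemory(16, 32, false)` initial page count.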