a0ace8a8a5
In Liftoff, the result of table.grow was smi-untagged and sign-extended to a ptr-sized value. However, the result is typed as i32, so the upper 32 bits should be cleared on 64-bit platforms. In particular, this is observable when the value is used as an index for a memory operand, which leads to the repro in the attached issue. Match the TF behavior by untagging the value as a 32-bit int. R=clemensb@chromium.org CC=ahaas@chromium.org Bug: chromium:1251465 Change-Id: Ia57fd8a69ecb2787b42bbf8217e448976aa1dbd9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3173680 Reviewed-by: Clemens Backes <clemensb@chromium.org> Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#77044}
// Copyright 2021 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
// Flags: --wasm-staging --experimental-wasm-gc --liftoff-only
|
|
|
|
d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
|
|
|
|
const builder = new WasmModuleBuilder();
|
|
builder.addMemory(16, 32, false, false);
|
|
builder.addType(makeSig([], [kWasmI32]));
|
|
builder.addTable(kWasmFuncRef, 1, 1, undefined)
|
|
builder.addFunction(undefined, 0 /* sig */)
|
|
.addBodyWithEnd([
|
|
kExprI32Const, 0x00,
|
|
kExprI32Const, 0x00,
|
|
kExprTableGet, 0x00,
|
|
kExprI32Const, 0xff, 0x01,
|
|
kNumericPrefix, kExprTableGrow, 0x00,
|
|
kExprF32Const, 0x00, 0x00, 0x00, 0x00,
|
|
kExprF32StoreMem, 0x00, 0x01,
|
|
kExprEnd
|
|
]);
|
|
builder.addExport('main', 0);
|
|
const instance = builder.instantiate();
|
|
assertThrows(() => instance.exports.main(), WebAssembly.RuntimeError);
|
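Review bot: The expected WebAssembly.RuntimeError in the final assertThrows rests on a chain of facts the test never states: the table is declared with max size 1, so `table.grow` by 255 (the LEB128 bytes `0xff, 0x01`) fails and yields -1, and that -1 is then used as the i32 address of the `f32.store` with offset 1, which must be an out-of-bounds access on the 16-page memory; with the pre-fix sign-extension to a pointer-sized value the address presumably wraps into bounds and the store silently succeeds, so the trap is the regression signal. A comment above the function body such as `// table.grow fails (max size 1) and returns -1; used as an i32 store index this must trap, not wrap.` would let a later reader tell a genuine regression from an unrelated trap. Separately, `builder.addTable(kWasmFuncRef, 1, 1, undefined)` is the only statement in the file without a terminating semicolon, so `builder.addTable(kWasmFuncRef, 1, 1, undefined);` keeps it consistent with the surrounding builder calls.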