v8/test/mjsunit/regress/wasm/regress-864509.js
Clemens Hammacher 16af1baac4 [Liftoff] Zero-extend i32 stack parameters
i32 stack parameters can be loaded by Turbofan as 64-bit value, hence
they would not be zero extended. If this loaded value is then passed to
Liftoff (which assumes zero-extended i32 values), we could use it for
memory accesses, which would be out of bounds.

R=mstarzinger@chromium.org

Bug: chromium:864509, v8:6600
Change-Id: I0f45a269b1fb1c2befc2e6bc660c559a88323767
Reviewed-on: https://chromium-review.googlesource.com/1140168
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54500}
2018-07-17 16:59:14 +00:00

63 lines
2.6 KiB
JavaScript

// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --liftoff --no-wasm-tier-up --no-future --wasm-tier-mask-for-testing=2
load('test/mjsunit/wasm/wasm-constants.js');
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addMemory(1, 1);
// First function is Liftoff. The first parameter is used as memory offset.
builder.addFunction(undefined, kSig_v_i).addBody([
kExprGetLocal, 0, // get_local 0
kExprI32Const, 0, // i32.const 0
kExprI32StoreMem, 0, 0, // i32.store offset=0
]);
// Second function is Turbofan. It loads the sixth parameter from the stack
// into a register for the first argument. Even though it's a 32-bit value, it
// is loaded as 64-bit value on x64.
builder.addFunction(undefined, makeSig(new Array(6).fill(kWasmI32), []))
.addBody([
kExprGetLocal, 5, // get_local 5
kExprCallFunction, 0 // call 0
]);
// The third function is Liftoff again. A value is spilled on the stack as i32,
// then used as a call argument, passed via the stack. The full 64-bit are
// copied on the stack, even though just 32-bit were written before. Hence, the
// stack slot is not zero-extended.
const gen_i32_code = [
kExprTeeLocal, 0, // tee_local 0
kExprGetLocal, 0, // get_local 0
kExprI32Const, 1, // i32.const 1
kExprI32Add // i32.add --> 2nd param
];
builder.addFunction(undefined, kSig_v_v).addLocals({i32_count: 1}).addBody([
// Generate six values on the stack, then six more to force the other six on
// the stack.
...wasmI32Const(0), // i32.const 0
...wasmI32Const(1), // i32.const 1
kExprI32Add, // i32.add --> 1st param
...gen_i32_code, // --> 2nd param
...gen_i32_code, // --> 3rd param
...gen_i32_code, // --> 4th param
...gen_i32_code, // --> 5th param
...gen_i32_code, // --> 6th param
...gen_i32_code, // --> garbage
...gen_i32_code, // --> garbage
...gen_i32_code, // --> garbage
...gen_i32_code, // --> garbage
...gen_i32_code, // --> garbage
...gen_i32_code, // --> garbage
kExprDrop, // drop garbage
kExprDrop, // drop garbage
kExprDrop, // drop garbage
kExprDrop, // drop garbage
kExprDrop, // drop garbage
kExprDrop, // drop garbage
kExprCallFunction, 1 // call 1
]).exportAs('three');
const instance = builder.instantiate();
instance.exports.three();