ecb3afcaed
When spilling a value to the stack, make sure to fill it as the same type later. Otherwise, we might load garbage from the stack and violate the assumption that the upper 32 bits of a 64 bit register are zero if it currently holds a 32 bit value. R=titzer@chromium.org Bug: v8:7353, v8:6600 Change-Id: I7f2b1b31b7f3c13aa152c682cb59400fb5a3ebf0 Reviewed-on: https://chromium-review.googlesource.com/880682 Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Reviewed-by: Ben Titzer <titzer@chromium.org> Cr-Commit-Position: refs/heads/master@{#50797}
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-lazy-compilation
load('test/mjsunit/wasm/wasm-constants.js');
load('test/mjsunit/wasm/wasm-module-builder.js');
// One module with a single growable memory: 16 pages initially, 32 at most.
// 16 pages (1 MiB) comfortably covers the address 0x41 that 'main' reads.
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32);

// grow(n): memory.grow on memory 0 by n pages. Per the wasm semantics this
// returns the previous size in pages (or -1 if the grow fails). Its only job
// in this test is to run some non-trivial code so that the machine stack
// holds leftover data before 'main' is (lazily) compiled and executed.
const growBody = [
  kExprGetLocal, 0,
  kExprGrowMemory, 0,   // trailing 0 = memory index
];
builder.addFunction('grow', kSig_i_i).addBody(growBody).exportFunc();
// main(): stores 0x41 in local 0, runs through an empty loop and then loads
// an i32 from address 0x41. The loop is what forces the locals to be spilled
// to the stack, so the get_local after it has to fill a 32-bit value from the
// spill slot. Filling it as a 64-bit value instead would pick up whatever
// garbage sits in the upper half of that slot and use it as the load address.
const mainBody = [
  ...wasmI32Const(0x41),
  kExprSetLocal, 0,
  kExprLoop, kWasmStmt,   // empty loop: forces the locals to be spilled
  kExprEnd,
  kExprGetLocal, 0,       // must be filled back as a 32-bit value
  kExprI32LoadMem, 0, 0,  // memarg: alignment 0, offset 0 -> i32 at 0x41
];
builder.addFunction('main', kSig_i_i).addBody(mainBody).exportFunc();
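const instance = builder.instantiate();

// Execute grow first, such that the stack contains garbage data afterwards.
// With --wasm-lazy-compilation, 'main' is only compiled on its first call,
// i.e. after this has run. memory.grow returns the old size in pages, and the
// module declared 16 initial pages, so pin that too.
assertEquals(16, instance.exports.grow(1));

// 'main' loads the i32 at address 0x41. Linear memory is zero-initialized and
// nothing has written to it, so the result must be 0. A spill/fill type
// mismatch would leave garbage in the upper 32 bits of the address register,
// which would most likely show up as a trap or a wrong value; asserting the
// result makes that failure mode explicit instead of relying on a crash.
assertEquals(0, instance.exports.main());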