AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
a0e66bca78
v8/test/mjsunit/regress/wasm/regress-7366.js
Clemens Hammacher ad98ba7773 [Liftoff] Fix register spilling on stack transfer 
When moving arguments for calls into the right registers and stack
slots, we were sometimes overwriting stack slots which would still be
used later to load arguments from. This is because we popped the (wasm)
value stack before executing the register moves, hence the stack
transfer would think the values are not being used any more and reuse
the stack slots.
With this CL, we only pop the arguments from the stack after executing
the stack transfer.

R=ahaas@chromium.org

Bug: v8:7366, v8:6600
Change-Id: I3aa5126c82634fd281959075e91e73465c39abaa
Reviewed-on: https://chromium-review.googlesource.com/883802
Commit-Queue: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50853}
2018-01-24 19:42:48 +00:00

34 lines
1.3 KiB
JavaScript
Raw Blame History

// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
load('test/mjsunit/wasm/wasm-constants.js');
load('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addFunction(undefined, kSig_i_iii).addBody([
// Return the sum of all arguments.
kExprGetLocal, 0, kExprGetLocal, 1, kExprGetLocal, 2, kExprI32Add, kExprI32Add
]);
const sig = builder.addType(kSig_i_iii);
builder.addFunction(undefined, kSig_i_iii)
.addBody([
...wasmI32Const(1), // i32.const 0x1
kExprSetLocal, 0, // set_local 0
...wasmI32Const(4), // i32.const 0x1
kExprSetLocal, 1, // set_local 1
...wasmI32Const(16), // i32.const 0x1
kExprSetLocal, 2, // set_local 2
kExprLoop, kWasmStmt, // loop
kExprEnd, // end
kExprGetLocal, 0, // get_local 0
kExprGetLocal, 1, // get_local 1
kExprGetLocal, 2, // get_local 2
kExprI32Const, 0, // i32.const 0 (func index)
kExprCallIndirect, sig, 0, // call indirect
])
.exportAs('main');
builder.appendToTable([0]);
const instance = builder.instantiate();
assertEquals(21, instance.exports.main());
Reference in New Issue View Git Blame Copy Permalink