AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
fc91261600
v8/test/mjsunit/wasm/simd-i64x2-mul.js
Ng Zhi An 7514db4b60 [wasm-simd][liftoff][x64][ia32] Fix i64x2.mul codegen 
We are overwriting rhs when dst == rhs && dst != lhs. This is not a
problem on TurboFan because we specify unique registers and dst == lhs
in the instruction-selector.

The fix is to use the helper EmitSimdCommutativeBinOp, which will check
for dst == rhs (pmuludq is commutative).

Bug: v8:11612
Change-Id: I38c3a2b7f3c7bcf2d7e8faec1a67f0814d44ed20
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2798527
Commit-Queue: Zhi An Ng <zhin@chromium.org>
Reviewed-by: Deepti Gandluri <gdeepti@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73780}
2021-04-01 17:22:24 +00:00

40 lines
1.4 KiB
JavaScript
Raw Blame History

// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --no-enable-avx
load('test/mjsunit/wasm/wasm-module-builder.js');
// Carefully hand-crafted test case to exercie a codegen bug in Liftoff. In
// i64x2.mul, non-AVX case, we will overwrite rhs if dst == rhs. The intention
// is to do dst = lhs * rhs, but if dst == rhs && dst != lhs, we will overwrite
// dst (and hence rhs) with lhs, effectively doing lhs^2.
const builder = new WasmModuleBuilder();
builder.addMemory(16, 32);
builder.addFunction(undefined, kSig_l_v)
.addBody([
kExprI64Const, 0,
kSimdPrefix, kExprI64x2Splat,
kExprI64Const, 1,
kSimdPrefix, kExprI64x2Splat,
kExprI64Const, 2,
kSimdPrefix, kExprI64x2Splat,
kExprCallFunction, 1,
]);
let sig = makeSig([kWasmS128, kWasmS128, kWasmS128], [kWasmI64]);
builder.addFunction(undefined, sig)
.addLocals(kWasmS128, 10)
.addBody([
kExprLocalGet, 2, // This is 2 (lhs).
kExprI64Const, 4, // This is 4 (rhs).
kSimdPrefix, kExprI64x2Splat,
kSimdPrefix, kExprI64x2Mul, 0x01, // The bug will write 2 to rhs.
kSimdPrefix, kExprI64x2ExtractLane, 0,
]);
builder.addExport('main', 0);
const module = builder.instantiate();
// Should be 2 * 4, the buggy codegen will give 2 * 2 instead.
assertEquals(8n, module.exports.main());
Reference in New Issue View Git Blame Copy Permalink