From 897d4e86b677da05feca2143d6fbb6d0c12188c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Zasso?=
Date: Sat, 10 Jul 2021 08:23:33 +0200
Subject: [PATCH] deps: V8: cherry-pick 56fe020eec0c
Original commit message:
[wasm][arm64] Always zero-extend 32 bit offsets, for realz
We've already been zero-extending 32-bit offset registers since https://chromium-review.googlesource.com/c/v8/v8/+/2917612, but that patch only covered the case where offset_imm == 0. When there is a non-zero offset, we need the same fix.
Bug: chromium:1224882,v8:11809
Change-Id: I1908f735929798f411346807fc4f3c79d8e04362
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2998582
Commit-Queue: Jakob Kummerow
Reviewed-by: Clemens Backes
Cr-Commit-Position: refs/heads/master@{#75500}
Refs: https://github.com/v8/v8/commit/56fe020eec0c35e9816590114b1d80836a504156
Fixes: https://github.com/nodejs/node/issues/39327
PR-URL: https://github.com/nodejs/node/pull/39337
Reviewed-By: Matteo Collina
Reviewed-By: James M Snell
---
 common.gypi | 2 +-
 .../baseline/arm64/liftoff-assembler-arm64.h | 12 +++++++++---
 .../test/mjsunit/regress/wasm/regress-11809.js | 16 +++++++++++-----
 3 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/common.gypi b/common.gypi
index aa42c69f96391b..a7c109075f645c 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.14',
+ 'v8_embedder_string': '-node.15',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/wasm/baseline/arm64/liftoff-assembler-arm64.h b/deps/v8/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
index ed1070444e18ad..9639a6ffd43137 100644
--- a/deps/v8/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
+++ b/deps/v8/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
@@ -133,10 +133,16 @@ inline MemOperand GetMemOp(LiftoffAssembler* assm,
 return i64_offset ? MemOperand(addr.X(), offset.X())
 : MemOperand(addr.X(), offset.W(), UXTW);
 }
- Register tmp = temps->AcquireX();
 DCHECK_GE(kMaxUInt32, offset_imm);
- assm->Add(tmp, offset.X(), offset_imm);
- return MemOperand(addr.X(), tmp);
+ if (i64_offset) {
+ Register tmp = temps->AcquireX();
+ assm->Add(tmp, offset.X(), offset_imm);
+ return MemOperand(addr.X(), tmp);
+ } else {
+ Register tmp = temps->AcquireW();
+ assm->Add(tmp, offset.W(), offset_imm);
+ return MemOperand(addr.X(), tmp, UXTW);
+ }
 }
 return MemOperand(addr.X(), offset_imm);
 }
diff --git a/deps/v8/test/mjsunit/regress/wasm/regress-11809.js b/deps/v8/test/mjsunit/regress/wasm/regress-11809.js
index 890e26c609e151..eef8c291f6e6db 100644
--- a/deps/v8/test/mjsunit/regress/wasm/regress-11809.js
+++ b/deps/v8/test/mjsunit/regress/wasm/regress-11809.js
@@ -2,11 +2,12 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
-// Flags: --enable-testing-opcode-in-wasm --nowasm-tier-up --wasm-tier-mask-for-testing=2
+// Flags: --enable-testing-opcode-in-wasm --nowasm-tier-up
+// Flags: --wasm-tier-mask-for-testing=2
 load("test/mjsunit/wasm/wasm-module-builder.js");
-var instance = (function () {
+function InstanceMaker(offset) {
 var builder = new WasmModuleBuilder();
 builder.addMemory(1, 1, false /* exported */);
@@ -24,7 +25,7 @@ var instance = (function () {
 var two = builder.addFunction("two", kSig_v_i);
 var three = builder.addFunction("three", sig_three).addBody([]);
- zero.addBody([kExprLocalGet, 0, kExprI32LoadMem, 0, 0]);
+ zero.addBody([kExprLocalGet, 0, kExprI32LoadMem, 0, offset]);
 one.addBody([
 kExprLocalGet, 7,
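Review bot: In the new `else` branch, `assm->Add(tmp, offset.W(), offset_imm)` computes `index + offset_imm` in a W register, so the sum wraps modulo 2^32 before the `UXTW` extension, whereas the removed 64-bit `Add` into an X register did not wrap. If a memory32 caller relies on the guard region rather than an explicit range check for this access, an index near 4 GiB combined with a non-zero `offset_imm` would then resolve to a small in-bounds address instead of faulting in the guard page; whether any caller reaches this path without an explicit check is not visible from the hunk, so this should be confirmed against the bounds-check emitter. Folding `offset_imm` into the 64-bit base and applying `UXTW` only to the raw 32-bit index keeps the zero-extension this commit intends while removing the 32-bit addition, as sketched below in place of the new `if`/`else`. `GetMemOp` begins before the hunk.
```cpp
  DCHECK_GE(kMaxUInt32, offset_imm);
  // Add the immediate to the 64-bit base; the 32-bit index is then only
  // zero-extended, never added in 32 bits where the sum could wrap.
  Register effective_addr = temps->AcquireX();
  assm->Add(effective_addr, addr.X(), offset_imm);
  return i64_offset ? MemOperand(effective_addr, offset.X())
                    : MemOperand(effective_addr, offset.W(), UXTW);
```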
@@ -53,6 +54,11 @@ var instance = (function () {
 ]).exportFunc();
 return builder.instantiate({});
-})();
+}
-instance.exports.two()
+var instance = InstanceMaker(0);
+instance.exports.two();
+
+// Regression test for crbug.com/1224882.
+var instance_with_offset = InstanceMaker(4);
+instance_with_offset.exports.two();
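Review bot: `instance_with_offset.exports.two();` checks only that the call completes, so a regression that made the load use a wrong effective address without crashing would still pass; since the fix concerns the computed address, an assertion on the observable outcome (the loaded value, or `assertTraps` if the access is meant to go out of bounds) would pin the behavior. The bodies of `two` and `zero` sit outside this hunk, so which of the two applies is not visible here. A one-line comment on the second instance, `// offset 4 exercises the offset_imm != 0 path that InstanceMaker(0) does not.`, would also tie the added case to the fix described in the commit message.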