electron/patches/v8/m126-lts_liftoff_fix_clobbered_scratch_register.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Clemens Backes <[email protected]>
Date: Fri, 15 Nov 2024 16:00:15 +0100
Subject: Fix clobbered scratch register

`GetMemOp` returns an `Operand` which can contain `kScratchRegister`. We
should hence not clobber that register until after the last use of the
`Operand`.

This CL changes the scratch register to `kScratchRegister2` which has
much fewer uses, and in particular none which collides with `GetMemOp`.

[email protected]

(cherry picked from commit 57a017e611a5abfb0e4b59f6de028bc4070a3615)

Fixed: 378779897, 378701682
Change-Id: Id1ed25edfe76200d069ac2ab54e5000eed313c8f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6022072
Reviewed-by: Matthias Liedtke <[email protected]>
Commit-Queue: Clemens Backes <[email protected]>
Cr-Original-Commit-Position: refs/heads/main@{#97224}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6056706
Reviewed-by: Clemens Backes <[email protected]>
Commit-Queue: Gyuyoung Kim (xWF) <[email protected]>
Reviewed-by: Daniel Lehmann <[email protected]>
Cr-Commit-Position: refs/branch-heads/12.6@{#82}
Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}

diff --git a/src/wasm/baseline/x64/liftoff-assembler-x64-inl.h b/src/wasm/baseline/x64/liftoff-assembler-x64-inl.h
index b20867d7ec2a5724653ebe9baca8c8949d70cd74..be01772c27382e2c10314777e4058cf326327ba3 100644
--- a/src/wasm/baseline/x64/liftoff-assembler-x64-inl.h
+++ b/src/wasm/baseline/x64/liftoff-assembler-x64-inl.h
@@ -50,6 +50,8 @@ constexpr Operand kInstanceDataOperand =
 
 constexpr Operand kOSRTargetSlot = GetStackSlot(kOSRTargetOffset);
 
+// Note: The returned Operand might contain {kScratchRegister2}; make sure not
+// to clobber that until after the last use of the Operand.
 inline Operand GetMemOp(LiftoffAssembler* assm, Register addr,
                         Register offset_reg, uintptr_t offset_imm,
                         ScaleFactor scale_factor = times_1) {
@@ -60,7 +62,7 @@ inline Operand GetMemOp(LiftoffAssembler* assm, Register addr,
                : Operand(addr, offset_reg, scale_factor, offset_imm32);
   }
   // Offset immediate does not fit in 31 bits.
-  Register scratch = kScratchRegister;
+  Register scratch = kScratchRegister2;
   assm->MacroAssembler::Move(scratch, offset_imm);
   if (offset_reg != no_reg) assm->addq(scratch, offset_reg);
   return Operand(addr, scratch, scale_factor, 0);
diff --git a/test/mjsunit/regress/wasm/regress-378779897.js b/test/mjsunit/regress/wasm/regress-378779897.js
new file mode 100644
index 0000000000000000000000000000000000000000..fed1bc807165e1b9e83195a2df30aac33a544470
--- /dev/null
+++ b/test/mjsunit/regress/wasm/regress-378779897.js
@@ -0,0 +1,22 @@
+// Copyright 2024 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(49149);
+
+builder.addFunction('main', kSig_i_v).addBody([
+  ...wasmI32Const(-1118406780),
+  ...wasmI32Const(-1),
+  kAtomicPrefix, kExprI32AtomicOr8U, 0, 0
+]).exportFunc();
+
+let instance;
+try {
+  instance = builder.instantiate();
+} catch (e) {
+  assertException(e, RangeError, /Out of memory/);
+}
+if (instance) instance.exports.main();