Pchen0/electron @ 8-x-y

Branch: 8-x-y

1-3-x

1-4-x

1-5-x

1-6-x

1-7-x

1-8-x

10-x-y

11-x-y

12-x-y

13-x-y

14-x-y

15-x-y

16-x-y

17-x-y

18-x-y

19-x-y

2-0-x

2-1-x

20-x-y

21-x-y

22-x-y

23-x-y

24-x-y

25-x-y

26-x-y

27-x-y

28-x-y

29-x-y

3-0-x

3-1-x

30-x-y

31-x-y

32-x-y

33-x-y

34-x-y

35-x-y

36-x-y

4-0-x

4-1-x

4-2-x

5-0-x

6-0-x

6-1-x

7-0-x

7-1-x

7-2-x

7-3-x

8-x-y

9-x-y

actions-mac-test

alice-fix-open-external-bug

alice-prototype-same-site

alice-remove-import

appveyor-node2017-bake

better-console-message

build/preserve-patch-line-endings

build/remove-fs-extra-devdep--31-x-y

bump-appveyor-image

bump-appveyor-image-node-18

check-mnt

cherry-pick/33-x-y/chromium/df77f100c3c2

cherry-pick/33-x-y/v8/20d9a7f760c0

cherry-pick/33-x-y/v8/3fdedec45691

cherry-pick/main/chromium/013961609785

cherry-pick/security/29-x-y/release-1-m121

cherry-pick/security/30-x-y/2-m127-to-2-m129

cherry-pick/security/30-x-y/2-m129

cherry-pick/security/32-x-y/3-m126

cherry-pick/security/33-x-y/3-m129

chore/add-domain-is-check

chore/comment-out-unused-arg-names

chore/eslint-code-blocks

chore/prefer-as-const

chromium-lts-31-x-y

circle-windows

clavin/remove-unused-spellcheck-srcs

clavin/smooth-corner-rounding

close-windows-harder

codesign-fix

confirm-bg-color-corruption

custom-error-pages

dd-tests

delete-src-artifacts-when-done

dependabot/github_actions/main/actions/setup-node-4.3.0

dependabot/npm_and_yarn/main/eslint-plugin-unicorn-56.0.1

dependabot/npm_and_yarn/main/markdownlint-cli2-0.17.2

dip-screen-rect-linux

display_id-to-displayId

docs/deprecate-null-session

docs/win-asar

dsanders11/test-mdx-docs

enable-read-write-svg

enable-report-specs

eslint-code-blocks-test

esm-loading-pkg-json

feat/enable-extension

feat/frame-copy-image

feat/gamescope-overlay

feat/resync-default-font-list

feat/toggle-extensions

fix-browser-view-drag-remove

fix-drag-drop-crash

fix-ensure-win-close

fix-frameless-frame

fix-ipc-race-2

fix-lint

fix-message-port-crash

fix-message-port-serialize-issue

fix-same-party-cookie-patch

fix-service-worker-registration-24

fix-setbg-wcv

fix-user-agent

fix-util-proc-crash

fix-visibilitystate-webview

fix/Wunsafe-buffer-usage-warning

fix/actionable-submenu-accels

fix/capture-window-on-top

fix/ipc-callback-crash

fix/webrequest-checks

fixup-win-release-checkout

flake-fix

fps-patch

get-recent-documents

get-resource-usage

gh-actions-fixup-publish

gh-actions-mac-publish

gh-actions-publish-both-question-mark

gh-actions-publish-linux

gh-actions-split-publish-jobs

gh-macos-publish

gha

gha-lin-test

gxu-add-handlers

gxu-frame-eviction-patch

hardfalcon-26-x-y_simdutf-3.2.9

legacymainresolvefix

lf-patch-test

line-numbers-wildcard

m1-tests-x64

m1-x64

main

miniak/browser-view-apis

miniak/deprecate-event-sender

miniak/document-idle

miniak/drop-macos-10.13-10.14-support

miniak/frozen-intrinsics

miniak/get-user-default-from-suite

miniak/gpu-info-update

miniak/ipc-renderer-internal

miniak/listen-url-slash

miniak/prefer-switch

miniak/set-window-open-handler-features

miniak/unicorn-prefer

mp-33-x-y-appveyor-node-20-17

net-no-response-error

no-onwindowshow

node-20.17-appveyor

pdf-tests

perf/avoid-double-map-lookup-in-ElectronComponentExtensionResourceManager

perf/avoid-double-map-lookup-in-WebContents.DevToolsIndexPath()

perf/avoid-double-map-lookup-in-WebFrameMain-ctor

perf/avoid-map-temporaries-in-IsDevToolsFileSystemAdded

perf/avoid-redundant-map-lookup-when-creating-ElectronBrowserContext

perf/avoid-redundant-map-lookups-in-GlobalShortcut

perf/use-NewFromUtf8Literal-for-literals

perf/use-v8-eternal-for-immortal-globals

permission-v2

ppontes/restore-force-lf-for-patches

ppontes/restore-force-lf-for-patches-split

pr/31571

printing-rework

qpt

re-add-occluded

re-enable-thin-lto

re-enable-thin-lto-node-22

refactor/UvTaskRunner

refactor/aggregate-RootView-main_view_

refactor/avoid-deprecated-WIDGET_OWNS_NATIVE_WIDGET

refactor/extension-registrar

refactor/gin-span

refactor/migrate-to-crypto-hash

refactor/prefer-span-over-node-buffer-api

refactor/put-empty-virtual-function-definitions-in-header

refactor/reduce-use-of-AdaptCallbackForRepeating

refactor/remove-unnecessary-template-type-in-EmitEvent()

replace-browserview-merge-check

replace-browserview-update

req-origin-ses

resource-allowlist

restore-window-state

revert-44516-doc/fix-apostrophe-typos

revert-destroy-url-loader-wrapper

revert-domainis-refactor

revert-dxDiagNodeData

revert-wayland-generic-capturer

robo/add_wpt_testing

robo/enable_spare_renderer

robo/support_url_property_fetch_response

roll-mantle

roller/chromium/36-x-y

roller/chromium/main

roller/node/34-x-y

roller/orb/continuousauth/npm/main

roller/orb/electronjs/node/main

same-party-patch

sckp

sckp-chrome-upstream

sckp-k

sckp-macos15

security/29-x-y/0-m126

security/29-x-y/2-m124

single-check

slow-same-party-revert

spike-storage-access-api

split-ipc-renderer

support-dip-screen-conversion-linux

support-system-context-menu-linux

switch-check

tabs-onupdated

test-bake-image

test-macos

test-menu-accelerators

test-mksnapshot-compile

test-patch-lf

test-patch-roll

test/native-click

test/osr-colors

testing-nan-patch

thumb-cap

timeout-never-click-fix

trop/29-x-y-bp-fix-wco-maximize-button-visibility-when-non-maximizable-1712824186798

trop/30-x-y-bp-fix-wco-maximize-button-visibility-when-non-maximizable-1712824180841

trop/31-x-y-bp-build-remove-appveyor-bake-1739909097137

trop/32-x-y-bp-build-remove-appveyor-bake-1739909098763

trop/32-x-y-bp-chore-add-process-memory-limit-details-in-parition_alloc-oom-handler-1730720959588

trop/33-x-y-bp-build-remove-appveyor-bake-1739909100722

trop/33-x-y-bp-fix-destroy-url-loader-wrapper-when-js-env-exits-1732033976533

trop/34-x-y-bp-build-remove-appveyor-bake-1739909097719

trop/34-x-y-bp-fix-webcontents-printtopdf-with-cross-process-subframes-1742908615986

trop/34-x-y-bp-perf-don-t-wait-for-thumbnails-if-they-were-not-requested-on-macos-1742901653464

trop/35-x-y-bp-build-fixup-release-builds-1742842528613

trop/35-x-y-bp-fix-oob-string-read-when-parsing-node_options-1742898799929

trop/35-x-y-bp-fix-webcontents-printtopdf-with-cross-process-subframes-1742908615377

trop/35-x-y-bp-refactor-add-electronbrowsercontext-getdefaultbrowsercontext--1742219011551

trop/36-x-y-bp-fix-webcontents-printtopdf-with-cross-process-subframes-1742908616946

trop/36-x-y-bp-perf-don-t-wait-for-thumbnails-if-they-were-not-requested-on-macos-1742901658374

try-fix-applescript

try-remove-embedder-exception-patch--34-x-y

try-remove-timeout

use-custom-upterm-server

utility-process-wrapper-check

wayland-roll-tests

wfm-cross-origin

win-cross

windows-runner-2

windows-runner-big

writing-tools

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Thibaud Michaud <[email protected]>
Date: Thu, 15 Oct 2020 12:45:34 +0200
Subject: Merged: [codegen] Skip invalid optimization in tail calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Preparing for tail call is usually done by emitting the gap moves and
then moving the stack pointer to its new position. An optimization
consists in moving the stack pointer first and transforming some of the
moves into pushes. In the attached case it looks like this (arm):

138  add sp, sp, #40
13c  str r6, [sp, #-4]!
140  str r6, [sp, #-4]!
144  str r6, [sp, #-4]!
148  str r6, [sp, #-4]!
14c  str r6, [sp, #-4]!
...
160  vldr d1, [sp - 4*3]

The last line is a gap reload, but because the stack pointer was already
moved, the slot is now below the stack pointer. This is invalid and
triggers this DCHECK:

Fatal error in ../../v8/src/codegen/arm/assembler-arm.cc, line 402
Debug check failed: 0 <= offset (0 vs. -12).

A comment already explains that we skip the optimization if the gap
contains stack moves to prevent this, but the code only checks for
non-FP slots. This is fixed by replacing "source.IsStackSlot()" with
"source.IsAnyStackSlot()":

108  vldr d1, [sp + 4*2]
...
118  str r0, [sp, #+36]
11c  str r0, [sp, #+32]
120  str r0, [sp, #+28]
124  str r0, [sp, #+24]
128  str r0, [sp, #+20]
...
134  add sp, sp, #20

TBR=[email protected]

(cherry picked from commit 7506e063d0d7fb00e4b9c06735c91e1953296867)

Change-Id: I66ed6187755af956e245207e940c83ea0697a5e6
Bug: chromium:1137608
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2505976
Reviewed-by: Thibaud Michaud <[email protected]>
Commit-Queue: Thibaud Michaud <[email protected]>
Cr-Commit-Position: refs/branch-heads/8.6@{#42}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}

diff --git a/src/compiler/backend/code-generator.cc b/src/compiler/backend/code-generator.cc
index 36231c61e09839b3394b78b4f4715daa3023caf4..c0162012eb2747fb6b64c35f336198d0bf75a4ab 100644
--- a/src/compiler/backend/code-generator.cc
+++ b/src/compiler/backend/code-generator.cc
@@ -564,8 +564,8 @@ void CodeGenerator::GetPushCompatibleMoves(Instruction* instr,
         // then the full gap resolver must be used since optimization with
         // pushes don't participate in the parallel move and might clobber
         // values needed for the gap resolve.
-        if (source.IsStackSlot() && LocationOperand::cast(source).index() >=
-                                        first_push_compatible_index) {
+        if (source.IsAnyStackSlot() && LocationOperand::cast(source).index() >=
+                                           first_push_compatible_index) {
           pushes->clear();
           return;
         }
diff --git a/test/mjsunit/regress/wasm/regress-1137608.js b/test/mjsunit/regress/wasm/regress-1137608.js
new file mode 100644
index 0000000000000000000000000000000000000000..5011dced2f70ffbe2b6096a4e1863f434c8898a8
--- /dev/null
+++ b/test/mjsunit/regress/wasm/regress-1137608.js
@@ -0,0 +1,46 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --no-liftoff --experimental-wasm-return-call --experimental-wasm-threads
+
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+(function Regress1137608() {
+  print(arguments.callee.name);
+  let builder = new WasmModuleBuilder();
+  let sig0 = builder.addType(kSig_i_iii);
+  let sig1 = builder.addType(makeSig([kWasmF64, kWasmF64, kWasmI32,
+        kWasmI32, kWasmI32, kWasmF32, kWasmI32, kWasmF64, kWasmI32, kWasmF32,
+        kWasmI32, kWasmF32, kWasmI32, kWasmF64, kWasmI32], [kWasmI32]));
+  let main = builder.addFunction("main", sig0)
+      .addBody([
+        kExprI64Const, 0,
+        kExprF64UConvertI64,
+        kExprF64Const, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x00, 0x00,
+        kExprF64Const, 0x30, 0x30, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00,
+        kExprF64Mul,
+        kExprI32Const, 0,
+        kExprF64Const, 0x30, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        kExprF64StoreMem, 0x00, 0xb0, 0xe0, 0xc0, 0x81, 0x03,
+        kExprI32Const, 0,
+        kExprI32Const, 0,
+        kExprI32Const, 0,
+        kExprF32Const, 0x00, 0x00, 0x00, 0x00,
+        kExprI32Const, 0,
+        kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        kExprI32Const, 0,
+        kExprF32Const, 0x00, 0x00, 0x00, 0x00,
+        kExprI32Const, 0,
+        kExprF32Const, 0x00, 0x00, 0x00, 0x00,
+        kExprI32Const, 0,
+        kExprF64Const, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        kExprI32Const, 0,
+        kExprI32Const, 2,
+        kExprReturnCallIndirect, sig1, kTableZero]).exportFunc();
+  builder.addFunction("f", sig1).addBody([kExprI32Const, 0]);
+  builder.addTable(kWasmAnyFunc, 4, 4);
+  builder.addMemory(16, 32, false, true);
+  let module = new WebAssembly.Module(builder.toBuffer());
+  let instance = new WebAssembly.Instance(module);
+})();

cherry-pick-8c725f7b5bbf.patch 5.2 KB Permalink History Raw

cherry-pick-8c725f7b5bbf.patch 5.2 KB

Permalink History Raw