deps: V8: cherry-pick 56fe020eec0c

targos · targos · commit 2657c305cb6d · 2021-07-13T08:11:50.000+02:00
Original commit message: [wasm][arm64] Always zero-extend 32 bit offsets, for realz We've already been zero-extending 32-bit offset registers since https://chromium-review.googlesource.com/c/v8/v8/+/2917612, but that patch only covered the case where offset_imm == 0. When there is a non-zero offset, we need the same fix. Bug: chromium:1224882,v8:11809 Change-Id: I1908f735929798f411346807fc4f3c79d8e04362 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2998582 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#75500} Refs: v8/v8@56fe020 Fixes: #39327 PR-URL: #39337 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/common.gypi b/common.gypi
@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.16',
+    'v8_embedder_string': '-node.17',
 
     ##### V8 defaults for Node.js #####
 
diff --git a/deps/v8/src/wasm/baseline/arm64/liftoff-assembler-arm64.h b/deps/v8/src/wasm/baseline/arm64/liftoff-assembler-arm64.h
@@ -133,10 +133,16 @@ inline MemOperand GetMemOp(LiftoffAssembler* assm,
       return i64_offset ? MemOperand(addr.X(), offset.X())
                         : MemOperand(addr.X(), offset.W(), UXTW);
     }
-    Register tmp = temps->AcquireX();
     DCHECK_GE(kMaxUInt32, offset_imm);
-    assm->Add(tmp, offset.X(), offset_imm);
-    return MemOperand(addr.X(), tmp);
+    if (i64_offset) {
+      Register tmp = temps->AcquireX();
+      assm->Add(tmp, offset.X(), offset_imm);
+      return MemOperand(addr.X(), tmp);
+    } else {
+      Register tmp = temps->AcquireW();
+      assm->Add(tmp, offset.W(), offset_imm);
+      return MemOperand(addr.X(), tmp, UXTW);
+    }
   }
   return MemOperand(addr.X(), offset_imm);
 }
diff --git a/deps/v8/test/mjsunit/regress/wasm/regress-11809.js b/deps/v8/test/mjsunit/regress/wasm/regress-11809.js
@@ -2,11 +2,12 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
-// Flags: --enable-testing-opcode-in-wasm --nowasm-tier-up --wasm-tier-mask-for-testing=2
+// Flags: --enable-testing-opcode-in-wasm --nowasm-tier-up
+// Flags: --wasm-tier-mask-for-testing=2
 
 load("test/mjsunit/wasm/wasm-module-builder.js");
 
-var instance = (function () {
+function InstanceMaker(offset) {
   var builder = new WasmModuleBuilder();
   builder.addMemory(1, 1, false /* exported */);
 
@@ -24,7 +25,7 @@ var instance = (function () {
   var two = builder.addFunction("two", kSig_v_i);
   var three = builder.addFunction("three", sig_three).addBody([]);
 
-  zero.addBody([kExprLocalGet, 0, kExprI32LoadMem, 0, 0]);
+  zero.addBody([kExprLocalGet, 0, kExprI32LoadMem, 0, offset]);
 
   one.addBody([
     kExprLocalGet, 7,
@@ -53,6 +54,11 @@ var instance = (function () {
     ]).exportFunc();
 
   return builder.instantiate({});
-})();
+}
 
-instance.exports.two()
+var instance = InstanceMaker(0);
+instance.exports.two();
+
+// Regression test for crbug.com/1224882.
+var instance_with_offset = InstanceMaker(4);
+instance_with_offset.exports.two();
