[ia32][wasm] Load sqrtpd inputs into register first
Disallow memory operands on sqrtpd, because the stack is not properly
aligned.
R=ahaas@chromium.org
Fixed: 384549252
Change-Id: I154b74cfa3efd40e646ea9eb0c5f417660a73ad1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6170991
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#98075}
diff --git a/src/compiler/backend/ia32/instruction-selector-ia32.cc b/src/compiler/backend/ia32/instruction-selector-ia32.cc
index 3a3f79d..a536327 100644
--- a/src/compiler/backend/ia32/instruction-selector-ia32.cc
+++ b/src/compiler/backend/ia32/instruction-selector-ia32.cc
@@ -1811,7 +1811,6 @@
V(Word32Popcnt, kIA32Popcnt) \
V(SignExtendWord8ToInt32, kIA32Movsxbl) \
V(SignExtendWord16ToInt32, kIA32Movsxwl) \
- IF_WASM(V, F64x2Sqrt, kIA32F64x2Sqrt)
#define RO_WITH_TEMP_OP_T_LIST(V) V(ChangeUint32ToFloat64, kIA32Uint32ToFloat64)
@@ -1841,7 +1840,8 @@
IF_WASM(V, F64x2Floor, kIA32F64x2Round | MiscField::encode(kRoundDown)) \
IF_WASM(V, F64x2Trunc, kIA32F64x2Round | MiscField::encode(kRoundToZero)) \
IF_WASM(V, F64x2NearestInt, \
- kIA32F64x2Round | MiscField::encode(kRoundToNearest))
+ kIA32F64x2Round | MiscField::encode(kRoundToNearest)) \
+ IF_WASM(V, F64x2Sqrt, kIA32F64x2Sqrt)
#define RRO_FLOAT_OP_T_LIST(V) \
V(Float32Add, kFloat32Add) \
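Review bot: Nothing at the new `IF_WASM(V, F64x2Sqrt, kIA32F64x2Sqrt)` entry records why this op must stay out of the list that allows a memory operand, so a later cleanup could move it back and reintroduce the crash. The reason is only in the commit message (the ia32 stack is not aligned well enough for a `sqrtpd` memory operand); it should sit next to the list, e.g. `/* F64x2Sqrt needs a register input: sqrtpd with a memory operand requires 16-byte alignment, which ia32 stack slots do not guarantee. */`. Use `/* */` rather than `//` if the comment goes inside the backslash-continued macro. The `#define` line of this list is outside the hunk, so its name and operand policy are inferred from the commit message. It is also worth confirming that no other packed SSE op in the memory-operand lists can receive a stack slot; only scalar entries are visible in the first hunk.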
diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
index 0d4656d..5e8248b 100644
--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -2147,6 +2147,7 @@
'regress/wasm/regress-379414135': [SKIP],
'regress/wasm/regress-379811148': [SKIP],
'regress/wasm/regress-381120595': [SKIP],
+ 'regress/wasm/regress-384549252': [SKIP],
'regress/wasm/regress-crbug-1338980': [SKIP],
'regress/wasm/regress-crbug-1355070': [SKIP],
'regress/wasm/regress-crbug-1356718': [SKIP],
diff --git a/test/mjsunit/regress/wasm/regress-384549252.js b/test/mjsunit/regress/wasm/regress-384549252.js
new file mode 100644
index 0000000..8c6ac8f
--- /dev/null
+++ b/test/mjsunit/regress/wasm/regress-384549252.js
@@ -0,0 +1,30 @@
+// Copyright 2024 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --no-liftoff --no-enable-sse4-2
+
+d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+let $sig0 = builder.addType(makeSig([], [kWasmF64, kWasmF64]));
+let $array2 = builder.addArray(kWasmI32, false, kNoSuperType, true);
+let $f = builder.addFunction('f', $sig0)
+ .addLocals(kWasmS128, 1) // $var0
+ .addBody([
+ kExprI32Const, 57,
+ kGCPrefix, kExprArrayNewDefault, $array2,
+ kGCPrefix, kExprArrayLen,
+ kExprLoop, kWasmVoid,
+ kExprLocalGet, 0, // $var0
+ ...SimdInstr(kExprF64x2Sqrt),
+ kSimdPrefix, kExprI32x4ExtractLane, 2,
+ kExprBrIf, 0,
+ kExprUnreachable,
+ kExprEnd,
+ kExprUnreachable,
+ ]).exportFunc();
+
+const instance = builder.instantiate({});
+
+assertTraps(kTrapUnreachable, instance.exports.f);
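Review bot: The test has no comment saying what it guards, and the `--no-enable-sse4-2` flag on the `Flags:` line looks like the part that makes it meaningful. A header such as `// F64x2Sqrt on an S128 input must not be emitted as sqrtpd with an unaligned stack operand (ia32, non-AVX path).` would tell the next reader why the flag cannot be dropped. Presumably the flag also turns AVX off so that the legacy encoding is selected, which should be confirmed and stated in the comment. `$sig0`, `$array2` and `$f` are never reassigned and `$f` is never read, so `const` for the first two and no binding for the third would be tidier. The status-file hunk in this commit adds a `[SKIP]` for this test in a section whose condition is outside that hunk, so check that ia32 bots still run it.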