Closed Bug 1858969 Opened 2 years ago Closed 2 years ago

arm32: make MacroAssembler::wasmBoundsCheck32 handle offsets >= 4096

Categories

(Core :: JavaScript: WebAssembly, defect)

Product:
Core
Component:
JavaScript: WebAssembly
Platform:
ARM
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
120 Branch
Tracking Flags:
Tracking Status
firefox120 --- fixed

People

(Reporter: jseward, Assigned: jseward)

Details

Attachments

(2 files)

Test case (scheme-wireworld-jsshell.zip)
36.54 KB, application/octet-stream
Details
Bug 1858969 - arm32: make MacroAssembler::wasmBoundsCheck32 handle offsets >= 4096. r=nbp.
48 bytes, text/x-phabricator-request
Details | Review

wasm baseline on arm32 can generate a load instruction with an out-of-range
immediate. Unzip the attached test case, then:

./dist/bin/js --wasm-compiler=baseline --no-threads --no-ion --wasm-gc
--wasm-function-references --wasm-tail-calls ./run.js

produces

Assertion failure: data_ == imm, at js/src/jit/arm/Assembler-arm.h:626

Assignee: nobody → jseward
Summary: arm32: wasm baseline: Assertion failure: data_ == imm, at js/src/jit/arm/Assembler-arm.h:626 → arm32: make MacroAssembler::wasmBoundsCheck32 handle offsets >= 4096

On arm32, MacroAssembler::wasmBoundsCheck32 routes the load directly to
ma_ldr, but that can't handle an offset of more than 4095. This patch
routes it via ma_dataTransferN instead, which can handle any offset.
For the small-offset case, the generated code remains unchanged.

Pushed by jseward@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/90d6f139028e arm32: make MacroAssembler::wasmBoundsCheck32 handle offsets >= 4096. r=nbp.

https://hg.mozilla.org/mozilla-central/rev/90d6f139028e

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox120: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: