[vm/compiler] Fix bug in unboxed constant spilling

aartbik · commit-bot@chromium.org · commit a40fd6a976d3 · 2018-11-08T19:03:22.000Z
Rationale: Subtle but disastrous, spilling unboxed integers in arm64 and x64 would store the value as smi, detected as a nasty off by one error in flutter code. flutter/flutter#23879 #35091 Change-Id: I07d71727de8574ebd7d3ec3610d517d7903972f0 Reviewed-on: https://dart-review.googlesource.com/c/83565 Commit-Queue: Aart Bik <ajcbik@google.com> Reviewed-by: Siva Annamalai <asiva@google.com> Reviewed-by: Martin Kustermann <kustermann@google.com> Reviewed-by: Vyacheslav Egorov <vegorov@google.com> Reviewed-by: Alexander Markov <alexmarkov@google.com>
diff --git a/runtime/vm/compiler/backend/il_arm64.cc b/runtime/vm/compiler/backend/il_arm64.cc
@@ -320,8 +320,7 @@ void ConstantInstr::EmitMoveToLocation(FlowGraphCompiler* compiler,
   if (destination.IsRegister()) {
     if (representation() == kUnboxedInt32 ||
         representation() == kUnboxedInt64) {
-      const int64_t value = value_.IsSmi() ? Smi::Cast(value_).Value()
-                                           : Mint::Cast(value_).value();
+      const int64_t value = Integer::Cast(value_).AsInt64Value();
       __ LoadImmediate(destination.reg(), value);
     } else {
       ASSERT(representation() == kTagged);
@@ -346,9 +345,12 @@ void ConstantInstr::EmitMoveToLocation(FlowGraphCompiler* compiler,
     ASSERT(destination.IsStackSlot());
     ASSERT(tmp != kNoRegister);
     const intptr_t dest_offset = destination.ToStackSlotOffset();
-    if (value_.IsSmi() && representation() == kUnboxedInt32) {
-      __ LoadImmediate(tmp, static_cast<int32_t>(Smi::Cast(value_).Value()));
+    if (representation() == kUnboxedInt32 ||
+        representation() == kUnboxedInt64) {
+      const int64_t value = Integer::Cast(value_).AsInt64Value();
+      __ LoadImmediate(tmp, value);
     } else {
+      ASSERT(representation() == kTagged);
       __ LoadObject(tmp, value_);
     }
     __ StoreToOffset(tmp, destination.base_reg(), dest_offset);
diff --git a/runtime/vm/compiler/backend/il_x64.cc b/runtime/vm/compiler/backend/il_x64.cc
@@ -291,8 +291,7 @@ void ConstantInstr::EmitMoveToLocation(FlowGraphCompiler* compiler,
   if (destination.IsRegister()) {
     if (representation() == kUnboxedInt32 ||
         representation() == kUnboxedInt64) {
-      const int64_t value = value_.IsSmi() ? Smi::Cast(value_).Value()
-                                           : Mint::Cast(value_).value();
+      const int64_t value = Integer::Cast(value_).AsInt64Value();
       if (value == 0) {
         __ xorl(destination.reg(), destination.reg());
       } else {
@@ -322,10 +321,12 @@ void ConstantInstr::EmitMoveToLocation(FlowGraphCompiler* compiler,
     __ movsd(destination.ToStackSlotAddress(), XMM0);
   } else {
     ASSERT(destination.IsStackSlot());
-    if (value_.IsSmi() && representation() == kUnboxedInt32) {
-      __ movl(destination.ToStackSlotAddress(),
-              Immediate(Smi::Cast(value_).Value()));
+    if (representation() == kUnboxedInt32 ||
+        representation() == kUnboxedInt64) {
+      const int64_t value = Integer::Cast(value_).AsInt64Value();
+      __ movq(destination.ToStackSlotAddress(), Immediate(value));
     } else {
+      ASSERT(representation() == kTagged);
       __ StoreObject(destination.ToStackSlotAddress(), value_);
     }
   }
diff --git a/tests/language_2/vm/regress_flutter_23879_test.dart b/tests/language_2/vm/regress_flutter_23879_test.dart
@@ -0,0 +1,72 @@
+// Copyright (c) 2018, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+// Bug in unboxed int spilling (https://github.com/flutter/flutter/issues/23879).
+//
+// VMOptions=--deterministic
+
+import "package:expect/expect.dart";
+
+List<int> list = new List<int>(10);
+
+List<int> expected_values = [null, 152, 168, 184, 200, 216, 232, 248, 264, 280];
+
+int count = 0;
+
+bool getNext() {
+  return ++count <= 9;
+}
+
+int foo() {
+  int a = 1;
+  int b = 2;
+  int c = 3;
+  int d = 4;
+  int e = 5;
+  int f = 6;
+  int g = 7;
+  int h = 8;
+  int i = 9;
+  int j = 10;
+  int k = 11;
+  int l = 12;
+  int m = 13;
+  int n = 14;
+  int o = 15;
+  int p = 16;
+  count = 0;
+  int componentIndex = 1;
+  while (getNext()) {
+    // Make spilling likely.
+    a++;
+    b++;
+    c++;
+    d++;
+    e++;
+    f++;
+    g++;
+    h++;
+    i++;
+    j++;
+    k++;
+    l++;
+    m++;
+    n++;
+    o++;
+    p++;
+    list[componentIndex] =
+        a + b + c + d + e + f + g + h + i + j + k + l + m + n + o + p;
+    componentIndex++;
+  }
+  return componentIndex;
+}
+
+void main() {
+  int x = foo();
+  Expect.equals(10, x);
+  Expect.equals(10, count);
+  for (int i = 0; i < 10; i++) {
+    Expect.equals(expected_values[i], list[i]);
+  }
+}
