From: Sergey Kaplun via Tarantool-patches
Reply-To: Sergey Kaplun
To: Sergey Bronnikov
Cc: tarantool-patches@dev.tarantool.org
Date: Tue, 3 Jun 2025 21:53:00 +0300
Message-ID: <20250603185300.19160-1-skaplun@tarantool.org>
Subject: [Tarantool-patches] [PATCH luajit] ARM64: Fix code generation for IR_SLOAD with typecheck + conversion.

From: Mike Pall

Reported by memcorrupt.

(cherry picked from commit 564147f518af5a5d8985d9e09fc3a768231f4e75)

The assembling of the SLOAD with typecheck and conversion from number to
int misses the corresponding move for emitting conversion to the FPR
during assembling. Consider the following SLOAD:
| 0006 x28 > int SLOAD #4 TCI

Which results in the following mcode before the patch:
| ldr x28, [x3, #16]
| cmp x2, x28, lsr #32
| bls 0x62d2fda0 ->0
| ; here missing the move to d31
| fcvtzs w28, d31
| scvtf d30, w28
| fcmp d30, d31
| bne 0x62d2fda0 ->0

Instead of the expected:
| ldr x28, [x3, #16]
| cmp x2, x28, lsr #32
| bls 0x7bacfda0 ->0
| fmov d31, x28
| fcvtzs w28, d31
| scvtf d30, w28
| fcmp d30, d31
| bne 0x7bacfda0 ->0

Due to the incorrect check of the condition inside the `asm_sload()`,
which excluded the `IRSLOAD_CONVERT` flag. It may lead to inconsistent
behaviour on the trace.

This patch fixes the check by comparing the source and destination
registers instead.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#11278
---
Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-917-arm64-sload-typecheck-conversion
Related issues:
* https://github.com/LuaJIT/LuaJIT/issues/917
* https://github.com/tarantool/tarantool/issues/11278

 src/lj_asm_arm64.h | 2 +-
 ...-arm64-sload-typecheck-conversion.test.lua | 58 +++++++++++++++++++
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 test/tarantool-tests/lj-917-arm64-sload-typecheck-conversion.test.lua

diff --git a/src/lj_asm_arm64.h b/src/lj_asm_arm64.h index 9b27473c..6c7b011f 100644 --- a/src/lj_asm_arm64.h +++ b/src/lj_asm_arm64.h 
@@ -1177,7 +1177,7 @@ dotypecheck: tmp = ra_scratch(as, allow); rset_clear(allow, tmp); } - if (ra_hasreg(dest) && irt_isnum(t) && !(ir->op2 & IRSLOAD_CONVERT)) + if (ra_hasreg(dest) && tmp != dest) emit_dn(as, A64I_FMOV_D_R, (dest & 31), tmp); /* Need type check, even if the load result is unused. */ asm_guardcc(as, irt_isnum(t) ? CC_LS : CC_NE); diff --git a/test/tarantool-tests/lj-917-arm64-sload-typecheck-conversion.test.lua b/test/tarantool-tests/lj-917-arm64-sload-typecheck-conversion.test.lua new file mode 100644 index 00000000..9cf5cda0 --- /dev/null +++ b/test/tarantool-tests/lj-917-arm64-sload-typecheck-conversion.test.lua 
@@ -0,0 +1,58 @@ +local tap = require('tap') +-- Test file to demonstrate the incorrect JIT assembling of +-- `IR_SLOAD` with typecheck and conversion to integer from +-- number. +-- See also https://github.com/LuaJIT/LuaJIT/issues/917. +local test = tap.test('lj-917-arm64-sload-typecheck-conversion'):skipcond({ + ['Test requires JIT enabled'] = not jit.status(), +}) + +test:plan(1) + +jit.opt.start('hotloop=1') + +local results = {} + +-- Use the following mathematics on a huge number not fitting into +-- an int to be sure that all 3 control numbers (start, stop, +-- step) of the loop should be non-integers to avoid fallback to +-- the `lj_vmeta_for()` and narrowing in the `lj_meta_for()` +-- (see for details). +local NOT_INT = 2 ^ 32 + +-- The interesting for us SLOAD is the loading of the start index: +-- | 0006 x28 > int SLOAD #4 TCI +-- +-- Which results in the following mcode before the patch: +-- | ldr x28, [x3, #16] +-- | cmp x2, x28, lsr #32 +-- | bls 0x62d2fda0 ->0 +-- | ; here missing the move to d31 +-- | fcvtzs w28, d31 +-- | scvtf d30, w28 +-- | fcmp d30, d31 +-- | bne 0x62d2fda0 ->0 +-- +-- Instead of the expected: +-- | ldr x28, [x3, #16] +-- | cmp x2, x28, lsr #32 +-- | bls 0x7bacfda0 ->0 +-- | fmov d31, x28 +-- | fcvtzs w28, d31 +-- | scvtf d30, w28 +-- | fcmp d30, d31 +-- | bne 0x7bacfda0 ->0 + +-- At this moment d31 contains the value of the `step`, so `step` +-- should be >= `stop` to obtain inconsistency (the too early loop +-- end with the last `i` value equals to `step`). +-- The resulting loop is: +-- | for i = -4, -1, 1 do +for i = -4 + NOT_INT * 0, -1 + NOT_INT * 0, 1 + NOT_INT * 0 do + results[-i] = true +end + +-- Expected {true, true, true, true}, since -4 is a start. +test:samevalues(results, 'correct SLOAD TC assembling') + +test:done(true) -- 2.49.0
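
Review bot: In the `src/lj_asm_arm64.h` hunk, the new condition `ra_hasreg(dest) && tmp != dest` no longer says anything about register classes, while the instruction it guards, `emit_dn(as, A64I_FMOV_D_R, (dest & 31), tmp)`, is only meaningful when `dest` is an FPR and `tmp` is the GPR that holds the loaded slot. A one-line comment above the `if` (or an assertion on the class of `dest`) stating that `tmp != dest` implies exactly that would keep the invariant visible, since the removed `irt_isnum(t)` term was the only hint of it in this condition.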
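
Review bot: In the new test file, the final assertion `test:samevalues(results, 'correct SLOAD TC assembling')` does not spell out the expected result that the comment just above it gives (`{true, true, true, true}`), so a reader has to know how `samevalues` treats missing indices to see that an early loop exit fails the test. Comparing `results` against the literal four-element table would tie the check to that comment and show in the failure output which iterations were lost. The test name could also mention the integer conversion, since the message 'correct SLOAD TC assembling' omits the `I` of the `TCI` flags the comments discuss.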