From: Sergey Kaplun via Tarantool-patches
Reply-To: Sergey Kaplun
To: Sergey Bronnikov
Cc: tarantool-patches@dev.tarantool.org
Date: Wed, 11 Jun 2025 19:01:42 +0300
Message-ID: <20250611160142.19383-1-skaplun@tarantool.org>
Subject: [Tarantool-patches] [PATCH luajit] ARM64: Fix LDP code generation.

From: Mike Pall

Thanks to Zhongwei Yao.

(cherry picked from commit 9493acc1a28f15b0ac4453e716f33436186c7acd)

When fusing two LDR (STR) instructions to the single LDP (STP) instruction, the arm64 emitter shifts the offset value to encode the immediate. In the case when the offset is negative, the resulting field value exceeds the 7-bit length of the immediate, see [1]. This results in the invalid instruction decoding.

This patch fixes this by masking the value with the 7-bit-width mask `0x7f`.

Sergey Kaplun:
* added the description and the test for the problem

[1]: https://developer.arm.com/documentation/ddi0602/2025-03/Base-Instructions/LDP--Load-pair-of-registers-

Part of tarantool/tarantool#11278
---
Related issues:
* https://github.com/LuaJIT/LuaJIT/pull/1028
* https://github.com/tarantool/tarantool/issues/11278

Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1028-ldr-fusion-to-ldp-negative-offset

 src/lj_emit_arm64.h | 2 +-
 ...ldr-fusion-to-ldp-negative-offset.test.lua | 45 +++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 test/tarantool-tests/lj-1028-ldr-fusion-to-ldp-negative-offset.test.lua

diff --git a/src/lj_emit_arm64.h b/src/lj_emit_arm64.h index e1a9d3e4..30cd3505 100644 --- a/src/lj_emit_arm64.h +++ b/src/lj_emit_arm64.h 
@@ -143,7 +143,7 @@ static void emit_lso(ASMState *as, A64Ins ai, Reg rd, Reg rn, int64_t ofs) goto nopair; } if (ofsm >= (int)((unsigned int)-64<mcp = aip | A64F_N(rn) | ((ofsm >> sc) << 15) | + *as->mcp = aip | A64F_N(rn) | (((ofsm >> sc) & 0x7f) << 15) | (ai ^ ((ai == A64I_LDRx || ai == A64I_STRx) ? 0x50000000 : 0x90000000)); return; } diff --git a/test/tarantool-tests/lj-1028-ldr-fusion-to-ldp-negative-offset.test.lua b/test/tarantool-tests/lj-1028-ldr-fusion-to-ldp-negative-offset.test.lua new file mode 100644 index 00000000..1ba28449 --- /dev/null +++ b/test/tarantool-tests/lj-1028-ldr-fusion-to-ldp-negative-offset.test.lua @@ -0,0 +1,45 @@ +local tap = require('tap') +local ffi = require('ffi') + +-- This test demonstrates LuaJIT's incorrect emitting of LDP +-- instruction with negative offset fused from LDR on arm64. +-- See also https://github.com/LuaJIT/LuaJIT/pull/1028. +local test = tap.test('lj-1028-ldr-fusion-to-ldp-negative-offset'):skipcond({ + ['Test requires JIT enabled'] = not jit.status(), +}) + +test:plan(1) + +-- Amount of iterations to compile and start the trace. +local N_ITERATIONS = 4 + +ffi.cdef[[ + typedef struct data { + int32_t m1; + int32_t m2; + } data; +]] + +local data_arr = ffi.new('data[' .. N_ITERATIONS .. ']') + +local const_data_ptr = ffi.typeof('const data *') +local data = ffi.cast(const_data_ptr, data_arr) + +local results = {} + +jit.opt.start('hotloop=1') + +for i = 1, N_ITERATIONS do + -- Pair loading from the negative offset generates an invalid + -- instruction on AArch64 before this patch. + local field = data[i - 1] + local m1 = field.m1 + local m2 = field.m2 + + -- Use loaded values to avoid DCE. + results[i] = m1 + m2 +end + +test:samevalues(results, 'no invalid instruction') + +test:done(true) -- 2.49.0
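Review bot: in the `+` line of `emit_lso`, the bare `0x7f` carries the whole fix, but nothing in the code says it is the width of the LDP/STP immediate field (seven bits starting at bit 15, given the `<< 15`). A one-line comment next to the mask, or a named constant, would keep the reasoning from the commit message with the code. The expression also still relies on `ofsm >> sc` for a negative `ofsm`, so it is worth confirming that this is an arithmetic shift of a signed value on every supported compiler; the mask then keeps exactly the low seven bits of the two's-complement result.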
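Review bot: in the new test file, `data_arr` comes from `ffi.new` without an initializer, so every `m1` and `m2` is zero and `test:samevalues(results, ...)` only checks that all sums are equal; a pair load that is mis-encoded but still executes and happens to read other zeroed memory would pass. Filling every element with the same known non-zero pair (so `samevalues` still applies) and also checking one sum against the expected number would make the test fail on a wrong address, not only on an undecodable instruction. The comment above `data[i - 1]` could also say where the negative offset comes from, since the index itself is never negative.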
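The encoding problem described in the commit message, as an added stand-alone C example; it is not part of the patch or of LuaJIT. The helper names (`ldp_encode`, `ldp_decode_ofs`, `ldp_count_valid`) and the register numbers are made up for illustration; the two base opcodes are the A64 LDP (signed offset) encodings.

```c
#include <stdint.h>
#include <stdio.h>

/* LDP (signed offset) base opcodes; imm7 occupies bits 21:15. */
#define LDP_W 0x29400000u  /* 32-bit pair, byte offset scaled by 4 */
#define LDP_X 0xa9400000u  /* 64-bit pair, byte offset scaled by 8 */

/* Hypothetical encoder: masked=0 mimics the old expression, masked=1 the fix. */
static uint32_t ldp_encode(uint32_t op, int rt, int rt2, int rn, int ofs, int masked)
{
  int sc = (op == LDP_X) ? 3 : 2;
  /* ofs is a multiple of the scale, so the division is exact. */
  uint32_t imm = (uint32_t)(ofs / (1 << sc));
  if (masked) imm &= 0x7f;  /* keep only the 7-bit field */
  return op | (imm << 15) | ((uint32_t)rt2 << 10) | ((uint32_t)rn << 5) | (uint32_t)rt;
}

/* Decode the byte offset the CPU would use: sign-extend imm7, then scale. */
static int ldp_decode_ofs(uint32_t ins)
{
  int sc = (ins >> 31) ? 3 : 2;
  int imm7 = (int)((ins >> 15) & 0x7f);
  if (imm7 & 0x40) imm7 -= 0x80;
  return imm7 * (1 << sc);
}

/* Count offsets in [-64, 63] * scale that keep bits 31:22 and round-trip. */
static int ldp_count_valid(uint32_t op, int masked)
{
  int sc = (op == LDP_X) ? 3 : 2, n = 0, i;
  for (i = -64; i <= 63; i++) {
    int ofs = i * (1 << sc);
    uint32_t ins = ldp_encode(op, 0, 1, 2, ofs, masked);
    if ((ins & 0xffc00000u) == op && ldp_decode_ofs(ins) == ofs) n++;
  }
  return n;
}

int main(void)
{
  /* Constructed case: ldp w0, w1, [x2, #-8] */
  printf("unmasked: %08x\n", (unsigned)ldp_encode(LDP_W, 0, 1, 2, -8, 0));
  printf("masked:   %08x\n", (unsigned)ldp_encode(LDP_W, 0, 1, 2, -8, 1));
  printf("valid encodings: %d unmasked, %d masked (of 128)\n",
         ldp_count_valid(LDP_W, 0), ldp_count_valid(LDP_W, 1));
  return 0;
}
```

Without the mask, the sign bits of a negative immediate spill into bits 31:22 and overwrite the opcode, so only the 64 non-negative offsets encode correctly.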