[Backport] Security bug 1204071

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2869986: Fix f64x2 min max to use registers We don't have memory alignment yet, so using memory operands will cause segv if we try to access the unaligned operands (on non-AVX systems). The fix here is kept simple (the logic can be cleaned up a bit and optimized to not use unique registers), in order to keep the cherry-pick and back-merge as small and safe as possible. Bug: chromium:1204071 Change-Id: Ieda23dcc097a06c6db20b952d7061708c3be0d24 Reviewed-by: Bill Budge <[email protected]> Commit-Queue: Zhi An Ng <[email protected]> Cr-Commit-Position: refs/heads/master@{#74363} Reviewed-by: Michal Klocek <[email protected]>
qt · May 26, 2021 · 96953e1 · 96953e1
1 parent 5353de1
commit 96953e1
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/chromium/v8/src/compiler/backend/ia32/instruction-selector-ia32.cc b/chromium/v8/src/compiler/backend/ia32/instruction-selector-ia32.cc
@@ -2199,7 +2199,7 @@ void InstructionSelector::VisitF64x2Min(Node* node) {
   IA32OperandGenerator g(this);
   InstructionOperand temps[] = {g.TempSimd128Register()};
   InstructionOperand operand0 = g.UseUniqueRegister(node->InputAt(0));
-  InstructionOperand operand1 = g.UseUnique(node->InputAt(1));
+  InstructionOperand operand1 = g.UseUniqueRegister(node->InputAt(1));
 
   if (IsSupported(AVX)) {
     Emit(kIA32F64x2Min, g.DefineAsRegister(node), operand0, operand1,
@@ -2214,7 +2214,7 @@ void InstructionSelector::VisitF64x2Max(Node* node) {
   IA32OperandGenerator g(this);
   InstructionOperand temps[] = {g.TempSimd128Register()};
   InstructionOperand operand0 = g.UseUniqueRegister(node->InputAt(0));
-  InstructionOperand operand1 = g.UseUnique(node->InputAt(1));
+  InstructionOperand operand1 = g.UseUniqueRegister(node->InputAt(1));
   if (IsSupported(AVX)) {
     Emit(kIA32F64x2Max, g.DefineAsRegister(node), operand0, operand1,
          arraysize(temps), temps);