ARM64: Fix IR_SLOAD assembly.

Reported by Gate88.

(cherry picked from commit 6c4826f)

The issue is in the case when IR SLOAD is unused on a trace, it persists
only for typecheck, and has the `num` type. In this case, the `dest`
register is `RID_NONE`. Hence, the `fmov` instruction is emitted
unconditionally, where the destination register is `d0` (`RID_NONE &
31`). So, the value of this register is spoiled. If it holds any value
evaluated before and used after this SLOAD, it leads to incorrect
behaviour.

So the emitted assembly for the aforementioned SLOAD looks like the
following:
| ldr   x27, [x7, LuaJIT#24]
| cmp   x0, x27, lsr LuaJIT#32
| bls   0x67d7f4f0    ->0
| fmov  d0, x27           ; this spoils d0

Instead of the following:
| ldr   x27, [x7, LuaJIT#24]
| cmp   x0, x27, lsr LuaJIT#32
| bls   0x6a91f4e8    ->0

This patch adds the check that the register is in use before emitting
the instruction.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#11278

Reviewed-by: Sergey Bronnikov <[email protected]>
Signed-off-by: Sergey Kaplun <[email protected]>

Author: Mike Pall

src/lj_asm_arm64.h

@@ -1177,7 +1177,7 @@ static void asm_sload(ASMState *as, IRIns *ir)
       tmp = ra_scratch(as, allow);
       rset_clear(allow, tmp);
     }
-    if (irt_isnum(t) && !(ir->op2 & IRSLOAD_CONVERT))
+    if (ra_hasreg(dest) && irt_isnum(t) && !(ir->op2 & IRSLOAD_CONVERT))
       emit_dn(as, A64I_FMOV_D_R, (dest & 31), tmp);
     /* Need type check, even if the load result is unused. */
     asm_guardcc(as, irt_isnum(t) ? CC_LS : CC_NE);

test/tarantool-tests/lj-903-arm64-unused-number-sload-typecheck.test.lua

@@ -0,0 +1,45 @@
+local tap = require('tap')
+-- Test file to demonstrate the incorrect JIT assembling of unused
+-- `IR_SLOAD` with number type on arm64.
+-- See also https://github.com/LuaJIT/LuaJIT/issues/903.
+local test = tap.test('lj-903-arm64-unused-number-sload-typecheck'):skipcond({
+  ['Test requires JIT enabled'] = not jit.status(),
+})
+
+test:plan(1)
+
+-- Just use any different numbers (but not integers to avoid
+-- integer IR type).
+local SLOT = 0.1
+local MARKER_VALUE = 4.2
+-- XXX: Special mapping to avoid folding and removing always true
+-- comparison.
+local anchor = {marker = MARKER_VALUE}
+
+-- Special function to inline on trace to generate SLOAD
+-- typecheck.
+local function sload_unused(x)
+  return x
+end
+
+-- The additional wrapper to use stackslots in the function.
+local function test_sload()
+  local sload = SLOT
+  for _ = 1, 4 do
+    -- This line should use the `d0` register.
+    local marker = anchor.marker - MARKER_VALUE
+    -- This generates unused IR_SLOAD with typecheck (number).
+    -- Before the patch, it occasionally overwrites the `d0`
+    -- register and causes the execution of the branch.
+    sload_unused(sload)
+    if marker ~= 0 then
+      return false
+    end
+  end
+  return true
+end
+
+jit.opt.start('hotloop=1')
+test:ok(test_sload(), 'correct SLOAD assembling')
+
+test:done(true)