Commit 1135c0fc authored by Manos Koukoutos's avatar Manos Koukoutos Committed by V8 LUCI CQ

[wasm-gc][liftoff] Check for null before calling CallRefIC

Bug: v8:7748, chromium:1364036
Change-Id: I0263a21671fc602127aaae3b3ce022190be91407
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899295Reviewed-by: 's avatarJakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83274}
parent 08cbf4e4
...@@ -7261,10 +7261,11 @@ class LiftoffCompiler { ...@@ -7261,10 +7261,11 @@ class LiftoffCompiler {
ValueKind kIntPtrKind = kPointerKind; ValueKind kIntPtrKind = kPointerKind;
LiftoffRegList pinned; LiftoffRegList pinned;
LiftoffRegister func_ref = pinned.set(__ PopToRegister(pinned));
LiftoffRegister vector = pinned.set(__ GetUnusedRegister(kGpReg, pinned)); LiftoffRegister vector = pinned.set(__ GetUnusedRegister(kGpReg, pinned));
LiftoffAssembler::VarState funcref = MaybeEmitNullCheck(decoder, func_ref.gp(), pinned, func_ref_type);
__ cache_state()->stack_state.end()[-1]; LiftoffAssembler::VarState func_ref_var(kRef, func_ref, 0);
if (funcref.is_reg()) pinned.set(funcref.reg());
__ Fill(vector, liftoff::kFeedbackVectorOffset, kPointerKind); __ Fill(vector, liftoff::kFeedbackVectorOffset, kPointerKind);
LiftoffAssembler::VarState vector_var(kPointerKind, vector, 0); LiftoffAssembler::VarState vector_var(kPointerKind, vector, 0);
LiftoffRegister index = pinned.set(__ GetUnusedRegister(kGpReg, pinned)); LiftoffRegister index = pinned.set(__ GetUnusedRegister(kGpReg, pinned));
...@@ -7279,9 +7280,9 @@ class LiftoffCompiler { ...@@ -7279,9 +7280,9 @@ class LiftoffCompiler {
CallRuntimeStub(WasmCode::kCallRefIC, CallRuntimeStub(WasmCode::kCallRefIC,
MakeSig::Returns(kPointerKind, kPointerKind) MakeSig::Returns(kPointerKind, kPointerKind)
.Params(kPointerKind, kIntPtrKind, kPointerKind), .Params(kPointerKind, kIntPtrKind, kPointerKind),
{vector_var, index_var, funcref}, decoder->position()); {vector_var, index_var, func_ref_var},
decoder->position());
__ cache_state()->stack_state.pop_back(1); // Drop funcref.
target_reg = LiftoffRegister(kReturnRegister0).gp(); target_reg = LiftoffRegister(kReturnRegister0).gp();
instance_reg = LiftoffRegister(kReturnRegister1).gp(); instance_reg = LiftoffRegister(kReturnRegister1).gp();
......
...@@ -1207,6 +1207,10 @@ ...@@ -1207,6 +1207,10 @@
# Baseline tests don't make sense with optimization stressing. # Baseline tests don't make sense with optimization stressing.
'baseline/*': [SKIP], 'baseline/*': [SKIP],
# This test uses --wasm-speculative-inlining which is incompatible with
# stressing.
'regress/wasm/regress-1364036': [SKIP],
}], # variant == stress }], # variant == stress
############################################################################## ##############################################################################
......
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --wasm-speculative-inlining --experimental-wasm-typed-funcref
d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
const builder = new WasmModuleBuilder();
builder.addType(kSig_i_i);
builder.addFunction("main", kSig_i_i)
.addBody([kExprI32Const, 0x00, kExprRefNull, 0x01, kExprCallRef, 0x01])
.exportFunc();
let instance = builder.instantiate();
assertTraps(WebAssembly.RuntimeError, () => instance.exports.main());
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment