[wasm][bug] Remove deleted WasmModule from typing cache

WasmModules were not removed from the global type judgement cache when
they were deleted. This created problems if another module got allocated
in the same location as a previously deleted module, by creating false
positive cache hits. This CL fixes this issue by removing WasmModule
from the cache as part of its destructor.

Bug: v8:11700
Change-Id: I4948e361dd681040807f35d759b647d1bce585dc
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2859863
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74370}

src/wasm/wasm-module.cc

@@ -24,6 +24,7 @@
 #include "src/wasm/wasm-js.h"
 #include "src/wasm/wasm-objects-inl.h"
 #include "src/wasm/wasm-result.h"
+#include "src/wasm/wasm-subtyping.h"
 
 namespace v8 {
 namespace internal {
@@ -199,6 +200,8 @@ std::ostream& operator<<(std::ostream& os, const WasmFunctionName& name) {
 WasmModule::WasmModule(std::unique_ptr<Zone> signature_zone)
     : signature_zone(std::move(signature_zone)) {}
 
+WasmModule::~WasmModule() { DeleteCachedTypeJudgementsForModule(this); }
+
 bool IsWasmCodegenAllowed(Isolate* isolate, Handle<Context> context) {
   // TODO(wasm): Once wasm has its own CSP policy, we should introduce a
   // separate callback that includes information about the module about to be

src/wasm/wasm-module.h

@@ -347,6 +347,7 @@ struct V8_EXPORT_PRIVATE WasmModule {
 
   explicit WasmModule(std::unique_ptr<Zone> signature_zone = nullptr);
   WasmModule(const WasmModule&) = delete;
+  ~WasmModule();
   WasmModule& operator=(const WasmModule&) = delete;
 };
 

src/wasm/wasm-subtyping.cc

@@ -91,6 +91,26 @@ class TypeJudgementCache {
     type_equivalence_cache_.erase(
         std::make_tuple(type1, type2, module1, module2));
   }
+  void delete_module(const WasmModule* module) {
+    for (auto iterator = type_equivalence_cache_.begin();
+         iterator != type_equivalence_cache_.end();) {
+      if (std::get<2>(*iterator) == module ||
+          std::get<3>(*iterator) == module) {
+        iterator = type_equivalence_cache_.erase(iterator);
+      } else {
+        iterator++;
+      }
+    }
+    for (auto iterator = subtyping_cache_.begin();
+         iterator != subtyping_cache_.end();) {
+      if (std::get<2>(*iterator) == module ||
+          std::get<3>(*iterator) == module) {
+        iterator = subtyping_cache_.erase(iterator);
+      } else {
+        iterator++;
+      }
+    }
+  }
 
  private:
   Zone zone_;
@@ -435,6 +455,14 @@ V8_NOINLINE bool EquivalentTypes(ValueType type1, ValueType type2,
                            module2);
 }
 
+void DeleteCachedTypeJudgementsForModule(const WasmModule* module) {
+  // Accessing the caches for subtyping and equivalence from multiple background
+  // threads is protected by a lock.
+  base::RecursiveMutexGuard type_cache_access(
+      TypeJudgementCache::instance()->type_cache_mutex());
+  TypeJudgementCache::instance()->delete_module(module);
+}
+
 }  // namespace wasm
 }  // namespace internal
 }  // namespace v8

src/wasm/wasm-subtyping.h

@@ -93,6 +93,10 @@ V8_INLINE bool IsHeapSubtypeOf(uint32_t subtype_index, uint32_t supertype_index,
                      ValueType::Ref(supertype_index, kNonNullable), module);
 }
 
+// Call this function in {module}'s destructor to avoid spurious cache hits in
+// case another WasmModule gets allocated in the same address later.
+void DeleteCachedTypeJudgementsForModule(const WasmModule* module);
+
 }  // namespace wasm
 }  // namespace internal
 }  // namespace v8

test/mjsunit/mjsunit.status

@@ -325,9 +325,6 @@
 
   # BUG(v8:11240)
   'regress/regress-v8-9267-1': [SKIP],
-
-  # BUG(v8:11700)
-  'wasm/reference-globals': [SKIP],
 }],  # 'gc_stress'
 
 ##############################################################################