[wasm-gc] Fix ref.is_null in Liftoff

When constant-folding the test based on static types in the function body decoder, we have to ensure Liftoff's value stack is properly updated. Fixed: chromium:1172912 Change-Id: I618992608882b850a8a4bce0b267ce456e4c2a40 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2664447Reviewed-by: Manos Koukoutos <manoskouk@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#72482}

[wasm-gc] Fix ref.is_null in Liftoff
When constant-folding the test based on static types in the function body decoder, we have to ensure Liftoff's value stack is properly updated. Fixed: chromium:1172912 Change-Id: I618992608882b850a8a4bce0b267ce456e4c2a40 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2664447Reviewed-by: Manos Koukoutos <manoskouk@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#72482}
26653f89 · Jakob Kummerow · Commit Bot · 3ee7b5c6 · 26653f89 · 26653f89
Commit 26653f89 authored Feb 01, 2021 by Jakob Kummerow Committed by Commit Bot Feb 02, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 50 additions and 0 deletions

function-body-decoder-impl.h src/wasm/function-body-decoder-impl.h +1 -0

regress-crbug-1172912.js test/mjsunit/regress/wasm/regress-crbug-1172912.js +49 -0

No files found.
--- a/src/wasm/function-body-decoder-impl.h
+++ b/src/wasm/function-body-decoder-impl.h
@@ -2941,6 +2941,7 @@ class WasmFullDecoder : public WasmDecoder<validate> {
        // We are in unreachable code, the return value does not matter.
      case ValueType::kRef:
        // For non-nullable references, the result is always false.
+        CALL_INTERFACE_IF_REACHABLE(Drop);
        CALL_INTERFACE_IF_REACHABLE(I32Const, result, 0);
        return 1;
      default:

--- a/test/mjsunit/regress/wasm/regress-crbug-1172912.js
+++ b/test/mjsunit/regress/wasm/regress-crbug-1172912.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --experimental-wasm-reftypes --experimental-wasm-typed-funcref
+let raw = new Uint8Array([
+  0x00, 0x61, 0x73, 0x6d,  // wasm magic
+  0x01, 0x00, 0x00, 0x00,  // wasm version
+  0x01,  // section: types
+  0x05,  // section length
+  0x01,  // types count
+  0x60,  // function type
+  0x00,  // param count
+  0x01,  // return count
+  0x7f,  // i32
+  0x03,  // section: functions
+  0x02,  // section size: 2
+  0x01,  // function count: 1
+  0x00,  // sig index: 0
+  0x07,  // section: exports
+  0x08,  // section size
+  0x01,  // exports count
+  0x04,  // name length: 4
+  0x6d, 0x61, 0x69, 0x6e,  // name: "main"
+  0x00,  // export kind: function
+  0x00,  // export function index: 0
+  0x0a,  // section: code
+  0x0d,  // section length
+  0x01,  // functions count: 1
+  0x0b,  // body size
+  0x00,  // locals count
+  0xd2, 0x00,  // ref.func 0
+  0xd1,  // ref.is_null
+  0x04, 0x40,  // if [void]
+  0x05,  // else
+  0x0b,  // end
+  0x41, 0x2a,  // i32.const: 42
+  0x0b,  // end
+]);
+let buff = raw.buffer;
+let mod = new WebAssembly.Module(buff);
+let inst = new WebAssembly.Instance(mod);
+let result = inst.exports.main();
+assertEquals(42, result);