[wasm] Fix typing for unreachable AssertNonNull

Performing the "swap with TypeCast" input optimization causes inconsistent types for unreachable AssertNonNull instructions (that should inherit that TypeCast's <bot> type). Fixed: v8:12945 Change-Id: Ie51cd6531267a2828c6aac92948edda5c2a5db37 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693708 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/main@{#80989}

[wasm] Fix typing for unreachable AssertNonNull
Performing the "swap with TypeCast" input optimization causes inconsistent types for unreachable AssertNonNull instructions (that should inherit that TypeCast's <bot> type). Fixed: v8:12945 Change-Id: Ie51cd6531267a2828c6aac92948edda5c2a5db37 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3693708 Commit-Queue: Manos Koukoutos <manoskouk@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Manos Koukoutos <manoskouk@chromium.org> Cr-Commit-Position: refs/heads/main@{#80989}
4dd8d76b · Jakob Kummerow · V8 LUCI CQ · 6aa14b71 · 4dd8d76b · 4dd8d76b
Commit 4dd8d76b authored Jun 07, 2022 by Jakob Kummerow Committed by V8 LUCI CQ Jun 08, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 1 deletion

wasm-typer.cc src/compiler/wasm-typer.cc +2 -1

regress-12945.js test/mjsunit/regress/wasm/regress-12945.js +44 -0

No files found.
--- a/src/compiler/wasm-typer.cc
+++ b/src/compiler/wasm-typer.cc
@@ -113,7 +113,8 @@ Reduction WasmTyper::Reduce(Node* node) {
        // unlock more optimizations later.
        // We are implementing this in the typer so we can retype the nodes.
        if (control->opcode() == IrOpcode::kWasmTypeCast && effect == object &&
-            control == object) {
+            control == object &&
+            !NodeProperties::GetType(object).AsWasm().type.is_bottom()) {
          Node* initial_object = NodeProperties::GetValueInput(object, 0);
          Node* previous_control = NodeProperties::GetControlInput(object);
          Node* previous_effect = NodeProperties::GetEffectInput(object);

--- a/test/mjsunit/regress/wasm/regress-12945.js
+++ b/test/mjsunit/regress/wasm/regress-12945.js
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --experimental-wasm-gc --allow-natives-syntax
+
+d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
+
+let builder = new WasmModuleBuilder();
+let i32_field = makeField(kWasmI32, true);
+let supertype = builder.addStruct([i32_field]);
+let sub1 = builder.addStruct([i32_field, i32_field], supertype);
+let sub2 = builder.addStruct([i32_field, makeField(kWasmF64, true)], supertype);
+let sig = makeSig([wasmOptRefType(supertype)], [kWasmI32]);
+
+let callee = builder.addFunction("callee", sig).addBody([
+  kExprLocalGet, 0,
+  kGCPrefix, kExprRefTestStatic, sub1,
+  kExprIf, kWasmVoid,
+  kExprLocalGet, 0,
+  kGCPrefix, kExprRefCastStatic, sub1,
+  kGCPrefix, kExprStructGet, sub1, 0,
+  kExprReturn,
+  kExprElse,
+  kExprLocalGet, 0,
+  kGCPrefix, kExprRefCastStatic, sub2,
+  // This {ref.as_non_null} initially believes that it operates on a
+  // (ref null sub2), and when getting inlined into {crash} realizes
+  // that its actual type is {bottom} because this branch is unreachable.
+  kExprRefAsNonNull,
+  kGCPrefix, kExprStructGet, sub2, 0,
+  kExprReturn,
+  kExprEnd,
+  kExprI32Const, 42,
+]);
+
+builder.addFunction("crash", kSig_i_v).addBody([
+  kGCPrefix, kExprStructNewDefault, sub1,
+  kExprCallFunction, callee.index,
+]).exportFunc();
+
+let instance = builder.instantiate();
+let crash = instance.exports.crash;
+while (%IsLiftoffFunction(crash)) crash();