[wasm-gc] SubtypeCheck for rtt without depth in Liftoff

Bug: v8:7748
Change-Id: Id84459c496f7e57b36c3acd13a91d39b7e9fb15f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2676630Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72594}

src/builtins/wasm.tq

@@ -278,6 +278,23 @@ transitioning builtin WasmAllocateObjectWrapper(implicit context: Context)(
   return wrapper;
 }
 
+builtin WasmSubtypeCheck(objectSupertypes: FixedArray, rtt: Map): int32 {
+  const rttSupertypeLength: Smi =
+      %RawDownCast<WasmTypeInfo>(
+          rtt.constructor_or_back_pointer_or_native_context)
+          .supertypes.length;
+
+  if (objectSupertypes.length <= rttSupertypeLength) {
+    return 0;
+  }
+
+  const supertype: Map = %RawDownCast<Map>(
+      LoadFixedArrayElement(objectSupertypes, rttSupertypeLength));
+
+  if (supertype == rtt) return 1;
+  return 0;
+}
+
 builtin WasmInt32ToNumber(value: int32): Number {
   return ChangeInt32ToTagged(value);
 }

src/wasm/baseline/liftoff-compiler.cc

@@ -4521,18 +4521,33 @@ class LiftoffCompiler {
     if (rtt.type.has_depth()) {
       __ emit_i32_cond_jumpi(kUnsignedLessEqual, no_match, list_length.gp(),
                              rtt.type.depth());
+      // Step 4: load the candidate list slot into {tmp1}, and compare it.
+      __ LoadTaggedPointer(
+          tmp1.gp(), tmp1.gp(), no_reg,
+          wasm::ObjectAccess::ElementOffsetInTaggedFixedArray(rtt.type.depth()),
+          pinned);
+      __ emit_cond_jump(kUnequal, no_match, rtt.type, tmp1.gp(), rtt_reg.gp());
     } else {
-      unsupported(decoder, kGC, "rtt without depth");
+      // Preserve {obj_reg} across the call.
+      LiftoffRegList saved_regs = LiftoffRegList::ForRegs(obj_reg);
+      __ PushRegisters(saved_regs);
+      WasmCode::RuntimeStubId target = WasmCode::kWasmSubtypeCheck;
+      compiler::CallDescriptor* call_descriptor =
+          GetBuiltinCallDescriptor<WasmSubtypeCheckDescriptor>(
+              compilation_zone_);
+      ValueType sig_reps[] = {kWasmI32, kWasmAnyRef, rtt.type};
+      FunctionSig sig(1, 2, sig_reps);
+      LiftoffAssembler::VarState rtt_state(kPointerValueType, rtt_reg, 0);
+      LiftoffAssembler::VarState tmp1_state(kPointerValueType, tmp1, 0);
+      __ PrepareBuiltinCall(&sig, call_descriptor, {tmp1_state, rtt_state});
+      __ CallRuntimeStub(target);
+      DefineSafepoint();
+      __ PopRegisters(saved_regs);
+      __ Move(tmp1.gp(), kReturnRegister0, kWasmI32);
+      __ emit_i32_cond_jumpi(kEqual, no_match, tmp1.gp(), 0);
     }
 
-    // Step 4: load the candidate list slot into {tmp1}, and compare it.
-    __ LoadTaggedPointer(
-        tmp1.gp(), tmp1.gp(), no_reg,
-        wasm::ObjectAccess::ElementOffsetInTaggedFixedArray(rtt.type.depth()),
-        pinned);
-    __ emit_cond_jump(kUnequal, no_match, rtt.type, tmp1.gp(), rtt_reg.gp());
     // Fall through to {match}.
-
     __ bind(&match);
     return obj_reg;
   }

src/wasm/wasm-code-manager.h

@@ -85,7 +85,8 @@ struct WasmModule;
   V(ToNumber)                            \
   V(WasmAllocateArrayWithRtt)            \
   V(WasmAllocateRtt)                     \
-  V(WasmAllocateStructWithRtt)
+  V(WasmAllocateStructWithRtt)           \
+  V(WasmSubtypeCheck)
 
 // Sorted, disjoint and non-overlapping memory regions. A region is of the
 // form [start, end). So there's no [start, end), [end, other_end),

test/cctest/wasm/test-gc.cc

@@ -868,8 +868,8 @@ TEST(BasicRtt) {
   tester.CheckResult(kRefCast, 43);
 }
 
-TEST(NoDepthRtt) {
-  WasmGCTester tester;
+WASM_EXEC_TEST(NoDepthRtt) {
+  WasmGCTester tester(execution_tier);
 
   const byte type_index = tester.DefineStruct({F(wasm::kWasmI32, true)});
   const byte subtype_index =