[liftoff] Fix bug in instance caching

In {MergeFullStackWith}, we were accidentally looking at the cached instance in the current {cache_state_} instead of the state passed as {source}. This could lead to missing reload of the instance after a conditional branch. R=thibaudm@chromium.org Bug: chromium:1179182 Change-Id: Ida3c06491f7973a183c43745159abbf6aa8a058b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2704081Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#72864}

[liftoff] Fix bug in instance caching
In {MergeFullStackWith}, we were accidentally looking at the cached instance in the current {cache_state_} instead of the state passed as {source}. This could lead to missing reload of the instance after a conditional branch. R=thibaudm@chromium.org Bug: chromium:1179182 Change-Id: Ida3c06491f7973a183c43745159abbf6aa8a058b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2704081Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#72864}
6b864361 · Clemens Backes · Commit Bot · cd76e360 · 6b864361 · 6b864361
Commit 6b864361 authored Feb 18, 2021 by Clemens Backes Committed by Commit Bot Feb 19, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 1 deletion

liftoff-assembler.cc src/wasm/baseline/liftoff-assembler.cc +1 -1

regress-1179182.js test/mjsunit/regress/wasm/regress-1179182.js +28 -0

No files found.
--- a/src/wasm/baseline/liftoff-assembler.cc
+++ b/src/wasm/baseline/liftoff-assembler.cc
@@ -702,7 +702,7 @@ void LiftoffAssembler::MergeFullStackWith(CacheState& target,
    transfers.TransferStackSlot(target.stack_state[i], source.stack_state[i]);
  }

-  if (cache_state_.cached_instance != target.cached_instance) {
+  if (source.cached_instance != target.cached_instance) {
    // Backward jumps (to loop headers) do not have a cached instance anyway, so
    // ignore this. On forward jumps, jump reset the cached instance in the
    // target state.

--- a/test/mjsunit/regress/wasm/regress-1179182.js
+++ b/test/mjsunit/regress/wasm/regress-1179182.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-staging
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(28, 32, false);
+builder.addFunction(undefined, kSig_i_v)
+  .addLocals(kWasmI32, 61)
+  .addBody([
+kExprI64Const, 0x0,  // i64.const
+kExprI32Const, 0x0,  // i32.const
+kExprIf, kWasmStmt,  // if
+  kExprI32Const, 0x0,  // i32.const
+  kExprI32LoadMem, 0x01, 0x23,  // i32.load
+  kExprBrTable, 0x01, 0x00, 0x00, // br_table
+  kExprEnd,  // end
+kExprI64SExtendI16,  // i64.extend16_s
+kExprI32Const, 0x00,  // i32.const
+kExprLocalGet, 0x00,  // local.get
+kExprI32StoreMem16, 0x00, 0x10,  // i32.store16
+kExprUnreachable,  // unreachable
+]).exportAs('main');
+const instance = builder.instantiate();
+assertThrows(instance.exports.main, WebAssembly.RuntimeError, 'unreachable');