[wasm][liftoff][eh] Fix unreachable delegate

Don't switch to the catch state if it is never reached. Also steal the catch state instead of splitting it since it cannot be used after a delegate instruction. R=ahaas@chromium.org Bug: chromium:1192313 Change-Id: I3967ac81e066d2146c8aa37b26a35a99ba88bdf6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2787488Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/master@{#73703}

[wasm][liftoff][eh] Fix unreachable delegate
Don't switch to the catch state if it is never reached. Also steal the catch state instead of splitting it since it cannot be used after a delegate instruction. R=ahaas@chromium.org Bug: chromium:1192313 Change-Id: I3967ac81e066d2146c8aa37b26a35a99ba88bdf6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2787488Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/master@{#73703}
806f79e4 · Thibaud Michaud · Commit Bot · 6a2ee16d · 806f79e4 · 806f79e4
Commit 806f79e4 authored Mar 25, 2021 by Thibaud Michaud Committed by Commit Bot Mar 29, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 1 deletion

liftoff-compiler.cc src/wasm/baseline/liftoff-compiler.cc +1 -1

regress1192313.js test/mjsunit/regress/wasm/regress1192313.js +30 -0

No files found.
--- a/src/wasm/baseline/liftoff-compiler.cc
+++ b/src/wasm/baseline/liftoff-compiler.cc
@@ -1189,8 +1189,8 @@ class LiftoffCompiler {
    Control* target = decoder->control_at(depth);
    DCHECK(block->is_incomplete_try());
    __ bind(&block->try_info->catch_label);
-    __ cache_state()->Split(block->try_info->catch_state);
    if (block->try_info->catch_reached) {
+      __ cache_state()->Steal(block->try_info->catch_state);
      if (depth == decoder->control_depth() - 1) {
        // Delegate to the caller, do not emit a landing pad.
        Rethrow(decoder, __ cache_state()->stack_state.back());

--- a/test/mjsunit/regress/wasm/regress1192313.js
+++ b/test/mjsunit/regress/wasm/regress1192313.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --experimental-wasm-eh --experimental-wasm-threads
+
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+(function Regress1192313() {
+  print(arguments.callee.name);
+  let builder = new WasmModuleBuilder();
+  builder.addMemory(16, 32);
+  builder.addFunction('f', kSig_i_i)
+      .addBody([
+          kExprTry, kWasmI32,
+            kExprI32Const, 0,
+            kExprI32Const, 0,
+            kExprCallFunction, 0,
+            kAtomicPrefix, kExprI32AtomicAnd8U,
+            0x00, 0xba, 0xe2, 0x81, 0xd6, 0x0b,
+          kExprCatchAll,
+            kExprTry, kWasmI32,
+              kExprI32Const, 0,
+              kExprI32Const, 0,
+              kAtomicPrefix, kExprI32AtomicAnd8U,
+              0x00, 0x85, 0x97, 0xc4, 0x5f,
+            kExprDelegate, 1,
+          kExprEnd]).exportFunc();
+  let instance = builder.instantiate();
+})();