[wasm] Fix direct call tag computation during serialization.

This makes sure the reverse tag translation of direct call targets to respective call tags is properly performed. Otherwise all direct call end up being deserialized to call the function with index '0'. Ooops! R=clemensh@chromium.org TEST=mjsunit/wasm/compiled-module-serialization BUG=chromium:857049 Change-Id: I37c1ee72b000daec87efdeed08d60a067b1a1b0c Reviewed-on: https://chromium-review.googlesource.com/1120256Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#54124}

[wasm] Fix direct call tag computation during serialization.
This makes sure the reverse tag translation of direct call targets to respective call tags is properly performed. Otherwise all direct call end up being deserialized to call the function with index '0'. Ooops! R=clemensh@chromium.org TEST=mjsunit/wasm/compiled-module-serialization BUG=chromium:857049 Change-Id: I37c1ee72b000daec87efdeed08d60a067b1a1b0c Reviewed-on: https://chromium-review.googlesource.com/1120256Reviewed-by: Clemens Hammacher <clemensh@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#54124}
870e81a2 · Michael Starzinger · Commit Bot · c888293c · 870e81a2 · 870e81a2
Commit 870e81a2 authored Jul 02, 2018 by Michael Starzinger Committed by Commit Bot Jul 02, 2018
4 changed files
--- a/src/wasm/wasm-code-manager.cc
+++ b/src/wasm/wasm-code-manager.cc
@@ -689,7 +689,8 @@ Address NativeModule::GetCallTargetForFunction(uint32_t func_index) const {
         slot_idx * JumpTableAssembler::kJumpTableSlotSize;
 }

-uint32_t NativeModule::GetFunctionIndexFromJumpTableSlot(Address slot_address) {
+uint32_t NativeModule::GetFunctionIndexFromJumpTableSlot(
+    Address slot_address) const {
  DCHECK(is_jump_table_slot(slot_address));
  uint32_t offset =
      static_cast<uint32_t>(slot_address - jump_table_->instruction_start());

--- a/src/wasm/wasm-code-manager.h
+++ b/src/wasm/wasm-code-manager.h
@@ -281,7 +281,7 @@ class V8_EXPORT_PRIVATE NativeModule final {
    return jump_table_->contains(address);
  }

-  uint32_t GetFunctionIndexFromJumpTableSlot(Address slot_address);
+  uint32_t GetFunctionIndexFromJumpTableSlot(Address slot_address) const;

  // Transition this module from code relying on trap handlers (i.e. without
  // explicit memory bounds checks) to code that does not require trap handlers

--- a/src/wasm/wasm-serialization.cc
+++ b/src/wasm/wasm-serialization.cc
@@ -225,8 +225,7 @@ class V8_EXPORT_PRIVATE NativeModuleSerializer {
  const NativeModule* const native_module_;
  bool write_called_;

-  // wasm code targets reverse lookup
-  std::map<Address, uint32_t> wasm_targets_lookup_;
+  // Reverse lookup tables for embedded addresses.
  std::map<Address, uint32_t> wasm_stub_targets_lookup_;
  std::map<Address, uint32_t> reference_table_lookup_;

@@ -328,7 +327,8 @@ void NativeModuleSerializer::WriteCode(const WasmCode* code, Writer* writer) {
    switch (mode) {
      case RelocInfo::WASM_CALL: {
        Address orig_target = orig_iter.rinfo()->wasm_call_address();
-        uint32_t tag = wasm_targets_lookup_[orig_target];
+        uint32_t tag =
+            native_module_->GetFunctionIndexFromJumpTableSlot(orig_target);
        SetWasmCalleeTag(iter.rinfo(), tag);
      } break;
      case RelocInfo::WASM_STUB_CALL: {

--- a/test/mjsunit/wasm/compiled-module-serialization.js
+++ b/test/mjsunit/wasm/compiled-module-serialization.js
@@ -309,3 +309,46 @@ load("test/mjsunit/wasm/wasm-module-builder.js");
  assertTraps(
      kTrapMemOutOfBounds, _ => instance.exports.main(kPageSize - 3));
 })();
+
+(function DirectCallAfterSerialization() {
+  print(arguments.callee.name);
+  const builder = new WasmModuleBuilder();
+  var fun1 = builder.addFunction('fun1', kSig_i_v)
+      .addBody([kExprI32Const, 23]);
+  var fun2 = builder.addFunction('fun2', kSig_i_v)
+      .addBody([kExprI32Const, 42]);
+  builder.addFunction('main', kSig_i_v)
+      .addBody([kExprCallFunction, fun1.index,
+                kExprCallFunction, fun2.index,
+                kExprI32Add])
+      .exportFunc();
+
+  var wire_bytes = builder.toBuffer();
+  var module = new WebAssembly.Module(wire_bytes);
+  var buffer = %SerializeWasmModule(module);
+  module = %DeserializeWasmModule(buffer, wire_bytes);
+  var instance = new WebAssembly.Instance(module);
+
+  assertEquals(65, instance.exports.main());
+})();
+
+(function ImportCallAfterSerialization() {
+  print(arguments.callee.name);
+  const builder = new WasmModuleBuilder();
+  var fun_import = builder.addImport("", "my_import", kSig_i_v);
+  var fun = builder.addFunction('fun', kSig_i_v)
+      .addBody([kExprI32Const, 23]);
+  builder.addFunction('main', kSig_i_v)
+      .addBody([kExprCallFunction, fun.index,
+                kExprCallFunction, fun_import,
+                kExprI32Add])
+      .exportFunc();
+
+  var wire_bytes = builder.toBuffer();
+  var module = new WebAssembly.Module(wire_bytes);
+  var buffer = %SerializeWasmModule(module);
+  module = %DeserializeWasmModule(buffer, wire_bytes);
+  var instance = new WebAssembly.Instance(module, {"": {my_import: () => 42 }});
+
+  assertEquals(65, instance.exports.main());
+})();