Commit 97b89b6a authored by QiuJi, committed by V8 LUCI CQ

[wasm] Check for WasmExportedFunction before cast

{WasmInternalFunction::external} might return a function that is not
a WasmExportedFunction, at which point the code in ProcessTypeFeedback
fails.

See crrev.com/c/3277878 for context.

Bug: v8:12436
Change-Id: I447710cfa2dbdb64cba27922da85871d18bc79a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3303613
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78126}
parent 5c47acfc
...@@ -1253,7 +1253,9 @@ std::vector<CallSiteFeedback> ProcessTypeFeedback( ...@@ -1253,7 +1253,9 @@ std::vector<CallSiteFeedback> ProcessTypeFeedback(
static_cast<int>(instance->module()->num_imported_functions); static_cast<int>(instance->module()->num_imported_functions);
for (int i = 0; i < feedback.length(); i += 2) { for (int i = 0; i < feedback.length(); i += 2) {
Object value = feedback.get(i); Object value = feedback.get(i);
if (value.IsWasmInternalFunction()) { if (value.IsWasmInternalFunction() &&
WasmExportedFunction::IsWasmExportedFunction(
WasmInternalFunction::cast(value).external())) {
// Monomorphic. Mark the target for inlining if it's defined in the // Monomorphic. Mark the target for inlining if it's defined in the
// same module. // same module.
WasmExportedFunction target = WasmExportedFunction::cast( WasmExportedFunction target = WasmExportedFunction::cast(
......
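Review bot: the added condition in `if (value.IsWasmInternalFunction() && WasmExportedFunction::IsWasmExportedFunction(...))` has no comment saying when `external()` returns something other than a WasmExportedFunction, and the existing "Monomorphic" comment now describes only part of the test. A one-line comment above the check naming that case would help, since the commit message only defers to crrev.com/c/3277878. It is also worth confirming that a WasmInternalFunction which fails the second test is handled as intended by whatever branch follows, as the rest of the loop body is not visible here, and no regression test for v8:12436 appears in this diff.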