[wasm] Fix instance caching with dynamic tiering

After the runtime call for dynamic tiering, the instance cache is
invalidated. This was assumed to be done in {SpillAllRegisters}, but the
instance is still being accessed after that call, so the instance cache
register might still be set after the runtime call.

R=ahaas@chromium.org

Bug: chromium:1179065
Change-Id: I375e7c388e5a74789050e374db50d21c2efe27e2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2714544Reviewed-by: Andreas Haas <ahaas@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72958}

src/wasm/baseline/liftoff-compiler.cc

@@ -824,6 +824,10 @@ class LiftoffCompiler {
       __ emit_cond_jump(kUnequal, &no_tierup, kWasmI32,
                         old_number_of_calls.gp());
       TierUpFunction(decoder);
+      // After the runtime call, the instance cache register is clobbered (we
+      // reset it already in {SpillAllRegisters} above, but then we still access
+      // the instance afterwards).
+      __ cache_state()->ClearCachedInstanceRegister();
       __ bind(&no_tierup);
     }
 

test/mjsunit/regress/wasm/regress-1179065.js

+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-staging --wasm-dynamic-tiering
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addMemory(1, 10);
+builder.addFunction('load', kSig_i_i).addBody([
+  // signature: i_i
+  // body:
+  kExprLocalGet, 0,       // local.get
+  kExprI32LoadMem, 0, 0,  // i32.load_mem
+]).exportFunc();
+const instance = builder.instantiate();
+// Call multiple times to trigger dynamic tiering.
+for (let i = 0; i < 20; ++i) {
+  instance.exports.load(1);
+}