Commit d750358a authored by Jakob Kummerow's avatar Jakob Kummerow Committed by V8 LUCI CQ

[wasm] Fix instance caching after br_table

The tier-up check in any backwards jumps in a br_table list cause the
instance to get cached if it wasn't cached before. When the branch is
not taken, we must not rely on this caching to have happened.
This is a variant of crbug.com/1314184.

Fixed: chromium:1338075
Change-Id: Id511e98f29ec13f0a38b5595ceb4a607c58b92a4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3716478
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: 's avatarAndreas Haas <ahaas@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81279}
parent ca9d53e3
...@@ -2678,7 +2678,18 @@ class LiftoffCompiler { ...@@ -2678,7 +2678,18 @@ class LiftoffCompiler {
__ jmp(label.get()); __ jmp(label.get());
} else { } else {
__ bind(label.get()); __ bind(label.get());
BrOrRet(decoder, br_depth, 0); if (dynamic_tiering()) {
// {BrOrRet} caches the instance, which is only valid for the branch
// taken. On fallthrough, we must forget this state change.
// (See comment in {BrIf} above, this is a variant of
// crbug.com/1314184.)
LiftoffAssembler::CacheState old_cache_state;
old_cache_state.Split(*__ cache_state());
BrOrRet(decoder, br_depth, 0);
__ cache_state()->Steal(old_cache_state);
} else {
BrOrRet(decoder, br_depth, 0);
}
} }
} }
......
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
let builder = new WasmModuleBuilder();
builder.addMemory(1, 10, true);
builder.addFunction("crash", kSig_i_i)
.exportFunc()
.addLocals(kWasmI32, 10)
.addBody([
kExprBlock, kWasmVoid,
kExprLoop, kWasmVoid,
kExprLoop, kWasmVoid,
kExprLocalGet, 1,
kExprLocalGet, 2,
kExprLocalGet, 3,
kExprLocalGet, 4,
kExprLocalGet, 5,
kExprLocalGet, 6,
kExprLocalGet, 7,
kExprLocalGet, 8,
kExprLocalGet, 9,
kExprLocalGet, 10,
kExprDrop,
kExprDrop,
kExprDrop,
kExprDrop,
kExprDrop,
kExprDrop,
kExprDrop,
kExprDrop,
kExprDrop,
kExprDrop,
kExprLocalGet, 0,
kExprI32Const, 1,
kExprI32Sub,
kExprLocalTee, 0,
kExprBrTable, 2, 2, 1, 0,
kExprBr, 0,
kExprEnd, // loop
kExprEnd, // loop
kExprEnd, // block
kExprLocalGet, 0,
])
let instance = builder.instantiate();
let result = instance.exports.crash(5);
console.log(result);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment