[wasm] Fix stack args in CWasmEntry stub

The particular combination of (1) having callee-saved registers in the stub per the C++ calling convention, (2) passing arguments to the callee on the stack, and (3) that callee throwing an exception, caused the saved registers to be restored to bogus values. To fix this, the stack unwinder needs to compute the stub's frame size correctly (i.e. without stack parameters). Bug: chromium:1007608 Change-Id: Iadd99f10764f49f9e3c620c05723e09172c73cf7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847352Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#64160}

[wasm] Fix stack args in CWasmEntry stub
The particular combination of (1) having callee-saved registers in the stub per the C++ calling convention, (2) passing arguments to the callee on the stack, and (3) that callee throwing an exception, caused the saved registers to be restored to bogus values. To fix this, the stack unwinder needs to compute the stub's frame size correctly (i.e. without stack parameters). Bug: chromium:1007608 Change-Id: Iadd99f10764f49f9e3c620c05723e09172c73cf7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1847352Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#64160}
f1e5488a · Jakob Kummerow · Commit Bot · ce3f0187 · f1e5488a · f1e5488a
Commit f1e5488a authored Oct 08, 2019 by Jakob Kummerow Committed by Commit Bot Oct 08, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 1 deletion

isolate.cc src/execution/isolate.cc +6 -1

regress-crbug-1007608.js test/mjsunit/regress/wasm/regress-crbug-1007608.js +26 -0

No files found.
--- a/src/execution/isolate.cc
+++ b/src/execution/isolate.cc
@@ -1683,8 +1683,13 @@ Object Isolate::UnwindAndFindHandler() {
        int return_offset = static_cast<int>(frame->pc() - instruction_start);
        int handler_offset = table.LookupReturn(return_offset);
        DCHECK_NE(-1, handler_offset);
+        // Compute the stack pointer from the frame pointer. This ensures that
+        // argument slots on the stack are dropped as returning would.
+        Address return_sp = frame->fp() +
+                            StandardFrameConstants::kFixedFrameSizeAboveFp -
+                            code.stack_slots() * kSystemPointerSize;
        return FoundHandler(Context(), instruction_start, handler_offset,
-                            code.constant_pool(), frame->sp(), frame->fp());
+                            code.constant_pool(), return_sp, frame->fp());
      }

      case StackFrame::WASM_COMPILED: {

--- a/test/mjsunit/regress/wasm/regress-crbug-1007608.js
+++ b/test/mjsunit/regress/wasm/regress-crbug-1007608.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Bug is in the C-to-Wasm entry, used e.g. by the Wasm interpreter.
+// Flags: --wasm-interpret-all
+
+load("test/mjsunit/wasm/wasm-module-builder.js");
+
+let argc = 7;
+let builder = new WasmModuleBuilder();
+let types = new Array(argc).fill(kWasmI32);
+let sig = makeSig(types, []);
+let body = [];
+for (let i = 0; i < argc; ++i) {
+  body.push(kExprGetLocal, i);
+}
+body.push(kExprCallFunction, 0);
+builder.addImport('', 'f', sig);
+builder.addFunction("main", sig).addBody(body).exportAs('main');
+let instance = builder.instantiate({
+  '': {
+    'f': function() { throw "don't crash"; }
+  }
+});
+assertThrows(instance.exports.main);