    [wasm] Fix return value of lazy compile runtime function · 22a16bda
    Clemens Backes authored
    The Runtime_WasmCompileLazy function was returning a ptr-sized address,
    wrapped in an Object. This worked because no GC is triggered between the
    return from the runtime function and the point where we jump to the
    returned address.
    
    In a pointer-compressed world though, generated code assumes that all
    objects live in the same 4GB heap, so comparisons only compare the lower
    32 bits. On a 64-bit system, this can lead to collisions where a
    comparison determines that the returned address equals a heap object,
    even though the upper 32 bits differ.
    
    This happens occasionally in the wild, where the returned function entry
    pointer has the same lower half as the exception sentinel value. This
    leads to triggering stack unwinding (by the CEntry stub), which then
    fails (with a CHECK) because there is no pending exception.
    
    This CL fixes that by returning a Smi instead which is the offset in the
    jump table where the kWasmCompileLazy builtin should jump to. The
    builtin then gets the jump table start address from the instance object,
    adds the offset that the runtime function returned, and performs the
    jump.
    
    We do not include a regression test because this failure is very
    spurious and hard to reproduce.
    
    R=jkummerow@chromium.org
    
    Bug: chromium:1311960
    Change-Id: I5a72daf78905904f8ae8ade8630793c42e223984
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663093
    Commit-Queue: Clemens Backes <clemensb@chromium.org>
    Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#80729}
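As an added illustration (not part of this commit or of V8's own code), the following C model reproduces the failure the commit message describes and shows why returning a Smi offset avoids it. The tagging scheme is a simplification of V8's pointer-compressed layout (low bit 1 marks a compressed heap object pointer, low bit 0 marks a Smi whose payload is the word shifted right by one); the cage base, sentinel offset, jump table address and colliding code address are constructed placeholders, not values from V8.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of V8 tagging under pointer compression (assumption,
 * not V8's actual definitions): a tagged word whose low bit is 1 is a
 * compressed heap object pointer; low bit 0 is a Smi, payload = word >> 1. */
typedef uint64_t Tagged;            /* full register width as seen by the stub */
enum { kHeapObjectTag = 1, kSmiTagSize = 1 };

static inline Tagged make_smi(int32_t value) {
    return (Tagged)((uint32_t)value << kSmiTagSize);      /* low bit is always 0 */
}

static inline int32_t smi_value(Tagged v) {
    return (int32_t)(uint32_t)v >> kSmiTagSize;
}

/* Pointer-compressed equality: generated code compares only the lower 32 bits,
 * trusting that every object lives inside one 4GB cage. */
static inline bool compressed_equal(Tagged a, Tagged b) {
    return (uint32_t)a == (uint32_t)b;
}

/* Constructed cage base and exception sentinel (a heap object inside the cage).
 * Placeholder values, not V8's. */
#define CAGE_BASE       0x0000100000000000ULL
#define SENTINEL_OFFSET 0x00002a30u
static const Tagged kExceptionSentinel = CAGE_BASE + SENTINEL_OFFSET + kHeapObjectTag;

/* Before the fix: the runtime function returns the raw 64-bit entry address,
 * wrapped as if it were an Object. */
static Tagged runtime_compile_lazy_before(uint64_t entry_addr) {
    return (Tagged)entry_addr;
}

/* After the fix: the runtime function returns the jump table offset as a Smi.
 * The Smi tag bit (0) can never equal the heap object tag bit (1), so a
 * lower-32-bit comparison against the sentinel can never succeed. */
static Tagged runtime_compile_lazy_after(uint32_t jump_table_offset) {
    return make_smi((int32_t)jump_table_offset);
}

/* The builtin side of the fix: jump table start (from the instance object)
 * plus the offset the runtime function returned. */
static uint64_t builtin_resolve_target(uint64_t jump_table_start, Tagged ret) {
    return jump_table_start + (uint32_t)smi_value(ret);
}

/* Modelled CEntry stub logic: a return value equal to the sentinel means
 * "start unwinding"; the CHECK requires that an exception is actually pending. */
static bool centry_would_unwind(Tagged ret) {
    return compressed_equal(ret, kExceptionSentinel);
}

static bool centry_check_fails(Tagged ret, bool exception_pending) {
    return centry_would_unwind(ret) && !exception_pending;
}

int main(void) {
    /* Constructed code address outside the cage whose lower 32 bits happen to
     * match the sentinel's: the collision described in the commit message. */
    uint64_t jump_table_start = 0x00007f4a00000000ULL;
    uint64_t colliding_entry  = jump_table_start + SENTINEL_OFFSET + kHeapObjectTag;

    Tagged before = runtime_compile_lazy_before(colliding_entry);
    printf("before fix: unwinds=%d, CHECK fails=%d\n",
           centry_would_unwind(before), centry_check_fails(before, false));

    Tagged after = runtime_compile_lazy_after(SENTINEL_OFFSET + kHeapObjectTag);
    printf("after fix:  unwinds=%d, target=%#llx\n",
           centry_would_unwind(after),
           (unsigned long long)builtin_resolve_target(jump_table_start, after));
    return 0;
}
```

The model also shows the second property the commit relies on: a Smi is not a pointer, so it stays valid across the return regardless of whether a GC could run, whereas the wrapped raw address was only safe because no GC happened in that window.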