-
Milad Fa authored
Port 22a16bda Original Commit Message: The Runtime_WasmCompileLazy function was returning a ptr-sized address, wrapped in an Object. This worked because no GC is triggered between the return from the runtime function and the point where we jump to the returned address. In a pointer-compressed world though, generated code assumes that all objects live in the same 4GB heap, so comparisons only compare the lower 32 bit. On a 64-bit system, this can lead to collisions where a comparison determines that the returned address equals a heap object, even though the upper 32-bit differ. This happens occasionally in the wild, where the returned function entry pointer has the same lower half than the exception sentinel value. This leads to triggering stack unwinding (by the CEntry stub), which then fails (with a CHECK) because there is no pending exception. This CL fixes that by returning a Smi instead which is the offset in the jump table where the kWasmCompileLazy builtin should jump to. The builtin then gets the jump table start address from the instance object, adds the offset that the runtime function returned, and performs the jump. We do not include a regression test because this failure is very spurious and hard to reproduce. R=clemensb@chromium.org, joransiu@ca.ibm.com, junyan@redhat.com, midawson@redhat.com BUG= LOG=N Change-Id: I92907b97a9d44d8cf42bb356ef350a22f7c5d5e1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3666249 Commit-Queue: Milad Farazmand <mfarazma@redhat.com> Reviewed-by:
Clemens Backes <clemensb@chromium.org> Reviewed-by:
Junliang Yan <junyan@redhat.com> Cr-Commit-Position: refs/heads/main@{#80752}
68ae81bf
