-
Clemens Backes authored
The Runtime_WasmCompileLazy function was returning a ptr-sized address, wrapped in an Object. This worked because no GC is triggered between the return from the runtime function and the point where we jump to the returned address. In a pointer-compressed world though, generated code assumes that all objects live in the same 4GB heap, so comparisons only compare the lower 32 bit. On a 64-bit system, this can lead to collisions where a comparison determines that the returned address equals a heap object, even though the upper 32-bit differ. This happens occasionally in the wild, where the returned function entry pointer has the same lower half than the exception sentinel value. This leads to triggering stack unwinding (by the CEntry stub), which then fails (with a CHECK) because there is no pending exception. This CL fixes that by returning a Smi instead which is the offset in the jump table where the kWasmCompileLazy builtin should jump to. The builtin then gets the jump table start address from the instance object, adds the offset that the runtime function returned, and performs the jump. We do not include a regression test because this failure is very spurious and hard to reproduce. R=jkummerow@chromium.org Bug: chromium:1311960 Change-Id: I5a72daf78905904f8ae8ade8630793c42e223984 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3663093 Commit-Queue: Clemens Backes <clemensb@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#80729}
22a16bda
Name |
Last commit
|
Last update |
---|---|---|
.. | ||
builtins-arm64.cc |