electron/patches/v8/cherry-pick-ba6cab40612d.patch

93 lines
3.8 KiB
Diff
Raw Normal View History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jakob Kummerow <jkummerow@chromium.org>
Date: Thu, 13 Jun 2024 12:26:46 +0200
Subject: Merged: [wasm][liftoff][arm64] Fix DropExceptionValueAtOffset
We cannot exit the iteration early, we must update all entries
in the cache state.
Fixed: 343748812
(cherry picked from commit 910cb91733dc47b8f4a3dc9f1ca640b728f97aad)
Change-Id: Ib342467f35360baaa14cd098b258bd1acf4189a7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5626023
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.6@{#32}
Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
diff --git a/src/wasm/baseline/liftoff-assembler.cc b/src/wasm/baseline/liftoff-assembler.cc
index 821b6b80495849129c2c499302ac393278f72e92..e1ca7bebdc8408e21715dd0fc9861a474b989bcc 100644
--- a/src/wasm/baseline/liftoff-assembler.cc
+++ b/src/wasm/baseline/liftoff-assembler.cc
@@ -430,12 +430,13 @@ void LiftoffAssembler::DropExceptionValueAtOffset(int offset) {
slot != end; ++slot) {
*slot = *(slot + 1);
stack_offset = NextSpillOffset(slot->kind(), stack_offset);
- // Padding could allow us to exit early.
- if (slot->offset() == stack_offset) break;
- if (slot->is_stack()) {
- MoveStackValue(stack_offset, slot->offset(), slot->kind());
+ // Padding could cause some spill offsets to remain the same.
+ if (slot->offset() != stack_offset) {
+ if (slot->is_stack()) {
+ MoveStackValue(stack_offset, slot->offset(), slot->kind());
+ }
+ slot->set_offset(stack_offset);
}
- slot->set_offset(stack_offset);
}
cache_state_.stack_state.pop_back();
}
diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
index f797279ecaf7645061418ee86839df50c4e881a2..1b4e980e90e158fd3a078650ef9b02244cc550fe 100644
--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -1708,6 +1708,7 @@
'regress/wasm/regress-326156493': [SKIP],
'regress/wasm/regress-326894018': [SKIP],
'regress/wasm/regress-329032153': [SKIP],
+ 'regress/wasm/regress-343748812': [SKIP],
'regress/wasm/regress-crbug-1338980': [SKIP],
'regress/wasm/regress-crbug-1355070': [SKIP],
'regress/wasm/regress-crbug-1356718': [SKIP],
diff --git a/test/mjsunit/regress/wasm/regress-343748812.js b/test/mjsunit/regress/wasm/regress-343748812.js
new file mode 100644
index 0000000000000000000000000000000000000000..8dc456c413665e97c5f8e48f95a65370cf051753
--- /dev/null
+++ b/test/mjsunit/regress/wasm/regress-343748812.js
@@ -0,0 +1,30 @@
+// Copyright 2024 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+let $sig0 = builder.addType(kSig_v_v);
+let $sig7 = builder.addType(
+ makeSig([], [ kWasmExternRef, kWasmS128, kWasmExternRef ]));
+let $func0 = builder.addImport('imports', 'func0', $sig0);
+builder.addFunction("main", $sig0).exportFunc()
+ .addLocals(kWasmExternRef, 3)
+ .addBody([
+ kExprTry, $sig7,
+ kExprCallFunction, $func0,
+ kExprUnreachable,
+ kExprCatchAll,
+ kExprRefNull, kExternRefCode,
+ ...wasmS128Const([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
+ kExprRefNull, kExternRefCode,
+ kExprEnd,
+ kExprDrop,
+ kExprDrop,
+ kExprDrop,
+ ]);
+
+var instance = builder.instantiate({'imports': { 'func0': () => {} }});
+
+assertThrows(instance.exports.main, WebAssembly.RuntimeError, /unreachable/);