chore: cherry-pick 3 changes from 1-M126 (#42617)

* chore: [30-x-y] cherry-pick 3 changes from 1-M126 * 8b400f9b7d66 from v8 * ba6cab40612d from v8 * 93c3cf1c787f from DirectXShaderCompiler * chore: update patches --------- Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
2024-06-24 06:05:52 -07:00 · 2024-06-24 06:05:52 -07:00 · 427b4aa273
commit 427b4aa273
parent 6a9ae16d76
5 changed files with 505 additions and 0 deletions
--- a/patches/v8/.patches
+++ b/patches/v8/.patches
@ -1,2 +1,4 @@
 chore_allow_customizing_microtask_policy_per_context.patch
 deps_add_v8_object_setinternalfieldfornodecore.patch
+cherry-pick-8b400f9b7d66.patch
+cherry-pick-ba6cab40612d.patch
--- a/patches/v8/cherry-pick-8b400f9b7d66.patch
+++ b/patches/v8/cherry-pick-8b400f9b7d66.patch
@ -0,0 +1,98 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakob Kummerow <jkummerow@chromium.org>
+Date: Thu, 6 Jun 2024 16:44:37 +0200
+Subject: Merged: [wasm] Enforce maximum number of canonicalized types
+
+Storing canonical indices in ValueTypes doesn't work well if the
+canonical index is too large.
+
+Fixed: 344608204
+(cherry picked from commit 422cdc5eddcadb53b8eafb099722fb211a35739e)
+
+Change-Id: Id281d6a38e8f2c64c42352f2d3dd3df54e289525
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5625825
+Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
+Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
+Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
+Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
+Cr-Commit-Position: refs/branch-heads/12.6@{#30}
+Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
+Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
+
+diff --git a/src/wasm/canonical-types.cc b/src/wasm/canonical-types.cc
+index b45a40a5da9c772623471dbc11fb45242d2053d0..7c6a4072f15d3dbb073bd1fe4760cf6ae92e4985 100644
+--- a/src/wasm/canonical-types.cc
+++ b/src/wasm/canonical-types.cc
+@@ -4,6 +4,7 @@
+ 
+ #include "src/wasm/canonical-types.h"
+ 
+#include "src/init/v8.h"
+ #include "src/wasm/std-object-sizes.h"
+ #include "src/wasm/wasm-engine.h"
+ 
+@@ -20,6 +21,19 @@ TypeCanonicalizer::TypeCanonicalizer() {
+   AddPredefinedArrayType(kPredefinedArrayI16Index, kWasmI16);
+ }
+ 
+// We currently store canonical indices in {ValueType} instances, so they
+// must fit into the range of valid module-relative (non-canonical) type
+// indices.
+// TODO(jkummerow): Raise this limit, to make long-lived WasmEngines scale
+// better. Plan: stop constructing ValueTypes from canonical type indices.
+static constexpr size_t kMaxCanonicalTypes = kV8MaxWasmTypes;
+
+void TypeCanonicalizer::CheckMaxCanonicalIndex() const {
+  if (canonical_supertypes_.size() > kMaxCanonicalTypes) {
+    V8::FatalProcessOutOfMemory(nullptr, "too many canonicalized types");
+  }
+}
+
+ void TypeCanonicalizer::AddRecursiveGroup(WasmModule* module, uint32_t size) {
+   AddRecursiveGroup(module, size,
+                     static_cast<uint32_t>(module->types.size() - size));
+@@ -60,6 +74,7 @@ void TypeCanonicalizer::AddRecursiveGroup(WasmModule* module, uint32_t size,
+   uint32_t first_canonical_index =
+       static_cast<uint32_t>(canonical_supertypes_.size());
+   canonical_supertypes_.resize(first_canonical_index + size);
+  CheckMaxCanonicalIndex();
+   for (uint32_t i = 0; i < size; i++) {
+     CanonicalType& canonical_type = group.types[i];
+     // Compute the canonical index of the supertype: If it is relative, we
+@@ -106,6 +121,7 @@ void TypeCanonicalizer::AddRecursiveSingletonGroup(WasmModule* module,
+   uint32_t first_canonical_index =
+       static_cast<uint32_t>(canonical_supertypes_.size());
+   canonical_supertypes_.resize(first_canonical_index + 1);
+  CheckMaxCanonicalIndex();
+   CanonicalType& canonical_type = group.type;
+   // Compute the canonical index of the supertype: If it is relative, we
+   // need to add {first_canonical_index}.
+@@ -151,6 +167,7 @@ uint32_t TypeCanonicalizer::AddRecursiveGroup(const FunctionSig* sig) {
+   group.type.is_relative_supertype = false;
+   canonical_singleton_groups_.emplace(group, canonical_index);
+   canonical_supertypes_.emplace_back(kNoSuperType);
+  CheckMaxCanonicalIndex();
+   return canonical_index;
+ }
+ 
+@@ -167,6 +184,7 @@ void TypeCanonicalizer::AddPredefinedArrayType(uint32_t index,
+   group.type.is_relative_supertype = false;
+   canonical_singleton_groups_.emplace(group, index);
+   canonical_supertypes_.emplace_back(kNoSuperType);
+  DCHECK_LE(canonical_supertypes_.size(), kMaxCanonicalTypes);
+ }
+ 
+ ValueType TypeCanonicalizer::CanonicalizeValueType(
+diff --git a/src/wasm/canonical-types.h b/src/wasm/canonical-types.h
+index e2b65e5a35030781b59abdd0f7aebe105754c1f3..c5dd6e8bf156908f6080f16234b7a24d1042f026 100644
+--- a/src/wasm/canonical-types.h
+++ b/src/wasm/canonical-types.h
+@@ -164,6 +164,8 @@ class TypeCanonicalizer {
+   ValueType CanonicalizeValueType(const WasmModule* module, ValueType type,
+                                   uint32_t recursive_group_start) const;
+ 
+  void CheckMaxCanonicalIndex() const;
+
+   std::vector<uint32_t> canonical_supertypes_;
+   // Maps groups of size >=2 to the canonical id of the first type.
+   std::unordered_map<CanonicalGroup, uint32_t, base::hash<CanonicalGroup>>
--- a/patches/v8/cherry-pick-ba6cab40612d.patch
+++ b/patches/v8/cherry-pick-ba6cab40612d.patch
@ -0,0 +1,92 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jakob Kummerow <jkummerow@chromium.org>
+Date: Thu, 13 Jun 2024 12:26:46 +0200
+Subject: Merged: [wasm][liftoff][arm64] Fix DropExceptionValueAtOffset
+
+We cannot exit the iteration early, we must update all entries
+in the cache state.
+
+Fixed: 343748812
+(cherry picked from commit 910cb91733dc47b8f4a3dc9f1ca640b728f97aad)
+
+Change-Id: Ib342467f35360baaa14cd098b258bd1acf4189a7
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5626023
+Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
+Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
+Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
+Auto-Submit: Jakob Kummerow <jkummerow@chromium.org>
+Cr-Commit-Position: refs/branch-heads/12.6@{#32}
+Cr-Branched-From: 3c9fa12db3183a6f4ea53d2675adb66ea1194529-refs/heads/12.6.228@{#2}
+Cr-Branched-From: 981bb15ba4dbf9e2381dfc94ec2c4af0b9c6a0b6-refs/heads/main@{#93835}
+
+diff --git a/src/wasm/baseline/liftoff-assembler.cc b/src/wasm/baseline/liftoff-assembler.cc
+index 821b6b80495849129c2c499302ac393278f72e92..e1ca7bebdc8408e21715dd0fc9861a474b989bcc 100644
+--- a/src/wasm/baseline/liftoff-assembler.cc
+++ b/src/wasm/baseline/liftoff-assembler.cc
+@@ -430,12 +430,13 @@ void LiftoffAssembler::DropExceptionValueAtOffset(int offset) {
+        slot != end; ++slot) {
+     *slot = *(slot + 1);
+     stack_offset = NextSpillOffset(slot->kind(), stack_offset);
+-    // Padding could allow us to exit early.
+-    if (slot->offset() == stack_offset) break;
+-    if (slot->is_stack()) {
+-      MoveStackValue(stack_offset, slot->offset(), slot->kind());
+    // Padding could cause some spill offsets to remain the same.
+    if (slot->offset() != stack_offset) {
+      if (slot->is_stack()) {
+        MoveStackValue(stack_offset, slot->offset(), slot->kind());
+      }
+      slot->set_offset(stack_offset);
+     }
+-    slot->set_offset(stack_offset);
+   }
+   cache_state_.stack_state.pop_back();
+ }
+diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
+index f797279ecaf7645061418ee86839df50c4e881a2..1b4e980e90e158fd3a078650ef9b02244cc550fe 100644
+--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
+@@ -1708,6 +1708,7 @@
+   'regress/wasm/regress-326156493': [SKIP],
+   'regress/wasm/regress-326894018': [SKIP],
+   'regress/wasm/regress-329032153': [SKIP],
+  'regress/wasm/regress-343748812': [SKIP],
+   'regress/wasm/regress-crbug-1338980': [SKIP],
+   'regress/wasm/regress-crbug-1355070': [SKIP],
+   'regress/wasm/regress-crbug-1356718': [SKIP],
+diff --git a/test/mjsunit/regress/wasm/regress-343748812.js b/test/mjsunit/regress/wasm/regress-343748812.js
+new file mode 100644
+index 0000000000000000000000000000000000000000..8dc456c413665e97c5f8e48f95a65370cf051753
+--- /dev/null
+++ b/test/mjsunit/regress/wasm/regress-343748812.js
+@@ -0,0 +1,30 @@
+// Copyright 2024 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+let $sig0 = builder.addType(kSig_v_v);
+let $sig7 = builder.addType(
+    makeSig([], [ kWasmExternRef, kWasmS128, kWasmExternRef ]));
+let $func0 = builder.addImport('imports', 'func0', $sig0);
+builder.addFunction("main", $sig0).exportFunc()
+  .addLocals(kWasmExternRef, 3)
+  .addBody([
+    kExprTry, $sig7,
+      kExprCallFunction, $func0,
+      kExprUnreachable,
+    kExprCatchAll,
+      kExprRefNull, kExternRefCode,
+      ...wasmS128Const([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]),
+      kExprRefNull, kExternRefCode,
+    kExprEnd,
+    kExprDrop,
+    kExprDrop,
+    kExprDrop,
+  ]);
+
+var instance = builder.instantiate({'imports': { 'func0': () => {} }});
+
+assertThrows(instance.exports.main, WebAssembly.RuntimeError, /unreachable/);