[wasm-gc][liftoff] Check for null before calling CallRefIC

Bug: v8:7748, chromium:1364036
Change-Id: I0263a21671fc602127aaae3b3ce022190be91407
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899295
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Manos Koukoutos <manoskouk@chromium.org>
Cr-Commit-Position: refs/heads/main@{#83274}

src/wasm/baseline/liftoff-compiler.cc

@@ -7261,10 +7261,11 @@ class LiftoffCompiler {
       ValueKind kIntPtrKind = kPointerKind;
 
       LiftoffRegList pinned;
+      LiftoffRegister func_ref = pinned.set(__ PopToRegister(pinned));
       LiftoffRegister vector = pinned.set(__ GetUnusedRegister(kGpReg, pinned));
-      LiftoffAssembler::VarState funcref =
-          __ cache_state()->stack_state.end()[-1];
-      if (funcref.is_reg()) pinned.set(funcref.reg());
+      MaybeEmitNullCheck(decoder, func_ref.gp(), pinned, func_ref_type);
+      LiftoffAssembler::VarState func_ref_var(kRef, func_ref, 0);
+
       __ Fill(vector, liftoff::kFeedbackVectorOffset, kPointerKind);
       LiftoffAssembler::VarState vector_var(kPointerKind, vector, 0);
       LiftoffRegister index = pinned.set(__ GetUnusedRegister(kGpReg, pinned));
@@ -7279,9 +7280,9 @@ class LiftoffCompiler {
       CallRuntimeStub(WasmCode::kCallRefIC,
                       MakeSig::Returns(kPointerKind, kPointerKind)
                           .Params(kPointerKind, kIntPtrKind, kPointerKind),
-                      {vector_var, index_var, funcref}, decoder->position());
+                      {vector_var, index_var, func_ref_var},
+                      decoder->position());
 
-      __ cache_state()->stack_state.pop_back(1);  // Drop funcref.
       target_reg = LiftoffRegister(kReturnRegister0).gp();
       instance_reg = LiftoffRegister(kReturnRegister1).gp();
 

test/mjsunit/mjsunit.status

@@ -1207,6 +1207,10 @@
 
   # Baseline tests don't make sense with optimization stressing.
   'baseline/*': [SKIP],
+
+  # This test uses --wasm-speculative-inlining which is incompatible with
+  # stressing.
+  'regress/wasm/regress-1364036': [SKIP],
 }],  # variant == stress
 
 ##############################################################################

test/mjsunit/regress/wasm/regress-1364036.js

@@ -0,0 +1,17 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-speculative-inlining --experimental-wasm-typed-funcref
+
+d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addType(kSig_i_i);
+builder.addFunction("main", kSig_i_i)
+  .addBody([kExprI32Const, 0x00, kExprRefNull, 0x01, kExprCallRef, 0x01])
+  .exportFunc();
+
+let instance = builder.instantiate();
+
+assertTraps(WebAssembly.RuntimeError, () => instance.exports.main());