[wasm-gc] Fix endless loop in WasmGCOperatorReducer

When the control-flow aware type of a Node doesn't actually change, then we shouldn't claim that it did (which causes later re-visiting of the node). Fixed: v8:13061 Change-Id: I064cedf3721a79844bfc36ad3142428bdfbaf891 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3760675 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Auto-Submit: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/main@{#81700}
2022-07-13 17:58:45 +02:00 · 2022-07-13 17:58:45 +02:00 · 1609ffa8b3
commit 1609ffa8b3
parent 5f0e6a10f3
2 changed files with 34 additions and 0 deletions
--- a/src/compiler/wasm-gc-operator-reducer.cc
+++ b/src/compiler/wasm-gc-operator-reducer.cc
@ -79,6 +79,11 @@ Node* WasmGCOperatorReducer::SetType(Node* node, wasm::ValueType type) {
 Reduction WasmGCOperatorReducer::UpdateNodeAndAliasesTypes(
    Node* state_owner, ControlPathTypes parent_state, Node* node,
    wasm::TypeInModule type, bool in_new_block) {
+  ControlPathTypes previous_knowledge = GetState(state_owner);
+  if (!previous_knowledge.IsEmpty()) {
+    NodeWithType current_info = previous_knowledge.LookupState(node);
+    if (current_info.IsSet() && current_info.type == type) return NoChange();
+  }
  Node* current = node;
  ControlPathTypes current_state = parent_state;
  while (current != nullptr) {
--- a/test/mjsunit/regress/wasm/regress-13061.js
+++ b/test/mjsunit/regress/wasm/regress-13061.js
@ -0,0 +1,29 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --experimental-wasm-gc --no-liftoff
+
+d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
+
+let builder = new WasmModuleBuilder();
+
+builder.addFunction('repro', kSig_v_v)
+  .exportFunc()
+  .addLocals(wasmRefNullType(kWasmDataRef), 1)
+  .addBody([
+    kExprI32Const, 0,
+    kExprIf, kWasmVoid,
+      kExprLoop, kWasmVoid,
+        kExprCallFunction, 0,
+        kExprLocalGet, 0,
+        kExprRefAsNonNull,
+        kExprLocalSet, 0,
+        kExprI32Const, 0,
+        kExprBrIf, 0,
+      kExprEnd,
+    kExprEnd,
+  ]);
+
+let instance = builder.instantiate();
+instance.exports.repro();