[wasm] Initialize new jump table correct for lazy compilation

If a new jump table is created and lazy compilation is enabled, we need to initialize the new jump table with jumps to the lazy compile table. R=ahaas@chromium.org Bug: chromium:1016515 Change-Id: I5749470d4a08af903a6a4da13dbe5454ee6db309 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1873687 Reviewed-by: Andreas Haas <ahaas@chromium.org> Commit-Queue: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/master@{#64462}
2019-10-22 13:01:21 +02:00 · 2019-10-22 13:01:21 +02:00 · 369f1ffb42
commit 369f1ffb42
parent 9362df561d
2 changed files with 31 additions and 3 deletions
--- a/src/wasm/wasm-code-manager.cc
+++ b/src/wasm/wasm-code-manager.cc
@ -1282,11 +1282,19 @@ void NativeModule::AddCodeSpace(
  if (jump_table && !is_first_code_space) {
    // Patch the new jump table(s) with existing functions. If this is the first
    // code space, there cannot be any functions that have been compiled yet.
+    const CodeSpaceData& new_code_space_data = code_space_data_.back();
    for (uint32_t slot_index = 0; slot_index < num_wasm_functions;
         ++slot_index) {
-      if (!code_table_[slot_index]) continue;
-      PatchJumpTableLocked(code_space_data_.back(), slot_index,
-                           code_table_[slot_index]->instruction_start());
+      if (code_table_[slot_index]) {
+        PatchJumpTableLocked(new_code_space_data, slot_index,
+                             code_table_[slot_index]->instruction_start());
+      } else if (lazy_compile_table_) {
+        Address lazy_compile_target =
+            lazy_compile_table_->instruction_start() +
+            JumpTableAssembler::LazyCompileSlotIndexToOffset(slot_index);
+        PatchJumpTableLocked(new_code_space_data, slot_index,
+                             lazy_compile_target);
+      }
    }
  }
 }
--- a/test/mjsunit/regress/wasm/regress-1016515.js
+++ b/test/mjsunit/regress/wasm/regress-1016515.js
@ -0,0 +1,20 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --wasm-lazy-compilation
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+var builder = new WasmModuleBuilder();
+var func = builder.addFunction('func', kSig_i_v).addBody([kExprI32Const, 1]);
+var body = [];
+for (let i = 0; i < 200; ++i) {
+    body.push(kExprCallFunction, func.index);
+}
+for (let i = 1; i < 200; ++i) {
+    body.push(kExprI32Add);
+}
+builder.addFunction('test', kSig_i_v).addBody(body).exportFunc();
+var instance = builder.instantiate();
+instance.exports.test();