AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[wasm] Fix reachability tracking for folded branches

Browse Source 
When we can eliminate a branch-on-type instruction based on statically
available type information and replace it with an unconditional branch,
we have to mark the rest of the current block as unreachable.

Change-Id: I9b8cc2f8e76da0b1b7cdf72b150ec675e9aae1a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3490931
Reviewed-by: Manos Koukoutos <manoskouk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79288}
This commit is contained in:
Jakob Kummerow 2022-02-25 15:32:38 +01:00 committed by V8 LUCI CQ
parent 730d826e7d
commit 51e819824d
2 changed files with 88 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/wasm/function-body-decoder-impl.h
View File

@ -2756,6 +2756,9 @@ class WasmFullDecoder : public WasmDecoder<validate, decoding_mode> {
if (V8_LIKELY(current_code_reachable_and_ok_)) {
CALL_INTERFACE(Forward, ref_object, stack_value(1));
CALL_INTERFACE(BrOrRet, imm.depth, 0);
// We know that the following code is not reachable, but according
// to the spec it technically is. Set it to spec-only reachable.
SetSucceedingCodeDynamicallyUnreachable();
c->br_merge()->reached = true;
}
break;
@ -4533,7 +4536,9 @@ class WasmFullDecoder : public WasmDecoder<validate, decoding_mode> {
CALL_INTERFACE(AssertNull, obj, &value);
} else {
CALL_INTERFACE(Trap, TrapReason::kTrapIllegalCast);
EndControl();
// We know that the following code is not reachable, but according
// to the spec it technically is. Set it to spec-only reachable.
SetSucceedingCodeDynamicallyUnreachable();
}
} else {
CALL_INTERFACE(RefCast, obj, rtt, &value);
@ -4595,24 +4600,28 @@ class WasmFullDecoder : public WasmDecoder<validate, decoding_mode> {
? kWasmBottom
: ValueType::Ref(rtt.type.ref_index(), kNonNullable));
Push(result_on_branch);
// The {value_on_branch} parameter we pass to the interface must
// be pointer-identical to the object on the stack, so we can't
// reuse {result_on_branch} which was passed-by-value to {Push}.
Value* value_on_branch = stack_value(1);
if (!VALIDATE(TypeCheckBranch<true>(c, 0))) return 0;
if (V8_LIKELY(current_code_reachable_and_ok_)) {
// This logic ensures that code generation can assume that functions
// can only be cast to function types, and data objects to data types.
if (V8_UNLIKELY(TypeCheckAlwaysSucceeds(obj, rtt))) {
CALL_INTERFACE(Drop); // rtt
CALL_INTERFACE(Forward, obj, value_on_branch);
// The branch will still not be taken on null.
if (obj.type.is_nullable()) {
CALL_INTERFACE(BrOnNonNull, obj, branch_depth.depth);
} else {
CALL_INTERFACE(BrOrRet, branch_depth.depth, 0);
// We know that the following code is not reachable, but according
// to the spec it technically is. Set it to spec-only reachable.
SetSucceedingCodeDynamicallyUnreachable();
}
c->br_merge()->reached = true;
} else if (V8_LIKELY(!TypeCheckAlwaysFails(obj, rtt))) {
// The {value_on_branch} parameter we pass to the interface must
// be pointer-identical to the object on the stack, so we can't
// reuse {result_on_branch} which was passed-by-value to {Push}.
Value* value_on_branch = stack_value(1);
CALL_INTERFACE(BrOnCast, obj, rtt, value_on_branch,
branch_depth.depth);
c->br_merge()->reached = true;
@ -4768,7 +4777,9 @@ class WasmFullDecoder : public WasmDecoder<validate, decoding_mode> {
arg.type.heap_representation(), \
this->module_)) { \
CALL_INTERFACE(Trap, TrapReason::kTrapIllegalCast); \
EndControl(); \
/* We know that the following code is not reachable, but according */ \
/* to the spec it technically is. Set it to spec-only reachable. */ \
SetSucceedingCodeDynamicallyUnreachable(); \
} else { \
CALL_INTERFACE(RefAs##h_type, arg, &result); \
} \

71
test/mjsunit/regress/wasm/regress-inlining-throw.js Normal file
View File

@ -0,0 +1,71 @@
// Copyright 2022 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Tier up quickly to save time:
// Flags: --wasm-tiering-budget=100 --experimental-wasm-gc
d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
var builder = new WasmModuleBuilder();
builder.setNominal();
let supertype = builder.addStruct([makeField(kWasmI32, true)]);
let subtype = builder.addStruct(
[makeField(kWasmI32, true), makeField(kWasmI32, true)], supertype);
let unused_type = builder.addStruct(
[makeField(kWasmI32, true), makeField(kWasmF64, true)], supertype);
let sig = makeSig([wasmOptRefType(supertype)], [kWasmI32]);
let callee1 = builder.addFunction('callee1', sig).addBody([
kExprBlock, kWasmRef, subtype,
kExprLocalGet, 0,
kGCPrefix, kExprBrOnCastStatic, 0, subtype,
kGCPrefix, kExprRefCastStatic, unused_type,
kGCPrefix, kExprStructGet, unused_type, 0,
kExprReturn,
kExprEnd,
kGCPrefix, kExprStructGet, subtype, 1
]);
let callee2 = builder.addFunction('callee2', sig).addBody([
kExprBlock, kWasmRef, subtype,
kExprLocalGet, 0,
kGCPrefix, kExprBrOnCastStatic, 0, subtype,
kExprUnreachable,
kExprReturn,
kExprEnd,
kGCPrefix, kExprStructGet, subtype, 1
]);
let callee3 = builder.addFunction('callee3', sig).addBody([
kExprBlock, kWasmRef, supertype,
kExprLocalGet, 0,
kExprBrOnNonNull, 0,
kExprUnreachable,
kExprReturn,
kExprEnd,
kGCPrefix, kExprRefCastStatic, subtype,
kGCPrefix, kExprStructGet, subtype, 1
]);
function MakeCaller(name, callee) {
builder.addFunction(name, kSig_i_v)
.addBody([
kExprI32Const, 10, kExprI32Const, 42,
kGCPrefix, kExprStructNew, subtype,
kExprCallFunction, callee.index
])
.exportFunc();
}
MakeCaller("main1", callee1);
MakeCaller("main2", callee2);
MakeCaller("main3", callee3);
var module = builder.instantiate();
for (let i = 0; i < 100; i++) {
assertEquals(42, module.exports.main1());
assertEquals(42, module.exports.main2());
assertEquals(42, module.exports.main3());
}