[compiler] Disable inlining of JS-to-Wasm wrappers inside try/catch

The inlining of JS-to-Wasm wrappers can fail inside try/catch because
the IR built by WasmWrapperGraphBuilder::BuildJSToWasmWrapper does not
always set the correct control outputs in the call node.
This patch disables inlining inside try/catch to work around this issue.

Bug: chromium:1168386
Change-Id: I1b43bdb044b38d95c2d309290e228a86ba1513a3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2639927
Reviewed-by: Andreas Haas <ahaas@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Paolo Severini <paolosev@microsoft.com>
Cr-Commit-Position: refs/heads/master@{#72191}

src/compiler/js-call-reducer.cc

@@ -3461,6 +3461,11 @@ Reduction JSCallReducer::ReduceCallWasmFunction(
     return NoChange();
   }
 
+  // TODO(paolosev@microsoft.com): Enable inlining for calls in try/catch.
+  if (NodeProperties::IsExceptionalCall(node)) {
+    return NoChange();
+  }
+
   const wasm::FunctionSig* wasm_signature = shared.wasm_function_signature();
   if (!CanInlineJSToWasmCall(wasm_signature)) {
     return NoChange();

test/mjsunit/regress/wasm/regress-crbug-1168386.js

@@ -0,0 +1,26 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --interrupt-budget=100
+
+function __f_0(__v_8) {
+    var __v_9 = "mod_";
+    var __v_10 = eval(
+    'function Module(stdlib, foreign, heap) {\n' +
+    ' "use asm";\n' +
+    ' function ' + __v_9 + '(dividend) {\n' +
+    '  dividend = dividend | 0;\n' +
+    '  return ((dividend | 0) % ' + __v_8 + ') | 0;\n'
+    + ' }\n' +
+    ' return { f: ' + __v_9 + '}\n'
+    + '}; Module');
+  return __v_10().f;
+}
+try {
+  const __v_5 = -1;
+  const __v_6 = __f_0(1);
+  for (var __v_7 = 0; __v_7 < 100; __v_7++) {
+    __v_7 % __v_5 |  __v_6();
+  }
+} catch (e) {}