[wasm] Fix wrong comparison in liftoff for callref

The comparison of an external pointer used `kRef` here which is the
ValueKind for Wasm GC references. As those references are only 32 bits
on pointer-compressed builds, a 32-bit comparison is used.
(This was introduced with change https://crrev.com/c/4016816.)

If the pointer has the 32 least significant bits zeroed out, it assumes
that the callref target is a WasmJSFunction looking in the code table
for this index for the JS function. As it is a wasm function, it has a
trap handler registered there causing the call to trap instead.

Fix: v8:13534
Change-Id: I35474e1eaeeefff3cbe5bec9c6ede470688a0ce6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4106850
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84853}
Matthias Liedtke 2022-12-14 17:47:13 +01:00 committed by V8 LUCI CQ
parent 89f82e97d5
commit 86d44a8c2b


@ -7528,7 +7528,7 @@ class LiftoffCompiler {
LiftoffRegister null_address = temp;
__ LoadConstant(null_address, WasmValue::ForUintPtr(0));
__ emit_cond_jump(kUnequal, &perform_call, kRef, target.gp(),
__ emit_cond_jump(kUnequal, &perform_call, kIntPtrKind, target.gp(),
null_address.gp(), frozen);
// The cached target can only be null for WasmJSFunctions.
__ LoadTaggedPointer(
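Review bot: The comparison kind must match the width of the value being compared: `null_address` is loaded with `WasmValue::ForUintPtr(0)` and `target` holds a raw code pointer, so `kIntPtrKind` is the correct kind and `kRef` (which is only 32 bits on pointer-compressed builds) silently truncated the compare, which is the bug the commit message describes. Consider adding a one-line comment above the `emit_cond_jump` stating that `target` is an untagged pointer rather than a GC reference, so a future cleanup does not reintroduce `kRef`, and a regression test for v8:13534 that runs on a pointer-compressed configuration so the mismatch is caught where it actually manifests.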