[wasm][turbofan] Pass correct instance when inlining JsToWasm wrappers

It is possible to inline a JSToWasm wrapper that directly calls a WasmToJS wrapper. In this case we need to make sure that the instance we pass is a WasmApiFunctionRef, not a WasmInstanceObject. Bug: chromium:1271456 Change-Id: I684a769922895860a43c73ba43c2598c9bda4b64 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3293423 Commit-Queue: Paolo Severini <paolosev@microsoft.com> Reviewed-by: Andreas Haas <ahaas@chromium.org> Cr-Commit-Position: refs/heads/main@{#78031}
2021-11-22 12:03:31 -08:00 · 2021-11-22 12:03:31 -08:00 · 9324d7fd21
commit 9324d7fd21
parent d315657ef5
2 changed files with 35 additions and 1 deletions
--- a/src/compiler/wasm-compiler.cc
+++ b/src/compiler/wasm-compiler.cc
@ -6742,8 +6742,11 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder {
        // Call to a wasm function defined in this module.
        // The (cached) call target is the jump table slot for that function.
        args[0] = BuildLoadCallTargetFromExportedFunctionData(function_data);
+        Node* instance_node = gasm_->LoadFromObject(
+            MachineType::TaggedPointer(), function_data,
+            wasm::ObjectAccess::ToTagged(WasmFunctionData::kRefOffset));
        BuildWasmCall(sig_, base::VectorOf(args), base::VectorOf(rets),
-                      wasm::kNoCodePosition, nullptr, frame_state);
+                      wasm::kNoCodePosition, instance_node, frame_state);
      }
    }

--- a/test/mjsunit/regress/wasm/regress-1271456.js
+++ b/test/mjsunit/regress/wasm/regress-1271456.js
@ -0,0 +1,31 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo-inline-js-wasm-calls
+
+d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
+
+// Instantiate a module that exports an imported function
+// (module
+//   (func $import0 (import "e" "f"))
+//   (export "f" (func $import0))
+// )
+const builder = new WasmModuleBuilder();
+const sig_index = builder.addType(kSig_v_v);
+builder.addImport('e', 'f', sig_index);
+builder.addExport('f', 0);
+let instance = builder.instantiate(
+    {e: {f: function() {}}}
+);
+
+// Invoke the JS function exported by the Wasm module
+const f = instance.exports['f'];
+function invoke_vv(index) {
+  return f();
+}
+
+%PrepareFunctionForOptimization(invoke_vv);
+invoke_vv(0);
+%OptimizeFunctionOnNextCall(invoke_vv);
+invoke_vv(0);