[wasm] Fix deopt loop with cross-instance call_indirect

danleh · V8 LUCI CQ · commit a497308a56b4 · 2024-11-13T11:07:07.000Z
See discussion in https://crrev.com/c/6011089 for context. Bug: 335082212, 377744184 Change-Id: I52ce0ff2636650a644cc4daa6b606a7b2172a826 Fixed: 378584789 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6011807 Commit-Queue: Daniel Lehmann <dlehmann@chromium.org> Reviewed-by: Matthias Liedtke <mliedtke@chromium.org> Cr-Commit-Position: refs/heads/main@{#97149}
diff --git a/src/builtins/wasm.tq b/src/builtins/wasm.tq
@@ -708,7 +708,9 @@ macro UpdateCallRefOrIndirectIC(
     // The "ic::IsMegamorphic(firstSlot)" case doesn't need to do anything.
   } else {
     // Monomorphic miss.
-    dcheck(Is<WasmFuncRef>(firstSlot) || Is<Smi>(firstSlot));
+    dcheck(
+        Is<WasmFuncRef>(firstSlot) || Is<Smi>(firstSlot) ||
+        IsUndefined(firstSlot));
     const newEntries = UnsafeCast<FixedArray>(AllocateFixedArray(
         ElementsKind::PACKED_ELEMENTS, 4, AllocationFlag::kNone));
     newEntries.objects[0] = firstSlot;
@@ -753,19 +755,15 @@ builtin CallRefIC(
 builtin CallIndirectIC(
     vector: FixedArray, vectorIndex: int32, target: WasmCodePointer,
     implicitArg: WasmTrustedInstanceData|WasmImportData): TargetAndImplicitArg {
-  // We increase the call counter for the target, regardless of whether the
-  // instance (in `implicitArg`) matches the current instance or not.
-  // Technically this overcounts feedback of cross-instance, same module
-  // functions, but in practice this is rare enough to not be worth the added
-  // branch here.
-  // Background: For correctness, we can only execute the inlined function's
-  // code if the instance of the (pre-inlining) call target is equal to the
-  // instance of the currently executing caller, see Turboshaft codegen.
-
-  const truncatedTarget =
-      SmiTag(Signed(Convert<uintptr>(target) & kSmiMaxValue));
+  // If this is a cross-instance call, don't track the precise target (we can
+  // only correctly inline same-instance calls anyway). Mark it as `Undefined`,
+  // so that we can prevent a deopt loop, see `TransitiveTypeFeedbackProcessor`.
+  const instance = LoadInstanceDataFromFrame();
+  const truncatedTargetOrCrossInstance = TaggedEqual(implicitArg, instance) ?
+      SmiTag(Signed(Convert<uintptr>(target) & kSmiMaxValue)) :
+      Undefined;
   UpdateCallRefOrIndirectIC(
-      vector, Convert<intptr>(vectorIndex), truncatedTarget);
+      vector, Convert<intptr>(vectorIndex), truncatedTargetOrCrossInstance);
 
   return TargetAndImplicitArg{target: target, implicit_arg: implicitArg};
 }
diff --git a/src/wasm/module-compiler.cc b/src/wasm/module-compiler.cc
@@ -1355,7 +1355,7 @@ class FeedbackMaker {
   void AddCallRefCandidate(Tagged<WasmFuncRef> funcref, int count) {
     Tagged<WasmInternalFunction> internal_function =
         Cast<WasmFuncRef>(funcref)->internal(isolate_);
-    // Only consider wasm function declared in this instance.
+    // Discard cross-instance calls, as we can only inline same-instance code.
     if (internal_function->implicit_arg() != instance_data_) {
       has_non_inlineable_targets_ = true;
       return;
@@ -1368,7 +1368,16 @@ class FeedbackMaker {
     AddCall(internal_function->function_index(), count);
   }
 
-  void AddCallIndirectCandidate(Tagged<Smi> target_truncated_smi, int count) {
+  void AddCallIndirectCandidate(Tagged<Object> target_truncated_obj,
+                                int count) {
+    // Discard cross-instance calls, as we can only inline same-instance code.
+    bool is_cross_instance_call = IsUndefined(target_truncated_obj);
+    if (is_cross_instance_call) {
+      has_non_inlineable_targets_ = true;
+      return;
+    }
+    Tagged<Smi> target_truncated_smi = Cast<Smi>(target_truncated_obj);
+
     // We need to map a truncated call target back to a function index.
     // Generally there may be multiple jump tables if code spaces are far apart
     // (to ensure that direct calls can always use a near call to the closest
@@ -1494,21 +1503,22 @@ void TransitiveTypeFeedbackProcessor::ProcessFunction(int func_index) {
 
   // For each entry in {call_targets}, there are two {Object} slots in the
   // {feedback} vector:
+  // +--------------------------+-----------------------+-------------------+
+  // |        Call Type         |   Feedback: Entry 1   |      Entry 2      |
   // +-------------------------+-----------------------+-------------------+
-  // |        Call Type        |   Feedback: Entry 1   |      Entry 2      |
-  // +-------------------------+-----------------------+-------------------+
-  // | direct                  | Smi(count)            | Smi(0), unused    |
-  // +-------------------------+-----------------------+-------------------+
-  // | ref, uninitialized      | Smi(0)                | Smi(0)            |
-  // | ref, monomorphic        | WasmFuncRef(target)   | Smi(count>0)      |
-  // | ref, polymorphic        | FixedArray            | Undefined         |
-  // | ref, megamorphic        | MegamorphicSymbol     | Undefined         |
-  // +-------------------------+-----------------------+-------------------+
-  // | indirect, uninitialized | Smi(0)                | Smi(0)            |
-  // | indirect, monomorphic   | Smi(truncated_target) | Smi(count>0)      |
-  // | indirect, polymorphic   | FixedArray            | Undefined         |
-  // | indirect, megamorphic   | MegamorphicSymbol     | Undefined         |
-  // +-------------------------+-----------------------+-------------------+
+  // | direct                   | Smi(count)            | Smi(0), unused    |
+  // +--------------------------+-----------------------+-------------------+
+  // | ref, uninitialized       | Smi(0)                | Smi(0)            |
+  // | ref, monomorphic         | WasmFuncRef(target)   | Smi(count>0)      |
+  // | ref, polymorphic         | FixedArray            | Undefined         |
+  // | ref, megamorphic         | MegamorphicSymbol     | Undefined         |
+  // +--------------------------+-----------------------+-------------------+
+  // | indirect, uninitialized  | Smi(0)                | Smi(0)            |
+  // | indirect, monomorphic    | Smi(truncated_target) | Smi(count>0)      |
+  // | indirect, wrong instance | Undefined             | Smi(count>0)      |
+  // | indirect, polymorphic    | FixedArray            | Undefined         |
+  // | indirect, megamorphic    | MegamorphicSymbol     | Undefined         |
+  // +--------------------------+-----------------------+-------------------+
   // The FixedArray entries for the polymorphic cases look like the monomorphic
   // entries in the feedback vector itself.
   // See {UpdateCallRefOrIndirectIC} in {wasm.tq} for how this is written.
@@ -1543,11 +1553,11 @@ void TransitiveTypeFeedbackProcessor::ProcessFunction(int func_index) {
       DCHECK_EQ(sentinel_or_target, FunctionTypeFeedback::kCallRef);
       int count = Smi::ToInt(second_slot);
       fm.AddCallRefCandidate(Cast<WasmFuncRef>(first_slot), count);
-    } else if (IsSmi(first_slot)) {
+    } else if (IsSmi(first_slot) || IsUndefined(first_slot)) {
       // Monomorphic call_indirect.
       DCHECK_EQ(sentinel_or_target, FunctionTypeFeedback::kCallIndirect);
       int count = Smi::ToInt(second_slot);
-      fm.AddCallIndirectCandidate(Cast<Smi>(first_slot), count);
+      fm.AddCallIndirectCandidate(first_slot, count);
     } else if (IsFixedArray(first_slot)) {
       // Polymorphic call_ref or call_indirect.
       Tagged<FixedArray> polymorphic = Cast<FixedArray>(first_slot);
@@ -1563,7 +1573,7 @@ void TransitiveTypeFeedbackProcessor::ProcessFunction(int func_index) {
       } else {
         DCHECK_EQ(sentinel_or_target, FunctionTypeFeedback::kCallIndirect);
         for (int j = 0; j < checked_polymorphic_length; j += 2) {
-          Tagged<Smi> target = Cast<Smi>(polymorphic->get(j));
+          Tagged<Object> target = polymorphic->get(j);
           int count = Smi::ToInt(polymorphic->get(j + 1));
           fm.AddCallIndirectCandidate(target, count);
         }
diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
@@ -86,9 +86,6 @@
   'regress/proto-transition-regress': [SKIP],
   'regress/regress-357651585': [SKIP],
 
-  # https://crbug.com/378584789: deopt loop with cross-instance call_indirect
-  'wasm/deopt/deopt-multi-instance-call-indirect': [SKIP],
-
   ##############################################################################
   # Tests where variants make no sense.
   'd8/enable-tracing': [PASS, NO_VARIANTS],
