
Commit bc82a56

jakobkummerowV8 LUCI CQ
authored andcommitted
[wasm][turbofan] Fix br_on_non_null typing
This is a follow up to crrev.com/c/5826664: rather than dropping the TypeGuard entirely, we must insert it in the right position. Fixed: 368241691 Change-Id: I80ac9c2c2ba060a39fd46d52aff661e4d2a4608a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5872855 Commit-Queue: Matthias Liedtke <[email protected]> Auto-Submit: Jakob Kummerow <[email protected]> Reviewed-by: Matthias Liedtke <[email protected]> Cr-Commit-Position: refs/heads/main@{#96195}
1 parent 164c2ed commit bc82a56


2 files changed

+45
-1
lines changed


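--- a/src/wasm/graph-builder-interface.cc
+++ b/src/wasm/graph-builder-interface.cc
@@ -1206,14 +1206,15 @@ class WasmGraphBuildingInterface {
 
 void BrOnNonNull(FullDecoder* decoder, const Value& ref_object, Value* result,
 uint32_t depth, bool /* drop_null_on_fallthrough */) {
-result->node = ref_object.node;
 SsaEnv* false_env = ssa_env_;
 SsaEnv* true_env = Split(decoder->zone(), false_env);
 false_env->SetNotMerged();
 std::tie(false_env->control, true_env->control) =
 builder_->BrOnNull(ref_object.node, ref_object.type);
 builder_->SetControl(false_env->control);
 ScopedSsaEnv scoped_env(this, true_env);
+// Make sure the TypeGuard has the right Control dependency.
+SetAndTypeNode(result, builder_->TypeGuard(ref_object.node, result->type));
 BrOrRet(decoder, depth);
 }
 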
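Review bot: The comment on the added `SetAndTypeNode(...)` line states the goal but not what achieves it, so the ordering constraint is easy to undo in a later cleanup. The guard appears to be correct only because it is created after `ScopedSsaEnv scoped_env(this, true_env);`, which presumably makes the non-null branch the builder's current control; the removed line sat above the branch. A guard placed before the switch would attach the non-null type to a point that is not dominated by the null check, which is the kind of mistyping the commit message describes. I would spell that out, e.g. `// Must stay after the ScopedSsaEnv switch: the TypeGuard narrows to non-null and has to be control-dependent on the non-null branch, not on code before the null check.`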

Lines changed: 43 additions & 0 deletions
@@ -0,0 +1,43 @@
1+
// Copyright 2024 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
// Flags: --allow-natives-syntax
6+
7+
d8.file.execute("test/mjsunit/wasm/wasm-module-builder.js");
8+
9+
let builder = new WasmModuleBuilder();
10+
11+
let struct0 = builder.addStruct([makeField(kWasmI32, true)]);
12+
let return_struct0 = builder.addType(makeSig([], [wasmRefType(struct0)]));
13+
14+
builder.addFunction("makeStruct", return_struct0)
15+
.exportFunc()
16+
.addBody([
17+
kExprI32Const, 42,
18+
kGCPrefix, kExprStructNew, struct0,
19+
]);
20+
21+
let callee = builder.addFunction("callee", makeSig([wasmRefType(struct0)], [kWasmI32]))
22+
.addBody([
23+
kExprLocalGet, 0,
24+
kGCPrefix, kExprStructGet, struct0, 0,
25+
]);
26+
27+
builder.addFunction("main", makeSig([wasmRefNullType(struct0)], [kWasmI32]))
28+
.exportFunc()
29+
.addBody([
30+
kExprBlock, return_struct0,
31+
kExprLocalGet, 0,
32+
kExprBrOnNonNull, 0,
33+
kExprUnreachable,
34+
kExprEnd,
35+
kExprCallFunction, callee.index,
36+
]);
37+
38+
let instance = builder.instantiate();
39+
let obj = instance.exports.makeStruct();
40+
41+
instance.exports.main(obj);
42+
%WasmTierUpFunction(instance.exports.main);
43+
assertEquals(42, instance.exports.main(obj));
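Review bot: The regression test only calls `main` with a non-null struct, so the fallthrough side of `kExprBrOnNonNull` (a null argument reaching `kExprUnreachable`) is never executed in the tiered-up code. Since the fix is about where the non-null TypeGuard is attached relative to the null check, covering the null input after `%WasmTierUpFunction` would pin down that the optimized code still takes the trap path instead of reaching `callee`. Assuming the usual helpers from wasm-module-builder.js are available here, something like `assertTraps(kTrapUnreachable, () => instance.exports.main(null));` after the final `assertEquals` would do it.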
