Parameters to throw alias with stack elements in WASM LLInt

https://bugs.webkit.org/show_bug.cgi?id=256818 rdar://108036137 Reviewed by Yusuke Suzuki. Correctly computes stack offsets when materializing the operands of a wasm_throw instruction in the WasmLLIntGenerator by counting relative to the stack height before the operands were popped as opposed to after. * JSTests/wasm/stress/throw-multiple-values.js: Added. (async test): * JSTests/wasm/stress/throw-with-live-value-on-stack.js: Added. (async test): * Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp: (JSC::Wasm::LLIntGenerator::addThrow): Originally-landed-as: 259548.762@safari-7615-branch (7fb3ced). rdar://108036137 Canonical link: https://commits.webkit.org/266447@main
WebKit · Jul 31, 2023 · ad8dd02 · ad8dd02
1 parent 41dcd0b
commit ad8dd02
Show file tree

Hide file tree

Showing 3 changed files with 59 additions and 1 deletion.
diff --git a/JSTests/wasm/stress/throw-multiple-values.js b/JSTests/wasm/stress/throw-multiple-values.js
@@ -0,0 +1,31 @@
+import { instantiate } from "../wabt-wrapper.js";
+import * as assert from "../assert.js";
+
+let wat = `
+(module
+    (global i32 i32.const 42)
+    (tag (param i32 i32 i32))
+
+    (func (export "test") (param i32 i32 i32) (result i32)
+        global.get 0
+        local.get 0
+        local.get 1
+        local.get 2
+        try (param i32 i32 i32) (result i32)
+            throw 0
+        catch 0
+            i32.add
+            i32.add
+        end
+        i32.add
+    )
+)
+`;
+
+async function test() {
+    const instance = await instantiate(wat, {}, { exceptions: true });
+    const { test } = instance.exports;
+    assert.eq(test(1, 2, 3), 48);
+}
+
+assert.asyncTest(test());
diff --git a/JSTests/wasm/stress/throw-with-live-value-on-stack.js b/JSTests/wasm/stress/throw-with-live-value-on-stack.js
@@ -0,0 +1,27 @@
+import { instantiate } from "../wabt-wrapper.js";
+import * as assert from "../assert.js";
+
+let wat = `
+(module
+    (global i32 i32.const 42)
+    (tag (param i32))
+
+    (func (export "test") (param i32) (result i32)
+        global.get 0
+        local.get 0
+        try (param i32)
+            throw 0
+        catch 0
+            br 0
+        end
+    )
+)
+`;
+
+async function test() {
+    const instance = await instantiate(wat, {}, { exceptions: true });
+    const { test } = instance.exports;
+    assert.eq(test(41), 42);
+}
+
+assert.asyncTest(test());
diff --git a/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp b/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
@@ -1247,7 +1247,7 @@ auto LLIntGenerator::addThrow(unsigned exceptionIndex, Vector<ExpressionType>& a
     // delayed moves, but the wasm_throw opcode expects all the arguments to be contiguous
     // in the stack. The reason we don't call materializeConstantsAndLocals here is that
     // it expects a stack, not a vector of ExpressionType arguments.
-    walkExpressionStack(args, [&](VirtualRegister& arg, VirtualRegister slot) {
+    walkExpressionStack(args, m_stackSize + args.size(), [&](VirtualRegister& arg, VirtualRegister slot) {
         if (arg == slot)
             return;
         WasmMov::emit(this, slot, arg);