[wasm][exnref] Implement special behavior of WA.JSTag in try_table.

sjrd · V8 LUCI CQ · commit 692f3d526a38 · 2024-04-10T18:06:29.000Z
This commit ports the changes from 4e79015 to `CatchCase`, i.e., the `try_table` instruction. In addition, it implements the same changes in Turboshaft, for which the implementation of exceptions initially came from 2c1c14d and already contained the `JSTag` handling for `CatchException`. This commit addresses part of https://issues.chromium.org/issues/333067164 but not all. Only catching with `try_table` is fixed. `throw` remains unchanged. Change-Id: I7bad031e28eaf609fb12e7706d0b6a7cc63fa09d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5435077 Commit-Queue: Thibaud Michaud <thibaudm@chromium.org> Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Cr-Commit-Position: refs/heads/main@{#93303}
diff --git a/AUTHORS b/AUTHORS
@@ -257,6 +257,7 @@ Sander Mathijs van Veen <sander@leaningtech.com>
 Sandro Santilli <strk@keybit.net>
 Sanjoy Das <sanjoy@playingwithpointers.com>
 Sam James <sam@gentoo.org>
+Sébastien Doeraene <sjrdoeraene@gmail.com>
 Seo Sanghyeon <sanxiyn@gmail.com>
 Shawn Anastasio <shawnanastasio@gmail.com>
 Shawn Presser <shawnpresser@gmail.com>
diff --git a/src/wasm/baseline/liftoff-compiler.cc b/src/wasm/baseline/liftoff-compiler.cc
@@ -1637,23 +1637,104 @@ class LiftoffCompiler {
                          wasm::ObjectAccess::ElementOffsetInTaggedFixedArray(
                              catch_case.maybe_tag.tag_imm.index));
 
+    VarState exn = __ cache_state() -> stack_state.back();
+
     CODE_COMMENT("compare tags");
-    {
-      FREEZE_STATE(frozen);
-      Label caught;
-      __ emit_cond_jump(kEqual, &caught, kRefNull, imm_tag, caught_tag.gp(),
-                        frozen);
-      // The tags don't match, merge the current state into the catch state
-      // and jump to the next handler.
-      __ MergeFullStackWith(block->try_info->catch_state);
-      __ emit_jump(&block->try_info->catch_label);
-      __ bind(&caught);
+    if (catch_case.maybe_tag.tag_imm.tag->sig->parameter_count() == 1 &&
+        catch_case.maybe_tag.tag_imm.tag->sig->GetParam(0) == kWasmExternRef) {
+      // Check for the special case where the tag is WebAssembly.JSTag and the
+      // exception is not a WebAssembly.Exception. In this case the exception is
+      // caught and pushed on the operand stack.
+      // Only perform this check if the tag signature is the same as
+      // the JSTag signature, i.e. a single externref, otherwise we know
+      // statically that it cannot be the JSTag.
+      LiftoffRegister undefined =
+          pinned.set(__ GetUnusedRegister(kGpReg, pinned));
+      __ LoadFullPointer(
+          undefined.gp(), kRootRegister,
+          IsolateData::root_slot_offset(RootIndex::kUndefinedValue));
+      LiftoffRegister js_tag = pinned.set(__ GetUnusedRegister(kGpReg, pinned));
+      LOAD_TAGGED_PTR_INSTANCE_FIELD(js_tag.gp(), NativeContext, pinned);
+      __ LoadTaggedPointer(
+          js_tag.gp(), js_tag.gp(), no_reg,
+          NativeContext::SlotOffset(Context::WASM_JS_TAG_INDEX));
+      __ LoadTaggedPointer(
+          js_tag.gp(), js_tag.gp(), no_reg,
+          wasm::ObjectAccess::ToTagged(WasmTagObject::kTagOffset));
+      {
+        LiftoffAssembler::CacheState initial_state(zone_);
+        LiftoffAssembler::CacheState end_state(zone_);
+        Label js_exception;
+        Label done;
+        Label uncaught;
+        initial_state.Split(*__ cache_state());
+        {
+          FREEZE_STATE(state_merged_explicitly);
+          // If the tag is undefined, this is not a wasm exception. Go to a
+          // different block to process the JS exception. Otherwise compare it
+          // with the expected tag.
+          __ emit_cond_jump(kEqual, &js_exception, kRefNull, caught_tag.gp(),
+                            undefined.gp(), state_merged_explicitly);
+          __ emit_cond_jump(kNotEqual, &uncaught, kRefNull, imm_tag,
+                            caught_tag.gp(), state_merged_explicitly);
+        }
+        // Case 1: A wasm exception with a matching tag.
+        CODE_COMMENT("unpack exception");
+        GetExceptionValues(decoder, __ cache_state()->stack_state.back(),
+                           catch_case.maybe_tag.tag_imm.tag);
+        // GetExceptionValues modified the cache state. Remember the new state
+        // to merge the end state of case 2 into it.
+        end_state.Steal(*__ cache_state());
+        __ emit_jump(&done);
+
+        __ bind(&js_exception);
+        __ cache_state() -> Split(initial_state);
+        {
+          FREEZE_STATE(state_merged_explicitly);
+          __ emit_cond_jump(kNotEqual, &uncaught, kRefNull, imm_tag,
+                            js_tag.gp(), state_merged_explicitly);
+        }
+        // Case 2: A JS exception, and the expected tag is JSTag.
+        // TODO(thibaudm): Can we avoid some state splitting/stealing by
+        // reserving this register earlier and not modifying the state in this
+        // block?
+        CODE_COMMENT("JS exception caught by JSTag");
+        LiftoffRegister exception = __ PeekToRegister(0, pinned);
+        __ PushRegister(kRefNull, exception);
+        // The exception is now on the stack twice: once as an implicit operand
+        // for rethrow, and once as the "unpacked" value.
+        __ MergeFullStackWith(end_state);
+        __ emit_jump(&done);
+
+        // Case 3: Either a wasm exception with a mismatching tag, or a JS
+        // exception but the expected tag is not JSTag.
+        __ bind(&uncaught);
+        __ cache_state() -> Steal(initial_state);
+        __ MergeFullStackWith(block->try_info->catch_state);
+        __ emit_jump(&block->try_info->catch_label);
+
+        __ bind(&done);
+        __ cache_state() -> Steal(end_state);
+      }
+    } else {
+      {
+        FREEZE_STATE(frozen);
+        Label caught;
+        __ emit_cond_jump(kEqual, &caught, kRefNull, imm_tag, caught_tag.gp(),
+                          frozen);
+        // The tags don't match, merge the current state into the catch state
+        // and jump to the next handler.
+        __ MergeFullStackWith(block->try_info->catch_state);
+        __ emit_jump(&block->try_info->catch_label);
+        __ bind(&caught);
+      }
+
+      CODE_COMMENT("unpack exception");
+      pinned = {};
+      GetExceptionValues(decoder, __ cache_state()->stack_state.back(),
+                         catch_case.maybe_tag.tag_imm.tag);
     }
 
-    CODE_COMMENT("unpack exception");
-    pinned = {};
-    VarState exn = __ cache_state()->stack_state.back();
-    GetExceptionValues(decoder, exn, catch_case.maybe_tag.tag_imm.tag);
     if (catch_case.kind == kCatchRef) {
       // Append the exception on the operand stack.
       DCHECK(exn.is_stack());
diff --git a/src/wasm/graph-builder-interface.cc b/src/wasm/graph-builder-interface.cc
@@ -1420,9 +1420,58 @@ class WasmGraphBuildingInterface {
     base::Vector<Value> values_without_exnref =
         catch_case.kind == kCatch ? values
                                   : values.SubVector(0, values.size() - 1);
-    CatchAndUnpackWasmException(decoder, block, exception,
-                                catch_case.maybe_tag.tag_imm.tag, caught_tag,
-                                expected_tag, values_without_exnref);
+
+    if (catch_case.maybe_tag.tag_imm.tag->sig->parameter_count() == 1 &&
+        catch_case.maybe_tag.tag_imm.tag->sig->GetParam(0) == kWasmExternRef) {
+      // Check for the special case where the tag is WebAssembly.JSTag and the
+      // exception is not a WebAssembly.Exception. In this case the exception is
+      // caught and pushed on the operand stack.
+      // Only perform this check if the tag signature is the same as
+      // the JSTag signature, i.e. a single externref, otherwise
+      // we know statically that it cannot be the JSTag.
+
+      TFNode* is_js_exn = builder_->IsExceptionTagUndefined(caught_tag);
+      auto [exn_is_js, exn_is_wasm] = builder_->BranchExpectFalse(is_js_exn);
+      SsaEnv* exn_is_js_env = Split(decoder->zone(), ssa_env_);
+      exn_is_js_env->control = exn_is_js;
+      SsaEnv* exn_is_wasm_env = Steal(decoder->zone(), ssa_env_);
+      exn_is_wasm_env->control = exn_is_wasm;
+
+      // Case 1: A wasm exception.
+      SetEnv(exn_is_wasm_env);
+      CatchAndUnpackWasmException(decoder, block, exception,
+                                  catch_case.maybe_tag.tag_imm.tag, caught_tag,
+                                  expected_tag, values_without_exnref);
+
+      // Case 2: A JS exception.
+      SetEnv(exn_is_js_env);
+      TFNode* js_tag = builder_->LoadJSTag();
+      TFNode* compare = builder_->ExceptionTagEqual(expected_tag, js_tag);
+      auto [if_catch, if_no_catch] = builder_->BranchNoHint(compare);
+      // Merge the wasm no-catch and JS no-catch paths.
+      SsaEnv* if_no_catch_env = Split(decoder->zone(), ssa_env_);
+      if_no_catch_env->control = if_no_catch;
+      SetEnv(if_no_catch_env);
+      Goto(decoder, block->try_info->catch_env);
+      // Merge the wasm catch and JS catch paths.
+      SsaEnv* if_catch_env = Steal(decoder->zone(), ssa_env_);
+      if_catch_env->control = if_catch;
+      SetEnv(if_catch_env);
+      Goto(decoder, block->block_env);
+
+      // The final env is a merge of case 1 and 2. The unpacked value is a Phi
+      // of the unpacked value (case 1) and the exception itself (case 2).
+      SetEnv(block->block_env);
+      TFNode* phi_inputs[] = {values[0].node, exception,
+                              block->block_env->control};
+      TFNode* ref = builder_->Phi(wasm::kWasmExternRef, 2, phi_inputs);
+      SetAndTypeNode(&values[0], ref);
+    } else {
+      CatchAndUnpackWasmException(decoder, block, exception,
+                                  catch_case.maybe_tag.tag_imm.tag, caught_tag,
+                                  expected_tag, values_without_exnref);
+    }
+
     if (catch_case.kind == kCatchRef) {
       DCHECK_EQ(values.last().type, kWasmExnRef);
       values.last().node = block->try_info->exception;
diff --git a/src/wasm/turboshaft-graph-interface.cc b/src/wasm/turboshaft-graph-interface.cc
@@ -3013,9 +3013,10 @@ class TurboshaftGraphBuildingInterface : public WasmGraphBuilderBase {
       BrOrRet(decoder, catch_case.br_imm.depth);
       return;
     }
+    V<NativeContext> native_context = instance_cache_.native_context();
     V<WasmTagObject> caught_tag = V<WasmTagObject>::Cast(
         CallBuiltinThroughJumptable<BuiltinCallDescriptor::WasmGetOwnProperty>(
-            decoder, instance_cache_.native_context(),
+            decoder, native_context,
             {block->exception, LOAD_ROOT(wasm_exception_tag_symbol)}));
     V<FixedArray> instance_tags =
         LOAD_IMMUTABLE_INSTANCE_FIELD(trusted_instance_data(), TagsTable,
@@ -3025,17 +3026,70 @@ class TurboshaftGraphBuildingInterface : public WasmGraphBuilderBase {
     TSBlock* if_catch = __ NewBlock();
     TSBlock* if_no_catch = NewBlockWithPhis(decoder, nullptr);
     SetupControlFlowEdge(decoder, if_no_catch);
+
+    // If the tags don't match we continue with the next tag by setting the
+    // no-catch environment as the new {block->false_or_loop_or_catch_block}
+    // here.
     block->false_or_loop_or_catch_block = if_no_catch;
-    __ Branch(ConditionWithHint(__ TaggedEqual(caught_tag, expected_tag)),
-              if_catch, block->false_or_loop_or_catch_block);
-    __ Bind(if_catch);
-    if (catch_case.kind == kCatchRef) {
-      UnpackWasmException(decoder, block->exception,
-                          values.SubVector(0, values.size() - 1));
-      values.last().op = block->exception;
+
+    if (catch_case.maybe_tag.tag_imm.tag->sig->parameter_count() == 1 &&
+        catch_case.maybe_tag.tag_imm.tag->sig->GetParam(0) == kWasmExternRef) {
+      // Check for the special case where the tag is WebAssembly.JSTag and the
+      // exception is not a WebAssembly.Exception. In this case the exception is
+      // caught and pushed on the operand stack.
+      // Only perform this check if the tag signature is the same as
+      // the JSTag signature, i.e. a single externref, otherwise
+      // we know statically that it cannot be the JSTag.
+      V<Word32> caught_tag_undefined =
+          __ TaggedEqual(caught_tag, LOAD_ROOT(UndefinedValue));
+      Label<Object> if_catch(&asm_);
+      Label<> no_catch_merge(&asm_);
+
+      IF (UNLIKELY(caught_tag_undefined)) {
+        V<Object> tag_object = __ Load(
+            native_context, LoadOp::Kind::TaggedBase(),
+            MemoryRepresentation::TaggedPointer(),
+            NativeContext::OffsetOfElementAt(Context::WASM_JS_TAG_INDEX));
+        V<Object> js_tag = __ Load(tag_object, LoadOp::Kind::TaggedBase(),
+                                   MemoryRepresentation::TaggedPointer(),
+                                   WasmTagObject::kTagOffset);
+        GOTO_IF(__ TaggedEqual(expected_tag, js_tag), if_catch,
+                block->exception);
+        GOTO(no_catch_merge);
+      } ELSE {
+        IF (__ TaggedEqual(caught_tag, expected_tag)) {
+          if (catch_case.kind == kCatchRef) {
+            UnpackWasmException(decoder, block->exception,
+                                values.SubVector(0, values.size() - 1));
+            values.last().op = block->exception;
+          } else {
+            UnpackWasmException(decoder, block->exception, values);
+          }
+          GOTO(if_catch, values[0].op);
+        }
+        GOTO(no_catch_merge);
+      }
+
+      BIND(no_catch_merge);
+      __ Goto(if_no_catch);
+
+      BIND(if_catch, caught_exception);
+      // The first unpacked value is the exception itself in the case of a JS
+      // exception.
+      values[0].op = caught_exception;
     } else {
-      UnpackWasmException(decoder, block->exception, values);
+      __ Branch(ConditionWithHint(__ TaggedEqual(caught_tag, expected_tag)),
+                if_catch, if_no_catch);
+      __ Bind(if_catch);
+      if (catch_case.kind == kCatchRef) {
+        UnpackWasmException(decoder, block->exception,
+                            values.SubVector(0, values.size() - 1));
+        values.last().op = block->exception;
+      } else {
+        UnpackWasmException(decoder, block->exception, values);
+      }
     }
+
     BrOrRet(decoder, catch_case.br_imm.depth);
 
     bool is_last = &catch_case == &block->catch_cases.last();
diff --git a/test/mjsunit/wasm/exnref-api.js b/test/mjsunit/wasm/exnref-api.js
diff --git a/test/mjsunit/wasm/exnref.js b/test/mjsunit/wasm/exnref.js
