nodejs/deps/v8/test/mjsunit/regress/wasm/regress-361862737.js

// Copyright 2024 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');

// This test case reproduces a case in Turbofan where the WasmTyper was
// flip-flopping between two different states never reaching a fix point.
const builder = new WasmModuleBuilder();
let $array1 = builder.addArray(kWasmI16, true, kNoSuperType, true);
let loopSig = builder.addType(makeSig([kWasmFuncRef], []));
let funcEndless = builder.addFunction('funcEndless', kSig_v_v).exportFunc()
  .addLocals(kWasmFuncRef, 1)  // $var0
  .addBody([
    kExprRefNull, kFuncRefCode,
    kExprLoop, loopSig,
      kExprLocalTee, 0,  // $var0
      kExprBrOnNonNull, 0,
      kExprLocalGet, 0,  // $var0
      kExprRefAsNonNull,
      kExprBrOnNonNull, 0,
    kExprEnd,

    // Use something with a gc prefix to enable the WasmTyper.
    kExprRefNull, $array1,
    kGCPrefix, kExprArrayLen,
    kExprDrop,
  ]);

const instance = builder.instantiate();
assertTraps(kTrapNullDereference, () => instance.exports.funcEndless(null));
deps: patch V8 to 12.8.374.31 Refs: https://github.com/v8/v8/compare/12.8.374.22...12.8.374.31 PR-URL: https://github.com/nodejs/node/pull/54682 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Jiawen Geng <technicalcute@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 2024-09-09 18:20:23 +02:00			`// Copyright 2024 the V8 project authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be`
			`// found in the LICENSE file.`

			`d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');`

			`// This test case reproduces a case in Turbofan where the WasmTyper was`
			`// flip-flopping between two different states never reaching a fix point.`
			`const builder = new WasmModuleBuilder();`
			`let $array1 = builder.addArray(kWasmI16, true, kNoSuperType, true);`
			`let loopSig = builder.addType(makeSig([kWasmFuncRef], []));`
			`let funcEndless = builder.addFunction('funcEndless', kSig_v_v).exportFunc()`
			`.addLocals(kWasmFuncRef, 1) // $var0`
			`.addBody([`
			`kExprRefNull, kFuncRefCode,`
			`kExprLoop, loopSig,`
			`kExprLocalTee, 0, // $var0`
			`kExprBrOnNonNull, 0,`
			`kExprLocalGet, 0, // $var0`
			`kExprRefAsNonNull,`
			`kExprBrOnNonNull, 0,`
			`kExprEnd,`

			`// Use something with a gc prefix to enable the WasmTyper.`
			`kExprRefNull, $array1,`
			`kGCPrefix, kExprArrayLen,`
			`kExprDrop,`
			`]);`

			`const instance = builder.instantiate();`
			`assertTraps(kTrapNullDereference, () => instance.exports.funcEndless(null));`