deps: V8: cherry-pick 5f1342c20b59

Liedtke · guybedford · commit 9568ca75145a · 2026-04-16T16:43:45.000-07:00
Original commit message: [wasm][exnref] Fix broken abstract casts ref.test, ref.cast, br_on_cast, br_on_cast_fail allow arbitrary heap types, so they also allow exnref and noexnref. This CL also fixes the missing type checks in the js to wasm wrapper. Bug: v8:14398 Change-Id: Ieefb9a8e99d3d7a4b175db60f55b7fa9a96c5203 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5372489 Reviewed-by: Thibaud Michaud <thibaudm@chromium.org> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org> Cr-Commit-Position: refs/heads/main@{#92867} Refs: v8/v8@5f1342c
diff --git a/common.gypi b/common.gypi
@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.39',
+    'v8_embedder_string': '-node.40',
 
     ##### V8 defaults for Node.js #####
 
diff --git a/deps/v8/src/compiler/turboshaft/wasm-lowering-reducer.h b/deps/v8/src/compiler/turboshaft/wasm-lowering-reducer.h
@@ -556,7 +556,8 @@ class WasmLoweringReducer : public Next {
       // The none-types only perform a null check. They need no control flow.
       if (to_rep == wasm::HeapType::kNone ||
           to_rep == wasm::HeapType::kNoExtern ||
-          to_rep == wasm::HeapType::kNoFunc) {
+          to_rep == wasm::HeapType::kNoFunc ||
+          to_rep == wasm::HeapType::kNoExn) {
         result = __ IsNull(object, config.from);
         break;
       }
@@ -628,7 +629,8 @@ class WasmLoweringReducer : public Next {
       // The none-types only perform a null check.
       if (to_rep == wasm::HeapType::kNone ||
           to_rep == wasm::HeapType::kNoExtern ||
-          to_rep == wasm::HeapType::kNoFunc) {
+          to_rep == wasm::HeapType::kNoFunc ||
+          to_rep == wasm::HeapType::kNoExn) {
         __ TrapIfNot(__ IsNull(object, config.from), OpIndex::Invalid(),
                      TrapId::kTrapIllegalCast);
         break;
diff --git a/deps/v8/src/compiler/wasm-compiler.cc b/deps/v8/src/compiler/wasm-compiler.cc
@@ -7325,6 +7325,8 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder {
           // TODO(14034): Add more fast paths?
           case wasm::HeapType::kExtern:
           case wasm::HeapType::kNoExtern:
+          case wasm::HeapType::kExn:
+          case wasm::HeapType::kNoExn:
             if (type.kind() == wasm::kRef) {
               Node* null_value = gasm_->LoadImmutable(
                   MachineType::Pointer(), gasm_->LoadRootRegister(),
@@ -7345,9 +7347,6 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder {
             return input;
           case wasm::HeapType::kString:
             return BuildCheckString(input, js_context, type);
-          case wasm::HeapType::kExn:
-          case wasm::HeapType::kNoExn:
-            return input;
           case wasm::HeapType::kNone:
           case wasm::HeapType::kNoFunc:
           case wasm::HeapType::kI31:
diff --git a/deps/v8/src/compiler/wasm-gc-lowering.cc b/deps/v8/src/compiler/wasm-gc-lowering.cc
@@ -224,7 +224,7 @@ Reduction WasmGCLowering::ReduceWasmTypeCheckAbstract(Node* node) {
     // The none-types only perform a null check. They need no control flow.
     if (to_rep == wasm::HeapType::kNone ||
         to_rep == wasm::HeapType::kNoExtern ||
-        to_rep == wasm::HeapType::kNoFunc) {
+        to_rep == wasm::HeapType::kNoFunc || to_rep == wasm::HeapType::kNoExn) {
       result = IsNull(object, config.from);
       break;
     }
@@ -398,7 +398,7 @@ Reduction WasmGCLowering::ReduceWasmTypeCastAbstract(Node* node) {
     // The none-types only perform a null check.
     if (to_rep == wasm::HeapType::kNone ||
         to_rep == wasm::HeapType::kNoExtern ||
-        to_rep == wasm::HeapType::kNoFunc) {
+        to_rep == wasm::HeapType::kNoFunc || to_rep == wasm::HeapType::kNoExn) {
       gasm_.TrapUnless(IsNull(object, config.from), TrapId::kTrapIllegalCast);
       UpdateSourcePosition(gasm_.effect(), node);
       break;
diff --git a/deps/v8/src/wasm/baseline/liftoff-compiler.cc b/deps/v8/src/wasm/baseline/liftoff-compiler.cc
@@ -6580,6 +6580,7 @@ class LiftoffCompiler {
       case HeapType::kNone:
       case HeapType::kNoExtern:
       case HeapType::kNoFunc:
+      case HeapType::kNoExn:
         DCHECK(null_succeeds);
         return AssertNullTypecheck(decoder, obj, result_val);
       case HeapType::kAny:
@@ -6674,6 +6675,7 @@ class LiftoffCompiler {
       case HeapType::kNone:
       case HeapType::kNoExtern:
       case HeapType::kNoFunc:
+      case HeapType::kNoExn:
         DCHECK(null_succeeds);
         return BrOnNull(decoder, obj, depth, /*pass_null_along_branch*/ true,
                         nullptr);
@@ -6707,6 +6709,7 @@ class LiftoffCompiler {
       case HeapType::kNone:
       case HeapType::kNoExtern:
       case HeapType::kNoFunc:
+      case HeapType::kNoExn:
         DCHECK(null_succeeds);
         return BrOnNonNull(decoder, obj, nullptr, depth,
                            /*drop_null_on_fallthrough*/ false);
diff --git a/deps/v8/src/wasm/function-body-decoder-impl.h b/deps/v8/src/wasm/function-body-decoder-impl.h
@@ -4659,7 +4659,8 @@ class WasmFullDecoder : public WasmDecoder<ValidationTag, decoding_mode> {
            ((!null_succeeds || !obj.type.is_nullable()) &&
             (expected_type.representation() == HeapType::kNone ||
              expected_type.representation() == HeapType::kNoFunc ||
-             expected_type.representation() == HeapType::kNoExtern));
+             expected_type.representation() == HeapType::kNoExtern ||
+             expected_type.representation() == HeapType::kNoExn));
   }
   bool TypeCheckAlwaysFails(Value obj, uint32_t ref_index) {
     // All old casts / checks treat null as failure.
diff --git a/deps/v8/src/wasm/graph-builder-interface.cc b/deps/v8/src/wasm/graph-builder-interface.cc
@@ -1803,6 +1803,7 @@ class WasmGraphBuildingInterface {
       case HeapType::kNone:
       case HeapType::kNoExtern:
       case HeapType::kNoFunc:
+      case HeapType::kNoExn:
         DCHECK(null_succeeds);
         // This is needed for BrOnNull. {value_on_branch} is on the value stack
         // and BrOnNull interacts with the values on the stack.
@@ -1841,6 +1842,7 @@ class WasmGraphBuildingInterface {
       case HeapType::kNone:
       case HeapType::kNoExtern:
       case HeapType::kNoFunc:
+      case HeapType::kNoExn:
         DCHECK(null_succeeds);
         // We need to store a node in the stack where the decoder so far only
         // pushed a value and expects the `BrOnCastFailAbstract` to set it.
diff --git a/deps/v8/src/wasm/wrappers.cc b/deps/v8/src/wasm/wrappers.cc
@@ -857,6 +857,8 @@ class WasmWrapperTSGraphBuilder : public WasmGraphBuilderBase {
           // TODO(14034): Add more fast paths?
           case wasm::HeapType::kExtern:
           case wasm::HeapType::kNoExtern:
+          case wasm::HeapType::kExn:
+          case wasm::HeapType::kNoExn:
             if (type.kind() == wasm::kRef) {
               IF (__ TaggedEqual(input, LOAD_ROOT(NullValue))) {
                 CallRuntime(__ phase_zone(), Runtime::kWasmThrowJSTypeError, {},
@@ -867,9 +869,6 @@ class WasmWrapperTSGraphBuilder : public WasmGraphBuilderBase {
             return input;
           case wasm::HeapType::kString:
             return BuildCheckString(input, context, type);
-          case wasm::HeapType::kExn:
-          case wasm::HeapType::kNoExn:
-            return input;
           case wasm::HeapType::kNone:
           case wasm::HeapType::kNoFunc:
           case wasm::HeapType::kI31:
diff --git a/deps/v8/test/mjsunit/wasm/gc-casts-exnref.js b/deps/v8/test/mjsunit/wasm/gc-casts-exnref.js
@@ -0,0 +1,232 @@
+// Copyright 2024 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --experimental-wasm-exnref --no-experimental-wasm-inlining
+
+d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
+
+let getExnRef = function() {
+  let tag = new WebAssembly.Tag({parameters:[]});
+  return new WebAssembly.Exception(tag, []);
+};
+
+(function RefTestExnRef() {
+  print(arguments.callee.name);
+  let builder = new WasmModuleBuilder();
+  let tag = builder.addTag(makeSig([], []));
+
+  builder.addFunction('testExnRef',
+      makeSig([kWasmExnRef], [kWasmI32, kWasmI32]))
+    .addBody([
+      kExprLocalGet, 0, kGCPrefix, kExprRefTest, kExnRefCode,
+      kExprLocalGet, 0, kGCPrefix, kExprRefTest, kNullExnRefCode,
+    ]).exportFunc();
+
+  builder.addFunction('testNullExnRef',
+      makeSig([kWasmExnRef], [kWasmI32, kWasmI32]))
+    .addBody([
+      kExprLocalGet, 0, kGCPrefix, kExprRefTestNull, kExnRefCode,
+      kExprLocalGet, 0, kGCPrefix, kExprRefTestNull, kNullExnRefCode,
+    ]).exportFunc();
+
+  let instance = builder.instantiate();
+  let wasm = instance.exports;
+  assertEquals([0, 0], wasm.testExnRef(null));
+  assertEquals([1, 0], wasm.testExnRef(getExnRef()));
+  assertEquals([1, 1], wasm.testNullExnRef(null));
+  assertEquals([1, 0], wasm.testNullExnRef(getExnRef()));
+})();
+
+(function RefCastExnRef() {
+  print(arguments.callee.name);
+  let builder = new WasmModuleBuilder();
+
+  builder.addFunction('castToExnRef',
+      makeSig([kWasmExnRef], [kWasmExnRef]))
+    .addBody([kExprLocalGet, 0, kGCPrefix, kExprRefCast, kExnRefCode])
+    .exportFunc();
+  builder.addFunction('castToNullExnRef',
+    makeSig([kWasmExnRef], [kWasmExnRef]))
+  .addBody([kExprLocalGet, 0, kGCPrefix, kExprRefCast, kNullExnRefCode])
+  .exportFunc();
+  builder.addFunction('castNullToExnRef',
+    makeSig([kWasmExnRef], [kWasmExnRef]))
+  .addBody([kExprLocalGet, 0, kGCPrefix, kExprRefCastNull, kExnRefCode])
+  .exportFunc();
+  builder.addFunction('castNullToNullExnRef',
+    makeSig([kWasmExnRef], [kWasmExnRef]))
+  .addBody([kExprLocalGet, 0, kGCPrefix, kExprRefCastNull, kNullExnRefCode])
+  .exportFunc();
+
+  let instance = builder.instantiate();
+  let wasm = instance.exports;
+
+  let exnRef = getExnRef();
+  assertTraps(kTrapIllegalCast, () => wasm.castToExnRef(null));
+  assertEquals(exnRef, wasm.castToExnRef(exnRef));
+  assertTraps(kTrapIllegalCast, () => wasm.castToNullExnRef(null));
+  assertTraps(kTrapIllegalCast, () => wasm.castToNullExnRef(exnRef));
+
+  assertSame(null, wasm.castNullToExnRef(null));
+  assertEquals(exnRef, wasm.castNullToExnRef(exnRef));
+  assertSame(null, wasm.castNullToNullExnRef(null));
+  assertTraps(kTrapIllegalCast, () => wasm.castNullToNullExnRef(exnRef));
+})();
+
+(function BrOnCastExnRef() {
+  print(arguments.callee.name);
+  let builder = new WasmModuleBuilder();
+
+  builder.addFunction('castToExnRef',
+    makeSig([kWasmExnRef], [kWasmI32]))
+  .addBody([
+    kExprBlock, kWasmRef, kExnRefCode,
+      kExprLocalGet, 0,
+      ...wasmBrOnCast(
+          0, wasmRefNullType(kWasmExnRef), wasmRefType(kWasmExnRef)),
+      kExprI32Const, 0,
+      kExprReturn,
+    kExprEnd,
+    kExprDrop,
+    kExprI32Const, 1,
+    kExprReturn,
+  ])
+  .exportFunc();
+  builder.addFunction('castToNullExnRef',
+    makeSig([kWasmExnRef], [kWasmI32]))
+  .addBody([
+    kExprBlock, kWasmRef, kNullExnRefCode,
+      kExprLocalGet, 0,
+      ...wasmBrOnCast(
+          0, wasmRefNullType(kWasmExnRef), wasmRefType(kWasmNullExnRef)),
+      kExprI32Const, 0,
+      kExprReturn,
+    kExprEnd,
+    kExprDrop,
+    kExprI32Const, 1,
+    kExprReturn,
+  ])
+  .exportFunc();
+
+  builder.addFunction('castNullToExnRef',
+    makeSig([kWasmExnRef], [kWasmI32]))
+  .addBody([
+    kExprBlock, kWasmRefNull, kExnRefCode,
+      kExprLocalGet, 0,
+      ...wasmBrOnCast(0,
+          wasmRefNullType(kWasmExnRef), wasmRefNullType(kWasmExnRef)),
+      kExprI32Const, 0,
+      kExprReturn,
+    kExprEnd,
+    kExprDrop,
+    kExprI32Const, 1,
+    kExprReturn,
+  ])
+  .exportFunc();
+  builder.addFunction('castNullToNullExnRef',
+    makeSig([kWasmExnRef], [kWasmI32]))
+  .addBody([
+    kExprBlock, kWasmRefNull, kNullExnRefCode,
+      kExprLocalGet, 0,
+      ...wasmBrOnCast(0,
+          wasmRefNullType(kWasmExnRef), wasmRefNullType(kWasmNullExnRef)),
+      kExprI32Const, 0,
+      kExprReturn,
+    kExprEnd,
+    kExprDrop,
+    kExprI32Const, 1,
+    kExprReturn,
+  ])
+  .exportFunc();
+
+  builder.addFunction('castFailToExnRef',
+    makeSig([kWasmExnRef], [kWasmI32]))
+  .addBody([
+    kExprBlock, kWasmRefNull, kExnRefCode,
+      kExprLocalGet, 0,
+      ...wasmBrOnCastFail(0,
+          wasmRefNullType(kWasmExnRef), wasmRefType(kWasmExnRef)),
+      kExprI32Const, 0,
+      kExprReturn,
+    kExprEnd,
+    kExprDrop,
+    kExprI32Const, 1,
+    kExprReturn,
+  ])
+  .exportFunc();
+  builder.addFunction('castFailToNullExnRef',
+    makeSig([kWasmExnRef], [kWasmI32]))
+  .addBody([
+    kExprBlock, kWasmRefNull, kExnRefCode,
+      kExprLocalGet, 0,
+      ...wasmBrOnCastFail(0,
+          wasmRefNullType(kWasmExnRef), wasmRefType(kWasmNullExnRef)),
+      kExprI32Const, 0,
+      kExprReturn,
+    kExprEnd,
+    kExprDrop,
+    kExprI32Const, 1,
+    kExprReturn,
+  ])
+  .exportFunc();
+
+  builder.addFunction('castFailNullToExnRef',
+    makeSig([kWasmExnRef], [kWasmI32]))
+  .addBody([
+    kExprBlock, kWasmRef, kExnRefCode,
+      kExprLocalGet, 0,
+      ...wasmBrOnCastFail(0,
+          wasmRefNullType(kWasmExnRef), wasmRefNullType(kWasmExnRef)),
+      kExprI32Const, 0,
+      kExprReturn,
+    kExprEnd,
+    kExprDrop,
+    kExprI32Const, 1,
+    kExprReturn,
+  ])
+  .exportFunc();
+  builder.addFunction('castFailNullToNullExnRef',
+    makeSig([kWasmExnRef], [kWasmI32]))
+  .addBody([
+    kExprBlock, kWasmRef, kExnRefCode,
+      kExprLocalGet, 0,
+      ...wasmBrOnCastFail(0,
+          wasmRefNullType(kWasmExnRef), wasmRefNullType(kWasmNullExnRef)),
+      kExprI32Const, 0,
+      kExprReturn,
+    kExprEnd,
+    kExprDrop,
+    kExprI32Const, 1,
+    kExprReturn,
+  ])
+  .exportFunc();
+
+  let instance = builder.instantiate();
+  let wasm = instance.exports;
+  let exnRef = getExnRef();
+
+  assertEquals(0, wasm.castToExnRef(null));
+  assertEquals(1, wasm.castToExnRef(exnRef));
+
+  assertEquals(0, wasm.castToNullExnRef(null));
+  assertEquals(0, wasm.castToNullExnRef(exnRef));
+
+  assertEquals(1, wasm.castNullToExnRef(null));
+  assertEquals(1, wasm.castNullToExnRef(exnRef));
+
+  assertEquals(1, wasm.castNullToNullExnRef(null));
+  assertEquals(0, wasm.castNullToNullExnRef(exnRef));
+
+  assertEquals(1, wasm.castFailToExnRef(null));
+  assertEquals(0, wasm.castFailToExnRef(exnRef));
+
+  assertEquals(1, wasm.castFailToNullExnRef(null));
+  assertEquals(1, wasm.castFailToNullExnRef(exnRef));
+
+  assertEquals(0, wasm.castFailNullToExnRef(null));
+  assertEquals(0, wasm.castFailNullToExnRef(exnRef));
+
+  assertEquals(0, wasm.castFailNullToNullExnRef(null));
+  assertEquals(1, wasm.castFailNullToNullExnRef(exnRef));
+})();
diff --git a/deps/v8/test/mjsunit/wasm/gc-casts-invalid.js b/deps/v8/test/mjsunit/wasm/gc-casts-invalid.js
@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+// Flags: --experimental-wasm-exnref
+
 d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
 
 (function TestRefTestInvalid() {
@@ -20,6 +22,11 @@ d8.file.execute('test/mjsunit/wasm/wasm-module-builder.js');
     [wasmRefType(sig),    kExternRefCode],
     [kWasmAnyRef,         kExternRefCode],
     [kWasmAnyRef,         kFuncRefCode],
+    [kWasmAnyRef,         kExnRefCode],
+    [wasmRefType(sig),    kExnRefCode],
+    [kWasmNullExternRef,  kExnRefCode],
+    [wasmRefType(array),  kNullExnRefCode],
+    [kWasmNullFuncRef,    kNullExnRefCode],
   ];
   let casts = [
     kExprRefTest,
diff --git a/deps/v8/test/mjsunit/wasm/js-wrapper-typechecks.js b/deps/v8/test/mjsunit/wasm/js-wrapper-typechecks.js
diff --git a/deps/v8/test/mjsunit/wasm/wasm-module-builder.js b/deps/v8/test/mjsunit/wasm/wasm-module-builder.js
