Bug 198157

Created attachment 371816 [details]
Patch

This patch modifies one of the wasm.json files. Please ensure that any changes in one have been mirrored to the other. You can find the wasm.json files at "Source/JavaScriptCore/wasm/wasm.json" and "JSTests/wasm/wasm.json".

Comment on attachment 371816 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=371816&action=review

> Source/JavaScriptCore/ChangeLog:9
> +        a funcref (née anyfunc), we first make sure it is an exported wasm function or null. 

remove non-ascii character here.

> Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp:1016
> +            } else if (!value.isFunction(*instance->owner<JSObject>()->vm()))

Maybe I'm missing something, but based on the type system, aren't the only options for this value jsNull() or web assembly host function?

> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:606
> +        JSValue value = JSValue::decode(encValue);
> +        if (instance->table()->type() == TableElementType::Anyref)
> +            instance->table()->set(idx, value);
> +        else if (instance->table()->type() == TableElementType::Funcref) {
> +            WebAssemblyFunction* wasmFunction;
> +            WebAssemblyWrapperFunction* wasmWrapperFunction;
> +
> +            if (isWebAssemblyHostFunction(*instance->owner<JSObject>()->vm(), value, wasmFunction, wasmWrapperFunction)) {
> +                ASSERT(!!wasmFunction || !!wasmWrapperFunction);
> +                if (wasmFunction)
> +                    instance->table()->asFuncrefTable()->setFunction(idx, jsCast<JSObject*>(value), wasmFunction->importableFunction(), &wasmFunction->instance()->instance());
> +                else
> +                    instance->table()->asFuncrefTable()->setFunction(idx, jsCast<JSObject*>(value), wasmWrapperFunction->importableFunction(), &wasmWrapperFunction->instance()->instance());
> +            } else if (!value.isFunction(*instance->owner<JSObject>()->vm()))
> +                instance->table()->clear(idx);
> +            else
> +                ASSERT_NOT_REACHED();
> +        } else
> +            ASSERT_NOT_REACHED();

This is identical to WasmAIRIRGenerator. Let's make a helper for it.

> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:622
> +        JSValue val = instance->getFunctionWrapper(index);
> +        ASSERT(val.isFunction(*instance->owner<JSObject>()->vm()));
> +        return JSValue::encode(val);

ditto.

> Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:289
> +        // TODO check if used in ref.func

?

> Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:290
> +        if (m_exportedFunctionIndices.contains(functionIndex) || true) {

oops

> Source/JavaScriptCore/wasm/WasmInstance.cpp:47
> +    return (Checked<size_t>(module.moduleInformation().functionIndexSpaceSize()) * sizeof(WriteBarrier<Unknown>)).unsafeGet();

This is not great. We probably only ref.func a few functions, but we're allocating space for all of them. Can we have a mapping from index=>index, where ModuleInformation just has a HashMap from index in function index space to index in this buffer?

> Source/JavaScriptCore/wasm/WasmInstance.cpp:65
> +        new (&m_globals.get()[i].anyref) WriteBarrier<Unknown>(UndefinedWriteBarrierTag);

Don't we want the null value to be jsNull? Not undefined?

> Source/JavaScriptCore/wasm/WasmInstance.cpp:67
> +    for (unsigned i = 0; i < m_module->moduleInformation().functionIndexSpaceSize(); ++i)
> +        new (&m_functionWrappers.get()[i]) WriteBarrier<Unknown>(UndefinedWriteBarrierTag);

I think it's ok to just zero this. Since they should all get filled in (see above). Also, based on above, maybe we just want to use Vector?

> Source/JavaScriptCore/wasm/WasmValidate.cpp:191
> +    auto type = m_module.tableInformation.type() == TableElementType::Funcref ? Type::Anyfunc : Type::Anyref;

I suggested this helper in the past, but maybe I was wrong. It would be nice if the tableInformation.type() returned Wasm type.

> Source/JavaScriptCore/wasm/WasmValidate.cpp:211
> +    WASM_VALIDATOR_FAIL_IF(index >= m_module.functionIndexSpaceSize(), "ref.func index ", index, " is too large");

nit: it'd be nice to get a better error message here, maybe one that contains "index" and "index space size"

> Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:333
> +                emitWasmToJSException(jit, GPRInfo::argumentGPR2, Wasm::ExceptionType::FuncrefNotWasm);

I vote for just going to the slow path instead of this. It makes us have to reason less about if this is a valid place to emit this exception handler.
(My guess: this might be wrong, and it might have to do with callee saves.)

> Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp:244
> +                    return exception(createJSWebAssemblyLinkError(exec, vm, importFailMessage(import, "imported global", "must be a wasm exported function")));

nit: error message should also say "or null".

Created attachment 372095 [details]
Patch

Comment on attachment 372095 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=372095&action=review

I found GC bug, so r-, but the code looks really nice!

> Source/JavaScriptCore/wasm/WasmInstance.cpp:98
> +void setWasmTableElement(Wasm::Instance* instance, uint32_t idx, uint64_t encValue)

Is encValue always encoded JSValue? If so, let's use EncodedJSValue type instead. And the name "encodedValue" is better.
I also like "index" instead of "idx".

> Source/JavaScriptCore/wasm/WasmInstance.cpp:123
> +    JSValue val = instance->getFunctionWrapper(index);

val => value.

> Source/JavaScriptCore/wasm/WasmInstance.h:167
> +    HashMap<uint32_t, WriteBarrier<Unknown>, IntHash<uint32_t>, WTF::UnsignedWithZeroKeyHashTraits<uint32_t>> m_functionWrappers;

I think visitChildren handling for m_functionWrappers is missing.

> Source/JavaScriptCore/wasm/js/JSToWasm.cpp:127
> +        emitWasmToJSException(jit, GPRInfo::argumentGPR2, argumentsIncludeI64 ? ExceptionType::I64ArgumentType : ExceptionType::I64ReturnType);

I like to see the word "Throw" for such a function. So, "emitThrowWasmToJSException" would be nice.

Comment on attachment 372095 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=372095&action=review

>> Source/JavaScriptCore/wasm/WasmInstance.h:167
>> +    HashMap<uint32_t, WriteBarrier<Unknown>, IntHash<uint32_t>, WTF::UnsignedWithZeroKeyHashTraits<uint32_t>> m_functionWrappers;
> 
> I think visitChildren handling for m_functionWrappers is missing.

We do it in the JS wrapper, right?

> Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:98
> +        visitor.appendUnbarriered(thisObject->instance().getFunctionWrapper(i));

We do the function wrapper visiting here

Created attachment 372170 [details]
Patch

Comment on attachment 372170 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=372170&action=review

r=me with several fixes.

> Source/JavaScriptCore/wasm/WasmInstance.cpp:86
> +    return m_functionWrappers.contains(i) ? m_functionWrappers.get(i).get() : jsNull();

`contains(i)` and `get(i)` calls are duplicate basically. So we are looking up hash table twice.
Can we just use `get(i)`? I think it will return empty WriteBarrier thing.
Then, we can convert JSEmpty to JSNull, and we can do this function without using `contains`.

> Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp:98
> +        visitor.appendUnbarriered(thisObject->instance().getFunctionWrapper(i));

Ah, I missed it. Why not just iterating the hashmap of wrappers? I think # of wrappers can be much smaller than the total number of function space size. And it also avoids repeated calls of `contains()` / `get()` in getFunctionWrapper.
And I think the hashtable can be modified by the user's setFunctionWrapper. So locking is necessary.

Created attachment 372256 [details]
Patch

Created attachment 372257 [details]
Patch

Comment on attachment 372257 [details]
Patch

Clearing flags on attachment: 372257

Committed r246504: <https://trac.webkit.org/changeset/246504>

All reviewed patches have been landed.  Closing bug.

<rdar://problem/51814501>