We just read random memory and call it, potentially. Fun stuff

<rdar://problem/32231828>

For example:
```
import Builder from '../Builder.js'
import * as assert from '../assert.js'

{
    function makeInstance() {
        const tableDescription = {initial: 1, element: "anyfunc"};
        const builder = new Builder()
            .Type()
                .Func([], "void")
            .End()
            .Import()
                .Table("imp", "table", tableDescription)
            .End()
            .Function().End()
            .Export()
                .Function("foo")
            .End()
            .Code()
                .Function("foo", {params:["i32"], ret:"void"})
                    .GetLocal(0) // parameter to call
                    .GetLocal(0) // call index
                    .CallIndirect(0, 0) // calling function of type [] => 'void'
                    .Return()
                .End()
            .End();


        const bin = builder.WebAssembly().get();
        const module = new WebAssembly.Module(bin);
        const table = new WebAssembly.Table(tableDescription);
        return {instance: new WebAssembly.Instance(module, {imp: {table}}), table};
    }

    function makeInstance2() {
        const tableDescription = {initial: 1, element: "anyfunc"};
        const builder = new Builder()
            .Type()
            .End()
            .Import()
                .Function("imp", "f", {params:[], ret:"void"})
            .End()
            .Function().End()
            .Export()
                .Function("foo")
            .End()
            .Code()
                .Function("foo", {params: [], ret: "void" })
                    .Call(0)
                    .Return()
                .End()
            .End();


        const bin = builder.WebAssembly().get();
        const module = new WebAssembly.Module(bin);
        return new WebAssembly.Instance(module, {imp: {f: function() { print("Inside f"); }}});
    }

    const {instance: i1, table: t1} = makeInstance();
    const foo = i1.exports.foo;

    const i2 = makeInstance2();
    t1.set(0, i2.exports.foo);
    
    foo(0);
}
```

Created attachment 310308 [details]
WIP

I'm thinking of moving to a thunk approach, so we're not stuck with this branchiness. Just putting this here since I think it works.

The thunk approach could be like this:

A table has three states:
- NoInstance: not yet tied to an instance, so we hold off on making any thunks, since it's not yet callable from wasm
- SingleInstance: Now, all functions in the table only need thunks to context switch if they're from a different instance
- MultipleInstances: now all functions need context switching thunks regardless, since we don't know what instance is calling us. We could have the thunk branch to see if it's actually performing a context switch.

(In reply to Saam Barati from comment #5)
> The thunk approach could be like this:
> 
> A table has three states:
> - NoInstance: not yet tied to an instance, so we hold off on making any
> thunks, since it's not yet callable from wasm
> - SingleInstance: Now, all functions in the table only need thunks to
> context switch if they're from a different instance
> - MultipleInstances: now all functions need context switching thunks
> regardless, since we don't know what instance is calling us. We could have
> the thunk branch to see if it's actually performing a context switch.

Ima save thunk land for:
https://bugs.webkit.org/show_bug.cgi?id=172197

Created attachment 310330 [details]
WIP

Might be done.

Created attachment 310332 [details]
patch

Created attachment 310336 [details]
patch

added file to cmakelists.

Created attachment 310340 [details]
patch

Comment on attachment 310340 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=310340&action=review

> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:1155
> +        BasicBlock* continuation = m_proc.addBlock();
> +        BasicBlock* doContextSwitch = m_proc.addBlock();

These should probably be switched for better block ordering.

Comment on attachment 310340 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=310340&action=review

> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:1170
> +        patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {

I think as a follow-up to this patch I'd rather have this be outlined, and shared between all modules. Kinda like what we do for direct wasm->wasm calls, but cleaned up. I think the code duplication and compile cost aren't worth it, because I don't think inlining exposes any perf win here.

Maybe add a FIXME?

Comment on attachment 310340 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=310340&action=review

>> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:1170
>> +        patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
> 
> I think as a follow-up to this patch I'd rather have this be outlined, and shared between all modules. Kinda like what we do for direct wasm->wasm calls, but cleaned up. I think the code duplication and compile cost aren't worth it, because I don't think inlining exposes any perf win here.
> 
> Maybe add a FIXME?

I think long term we just want to do this:
https://bugs.webkit.org/show_bug.cgi?id=172197

Comment on attachment 310340 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=310340&action=review

r=me.

>> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:1155
>> +        BasicBlock* doContextSwitch = m_proc.addBlock();
> 
> These should probably be switched for better block ordering.

I don't think this matters. Doesn't B3 pick the ordering it wants later anyway?

> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:1164
> +        PatchpointValue* patchpoint = doContextSwitch->appendNew<PatchpointValue>(m_proc, B3::Void, origin());

I think you need to say this writes pinned.

landed in:
https://trac.webkit.org/changeset/217017/webkit