[webkit-changes] [WebKit/WebKit] 0d8721: [Wasm-GC] Fix some interactions between subtyping ...

Asumu Takikawa noreply at github.com
Thu Dec 15 11:24:22 PST 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 0d872184b6e17f15c34fe5f5c8ddd50a3269a129
      https://github.com/WebKit/WebKit/commit/0d872184b6e17f15c34fe5f5c8ddd50a3269a129
  Author: Asumu Takikawa <asumu at igalia.com>
  Date:   2022-12-15 (Thu, 15 Dec 2022)

  Changed paths:
    M JSTests/wasm/gc-spec-tests/type-subtyping.wast.js
    M JSTests/wasm/gc/sub.js
    M Source/JavaScriptCore/wasm/WasmFormat.h
    M Source/JavaScriptCore/wasm/WasmSectionParser.cpp
    M Source/JavaScriptCore/wasm/WasmSectionParser.h
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.h

  Log Message:
  -----------
  [Wasm-GC] Fix some interactions between subtyping and recursion
https://bugs.webkit.org/show_bug.cgi?id=247536

Reviewed by Justin Michaud.

Interactions between recursive types and subtyping can be tricky,
because a `sub` clause can refer to another member of the same recursion
group as a supertype. How this supertype is dereferenced can affect
whether subtyping/type equality holds correctly.

This patch makes a few fixes to the representation of subtypes to
accommodate recursion. The supertype index of a Subtype should be a
recursive placeholder when pointing to another member of the same
recursion group (i.e., it should resolve to the projection). And the
structural subtype check needs to be deferred until after projections
are constructed.

In addition, reference subtype checking via displays is abstracted out
of the Subtype and put into a new RTT data structure. Every type in the
type section has a canonical RTT. This RTT is looked up to check
subtyping between references. Splitting out the RTT provides a better
logical separation between subtype declaration and checking, and makes
Subtype construction cleaner (as RTT creation can happen after recursive
references can be fully resolved).

The RTT can be used in the future to implement subtype-aware runtime
casts.

* JSTests/wasm/gc-spec-tests/type-subtyping.wast.js:
* JSTests/wasm/gc/sub.js:
(testSubDeclaration):
* Source/JavaScriptCore/wasm/WasmFormat.h:
(JSC::Wasm::isSubtypeIndex):
* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseType):
(JSC::Wasm::SectionParser::parseRecursionGroup):
(JSC::Wasm::SectionParser::checkSubtypeValidity):
(JSC::Wasm::SectionParser::parseSubtype):
* Source/JavaScriptCore/wasm/WasmSectionParser.h:
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::Projection::dump const):
(JSC::Wasm::TypeDefinition::tryCreateSubtype):
(JSC::Wasm::substituteParent):
(JSC::Wasm::TypeDefinition::replacePlaceholders const):
(JSC::Wasm::TypeDefinition::hasRecursiveReference const):
(JSC::Wasm::RTT::tryCreateRTT):
(JSC::Wasm::RTT::isSubRTT const):
(JSC::Wasm::SubtypeParameterTypes::translate):
(JSC::Wasm::TypeInformation::registerCanonicalRTTForType):
(JSC::Wasm::TypeInformation::canonicalRTTForType):
(JSC::Wasm::TypeInformation::tryCleanup):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
(JSC::Wasm::RecursionGroup::getType):
(JSC::Wasm::Subtype::Subtype):
(JSC::Wasm::Subtype::underlyingType const):
(JSC::Wasm::Subtype::getUnderlyingType):
(JSC::Wasm::RTT::RTT):
(JSC::Wasm::RTT::displaySize const):
(JSC::Wasm::RTT::displayEntry const):
(JSC::Wasm::RTT::setDisplayEntry):
(JSC::Wasm::RTT::allocatedRTTSize):
(JSC::Wasm::RTT::payload):
(JSC::Wasm::TypeDefinition::allocatedSubtypeSize):
(JSC::Wasm::Subtype::displayType const): Deleted.
(JSC::Wasm::Subtype::displaySize const): Deleted.
(JSC::Wasm::Subtype::getDisplayType): Deleted.

Canonical link: https://commits.webkit.org/257945@main
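
The display-based reference subtype check that the log message describes, as an added sketch that is not WebKit's code: each RTT stores its chain of declared supertypes, so a check is one bounds test and one pointer comparison. SketchRTT, makeRTT, isSubRTT and sampleResults are hypothetical names, and the hierarchy is constructed for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Illustrative sketch only: these names and this layout are hypothetical,
// not JavaScriptCore's RTT class.
struct SketchRTT {
    // display[i] is the ancestor at depth i: display[0] is the root of the
    // declared supertype chain, display.back() is the immediate supertype.
    std::vector<const SketchRTT*> display;
    std::size_t depth() const { return display.size(); }
};

// Create the RTT for a type whose declared supertype has RTT `parent`
// (nullptr when the type has no `sub` clause).
std::unique_ptr<SketchRTT> makeRTT(const SketchRTT* parent)
{
    auto rtt = std::make_unique<SketchRTT>();
    if (parent) {
        rtt->display = parent->display;
        rtt->display.push_back(parent);
    }
    return rtt;
}

// Constant-time check: `sub` is a subtype of `super` iff they are the same
// RTT or `super` sits at its own depth in `sub`'s display.
bool isSubRTT(const SketchRTT& sub, const SketchRTT& super)
{
    if (&sub == &super)
        return true;
    // Depth check first: indexing without it would read past the display.
    if (super.depth() >= sub.depth())
        return false;
    return sub.display[super.depth()] == &super;
}

// Constructed hierarchy: root <- mid <- leaf, plus a sibling of mid.
std::vector<bool> sampleResults()
{
    auto root = makeRTT(nullptr), mid = makeRTT(root.get());
    auto leaf = makeRTT(mid.get()), sibling = makeRTT(root.get());
    return { isSubRTT(*leaf, *root), isSubRTT(*leaf, *mid), isSubRTT(*mid, *leaf),
             isSubRTT(*leaf, *sibling), isSubRTT(*mid, *mid) };
}

int main() { for (bool r : sampleResults()) std::printf("%d\n", int(r)); }
```

The depth comparison before the display lookup is the part to audit in any such check: a subtype test that accepts the wrong pair lets a reference be treated as a type it is not.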



