[webkit-changes] [WebKit/WebKit] c9c2f3: [JSC] Store Wasm::Instance* in |codeBlock| slot

Yusuke Suzuki noreply at github.com
Fri Jan 20 08:42:14 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c9c2f3401b35fdb0f2ab6d548fbc77bc69c8e590
      https://github.com/WebKit/WebKit/commit/c9c2f3401b35fdb0f2ab6d548fbc77bc69c8e590
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-01-20 (Fri, 20 Jan 2023)

  Changed paths:
    M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
    M Source/JavaScriptCore/interpreter/CallFrame.cpp
    M Source/JavaScriptCore/interpreter/CallFrame.h
    M Source/JavaScriptCore/interpreter/CallFrameInlines.h
    M Source/JavaScriptCore/interpreter/Interpreter.cpp
    M Source/JavaScriptCore/interpreter/ProtoCallFrame.h
    M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
    M Source/JavaScriptCore/jit/GPRInfo.h
    M Source/JavaScriptCore/llint/LLIntExceptions.cpp
    M Source/JavaScriptCore/llint/LLIntThunks.cpp
    M Source/JavaScriptCore/llint/WebAssembly.asm
    M Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmCallee.cpp
    M Source/JavaScriptCore/wasm/WasmCallee.h
    M Source/JavaScriptCore/wasm/WasmCallingConvention.h
    M Source/JavaScriptCore/wasm/WasmContext.h
    R Source/JavaScriptCore/wasm/WasmContextInlines.h
    M Source/JavaScriptCore/wasm/WasmFaultSignalHandler.cpp
    M Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h
    M Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp
    M Source/JavaScriptCore/wasm/WasmMemoryInformation.cpp
    M Source/JavaScriptCore/wasm/WasmOperations.cpp
    M Source/JavaScriptCore/wasm/js/JSToWasm.cpp
    M Source/JavaScriptCore/wasm/js/WasmToJS.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

  Log Message:
  -----------
  [JSC] Store Wasm::Instance* in |codeBlock| slot
https://bugs.webkit.org/show_bug.cgi?id=250822
rdar://104410328

Reviewed by Mark Lam.

This patch fixes wasm calling convention problems. The new one is much simpler and more robust (and fixes existing bugs).

1. We remove the vm.wasmContext.instance field. Previously, it was randomly configured and a lot of code was missing the update of this thing (for example, wasm context switching
   inside a wasm -> wasm call missed the update). We should not have this kind of "global" variable; instead we should query the CallFrame about the Wasm::Instance* of the current CallFrame*.
2. Each wasm function stores its Wasm::Instance* into the CallFrame. We use the |codeBlock| slot for that purpose. Since it is next to the |callee| slot, we can use storePairPtr on ARM64, with no code size increase.
   Plus, because we are already writing the |callee| slot, it does not add a new performance problem. This change makes CallFrame::lexicalGlobalObjectFromWasmCallee super simple since we can just get
   this slot from the CallFrame instead of getting it from vm.wasmContext.instance. It also makes Interpreter::unwind much simpler since we no longer need to book-keep this variable in the unwinding case.
   And this also contributes to code size reduction in Wasm ICs since we no longer need store and load code for vm.wasmContext.instance.
3. We use the |codeBlock| slot for Wasm::Instance*. However, Wasm LLInt already used it for Wasm::Callee* (wasm's codeblock). This patch allocates 2 internal slots for Wasm LLInt code and uses
   that slot for Wasm::Callee* instead. This slot is "WasmCodeBlock".
4. We revise the use of the |this| slot for wasm functions. Previously, it was randomly used. Now we use this slot to anchor the JSWebAssemblyInstance from the conservative GC root.
   While we are keeping Wasm::Instance* on the stack, it is not a GC-managed cell. To keep Wasm functions alive while running, we need to anchor the JSWebAssemblyInstance* from the conservative GC root.
   We use this slot in three cases. (1) Calling a wasm function from the JS world / C++ world, so we need to keep the wasm function alive. (2) We wasm-tail-call to a new function. Since a tail-call can wipe the previous
   frame, if it is the entrance frame created by (1), we miss the anchor. Conservatively, we always store this cell in the tail-call case. (3) And we do this when calling a wasm function indirectly.
   This could switch to a new wasm instance, so we should keep the new instance anchored from the stack.

This change wipes a lot of weird things in wasm and makes calling convention much simpler.

* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::UnwindFunctor::operator() const):
* Source/JavaScriptCore/interpreter/ProtoCallFrame.h:
* Source/JavaScriptCore/llint/WebAssembly.asm:
* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:
(JSC::Wasm::ExpressionType>::AirIRGeneratorBase):
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::insertConstants):
* Source/JavaScriptCore/wasm/WasmCallingConvention.h:
* Source/JavaScriptCore/wasm/WasmIRGeneratorHelpers.h:
(JSC::Wasm::emitCatchPrologueShared):
* Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Canonical link: https://commits.webkit.org/259139@main
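The following is an added, constructed C++ model of the convention change described in points 1 and 2 above and of its effect on unwinding; it is not JavaScriptCore code, and the `Machine`, `CallFrame`, `Instance` and `Callee` types are hypothetical stand-ins for the real ones. It contrasts a global "current instance" variable (the old vm.wasmContext.instance, modeled as a field that the wasm -> wasm call path forgets to update when the callee belongs to another instance) with storing the Instance* in a per-frame slot next to the callee slot, so that the running code and the unwinder both read the instance from the frame itself.

```cpp
#include <cassert>
#include <deque>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical model (constructed for illustration, not JSC code).
struct Instance {
    std::string name;
};

struct Callee {
    std::string name;
    Instance* owner;  // the instance whose code this callee belongs to
};

// Minimal frame header: the |callee| slot and the adjacent |codeBlock| slot.
struct CallFrame {
    Callee* callee = nullptr;
    void* codeBlock = nullptr;  // new convention: holds the Instance* of the running wasm function
};

enum class Convention { GlobalContext, FrameSlot };

struct Machine {
    Convention convention;
    std::deque<CallFrame> stack;                 // deque keeps element references stable on push
    Instance* vmWasmContextInstance = nullptr;   // the old vm.wasmContext.instance "global"

    // JS -> wasm entry: both conventions establish the instance here.
    void enterFromJS(Callee* target) {
        vmWasmContextInstance = target->owner;
        pushWasmFrame(target);
    }

    // wasm -> wasm call. In the modeled old convention the call path never refreshes
    // the global, so a cross-instance call leaves it stale (the missed update described above).
    void callWasm(Callee* target) { pushWasmFrame(target); }

    void pushWasmFrame(Callee* target) {
        CallFrame frame;
        frame.callee = target;
        if (convention == Convention::FrameSlot)
            frame.codeBlock = target->owner;  // prologue stores Instance* beside |callee|
        stack.push_back(frame);
    }

    // Which instance does the code running in the top frame observe?
    Instance* currentInstance() const {
        if (convention == Convention::GlobalContext)
            return vmWasmContextInstance;
        return static_cast<Instance*>(stack.back().codeBlock);
    }

    // Exception unwinding: drop frames until `depth` remain. The frame-slot convention needs
    // no extra bookkeeping; the global convention would have to be patched up by hand.
    void unwindTo(size_t depth) {
        while (stack.size() > depth)
            stack.pop_back();
    }
};

// Runs the chain A.f -> B.g -> A.h and records the instance observed inside each frame.
std::vector<std::string> observedInstances(Convention convention) {
    Instance a{"A"}, b{"B"};
    Callee af{"f", &a}, bg{"g", &b}, ah{"h", &a};
    Machine m{convention};
    std::vector<std::string> seen;
    m.enterFromJS(&af); seen.push_back(m.currentInstance()->name);
    m.callWasm(&bg);    seen.push_back(m.currentInstance()->name);
    m.callWasm(&ah);    seen.push_back(m.currentInstance()->name);
    return seen;
}

// Throws from the innermost frame (A.h) and unwinds to the B.g frame: the handler
// in B.g should see instance B.
std::string instanceAfterUnwind(Convention convention) {
    Instance a{"A"}, b{"B"};
    Callee af{"f", &a}, bg{"g", &b}, ah{"h", &a};
    Machine m{convention};
    m.enterFromJS(&af);
    m.callWasm(&bg);
    m.callWasm(&ah);
    m.unwindTo(2);
    return m.currentInstance()->name;
}

int main() {
    for (Convention c : {Convention::GlobalContext, Convention::FrameSlot}) {
        std::cout << (c == Convention::GlobalContext ? "global" : "frame-slot") << ": ";
        for (const auto& name : observedInstances(c))
            std::cout << name << ' ';
        std::cout << "| after unwind: " << instanceAfterUnwind(c) << '\n';
    }
    return 0;
}
```

With the global convention the chain reports A for every frame and the handler in B.g also sees A, which is the stale-instance failure the commit removes; with the per-frame slot the chain reports A, B, A and the handler sees B, with no state to restore during unwinding.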