[webkit-changes] [WebKit/WebKit] b1b24f: [Wasm-GC] call_indirect should take subtyping into...

Asumu Takikawa noreply at github.com
Tue Feb 13 10:51:07 PST 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b1b24f76c39f334914eaaf7b29191a414d904e99
      https://github.com/WebKit/WebKit/commit/b1b24f76c39f334914eaaf7b29191a414d904e99
  Author: Asumu Takikawa <asumu at igalia.com>
  Date:   2024-02-13 (Tue, 13 Feb 2024)

  Changed paths:
    M JSTests/wasm/gc-spec-tests/type-subtyping.wast.js
    A JSTests/wasm/gc/call_indirect.js
    M Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.h
    M Source/JavaScriptCore/wasm/WasmFormat.h
    M Source/JavaScriptCore/wasm/WasmSlowPaths.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
    M Source/JavaScriptCore/wasm/WasmTypeDefinition.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h

  Log Message:
  -----------
  [Wasm-GC] call_indirect should take subtyping into account
https://bugs.webkit.org/show_bug.cgi?id=260820

Reviewed by Justin Michaud.

Changes call_indirect to use subtype checks instead of type equality. The fast
path is still the type equality check, which means most existing code will
still do a quick check.

The slow path is used only if type equality fails and the GC proposal is
enabled.

On BBQJIT, the slow path is emitted out-of-line in the same fashion as
exception throw sites. On both BBQ and OMG, the check is JIT-inlined.

TODOs for the future:
  * The RTT subtype check JIT code can be reused to make ref.cast and
    ref.test faster in both BBQ and OMG (and for JS API).
  * It may be possible to avoid storing the type index in function
    metadata and instead store just the RTT pointer to save space.

* JSTests/wasm/gc/call_indirect.js: Added.
(testCallIndirect):
* JSTests/wasm/gc-spec-tests/type-subtyping.wast.js:
* Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::endTopLevel):
(JSC::Wasm::BBQJITImpl::BBQJIT::addRTTSlowPathJump):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitSlowPathRTTCheck):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCallIndirect):
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
* Source/JavaScriptCore/wasm/WasmFormat.h:
(JSC::Wasm::WasmToWasmImportableFunction::offsetOfRTT):
* Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:
(JSC::LLInt::doWasmCallIndirect):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::TypeInformation::castReference):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
* Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::WebAssemblyFunction):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.cpp:
(JSC::WebAssemblyFunctionBase::WebAssemblyFunctionBase):
* Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h:
(JSC::WebAssemblyFunctionBase::rtt const):
(JSC::WebAssemblyFunctionBase::offsetOfRTT):
* Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.cpp:
(JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
(JSC::WebAssemblyWrapperFunction::create):
* Source/JavaScriptCore/wasm/js/WebAssemblyWrapperFunction.h:

Canonical link: https://commits.webkit.org/274558@main

More information about the webkit-changes mailing list