[webkit-changes] [WebKit/WebKit] 575381: [JSC] Wasm GC BlockSignature should hold underlyin...
Yusuke Suzuki
noreply at github.com
Thu Oct 31 12:18:33 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 57538110b768d4e03c1779de5b7fc9e1cc1a4425
https://github.com/WebKit/WebKit/commit/57538110b768d4e03c1779de5b7fc9e1cc1a4425
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2024-10-31 (Thu, 31 Oct 2024)
Changed paths:
A JSTests/wasm/stress/block-signature-create-adhoc-type-definition.js
M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
M Source/JavaScriptCore/wasm/WasmFormat.h
M Source/JavaScriptCore/wasm/WasmFunctionParser.h
M Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp
M Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
M Source/JavaScriptCore/wasm/WasmModuleInformation.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
M Source/JavaScriptCore/wasm/WasmParser.h
Log Message:
-----------
[JSC] Wasm GC BlockSignature should hold underlying TypeDefinition
https://bugs.webkit.org/show_bug.cgi?id=282363
rdar://138177632
Reviewed by Justin Michaud.
Wasm GC BlockSignature is not holding an ad hoc created TypeDefinition as
RefPtr. That's completely wrong: not holding the TypeDefinition is allowed
in the case where it is generated from the wasm type section and held by
ModuleInformation. If it is generated ad hoc, it must be retained.
This patch fixes it by changing BlockSignature to keep the underlying TypeDefinition
via RefPtr.
* JSTests/wasm/stress/block-signature-create-adhoc-type-definition.js: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJITImpl::ControlData::branchTargetArity const):
(JSC::Wasm::BBQJITImpl::ControlData::branchTargetType const):
(JSC::Wasm::BBQJITImpl::ControlData::argumentType const):
(JSC::Wasm::BBQJITImpl::BBQJIT::addBlock):
(JSC::Wasm::BBQJITImpl::BBQJIT::addLoop):
(JSC::Wasm::BBQJITImpl::BBQJIT::addIf):
(JSC::Wasm::BBQJITImpl::BBQJIT::addElse):
(JSC::Wasm::BBQJITImpl::BBQJIT::addElseToUnreachable):
(JSC::Wasm::BBQJITImpl::BBQJIT::addTry):
(JSC::Wasm::BBQJITImpl::BBQJIT::addTryTable):
(JSC::Wasm::BBQJITImpl::BBQJIT::addReturn):
(JSC::Wasm::BBQJITImpl::BBQJIT::addEndToUnreachable):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addFusedIfCompare):
* Source/JavaScriptCore/wasm/WasmFormat.h:
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::splitStack):
(JSC::Wasm::FunctionParser<Context>::parseBlockSignatureAndNotifySIMDUseIfNeeded):
(JSC::Wasm::FunctionParser<Context>::parseBody):
(JSC::Wasm::FunctionParser<Context>::binaryCompareCase):
(JSC::Wasm::FunctionParser<Context>::unaryCompareCase):
(JSC::Wasm::FunctionParser<Context>::checkBranchTarget):
(JSC::Wasm::FunctionParser<Context>::unify):
(JSC::Wasm::FunctionParser<Context>::parseNestedBlocksEagerly):
(JSC::Wasm::FunctionParser<Context>::parseExpression):
* Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp:
(JSC::Wasm::IPIntControlType::branchTargetType const):
(JSC::Wasm::IPIntControlType::branchTargetArity const):
(JSC::Wasm::IPIntGenerator::addElseToUnreachable):
(JSC::Wasm::IPIntGenerator::addEndToUnreachable):
(JSC::Wasm::IPIntGenerator::endTopLevel):
* Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
(JSC::Wasm::LLIntGenerator::ControlType::loop):
(JSC::Wasm::LLIntGenerator::ControlType::block):
(JSC::Wasm::LLIntGenerator::ControlType::if_):
(JSC::Wasm::LLIntGenerator::ControlType::createTry):
(JSC::Wasm::LLIntGenerator::ControlType::createTryTable):
(JSC::Wasm::LLIntGenerator::ControlType::branchTargetArity const):
(JSC::Wasm::LLIntGenerator::ControlType::branchTargetType const):
(JSC::Wasm::LLIntGenerator::addElseToUnreachable):
(JSC::Wasm::LLIntGenerator::addReturn):
(JSC::Wasm::LLIntGenerator::addEndToUnreachable):
(JSC::Wasm::LLIntGenerator::endTopLevel):
* Source/JavaScriptCore/wasm/WasmModuleInformation.cpp:
(JSC::Wasm::ModuleInformation::operator delete):
* Source/JavaScriptCore/wasm/WasmModuleInformation.h:
(JSC::Wasm::ModuleInformation::create): Deleted.
(JSC::Wasm::ModuleInformation::functionIndexSpaceSize const): Deleted.
(JSC::Wasm::ModuleInformation::isImportedFunctionFromFunctionIndexSpace const): Deleted.
(JSC::Wasm::ModuleInformation::typeIndexFromFunctionIndexSpace const): Deleted.
(JSC::Wasm::ModuleInformation::exceptionIndexSpaceSize const): Deleted.
(JSC::Wasm::ModuleInformation::isImportedExceptionFromExceptionIndexSpace const): Deleted.
(JSC::Wasm::ModuleInformation::typeIndexFromExceptionIndexSpace const): Deleted.
(JSC::Wasm::ModuleInformation::importFunctionCount const): Deleted.
(JSC::Wasm::ModuleInformation::internalFunctionCount const): Deleted.
(JSC::Wasm::ModuleInformation::importExceptionCount const): Deleted.
(JSC::Wasm::ModuleInformation::internalExceptionCount const): Deleted.
(JSC::Wasm::ModuleInformation::toCodeIndex const): Deleted.
(JSC::Wasm::ModuleInformation::toSpaceIndex const): Deleted.
(JSC::Wasm::ModuleInformation::memoryCount const): Deleted.
(JSC::Wasm::ModuleInformation::tableCount const): Deleted.
(JSC::Wasm::ModuleInformation::elementCount const): Deleted.
(JSC::Wasm::ModuleInformation::globalCount const): Deleted.
(JSC::Wasm::ModuleInformation::dataSegmentsCount const): Deleted.
(JSC::Wasm::ModuleInformation::table const): Deleted.
(JSC::Wasm::ModuleInformation::global const): Deleted.
(JSC::Wasm::ModuleInformation::initializeFunctionTrackers const): Deleted.
(JSC::Wasm::ModuleInformation::referencedFunctions const): Deleted.
(JSC::Wasm::ModuleInformation::hasReferencedFunction const): Deleted.
(JSC::Wasm::ModuleInformation::addReferencedFunction const): Deleted.
(JSC::Wasm::ModuleInformation::isDeclaredFunction const): Deleted.
(JSC::Wasm::ModuleInformation::addDeclaredFunction): Deleted.
(JSC::Wasm::ModuleInformation::isDeclaredException const): Deleted.
(JSC::Wasm::ModuleInformation::addDeclaredException): Deleted.
(JSC::Wasm::ModuleInformation::functionWasmSizeImportSpace const): Deleted.
(JSC::Wasm::ModuleInformation::functionWasmSize const): Deleted.
(JSC::Wasm::ModuleInformation::usesSIMDImportSpace const): Deleted.
(JSC::Wasm::ModuleInformation::usesSIMD const): Deleted.
(JSC::Wasm::ModuleInformation::markUsesSIMD): Deleted.
(JSC::Wasm::ModuleInformation::usesExceptions const): Deleted.
(JSC::Wasm::ModuleInformation::markUsesExceptions): Deleted.
(JSC::Wasm::ModuleInformation::usesAtomics const): Deleted.
(JSC::Wasm::ModuleInformation::markUsesAtomics): Deleted.
(JSC::Wasm::ModuleInformation::doneSeeingFunction): Deleted.
(JSC::Wasm::ModuleInformation::typeCount const): Deleted.
(JSC::Wasm::ModuleInformation::hasMemoryImport const): Deleted.
(JSC::Wasm::ModuleInformation::getBranchHint const): Deleted.
(JSC::Wasm::ModuleInformation::clobberingTailCalls const): Deleted.
(JSC::Wasm::ModuleInformation::callCanClobberInstance const): Deleted.
(JSC::Wasm::ModuleInformation::addClobberingTailCall): Deleted.
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::ControlData::ControlData):
(JSC::Wasm::OMGIRGenerator::ControlData::hasNonVoidresult const):
(JSC::Wasm::OMGIRGenerator::ControlData::branchTargetArity const):
(JSC::Wasm::OMGIRGenerator::ControlData::branchTargetType const):
(JSC::Wasm::OMGIRGenerator::addLoop):
(JSC::Wasm::OMGIRGenerator::addTopLevel):
(JSC::Wasm::OMGIRGenerator::addBlock):
(JSC::Wasm::OMGIRGenerator::addElseToUnreachable):
(JSC::Wasm::OMGIRGenerator::addEndToUnreachable):
* Source/JavaScriptCore/wasm/WasmParser.h:
(JSC::Wasm::ParserBase::parseBlockSignature):
(JSC::Wasm::ParserBase::parseReftypeSignature):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.cpp:
(JSC::JSWebAssemblyModule::destroy):
Canonical link: https://commits.webkit.org/285969@main
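The lifetime bug the commit message describes, reduced to a stand-alone illustration. This is an added example, not WebKit's code: RefCounted and RefPtr here are simplified stand-ins for WTF's, the shapes of TypeDefinition, ModuleInformation and BlockSignature are assumed, and the idea that the parser materialises a block type such as `block (result i32)` as a fresh TypeDefinition that nothing else owns follows the commit message rather than the actual parser. Destroyed types are counted so the outcome is observable without reading freed memory.

```cpp
#include <string>
#include <utility>
#include <vector>

// Simplified stand-ins for WTF's RefCounted/RefPtr (added example, not WebKit code).
class RefCounted {
public:
    void ref() const { ++m_refCount; }
    void deref() const { if (!--m_refCount) delete this; }
protected:
    RefCounted() = default;
    virtual ~RefCounted() = default;
private:
    mutable unsigned m_refCount { 0 };
};

template<typename T>
class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& other) : RefPtr(other.m_ptr) { }
    RefPtr& operator=(RefPtr other) { std::swap(m_ptr, other.m_ptr); return *this; }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr { nullptr };
};

// Destructions are counted so lifetime can be observed without touching freed memory.
static int g_destroyedTypeDefinitions = 0;

// Stand-in for JSC::Wasm::TypeDefinition (shape assumed): ref-counted, created either
// from the module's type section or ad hoc by the function parser.
class TypeDefinition final : public RefCounted {
public:
    static RefPtr<TypeDefinition> create(std::string s) { return RefPtr<TypeDefinition>(new TypeDefinition(std::move(s))); }
    const std::string& signature() const { return m_signature; }
private:
    explicit TypeDefinition(std::string s) : m_signature(std::move(s)) { }
    ~TypeDefinition() override { ++g_destroyedTypeDefinitions; }
    std::string m_signature;
};

// Stand-in for ModuleInformation: owns every TypeDefinition declared in the type section.
struct ModuleInformation { std::vector<RefPtr<TypeDefinition>> typeSection; };

// BlockSignature before the fix: a borrowed pointer. Valid while ModuleInformation is the
// owner, dangling once an ad hoc TypeDefinition's only owner (the parser) lets go of it.
struct BorrowingBlockSignature { const TypeDefinition* m_signature { nullptr }; };

// BlockSignature after the fix: shares ownership, so the type outlives every block using it.
struct OwningBlockSignature { RefPtr<const TypeDefinition> m_signature; };

// Models parseBlockSignature meeting a block type that is not a type-section index, e.g.
// `block (result i32)`: a fresh TypeDefinition that nothing else owns (assumption).
static RefPtr<TypeDefinition> makeAdHocSignature(const std::string& resultType) { return TypeDefinition::create("[] -> [" + resultType + "]"); }

// Type-section case: borrowing is safe because ModuleInformation keeps the type alive.
int sectionTypeDestroyedUnderBorrowingSignature()
{
    int before = g_destroyedTypeDefinitions;
    ModuleInformation info;
    info.typeSection.push_back(TypeDefinition::create("[i32 i32] -> [i32]"));
    BorrowingBlockSignature block;
    {
        RefPtr<TypeDefinition> lookedUp = info.typeSection[0]; // parser's temporary reference
        block.m_signature = lookedUp.get();
    }
    return g_destroyedTypeDefinitions - before; // 0: info still owns it
}

// Ad hoc case, pre-fix: the parser's temporary was the only owner, so the block now dangles.
int adHocTypeDestroyedUnderBorrowingSignature()
{
    int before = g_destroyedTypeDefinitions;
    BorrowingBlockSignature block;
    {
        RefPtr<TypeDefinition> adHoc = makeAdHocSignature("i32");
        block.m_signature = adHoc.get();
    } // last reference dropped; block.m_signature now dangles (deliberately never read)
    return g_destroyedTypeDefinitions - before; // 1
}

// Ad hoc case, post-fix: the block owns a reference, so the type is still readable after the
// parser's temporary is gone. Returns the signature text and destructions seen meanwhile.
std::pair<std::string, int> adHocSignatureReadUnderOwningSignature()
{
    int before = g_destroyedTypeDefinitions;
    OwningBlockSignature block;
    {
        RefPtr<TypeDefinition> adHoc = makeAdHocSignature("i32");
        block.m_signature = RefPtr<const TypeDefinition>(adHoc.get());
    }
    return { block.m_signature->signature(), g_destroyedTypeDefinitions - before }; // {"[] -> [i32]", 0}
}
```

The first function is why the borrowed pointer was ever acceptable: a type-section TypeDefinition is owned by ModuleInformation for the module's whole lifetime, so a block referring to it by pointer cannot outlive it. The second shows the gap the patch closes: an ad hoc TypeDefinition had no owner other than whoever created it, and every control structure (block, loop, if, try, try_table) that recorded its signature was left pointing at freed memory. Holding a RefPtr, as in the third function, makes the block itself an owner, which is the change the commit applies across the parser and each tier's ControlData.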