[Webkit-unassigned] [Bug 222903] [WASM-Function-References] Add call_ref instruction

Mon Apr 5 00:10:25 PDT 2021

https://bugs.webkit.org/show_bug.cgi?id=222903

--- Comment #11 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 425016
  --> https://bugs.webkit.org/attachment.cgi?id=425016
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425016&action=review

> Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp:3351
> +    // Note: call indirect can call either WebAssemblyFunction or WebAssemblyWrapperFunction. Because

call-indirect => call-ref.

> Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp:3358
> +    append(Move, Arg::addr(calleeFunction, WebAssemblyFunction::offsetOfEntrypointLoadLocation()), calleeCode); // Pointer to callee code.

WebAssemblyFunction::offsetOfEntrypointLoadLocation is only valid for WebAssemblyFunction. But the above comment is mentioning to WebAssemblyWrapperFunction.
If this is WebAssemblyWrapperFunction, then WebAssemblyFunction::offsetOfEntrypointLoadLocation() is not correct? Can you check?
And can you add a test for both cases?

> Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp:3405
>              jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs.boundsCheckingSizeRegister, scratch);

Let's rename newContextInstance => calleeInstance

> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:912
> +            AllowMacroScratchRegisterUsage allowScratch(jit);
> +            GPRReg newContextInstance = params[0].gpr();
> +            GPRReg oldContextInstance = params[1].gpr();
> +            const PinnedRegisterInfo& pinnedRegs = PinnedRegisterInfo::get();
> +            GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
> +            ASSERT(newContextInstance != baseMemory);
> +            jit.loadPtr(CCallHelpers::Address(oldContextInstance, Instance::offsetOfCachedStackLimit()), baseMemory);
> +            jit.storePtr(baseMemory, CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedStackLimit()));
> +            jit.storeWasmContextInstance(newContextInstance);
> +            ASSERT(pinnedRegs.boundsCheckingSizeRegister != baseMemory);
> +            // FIXME: We should support more than one memory size register
> +            //   see: https://bugs.webkit.org/show_bug.cgi?id=162952
> +            ASSERT(pinnedRegs.boundsCheckingSizeRegister != newContextInstance);
> +            GPRReg scratch = params.gpScratch(0);
> +
> +            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs.boundsCheckingSizeRegister); // Memory size.
> +            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
> +
> +            jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs.boundsCheckingSizeRegister, scratch);

Rename newContextInstance => calleeInstance.

> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:2641
> +            safeCast<int32_t>(WebAssemblyFunction::offsetOfEntrypointLoadLocation())));

Ditto.

> Source/JavaScriptCore/wasm/WasmFunctionParser.h:1252
> +    case CallRef: {

We need feature flag (`false` currently) for this. Like,

WASM_PARSER_FAIL_IF(!Options::useWebAssemblyFunctionReferences(), "function references are not enabled");

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210405/579fa8a7/attachment-0001.htm>