Changeset 269940 in webkit

Timestamp:

Nov 17, 2020 7:46:39 PM (20 months ago)

Author:

ysuzuki@apple.com

Message:

[JSC] Implement WebAssembly.Memory with shared
​https://bugs.webkit.org/show_bug.cgi?id=218693

Reviewed by Saam Barati.

JSTests:

• wasm/function-tests/trap-load-shared.js: Added.

(wasmFrameCountFromError):

• wasm/function-tests/trap-store-shared.js: Added.
• wasm/js-api/test_memory.js:

(binaryShouldNotParse):

• wasm/stress/shared-memory-errors.js: Added.

(assert.throws):

• wasm/stress/shared-wasm-memory-buffer.js: Added.

LayoutTests/imported/w3c:

• web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-agent-formalism/requires-success.any.worker-expected.txt:
• web-platform-tests/wasm/jsapi/memory/constructor-shared.tentative.any-expected.txt:
• web-platform-tests/wasm/jsapi/memory/constructor-shared.tentative.any.worker-expected.txt:
• web-platform-tests/wasm/jsapi/memory/constructor.any-expected.txt:
• web-platform-tests/wasm/jsapi/memory/constructor.any.worker-expected.txt:
• web-platform-tests/wasm/jsapi/memory/grow.any-expected.txt:
• web-platform-tests/wasm/jsapi/memory/grow.any.worker-expected.txt:
• web-platform-tests/webaudio/the-audio-api/the-audiobuffer-interface/audiobuffer-copy-channel-expected.txt:

Source/JavaScriptCore:

This patch implements shared WebAssembly.Memory. This can be shared between workers like SharedArrayBuffer.
The most interesting thing of shared WebAssembly.Memory is that it is growable. The memory can be grown in
one thread, and immediately, it should be accessible in the other threads.

To achieve that, shared WebAssembly.Memory leverages signaling even if bounds-checking is mainly used.
If the fast memory is enabled, we just use it so that mprotect can make memory grown easily. But if fast memory
is disabled, we allocates requested VA region and perform bounds-checking with this VA. Since WebAssembly.Memory
always requires "maximum" size of memory, we can first allocate VA and map active part of memory first. And
when growing, we perform mprotect to the rest of the memory. Since this VA is not 4GB, we still need to perform
bounds-checking, but we perform bounds-checking with VA size instead of active memory size. As a result, even if
shared WebAssembly.Memory is grown, we do not need to update (1) pointer and (2) bounds-checking size.
The shared bounds-checking WebAssembly.Memory is something like below.

<================================================ maximum ============================><------------ other memory, protected by bounds-checking --...
<======= active ==========><===================== not active yet =====================>
^{[ if we access this, fault handler will detect it]}
pointer bounds checking size

These "growable bound-checking memory" is now managed by wasm memory-manager. And fault handler is used even if fast memory is disabled.
And fault handler also accepts signals from Wasm LLInt code since both bounds-checkings + signalings are required to confine memory access even in
Wasm LLInt. This patch also renamed memory-size and size-register to bounds-checking-size and bounds-checking-size-register since this is no longer
a size of memory.

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• llint/LLIntPCRanges.h:

(JSC::LLInt::isWasmLLIntPC):

• llint/LowLevelInterpreter.asm:
• llint/WebAssembly.asm:
• runtime/JSArrayBuffer.h:

(JSC::JSArrayBuffer::toWrappedAllowShared):

• runtime/JSArrayBufferView.h:
• runtime/JSArrayBufferViewInlines.h:

(JSC::JSArrayBufferView::toWrappedAllowShared):

• runtime/JSGenericTypedArrayView.h:

(JSC::JSGenericTypedArrayView<Adaptor>::toWrappedAllowShared):

• runtime/Options.cpp:

(JSC::overrideDefaults):
(JSC::Options::initialize):

• wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::AirIRGenerator):
(JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::AirIRGenerator::addCurrentMemory):
(JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
(JSC::Wasm::AirIRGenerator::addCall):
(JSC::Wasm::AirIRGenerator::addCallIndirect):

• wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::B3IRGenerator):
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCurrentMemory):
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
(JSC::Wasm::B3IRGenerator::addCall):
(JSC::Wasm::B3IRGenerator::addCallIndirect):

• wasm/WasmBinding.cpp:

(JSC::Wasm::wasmToWasm):

• wasm/WasmFaultSignalHandler.cpp:

(JSC::Wasm::trapHandler):
(JSC::Wasm::enableFastMemory):
(JSC::Wasm::prepareFastMemory):

• wasm/WasmInstance.h:

(JSC::Wasm::Instance::cachedMemory const):
(JSC::Wasm::Instance::cachedBoundsCheckingSize const):
(JSC::Wasm::Instance::updateCachedMemory):
(JSC::Wasm::Instance::offsetOfCachedBoundsCheckingSize):
(JSC::Wasm::Instance::cachedMemorySize const): Deleted.
(JSC::Wasm::Instance::offsetOfCachedMemorySize): Deleted.

• wasm/WasmMemory.cpp:

(JSC::Wasm::MemoryHandle::MemoryHandle):
(JSC::Wasm::MemoryHandle::~MemoryHandle):
(JSC::Wasm::Memory::Memory):
(JSC::Wasm::Memory::create):
(JSC::Wasm::Memory::tryCreate):
(JSC::Wasm::Memory::addressIsInGrowableOrFastMemory):
(JSC::Wasm::Memory::growShared):
(JSC::Wasm::Memory::grow):
(JSC::Wasm::Memory::dump const):
(JSC::Wasm::Memory::~Memory): Deleted.
(JSC::Wasm::Memory::addressIsInActiveFastMemory): Deleted.

• wasm/WasmMemory.h:

(JSC::Wasm::Memory::addressIsInGrowableOrFastMemory):
(JSC::Wasm::Memory::operator bool const): Deleted.
(JSC::Wasm::Memory::memory const): Deleted.
(JSC::Wasm::Memory::size const): Deleted.
(JSC::Wasm::Memory::sizeInPages const): Deleted.
(JSC::Wasm::Memory::initial const): Deleted.
(JSC::Wasm::Memory::maximum const): Deleted.
(JSC::Wasm::Memory::mode const): Deleted.
(JSC::Wasm::Memory::check): Deleted.
(JSC::Wasm::Memory::offsetOfMemory): Deleted.
(JSC::Wasm::Memory::offsetOfSize): Deleted.
(JSC::Wasm::Memory::addressIsInActiveFastMemory): Deleted.

• wasm/WasmMemoryInformation.cpp:

(JSC::Wasm::PinnedRegisterInfo::get):
(JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):

• wasm/WasmMemoryInformation.h:

(JSC::Wasm::PinnedRegisterInfo::toSave const):

• wasm/WasmMemoryMode.cpp:

(JSC::Wasm::makeString):

• wasm/WasmMemoryMode.h:
• wasm/js/JSToWasm.cpp:

(JSC::Wasm::createJSToWasmWrapper):

• wasm/js/JSWebAssemblyInstance.cpp:

(JSC::JSWebAssemblyInstance::tryCreate):

• wasm/js/JSWebAssemblyMemory.cpp:

(JSC::JSWebAssemblyMemory::buffer):
(JSC::JSWebAssemblyMemory::growSuccessCallback):

• wasm/js/JSWebAssemblyMemory.h:
• wasm/js/WebAssemblyFunction.cpp:

(JSC::WebAssemblyFunction::jsCallEntrypointSlow):

• wasm/js/WebAssemblyMemoryConstructor.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

• wasm/js/WebAssemblyMemoryPrototype.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

• wasm/js/WebAssemblyModuleRecord.cpp:

(JSC::WebAssemblyModuleRecord::evaluate):

Source/WebCore:

In WebCore, we need three things.

1. Shared WebAssembly.Memory serialization/deserialization

This patch adds structure-cloning for WebAssembly.Memory to pass it to the other workers. Cloning is available
only when the WebAssembly.Memory is shared mode. And it is only available when we are using it in postMessage.
So we cannot store WebAssembly.Memory in IndexedDB.

2. WebCoreTypedArrayController::isAtomicsWaitAllowedOnCurrentThread

Atomics.wait is usable only in Workers, and *not* usable in Service Workers. When creating VM, we pass WorkerThreadType
and make WebCoreTypedArrayController::isAtomicsWaitAllowedOnCurrentThread return appropriate value.

3. [AllowShared] support for WPT

WPT tests for this are broken, and tests are saying "PASS" while the feature is not implemented at all.
Now, the feature is actually implemented, and WPT tests start showing that [AllowShared] annotation in IDL
is not implemented. [AllowShared] is that, usually, DOM does not accept TypedArray originated from SharedArrayBuffer.
e.g. encodeInto(..., Uint8Array) DOM IDL throws an error if Uint8Array is backed by SharedArrayBuffer.
But in the limited places, we are explicitly allowing this. This is [AllowShared] annotation.
This patch implements that so that we keep passing TextEncoder / TextDecoder tests.

• Headers.cmake:
• Modules/indexeddb/server/IDBSerializationContext.cpp:

(WebCore::IDBServer::IDBSerializationContext::initializeVM):

• WebCore.xcodeproj/project.pbxproj:
• bindings/IDLTypes.h:
• bindings/js/CommonVM.cpp:

(WebCore::commonVMSlow):

• bindings/js/JSDOMConvertBufferSource.h:

(WebCore::Detail::BufferSourceConverter::convert):
(WebCore::Converter<IDLArrayBuffer>::convert):
(WebCore::Converter<IDLDataView>::convert):
(WebCore::Converter<IDLInt8Array>::convert):
(WebCore::Converter<IDLInt16Array>::convert):
(WebCore::Converter<IDLInt32Array>::convert):
(WebCore::Converter<IDLUint8Array>::convert):
(WebCore::Converter<IDLUint16Array>::convert):
(WebCore::Converter<IDLUint32Array>::convert):
(WebCore::Converter<IDLUint8ClampedArray>::convert):
(WebCore::Converter<IDLFloat32Array>::convert):
(WebCore::Converter<IDLFloat64Array>::convert):
(WebCore::Converter<IDLArrayBufferView>::convert):
(WebCore::Converter<IDLAllowSharedAdaptor<T>>::convert):

• bindings/js/JSDOMConvertUnion.h:
• bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneSerializer::serialize):
(WebCore::CloneSerializer::CloneSerializer):
(WebCore::CloneSerializer::dumpIfTerminal):
(WebCore::CloneDeserializer::deserialize):
(WebCore::CloneDeserializer::CloneDeserializer):
(WebCore::CloneDeserializer::readTerminal):
(WebCore::SerializedScriptValue::SerializedScriptValue):
(WebCore::SerializedScriptValue::computeMemoryCost const):
(WebCore::SerializedScriptValue::create):
(WebCore::SerializedScriptValue::deserialize):

• bindings/js/SerializedScriptValue.h:
• bindings/js/WebCoreJSClientData.cpp:

(WebCore::JSVMClientData::initNormalWorld):

• bindings/js/WebCoreJSClientData.h:
• bindings/js/WebCoreTypedArrayController.cpp:

(WebCore::WebCoreTypedArrayController::WebCoreTypedArrayController):
(WebCore::WebCoreTypedArrayController::isAtomicsWaitAllowedOnCurrentThread):

• bindings/js/WebCoreTypedArrayController.h:
• bindings/scripts/CodeGeneratorJS.pm:

(IsAnnotatedType):
(GetAnnotatedIDLType):

• bindings/scripts/IDLAttributes.json:
• bindings/scripts/test/JS/JSTestObj.cpp:

(WebCore::JSTestObjDOMConstructor::construct):
(WebCore::jsTestObjPrototypeFunction_encodeIntoBody):
(WebCore::JSC_DEFINE_HOST_FUNCTION):

• bindings/scripts/test/TestObj.idl:
• dom/TextDecoder.idl:
• dom/TextDecoderStreamDecoder.idl:
• dom/TextEncoder.idl:
• workers/DedicatedWorkerGlobalScope.cpp:

(WebCore::DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope):

• workers/WorkerGlobalScope.cpp:

(WebCore::WorkerGlobalScope::WorkerGlobalScope):

• workers/WorkerGlobalScope.h:
• workers/WorkerOrWorkletGlobalScope.cpp:

(WebCore::WorkerOrWorkletGlobalScope::WorkerOrWorkletGlobalScope):

• workers/WorkerOrWorkletGlobalScope.h:
• workers/WorkerOrWorkletScriptController.cpp:

(WebCore::WorkerOrWorkletScriptController::WorkerOrWorkletScriptController):

• workers/WorkerOrWorkletScriptController.h:
• workers/WorkerThreadType.h: Added.
• workers/service/ServiceWorkerGlobalScope.cpp:

(WebCore::ServiceWorkerGlobalScope::ServiceWorkerGlobalScope):

• worklets/WorkletGlobalScope.cpp:

(WebCore::WorkletGlobalScope::WorkletGlobalScope):

LayoutTests:

• js/dom/resources/webassembly-memory-normal-fail-worker.js: Added.
• js/dom/resources/webassembly-memory-shared-worker.js: Added.

(onmessage):

• js/dom/webassembly-memory-normal-fail-expected.txt: Added.
• js/dom/webassembly-memory-normal-fail.html: Added.
• js/dom/webassembly-memory-shared-basic-expected.txt: Added.
• js/dom/webassembly-memory-shared-basic.html: Added.
• js/dom/webassembly-memory-shared-fail-expected.txt: Added.
• js/dom/webassembly-memory-shared-fail.html: Added.
• platform/win/TestExpectations:
• storage/indexeddb/resources/shared-memory-structured-clone.js: Added.

(prepareDatabase):
(async startTests):
(testSharedWebAssemblyMemory):

• storage/indexeddb/shared-memory-structured-clone-expected.txt: Added.
• storage/indexeddb/shared-memory-structured-clone.html: Added.

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm/function-tests/trap-load-shared.js (added)
• JSTests/wasm/function-tests/trap-store-shared.js (added)
• JSTests/wasm/js-api/test_memory.js (modified) (1 diff)
• JSTests/wasm/stress/shared-memory-errors.js (added)
• JSTests/wasm/stress/shared-wasm-memory-buffer.js (added)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-agent-formalism/requires-success.any.worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/constructor-shared.tentative.any-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/constructor-shared.tentative.any.worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/constructor.any-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/constructor.any.worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/grow.any-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/grow.any.worker-expected.txt (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audiobuffer-interface/audiobuffer-copy-channel-expected.txt (modified) (3 diffs)
• LayoutTests/js/dom/resources (added)
• LayoutTests/js/dom/resources/webassembly-memory-normal-fail-worker.js (added)
• LayoutTests/js/dom/resources/webassembly-memory-shared-worker.js (added)
• LayoutTests/js/dom/webassembly-memory-normal-fail-expected.txt (added)
• LayoutTests/js/dom/webassembly-memory-normal-fail.html (added)
• LayoutTests/js/dom/webassembly-memory-shared-basic-expected.txt (added)
• LayoutTests/js/dom/webassembly-memory-shared-basic.html (added)
• LayoutTests/js/dom/webassembly-memory-shared-fail-expected.txt (added)
• LayoutTests/js/dom/webassembly-memory-shared-fail.html (added)
• LayoutTests/platform/win/TestExpectations (modified) (1 diff)
• LayoutTests/storage/indexeddb/resources/shared-memory-structured-clone.js (added)
• LayoutTests/storage/indexeddb/shared-memory-structured-clone-expected.txt (added)
• LayoutTests/storage/indexeddb/shared-memory-structured-clone.html (added)
• Source/JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (1 diff)
• Source/JavaScriptCore/llint/LLIntPCRanges.h (modified) (2 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/WebAssembly.asm (modified) (6 diffs)
• Source/JavaScriptCore/runtime/JSArrayBuffer.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSArrayBufferView.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Options.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp (modified) (9 diffs)
• Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp (modified) (9 diffs)
• Source/JavaScriptCore/wasm/WasmBinding.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmFaultSignalHandler.cpp (modified) (8 diffs)
• Source/JavaScriptCore/wasm/WasmInstance.h (modified) (4 diffs)
• Source/JavaScriptCore/wasm/WasmMemory.cpp (modified) (11 diffs)
• Source/JavaScriptCore/wasm/WasmMemory.h (modified) (4 diffs)
• Source/JavaScriptCore/wasm/WasmMemoryInformation.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmMemoryInformation.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmMemoryMode.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmMemoryMode.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/JSToWasm.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/js/WebAssemblyMemoryPrototype.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp (modified) (1 diff)
• Source/WTF/wtf/PlatformEnable.h (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Headers.cmake (modified) (1 diff)
• Source/WebCore/Modules/indexeddb/server/IDBSerializationContext.cpp (modified) (1 diff)
• Source/WebCore/WebCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/WebCore/bindings/IDLTypes.h (modified) (2 diffs)
• Source/WebCore/bindings/js/CommonVM.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSDOMConvertBufferSource.h (modified) (15 diffs)
• Source/WebCore/bindings/js/JSDOMConvertUnion.h (modified) (3 diffs)
• Source/WebCore/bindings/js/SerializedScriptValue.cpp (modified) (32 diffs)
• Source/WebCore/bindings/js/SerializedScriptValue.h (modified) (4 diffs)
• Source/WebCore/bindings/js/WebCoreJSClientData.cpp (modified) (2 diffs)
• Source/WebCore/bindings/js/WebCoreJSClientData.h (modified) (2 diffs)
• Source/WebCore/bindings/js/WebCoreTypedArrayController.cpp (modified) (2 diffs)
• Source/WebCore/bindings/js/WebCoreTypedArrayController.h (modified) (2 diffs)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (2 diffs)
• Source/WebCore/bindings/scripts/IDLAttributes.json (modified) (1 diff)
• Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp (modified) (3 diffs)
• Source/WebCore/bindings/scripts/test/TestObj.idl (modified) (1 diff)
• Source/WebCore/dom/TextDecoder.idl (modified) (1 diff)
• Source/WebCore/dom/TextDecoderStreamDecoder.idl (modified) (1 diff)
• Source/WebCore/dom/TextEncoder.idl (modified) (1 diff)
• Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp (modified) (1 diff)
• Source/WebCore/workers/WorkerGlobalScope.cpp (modified) (1 diff)
• Source/WebCore/workers/WorkerGlobalScope.h (modified) (1 diff)
• Source/WebCore/workers/WorkerOrWorkletGlobalScope.cpp (modified) (1 diff)
• Source/WebCore/workers/WorkerOrWorkletGlobalScope.h (modified) (2 diffs)
• Source/WebCore/workers/WorkerOrWorkletScriptController.cpp (modified) (2 diffs)
• Source/WebCore/workers/WorkerOrWorkletScriptController.h (modified) (2 diffs)
• Source/WebCore/workers/WorkerThreadType.h (added)
• Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp (modified) (1 diff)
• Source/WebCore/worklets/WorkletGlobalScope.cpp (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-11-16  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Implement WebAssembly.Memory with shared
+        https://bugs.webkit.org/show_bug.cgi?id=218693
+
+        Reviewed by Saam Barati.
+
+        * wasm/function-tests/trap-load-shared.js: Added.
+        (wasmFrameCountFromError):
+        * wasm/function-tests/trap-store-shared.js: Added.
+        * wasm/js-api/test_memory.js:
+        (binaryShouldNotParse):
+        * wasm/stress/shared-memory-errors.js: Added.
+        (assert.throws):
+        * wasm/stress/shared-wasm-memory-buffer.js: Added.
+
 2020-11-17  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/JSTests/wasm/js-api/test_memory.js

@@ -125 +125 @@
 {
     assert.throws(() => new WebAssembly.Memory(20), TypeError, "WebAssembly.Memory expects its first argument to be an object"); 
-    assert.throws(() => new WebAssembly.Memory({}, {}), TypeError,  "WebAssembly.Memory expects exactly one argument");
+    new WebAssembly.Memory({initial:1}, {});
 }
 

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-11-16  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Implement WebAssembly.Memory with shared
+        https://bugs.webkit.org/show_bug.cgi?id=218693
+
+        Reviewed by Saam Barati.
+
+        * js/dom/resources/webassembly-memory-normal-fail-worker.js: Added.
+        * js/dom/resources/webassembly-memory-shared-worker.js: Added.
+        (onmessage):
+        * js/dom/webassembly-memory-normal-fail-expected.txt: Added.
+        * js/dom/webassembly-memory-normal-fail.html: Added.
+        * js/dom/webassembly-memory-shared-basic-expected.txt: Added.
+        * js/dom/webassembly-memory-shared-basic.html: Added.
+        * js/dom/webassembly-memory-shared-fail-expected.txt: Added.
+        * js/dom/webassembly-memory-shared-fail.html: Added.
+        * platform/win/TestExpectations:
+        * storage/indexeddb/resources/shared-memory-structured-clone.js: Added.
+        (prepareDatabase):
+        (async startTests):
+        (testSharedWebAssemblyMemory):
+        * storage/indexeddb/shared-memory-structured-clone-expected.txt: Added.
+        * storage/indexeddb/shared-memory-structured-clone.html: Added.
+
 2020-11-17  Sergey Rubanov  <chi187@gmail.com>
 

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2020-11-16  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Implement WebAssembly.Memory with shared
+        https://bugs.webkit.org/show_bug.cgi?id=218693
+
+        Reviewed by Saam Barati.
+
+        * web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-agent-formalism/requires-success.any.worker-expected.txt:
+        * web-platform-tests/wasm/jsapi/memory/constructor-shared.tentative.any-expected.txt:
+        * web-platform-tests/wasm/jsapi/memory/constructor-shared.tentative.any.worker-expected.txt:
+        * web-platform-tests/wasm/jsapi/memory/constructor.any-expected.txt:
+        * web-platform-tests/wasm/jsapi/memory/constructor.any.worker-expected.txt:
+        * web-platform-tests/wasm/jsapi/memory/grow.any-expected.txt:
+        * web-platform-tests/wasm/jsapi/memory/grow.any.worker-expected.txt:
+        * web-platform-tests/webaudio/the-audio-api/the-audiobuffer-interface/audiobuffer-copy-channel-expected.txt:
+
 2020-11-16  Alex Christensen  <achristensen@webkit.org>
 

trunk/LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/integration-with-the-javascript-agent-formalism/requires-success.any.worker-expected.txt

@@ -1 +1 @@
 
-FAIL [[CanBlock]] in a DedicatedWorkerGlobalScope Typed array for wait/notify must wrap a SharedArrayBuffer.
+PASS [[CanBlock]] in a DedicatedWorkerGlobalScope
 

trunk/LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/constructor-shared.tentative.any-expected.txt

@@ -1 +1 @@
 
-FAIL Shared memory without maximum assert_throws_js: function "() => new WebAssembly.Memory({ "initial": 10, "shared": true })" did not throw
-FAIL Order of evaluation for descriptor (with shared) assert_array_equals: lengths differ, expected array ["initial", "initial valueOf", "maximum", "maximum valueOf", "shared"] length 5, got ["initial", "initial valueOf", "maximum", "maximum valueOf"] length 4
-FAIL Shared memory assert_equals: undefined: constructor expected true but got false
+PASS Shared memory without maximum
+PASS Order of evaluation for descriptor (with shared)
+PASS Shared memory
 

trunk/LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/constructor-shared.tentative.any.worker-expected.txt

@@ -1 +1 @@
 
-FAIL Shared memory without maximum assert_throws_js: function "() => new WebAssembly.Memory({ "initial": 10, "shared": true })" did not throw
-FAIL Order of evaluation for descriptor (with shared) assert_array_equals: lengths differ, expected array ["initial", "initial valueOf", "maximum", "maximum valueOf", "shared"] length 5, got ["initial", "initial valueOf", "maximum", "maximum valueOf"] length 4
-FAIL Shared memory assert_equals: undefined: constructor expected true but got false
+PASS Shared memory without maximum
+PASS Order of evaluation for descriptor (with shared)
+PASS Shared memory
 

trunk/LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/constructor.any-expected.txt

@@ -23 +23 @@
 PASS Zero initial
 PASS Non-zero initial
-FAIL Stray argument WebAssembly.Memory expects exactly one argument
+PASS Stray argument
 

trunk/LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/constructor.any.worker-expected.txt

@@ -23 +23 @@
 PASS Zero initial
 PASS Non-zero initial
-FAIL Stray argument WebAssembly.Memory expects exactly one argument
+PASS Stray argument
 

trunk/LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/grow.any-expected.txt

@@ -18 +18 @@
 PASS Out-of-range argument: object "[object Object]"
 PASS Stray argument
-FAIL Growing shared memory does not detach old buffer assert_equals: Buffer before growing: constructor expected true but got false
+PASS Growing shared memory does not detach old buffer
 

trunk/LayoutTests/imported/w3c/web-platform-tests/wasm/jsapi/memory/grow.any.worker-expected.txt

@@ -18 +18 @@
 PASS Out-of-range argument: object "[object Object]"
 PASS Stray argument
-FAIL Growing shared memory does not detach old buffer assert_equals: Buffer before growing: constructor expected true but got false
+PASS Growing shared memory does not detach old buffer
 

trunk/LayoutTests/imported/w3c/web-platform-tests/webaudio/the-audio-api/the-audiobuffer-interface/audiobuffer-copy-channel-expected.txt

@@ -20 +20 @@
 PASS   6: buffer.copyFromChannel(x, 0, 16) did not throw an exception.
 PASS   7: buffer.copyFromChannel(x, 3) threw IndexSizeError: "Not a valid channelNumber.".
-FAIL X 8: buffer.copyFromChannel(SharedArrayBuffer view, 0) did not throw an exception. assert_true: expected true got false
-FAIL X 9: buffer.copyFromChannel(SharedArrayBuffer view, 0, 0) did not throw an exception. assert_true: expected true got false
-FAIL < [copyFrom-exceptions] 2 out of 11 assertions were failed. assert_true: expected true got false
+PASS   8: buffer.copyFromChannel(SharedArrayBuffer view, 0) threw TypeError: "Argument 1 ('destination') to AudioBuffer.copyFromChannel must be an instance of Float32Array".
+PASS   9: buffer.copyFromChannel(SharedArrayBuffer view, 0, 0) threw TypeError: "Argument 1 ('destination') to AudioBuffer.copyFromChannel must be an instance of Float32Array".
+PASS < [copyFrom-exceptions] All assertions passed. (total 11 assertions)
 PASS > [copyTo-exceptions]
 PASS   AudioBuffer.prototype.copyToChannel does exist.
@@ -32 +32 @@
 PASS   5: buffer.copyToChannel(x, 0, 16) did not throw an exception.
 PASS   6: buffer.copyToChannel(x, 3) threw IndexSizeError: "Not a valid channelNumber.".
-FAIL X 7: buffer.copyToChannel(SharedArrayBuffer view, 0) did not throw an exception. assert_true: expected true got false
-FAIL X 8: buffer.copyToChannel(SharedArrayBuffer view, 0, 0) did not throw an exception. assert_true: expected true got false
-FAIL < [copyTo-exceptions] 2 out of 10 assertions were failed. assert_true: expected true got false
+PASS   7: buffer.copyToChannel(SharedArrayBuffer view, 0) threw TypeError: "Argument 1 ('source') to AudioBuffer.copyToChannel must be an instance of Float32Array".
+PASS   8: buffer.copyToChannel(SharedArrayBuffer view, 0, 0) threw TypeError: "Argument 1 ('source') to AudioBuffer.copyToChannel must be an instance of Float32Array".
+PASS < [copyTo-exceptions] All assertions passed. (total 10 assertions)
 PASS > [copyFrom-validate]
 PASS   buffer.copyFromChannel(dst8, 0) is identical to the array [1,2,3,4,5,6,7,8].
@@ -61 +61 @@
 PASS   buffer.copyToChannel(src10, 2, 5) is identical to the array [-1,-1,-1,-1,-1,1,2,3,4,5,6,7,8,9,10,-1...].
 PASS < [copyTo-validate] All assertions passed. (total 10 assertions)
-FAIL # AUDIT TASK RUNNER FINISHED: 2 out of 5 tasks were failed. assert_true: expected true got false
+PASS # AUDIT TASK RUNNER FINISHED: 5 tasks ran successfully.
 

trunk/LayoutTests/platform/win/TestExpectations

@@ -4601 +4601 @@
 webkit.org/b/218346 fast/text/canvas-color-fonts [ Pass ImageOnlyFailure ]
 webkit.org/b/218346 http/tests/canvas/color-fonts [ Pass ImageOnlyFailure ]
+
+# WebAssembly is not enabled
+js/dom/webassembly-memory-shared-basic.html [ Skip ]
+js/dom/webassembly-memory-normal-fail.html [ Skip ]
+js/dom/webassembly-memory-shared-fail.html [ Skip ]
+storage/indexeddb/shared-memory-structured-clone.html [ Skip ]

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -1090 +1090 @@
 
     wasm/js/JSWebAssembly.h
+    wasm/js/JSWebAssemblyMemory.h
     wasm/js/JSWebAssemblyModule.h
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-11-16  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Implement WebAssembly.Memory with shared
+        https://bugs.webkit.org/show_bug.cgi?id=218693
+
+        Reviewed by Saam Barati.
+
+        This patch implements shared WebAssembly.Memory. This can be shared between workers like SharedArrayBuffer.
+        The most interesting thing of shared WebAssembly.Memory is that it is growable. The memory can be grown in
+        one thread, and immediately, it should be accessible in the other threads.
+
+        To achieve that, shared WebAssembly.Memory leverages signaling even if bounds-checking is mainly used.
+        If the fast memory is enabled, we just use it so that mprotect can make memory grown easily. But if fast memory
+        is disabled, we allocates requested VA region and perform bounds-checking with this VA. Since WebAssembly.Memory
+        always requires "maximum" size of memory, we can first allocate VA and map active part of memory first. And
+        when growing, we perform mprotect to the rest of the memory. Since this VA is not 4GB, we still need to perform
+        bounds-checking, but we perform bounds-checking with VA size instead of active memory size. As a result, even if
+        shared WebAssembly.Memory is grown, we do not need to update (1) pointer and (2) bounds-checking size.
+        The shared bounds-checking WebAssembly.Memory is something like below.
+
+        <================================================ maximum ============================><------------ other memory, protected by bounds-checking --...
+        <======= active ==========><===================== not active yet =====================>
+        ^                               [ if we access this, fault handler will detect it]    ^
+        pointer                                                                               bounds checking size
+
+        These "growable bound-checking memory" is now managed by wasm memory-manager. And fault handler is used even if fast memory is disabled.
+        And fault handler also accepts signals from Wasm LLInt code since both bounds-checkings + signalings are required to confine memory access even in
+        Wasm LLInt. This patch also renamed memory-size and size-register to bounds-checking-size and bounds-checking-size-register since this is no longer
+        a size of memory.
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * llint/LLIntPCRanges.h:
+        (JSC::LLInt::isWasmLLIntPC):
+        * llint/LowLevelInterpreter.asm:
+        * llint/WebAssembly.asm:
+        * runtime/JSArrayBuffer.h:
+        (JSC::JSArrayBuffer::toWrappedAllowShared):
+        * runtime/JSArrayBufferView.h:
+        * runtime/JSArrayBufferViewInlines.h:
+        (JSC::JSArrayBufferView::toWrappedAllowShared):
+        * runtime/JSGenericTypedArrayView.h:
+        (JSC::JSGenericTypedArrayView<Adaptor>::toWrappedAllowShared):
+        * runtime/Options.cpp:
+        (JSC::overrideDefaults):
+        (JSC::Options::initialize):
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
+        (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
+        (JSC::Wasm::AirIRGenerator::addCurrentMemory):
+        (JSC::Wasm::AirIRGenerator::emitCheckAndPreparePointer):
+        (JSC::Wasm::AirIRGenerator::addCall):
+        (JSC::Wasm::AirIRGenerator::addCallIndirect):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
+        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+        (JSC::Wasm::B3IRGenerator::addCurrentMemory):
+        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
+        (JSC::Wasm::B3IRGenerator::addCall):
+        (JSC::Wasm::B3IRGenerator::addCallIndirect):
+        * wasm/WasmBinding.cpp:
+        (JSC::Wasm::wasmToWasm):
+        * wasm/WasmFaultSignalHandler.cpp:
+        (JSC::Wasm::trapHandler):
+        (JSC::Wasm::enableFastMemory):
+        (JSC::Wasm::prepareFastMemory):
+        * wasm/WasmInstance.h:
+        (JSC::Wasm::Instance::cachedMemory const):
+        (JSC::Wasm::Instance::cachedBoundsCheckingSize const):
+        (JSC::Wasm::Instance::updateCachedMemory):
+        (JSC::Wasm::Instance::offsetOfCachedBoundsCheckingSize):
+        (JSC::Wasm::Instance::cachedMemorySize const): Deleted.
+        (JSC::Wasm::Instance::offsetOfCachedMemorySize): Deleted.
+        * wasm/WasmMemory.cpp:
+        (JSC::Wasm::MemoryHandle::MemoryHandle):
+        (JSC::Wasm::MemoryHandle::~MemoryHandle):
+        (JSC::Wasm::Memory::Memory):
+        (JSC::Wasm::Memory::create):
+        (JSC::Wasm::Memory::tryCreate):
+        (JSC::Wasm::Memory::addressIsInGrowableOrFastMemory):
+        (JSC::Wasm::Memory::growShared):
+        (JSC::Wasm::Memory::grow):
+        (JSC::Wasm::Memory::dump const):
+        (JSC::Wasm::Memory::~Memory): Deleted.
+        (JSC::Wasm::Memory::addressIsInActiveFastMemory): Deleted.
+        * wasm/WasmMemory.h:
+        (JSC::Wasm::Memory::addressIsInGrowableOrFastMemory):
+        (JSC::Wasm::Memory::operator bool const): Deleted.
+        (JSC::Wasm::Memory::memory const): Deleted.
+        (JSC::Wasm::Memory::size const): Deleted.
+        (JSC::Wasm::Memory::sizeInPages const): Deleted.
+        (JSC::Wasm::Memory::initial const): Deleted.
+        (JSC::Wasm::Memory::maximum const): Deleted.
+        (JSC::Wasm::Memory::mode const): Deleted.
+        (JSC::Wasm::Memory::check): Deleted.
+        (JSC::Wasm::Memory::offsetOfMemory): Deleted.
+        (JSC::Wasm::Memory::offsetOfSize): Deleted.
+        (JSC::Wasm::Memory::addressIsInActiveFastMemory): Deleted.
+        * wasm/WasmMemoryInformation.cpp:
+        (JSC::Wasm::PinnedRegisterInfo::get):
+        (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
+        * wasm/WasmMemoryInformation.h:
+        (JSC::Wasm::PinnedRegisterInfo::toSave const):
+        * wasm/WasmMemoryMode.cpp:
+        (JSC::Wasm::makeString):
+        * wasm/WasmMemoryMode.h:
+        * wasm/js/JSToWasm.cpp:
+        (JSC::Wasm::createJSToWasmWrapper):
+        * wasm/js/JSWebAssemblyInstance.cpp:
+        (JSC::JSWebAssemblyInstance::tryCreate):
+        * wasm/js/JSWebAssemblyMemory.cpp:
+        (JSC::JSWebAssemblyMemory::buffer):
+        (JSC::JSWebAssemblyMemory::growSuccessCallback):
+        * wasm/js/JSWebAssemblyMemory.h:
+        * wasm/js/WebAssemblyFunction.cpp:
+        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+        * wasm/js/WebAssemblyMemoryConstructor.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * wasm/js/WebAssemblyMemoryPrototype.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        * wasm/js/WebAssemblyModuleRecord.cpp:
+        (JSC::WebAssemblyModuleRecord::evaluate):
+
 2020-11-17  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1575 +1575 @@
                 AD2FCBE31DB58DAD00B3E736 /* JSWebAssemblyCompileError.h in Headers */ = {isa = PBXBuildFile; fileRef = AD2FCBA71DB58DA400B3E736 /* JSWebAssemblyCompileError.h */; };
                 AD2FCBE51DB58DAD00B3E736 /* JSWebAssemblyInstance.h in Headers */ = {isa = PBXBuildFile; fileRef = AD2FCBA91DB58DA400B3E736 /* JSWebAssemblyInstance.h */; };
-                AD2FCBE71DB58DAD00B3E736 /* JSWebAssemblyMemory.h in Headers */ = {isa = PBXBuildFile; fileRef = AD2FCBAB1DB58DA400B3E736 /* JSWebAssemblyMemory.h */; };
+                AD2FCBE71DB58DAD00B3E736 /* JSWebAssemblyMemory.h in Headers */ = {isa = PBXBuildFile; fileRef = AD2FCBAB1DB58DA400B3E736 /* JSWebAssemblyMemory.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 AD2FCBE91DB58DAD00B3E736 /* JSWebAssemblyRuntimeError.h in Headers */ = {isa = PBXBuildFile; fileRef = AD2FCBAD1DB58DA400B3E736 /* JSWebAssemblyRuntimeError.h */; };
                 AD2FCBEB1DB58DAD00B3E736 /* JSWebAssemblyTable.h in Headers */ = {isa = PBXBuildFile; fileRef = AD2FCBAF1DB58DA400B3E736 /* JSWebAssemblyTable.h */; };

trunk/Source/JavaScriptCore/llint/LLIntPCRanges.h

@@ -36 +36 @@
     void llintPCRangeStart();
     void llintPCRangeEnd();
+#if ENABLE(WEBASSEMBLY)
+    void wasmLLIntPCRangeStart();
+    void wasmLLIntPCRangeEnd();
+#endif
 }
 
@@ -47 +51 @@
 }
 
+#if ENABLE(WEBASSEMBLY)
+ALWAYS_INLINE bool isWasmLLIntPC(void* pc)
+{
+    uintptr_t pcAsInt = bitwise_cast<uintptr_t>(pc);
+    uintptr_t start = untagCodePtr<uintptr_t, CFunctionPtrTag>(wasmLLIntPCRangeStart);
+    uintptr_t end = untagCodePtr<uintptr_t, CFunctionPtrTag>(wasmLLIntPCRangeEnd);
+    RELEASE_ASSERT(start < end);
+    return start <= pcAsInt && pcAsInt <= end;
+}
+#endif
+
 #if !ENABLE(C_LOOP)
 static constexpr GPRReg LLIntPC = GPRInfo::regT4;

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -2468 +2468 @@
     include WebAssembly
 end
+
+global _wasmLLIntPCRangeStart
+_wasmLLIntPCRangeStart:
 wasmScope()
+global _wasmLLIntPCRangeEnd
+_wasmLLIntPCRangeEnd:
 
 else

trunk/Source/JavaScriptCore/llint/WebAssembly.asm

@@ -46 +46 @@
 const wasmInstance = csr0
 const memoryBase = csr3
-const memorySize = csr4
+const boundsCheckingSize = csr4
 
 # This must match the definition in LowLevelInterpreter.asm
@@ -188 +188 @@
 
 macro preserveCalleeSavesUsedByWasm()
-    # NOTE: We intentionally don't save memoryBase and memorySize here. See the comment
+    # NOTE: We intentionally don't save memoryBase and boundsCheckingSize here. See the comment
     # in restoreCalleeSavesUsedByWasm() below for why.
     subp CalleeSaveSpaceStackAligned, sp
@@ -202 +202 @@
 
 macro restoreCalleeSavesUsedByWasm()
-    # NOTE: We intentionally don't restore memoryBase and memorySize here. These are saved
+    # NOTE: We intentionally don't restore memoryBase and boundsCheckingSize here. These are saved
     # and restored when entering Wasm by the JSToWasm wrapper and changes to them are meant
     # to be observable within the same Wasm module.
@@ -241 +241 @@
 macro reloadMemoryRegistersFromInstance(instance, scratch1, scratch2)
     loadp Wasm::Instance::m_cachedMemory[instance], memoryBase
-    loadi Wasm::Instance::m_cachedMemorySize[instance], memorySize
-    cagedPrimitive(memoryBase, memorySize, scratch1, scratch2)
+    loadi Wasm::Instance::m_cachedBoundsCheckingSize[instance], boundsCheckingSize
+    cagedPrimitive(memoryBase, boundsCheckingSize, scratch1, scratch2)
 end
 
@@ -857 +857 @@
 
 wasmOp(current_memory, WasmCurrentMemory, macro(ctx)
-    loadp Wasm::Instance::m_cachedMemorySize[wasmInstance], t0
+    loadp Wasm::Instance::m_memory[wasmInstance], t0
+    loadp Wasm::Memory::m_handle[t0], t0
+    loadp Wasm::MemoryHandle::m_size[t0], t0
     urshiftq 16, t0
     returnq(ctx, t0)
@@ -875 +877 @@
 macro emitCheckAndPreparePointer(ctx, pointer, offset, size)
     leap size - 1[pointer, offset], t5
-    bpb t5, memorySize, .continuation
+    bpb t5, boundsCheckingSize, .continuation
     throwException(OutOfBoundsMemoryAccess)
 .continuation:

trunk/Source/JavaScriptCore/runtime/JSArrayBuffer.h

@@ -56 +56 @@
     // This is the default DOM unwrapping. It calls toUnsharedArrayBuffer().
     static ArrayBuffer* toWrapped(VM&, JSValue);
+    static ArrayBuffer* toWrappedAllowShared(VM&, JSValue);
     
 private:
@@ -87 +88 @@
 }
 
+inline ArrayBuffer* JSArrayBuffer::toWrappedAllowShared(VM& vm, JSValue value)
+{
+    return toPossiblySharedArrayBuffer(vm, value);
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h

@@ -205 +205 @@
     
     static RefPtr<ArrayBufferView> toWrapped(VM&, JSValue);
+    static RefPtr<ArrayBufferView> toWrappedAllowShared(VM&, JSValue);
 
 private:

trunk/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h

@@ -130 +130 @@
 }
 
+inline RefPtr<ArrayBufferView> JSArrayBufferView::toWrappedAllowShared(VM& vm, JSValue value)
+{
+    if (JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(vm, value))
+        return view->possiblySharedImpl();
+    return nullptr;
+}
+
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayView.h

@@ -288 +288 @@
     // This is the default DOM unwrapping. It calls toUnsharedNativeTypedView().
     static RefPtr<typename Adaptor::ViewType> toWrapped(VM&, JSValue);
+    // [AllowShared] annotation allows accepting TypedArray originated from SharedArrayBuffer.
+    static RefPtr<typename Adaptor::ViewType> toWrappedAllowShared(VM&, JSValue);
     
 private:
@@ -393 +395 @@
 }
 
+template<typename Adaptor>
+RefPtr<typename Adaptor::ViewType> JSGenericTypedArrayView<Adaptor>::toWrappedAllowShared(VM& vm, JSValue value)
+{
+    return JSC::toPossiblySharedNativeTypedView<Adaptor>(vm, value);
+}
+
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/Options.cpp

@@ -366 +366 @@
 #endif
 
-#if !ENABLE(WEBASSEMBLY_FAST_MEMORY)
+#if !ENABLE(WEBASSEMBLY_SIGNALING_MEMORY)
     Options::useWebAssemblyFastMemory() = false;
+    Options::useSharedArrayBuffer() = false;
 #endif
 
@@ -659 +660 @@
 #endif
 
-#if ASAN_ENABLED && OS(LINUX) && ENABLE(WEBASSEMBLY_FAST_MEMORY)
-            if (Options::useWebAssemblyFastMemory()) {
+#if ASAN_ENABLED && OS(LINUX) && ENABLE(WEBASSEMBLY_SIGNALING_MEMORY)
+            if (Options::useWebAssemblyFastMemory() || Options::useSharedArrayBuffer()) {
                 const char* asanOptions = getenv("ASAN_OPTIONS");
                 bool okToUseWebAssemblyFastMemory = asanOptions
                     && (strstr(asanOptions, "allow_user_segv_handler=1") || strstr(asanOptions, "handle_segv=0"));
                 if (!okToUseWebAssemblyFastMemory) {
-                    dataLogLn("WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory will be disabled.");
+                    dataLogLn("WARNING: ASAN interferes with JSC signal handlers; useWebAssemblyFastMemory and useSharedArrayBuffer will be disabled.");
                     Options::useWebAssemblyFastMemory() = false;
+                    Options::useSharedArrayBuffer() = false;
                 }
             }

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -681 +681 @@
     Vector<UnlinkedWasmToWasmCall>& m_unlinkedWasmToWasmCalls; // List each call site and the function index whose address it should be patched with.
     GPRReg m_memoryBaseGPR { InvalidGPRReg };
-    GPRReg m_memorySizeGPR { InvalidGPRReg };
+    GPRReg m_boundsCheckingSizeGPR { InvalidGPRReg };
     GPRReg m_wasmContextInstanceGPR { InvalidGPRReg };
     bool m_makesCalls { false };
@@ -773 +773 @@
 
     if (mode != MemoryMode::Signaling) {
-        m_memorySizeGPR = pinnedRegs.sizeRegister;
-        m_code.pinRegister(m_memorySizeGPR);
+        m_boundsCheckingSizeGPR = pinnedRegs.boundsCheckingSizeRegister;
+        m_code.pinRegister(m_boundsCheckingSizeGPR);
     }
 
@@ -919 +919 @@
         RegisterSet clobbers;
         clobbers.set(pinnedRegs->baseMemoryPointer);
-        clobbers.set(pinnedRegs->sizeRegister);
+        clobbers.set(pinnedRegs->boundsCheckingSizeRegister);
         if (!isARM64())
             clobbers.set(RegisterSet::macroScratchRegisters());
@@ -934 +934 @@
             AllowMacroScratchRegisterUsage allowScratch(jit);
             GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
-            GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
-
-            jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister);
+            GPRReg scratchOrBoundsCheckingSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->boundsCheckingSizeRegister;
+
+            jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs->boundsCheckingSizeRegister);
             jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize);
+            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->boundsCheckingSizeRegister, scratchOrBoundsCheckingSize);
         });
 
@@ -1169 +1169 @@
     auto temp2 = g64();
 
-    RELEASE_ASSERT(Arg::isValidAddrForm(Instance::offsetOfCachedMemorySize(), B3::Width64));
-    append(Move, Arg::addr(instanceValue(), Instance::offsetOfCachedMemorySize()), temp1);
+    RELEASE_ASSERT(Arg::isValidAddrForm(Instance::offsetOfMemory(), B3::Width64));
+    RELEASE_ASSERT(Arg::isValidAddrForm(Memory::offsetOfHandle(), B3::Width64));
+    RELEASE_ASSERT(Arg::isValidAddrForm(MemoryHandle::offsetOfSize(), B3::Width64));
+    append(Move, Arg::addr(instanceValue(), Instance::offsetOfMemory()), temp1);
+    append(Move, Arg::addr(temp1, Memory::offsetOfHandle()), temp1);
+    append(Move, Arg::addr(temp1, MemoryHandle::offsetOfSize()), temp1);
     constexpr uint32_t shiftValue = 16;
     static_assert(PageCount::pageSize == 1ull << shiftValue, "This must hold for the code below to be correct.");
@@ -1364 +1368 @@
     switch (m_mode) {
     case MemoryMode::BoundsChecking: {
-        // We're not using signal handling at all, we must therefore check that no memory access exceeds the current memory size.
-        ASSERT(m_memorySizeGPR);
+        // In bound checking mode, while shared wasm memory partially relies on signal handler too, we need to perform bound checking
+        // to ensure that no memory access exceeds the current memory size.
+        ASSERT(m_boundsCheckingSizeGPR);
         ASSERT(sizeOfOperation + offset > offset);
         auto temp = g64();
@@ -1372 +1377 @@
 
         emitCheck([&] {
-            return Inst(Branch64, nullptr, Arg::relCond(MacroAssembler::AboveOrEqual), temp, Tmp(m_memorySizeGPR));
+            return Inst(Branch64, nullptr, Arg::relCond(MacroAssembler::AboveOrEqual), temp, Tmp(m_boundsCheckingSizeGPR));
         }, [=] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
             this->emitThrowException(jit, ExceptionType::OutOfBoundsMemoryAccess);
@@ -2155 +2160 @@
         // We need to clobber the size register since the LLInt always bounds checks
         if (m_mode == MemoryMode::Signaling)
-            patchpoint->clobberLate(RegisterSet { PinnedRegisterInfo::get().sizeRegister });
+            patchpoint->clobberLate(RegisterSet { PinnedRegisterInfo::get().boundsCheckingSizeRegister });
         patchpoint->setGenerator([unlinkedWasmToWasmCalls, functionIndex] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
             AllowMacroScratchRegisterUsage allowScratch(jit);
@@ -2279 +2284 @@
             // FIXME: We should support more than one memory size register
             //   see: https://bugs.webkit.org/show_bug.cgi?id=162952
-            ASSERT(pinnedRegs.sizeRegister != newContextInstance);
-            GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister;
-
-            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
+            ASSERT(pinnedRegs.boundsCheckingSizeRegister != newContextInstance);
+            GPRReg scratchOrBoundsCheckingSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.boundsCheckingSizeRegister;
+
+            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs.boundsCheckingSizeRegister); // Bound checking size.
             jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
+            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.boundsCheckingSizeRegister, scratchOrBoundsCheckingSize);
         });
 

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -326 +326 @@
     Value* m_framePointer { nullptr };
     GPRReg m_memoryBaseGPR { InvalidGPRReg };
-    GPRReg m_memorySizeGPR { InvalidGPRReg };
+    GPRReg m_boundsCheckingSizeGPR { InvalidGPRReg };
     GPRReg m_wasmContextInstanceGPR { InvalidGPRReg };
     bool m_makesCalls { false };
@@ -409 +409 @@
 
     if (mode != MemoryMode::Signaling) {
-        m_memorySizeGPR = pinnedRegs.sizeRegister;
-        m_proc.pinRegister(m_memorySizeGPR);
+        m_boundsCheckingSizeGPR = pinnedRegs.boundsCheckingSizeRegister;
+        m_proc.pinRegister(m_boundsCheckingSizeGPR);
     }
 
@@ -418 +418 @@
             switch (m_mode) {
             case MemoryMode::BoundsChecking:
-                ASSERT_UNUSED(pinnedGPR, m_memorySizeGPR == pinnedGPR);
+                ASSERT_UNUSED(pinnedGPR, m_boundsCheckingSizeGPR == pinnedGPR);
                 break;
             case MemoryMode::Signaling:
@@ -546 +546 @@
         RegisterSet clobbers;
         clobbers.set(pinnedRegs->baseMemoryPointer);
-        clobbers.set(pinnedRegs->sizeRegister);
+        clobbers.set(pinnedRegs->boundsCheckingSizeRegister);
         if (!isARM64())
             clobbers.set(RegisterSet::macroScratchRegisters());
@@ -562 +562 @@
             AllowMacroScratchRegisterUsage allowScratch(jit);
             GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
-            GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
-
-            jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister);
+            GPRReg scratchOrBoundsCheckingSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->boundsCheckingSizeRegister;
+
+            jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs->boundsCheckingSizeRegister);
             jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize);
+            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->boundsCheckingSizeRegister, scratchOrBoundsCheckingSize);
         });
     }
@@ -794 +794 @@
 {
     static_assert(sizeof(decltype(static_cast<Memory*>(nullptr)->size())) == sizeof(uint64_t), "codegen relies on this size");
-    Value* size = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, Int64, origin(), instanceValue(), safeCast<int32_t>(Instance::offsetOfCachedMemorySize()));
+    Value* memory = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, Int64, origin(), instanceValue(), safeCast<int32_t>(Instance::offsetOfMemory()));
+    Value* handle = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, Int64, origin(), memory, safeCast<int32_t>(Memory::offsetOfHandle()));
+    Value* size = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, Int64, origin(), handle, safeCast<int32_t>(MemoryHandle::offsetOfSize()));
 
     constexpr uint32_t shiftValue = 16;
@@ -955 +957 @@
     case MemoryMode::BoundsChecking: {
         // We're not using signal handling at all, we must therefore check that no memory access exceeds the current memory size.
-        ASSERT(m_memorySizeGPR);
+        ASSERT(m_boundsCheckingSizeGPR);
         ASSERT(sizeOfOperation + offset > offset);
-        m_currentBlock->appendNew<WasmBoundsCheckValue>(m_proc, origin(), m_memorySizeGPR, pointer, sizeOfOperation + offset - 1);
+        m_currentBlock->appendNew<WasmBoundsCheckValue>(m_proc, origin(), m_boundsCheckingSizeGPR, pointer, sizeOfOperation + offset - 1);
         break;
     }
@@ -1711 +1713 @@
                 // We need to clobber the size register since the LLInt always bounds checks
                 if (m_mode == MemoryMode::Signaling)
-                    patchpoint->clobberLate(RegisterSet { PinnedRegisterInfo::get().sizeRegister });
+                    patchpoint->clobberLate(RegisterSet { PinnedRegisterInfo::get().boundsCheckingSizeRegister });
                 patchpoint->setGenerator([unlinkedWasmToWasmCalls, functionIndex] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
                     AllowMacroScratchRegisterUsage allowScratch(jit);
@@ -1832 +1834 @@
             jit.storePtr(baseMemory, CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedStackLimit()));
             jit.storeWasmContextInstance(newContextInstance);
-            ASSERT(pinnedRegs.sizeRegister != baseMemory);
+            ASSERT(pinnedRegs.boundsCheckingSizeRegister != baseMemory);
             // FIXME: We should support more than one memory size register
             //   see: https://bugs.webkit.org/show_bug.cgi?id=162952
-            ASSERT(pinnedRegs.sizeRegister != newContextInstance);
-            GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister;
-
-            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
+            ASSERT(pinnedRegs.boundsCheckingSizeRegister != newContextInstance);
+            GPRReg scratchOrBoundsCheckingSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.boundsCheckingSizeRegister;
+
+            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs.boundsCheckingSizeRegister); // Memory size.
             jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
+            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.boundsCheckingSizeRegister, scratchOrBoundsCheckingSize);
         });
         doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation);

trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp

@@ -50 +50 @@
     ASSERT(baseMemory != GPRReg::InvalidGPRReg);
     ASSERT(baseMemory != scratch);
-    ASSERT(pinnedRegs.sizeRegister != baseMemory);
-    ASSERT(pinnedRegs.sizeRegister != scratch);
-    GPRReg sizeRegAsScratch = pinnedRegs.sizeRegister;
+    ASSERT(pinnedRegs.boundsCheckingSizeRegister != baseMemory);
+    ASSERT(pinnedRegs.boundsCheckingSizeRegister != scratch);
+    GPRReg sizeRegAsScratch = pinnedRegs.boundsCheckingSizeRegister;
     ASSERT(sizeRegAsScratch != GPRReg::InvalidGPRReg);
 
@@ -69 +69 @@
     // Set up the callee's baseMemory register as well as the memory size registers.
     {
-        GPRReg scratchOrSize = !Gigacage::isEnabled(Gigacage::Primitive) ? pinnedRegs.sizeRegister : wasmCallingConvention().prologueScratchGPRs[1];
+        GPRReg scratchOrBoundsCheckingSize = !Gigacage::isEnabled(Gigacage::Primitive) ? pinnedRegs.boundsCheckingSizeRegister : wasmCallingConvention().prologueScratchGPRs[1];
 
-        jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
+        jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs.boundsCheckingSizeRegister); // Bound checking size.
         jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*).
-        jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
+        jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.boundsCheckingSizeRegister, scratchOrBoundsCheckingSize);
     }
 

trunk/Source/JavaScriptCore/wasm/WasmFaultSignalHandler.cpp

@@ -53 +53 @@
 static bool fastHandlerInstalled { false };
 
-#if ENABLE(WEBASSEMBLY_FAST_MEMORY)
+#if ENABLE(WEBASSEMBLY_SIGNALING_MEMORY)
 
 static SignalAction trapHandler(Signal, SigInfo& sigInfo, PlatformRegisters& context)
@@ -64 +64 @@
 
     dataLogLnIf(WasmFaultSignalHandlerInternal::verbose, "JIT memory start: ", RawPointer(startOfFixedExecutableMemoryPool()), " end: ", RawPointer(endOfFixedExecutableMemoryPool()));
-    // First we need to make sure we are in JIT code before we can aquire any locks. Otherwise,
+    dataLogLnIf(WasmFaultSignalHandlerInternal::verbose, "WasmLLInt memory start: ", RawPointer(untagCodePtr<void*, CFunctionPtrTag>(LLInt::wasmLLIntPCRangeStart)), " end: ", RawPointer(untagCodePtr<void*, CFunctionPtrTag>(LLInt::wasmLLIntPCRangeEnd)));
+    // First we need to make sure we are in JIT code or Wasm LLInt code before we can aquire any locks. Otherwise,
     // we might have crashed in code that is already holding one of the locks we want to aquire.
     assertIsNotTagged(faultingInstruction);
-    if (isJITPC(faultingInstruction)) {
-        bool faultedInActiveFastMemory = false;
+    if (isJITPC(faultingInstruction) || LLInt::isWasmLLIntPC(faultingInstruction)) {
+        bool faultedInActiveGrowableMemory = false;
         {
             void* faultingAddress = sigInfo.faultingAddress;
             dataLogLnIf(WasmFaultSignalHandlerInternal::verbose, "checking faulting address: ", RawPointer(faultingAddress), " is in an active fast memory");
-            faultedInActiveFastMemory = Wasm::Memory::addressIsInActiveFastMemory(faultingAddress);
+            faultedInActiveGrowableMemory = Wasm::Memory::addressIsInGrowableOrFastMemory(faultingAddress);
         }
-        if (faultedInActiveFastMemory) {
+        if (faultedInActiveGrowableMemory) {
             dataLogLnIf(WasmFaultSignalHandlerInternal::verbose, "found active fast memory for faulting address");
-            auto& calleeRegistry = CalleeRegistry::singleton();
-            auto locker = holdLock(calleeRegistry.getLock());
-            for (auto* callee : calleeRegistry.allCallees(locker)) {
-                auto [start, end] = callee->range();
-                dataLogLnIf(WasmFaultSignalHandlerInternal::verbose, "function start: ", RawPointer(start), " end: ", RawPointer(end));
-                if (start <= faultingInstruction && faultingInstruction < end) {
-                    dataLogLnIf(WasmFaultSignalHandlerInternal::verbose, "found match");
-                    MachineContext::argumentPointer<1>(context) = reinterpret_cast<void*>(static_cast<uintptr_t>(Wasm::Context::useFastTLS()));
-                    MachineContext::setInstructionPointer(context, LLInt::getCodePtr<CFunctionPtrTag>(wasm_throw_from_fault_handler_trampoline));
-                    return SignalAction::Handled;
+
+            auto didFaultInWasm = [](void* faultingInstruction) {
+                if (LLInt::isWasmLLIntPC(faultingInstruction))
+                    return true;
+                auto& calleeRegistry = CalleeRegistry::singleton();
+                auto locker = holdLock(calleeRegistry.getLock());
+                for (auto* callee : calleeRegistry.allCallees(locker)) {
+                    auto [start, end] = callee->range();
+                    dataLogLnIf(WasmFaultSignalHandlerInternal::verbose, "function start: ", RawPointer(start), " end: ", RawPointer(end));
+                    if (start <= faultingInstruction && faultingInstruction < end) {
+                        dataLogLnIf(WasmFaultSignalHandlerInternal::verbose, "found match");
+                        return true;
+                    }
                 }
+                return false;
+            };
+
+            if (didFaultInWasm(faultingInstruction)) {
+                MachineContext::argumentPointer<1>(context) = reinterpret_cast<void*>(static_cast<uintptr_t>(Wasm::Context::useFastTLS()));
+                MachineContext::setInstructionPointer(context, LLInt::getCodePtr<CFunctionPtrTag>(wasm_throw_from_fault_handler_trampoline));
+                return SignalAction::Handled;
             }
         }
@@ -93 +104 @@
 }
 
-#endif // ENABLE(WEBASSEMBLY_FAST_MEMORY)
+#endif // ENABLE(WEBASSEMBLY_SIGNALING_MEMORY)
 
 bool fastMemoryEnabled()
@@ -102 +113 @@
 void enableFastMemory()
 {
-#if ENABLE(WEBASSEMBLY_FAST_MEMORY)
+#if ENABLE(WEBASSEMBLY_SIGNALING_MEMORY)
     static std::once_flag once;
     std::call_once(once, [] {
@@ -108 +119 @@
             return;
 
-        if (!Options::useWebAssemblyFastMemory())
+        if (!Options::useWebAssemblyFastMemory() && !Options::useSharedArrayBuffer())
             return;
 
@@ -120 +131 @@
 void prepareFastMemory()
 {
-#if ENABLE(WEBASSEMBLY_FAST_MEMORY)
+#if ENABLE(WEBASSEMBLY_SIGNALING_MEMORY)
     static std::once_flag once;
     std::call_once(once, [] {
@@ -126 +137 @@
             return;
 
-        if (!Options::useWebAssemblyFastMemory())
+        if (!Options::useWebAssemblyFastMemory() && !Options::useSharedArrayBuffer())
             return;
 
@@ -133 +144 @@
         });
     });
-#endif // ENABLE(WEBASSEMBLY_FAST_MEMORY)
+#endif // ENABLE(WEBASSEMBLY_SIGNALING_MEMORY)
 }
     

trunk/Source/JavaScriptCore/wasm/WasmInstance.h

@@ -78 +78 @@
     void setTable(unsigned, Ref<Table>&&);
 
-    void* cachedMemory() const { return m_cachedMemory.getMayBeNull(cachedMemorySize()); }
-    size_t cachedMemorySize() const { return m_cachedMemorySize; }
+    void* cachedMemory() const { return m_cachedMemory.getMayBeNull(cachedBoundsCheckingSize()); }
+    size_t cachedBoundsCheckingSize() const { return m_cachedBoundsCheckingSize; }
 
     void setMemory(Ref<Memory>&& memory)
@@ -90 +90 @@
     {
         if (m_memory != nullptr) {
-            m_cachedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>(memory()->memory(), memory()->size());
-            m_cachedMemorySize = memory()->size();
+            m_cachedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>(memory()->memory(), memory()->boundsCheckingSize());
+            m_cachedBoundsCheckingSize = memory()->boundsCheckingSize();
         }
     }
@@ -147 +147 @@
     static ptrdiff_t offsetOfGlobals() { return OBJECT_OFFSETOF(Instance, m_globals); }
     static ptrdiff_t offsetOfCachedMemory() { return OBJECT_OFFSETOF(Instance, m_cachedMemory); }
-    static ptrdiff_t offsetOfCachedMemorySize() { return OBJECT_OFFSETOF(Instance, m_cachedMemorySize); }
+    static ptrdiff_t offsetOfCachedBoundsCheckingSize() { return OBJECT_OFFSETOF(Instance, m_cachedBoundsCheckingSize); }
     static ptrdiff_t offsetOfPointerToTopEntryFrame() { return OBJECT_OFFSETOF(Instance, m_pointerToTopEntryFrame); }
 
@@ -202 +202 @@
     Context* m_context { nullptr };
     CagedPtr<Gigacage::Primitive, void, tagCagedPtr> m_cachedMemory;
-    size_t m_cachedMemorySize { 0 };
+    size_t m_cachedBoundsCheckingSize { 0 };
     Ref<Module> m_module;
     RefPtr<CodeBlock> m_codeBlock;

trunk/Source/JavaScriptCore/wasm/WasmMemory.cpp

@@ -37 +37 @@
 #include <wtf/PrintStream.h>
 #include <wtf/RAMSize.h>
+#include <wtf/StdSet.h>
 #include <wtf/Vector.h>
 
@@ -134 +135 @@
         dataLogLnIf(Options::logWebAssemblyMemory(), "Freed virtual; state: ", *this);
     }
-    
-    bool isAddressInFastMemory(void* address)
-    {
-        // NOTE: This can be called from a signal handler, but only after we proved that we're in JIT code.
+
+    MemoryResult tryAllocateGrowableBoundsCheckingMemory(size_t mappedCapacity)
+    {
+        MemoryResult result = [&] {
+            auto holder = holdLock(m_lock);
+            void* result = Gigacage::tryAllocateZeroedVirtualPages(Gigacage::Primitive, mappedCapacity);
+            if (!result)
+                return MemoryResult(nullptr, MemoryResult::SyncTryToReclaimMemory);
+
+            m_growableBoundsCheckingMemories.insert(std::make_pair(bitwise_cast<uintptr_t>(result), mappedCapacity));
+
+            return MemoryResult(result, MemoryResult::Success);
+        }();
+
+        dataLogLnIf(Options::logWebAssemblyMemory(), "Allocated virtual: ", result, "; state: ", *this);
+
+        return result;
+    }
+
+    void freeGrowableBoundsCheckingMemory(void* basePtr, size_t mappedCapacity)
+    {
+        {
+            auto holder = holdLock(m_lock);
+            Gigacage::freeVirtualPages(Gigacage::Primitive, basePtr, mappedCapacity);
+            m_growableBoundsCheckingMemories.erase(std::make_pair(bitwise_cast<uintptr_t>(basePtr), mappedCapacity));
+        }
+
+        dataLogLnIf(Options::logWebAssemblyMemory(), "Freed virtual; state: ", *this);
+    }
+
+    bool isInGrowableOrFastMemory(void* address)
+    {
+        // NOTE: This can be called from a signal handler, but only after we proved that we're in JIT code or WasmLLInt code.
         auto holder = holdLock(m_lock);
         for (void* memory : m_fastMemories) {
             char* start = static_cast<char*>(memory);
             if (start <= address && address <= start + Memory::fastMappedBytes())
+                return true;
+        }
+        uintptr_t addressValue = bitwise_cast<uintptr_t>(address);
+        auto iterator = std::upper_bound(m_growableBoundsCheckingMemories.begin(), m_growableBoundsCheckingMemories.end(), std::make_pair(addressValue, 0),
+            [](std::pair<uintptr_t, size_t> a, std::pair<uintptr_t, size_t> b) {
+                return (a.first + a.second) < (b.first + b.second);
+            });
+        if (iterator != m_growableBoundsCheckingMemories.end()) {
+            // Since we never have overlapped range in m_growableBoundsCheckingMemories, just checking one lower-bound range is enough.
+            if (iterator->first <= addressValue && addressValue < (iterator->first + iterator->second))
                 return true;
         }
@@ -193 +233 @@
     unsigned m_maxFastMemoryCount { 0 };
     Vector<void*> m_fastMemories;
+    StdSet<std::pair<uintptr_t, size_t>> m_growableBoundsCheckingMemories;
     size_t m_physicalBytes { 0 };
 };
@@ -236 +277 @@
 } // anonymous namespace
 
-Memory::Memory()
-{
-}
-
-Memory::Memory(PageCount initial, PageCount maximum, Function<void(NotifyPressure)>&& notifyMemoryPressure, Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback)
-    : m_initial(initial)
-    , m_maximum(maximum)
-    , m_notifyMemoryPressure(WTFMove(notifyMemoryPressure))
-    , m_syncTryToReclaimMemory(WTFMove(syncTryToReclaimMemory))
-    , m_growSuccessCallback(WTFMove(growSuccessCallback))
-{
-    ASSERT(!initial.bytes());
-    ASSERT(m_mode == MemoryMode::BoundsChecking);
-    dataLogLnIf(verbose, "Memory::Memory allocating ", *this);
-    ASSERT(!memory());
-}
-
-Memory::Memory(void* memory, PageCount initial, PageCount maximum, size_t mappedCapacity, MemoryMode mode, Function<void(NotifyPressure)>&& notifyMemoryPressure, Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback)
-    : m_memory(memory, initial.bytes())
-    , m_size(initial.bytes())
+
+MemoryHandle::MemoryHandle(void* memory, size_t size, size_t mappedCapacity, PageCount initial, PageCount maximum, MemorySharingMode sharingMode, MemoryMode mode)
+    : m_memory(memory, mappedCapacity)
+    , m_size(size)
+    , m_mappedCapacity(mappedCapacity)
     , m_initial(initial)
     , m_maximum(maximum)
-    , m_mappedCapacity(mappedCapacity)
+    , m_sharingMode(sharingMode)
     , m_mode(mode)
-    , m_notifyMemoryPressure(WTFMove(notifyMemoryPressure))
-    , m_syncTryToReclaimMemory(WTFMove(syncTryToReclaimMemory))
-    , m_growSuccessCallback(WTFMove(growSuccessCallback))
-{
-    dataLogLnIf(verbose, "Memory::Memory allocating ", *this);
-}
-
-Ref<Memory> Memory::create()
-{
-    return adoptRef(*new Memory());
-}
-
-RefPtr<Memory> Memory::tryCreate(PageCount initial, PageCount maximum, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback)
-{
-    ASSERT(initial);
-    RELEASE_ASSERT(!maximum || maximum >= initial); // This should be guaranteed by our caller.
-
-    const size_t initialBytes = initial.bytes();
-    const size_t maximumBytes = maximum ? maximum.bytes() : 0;
-
-    if (initialBytes > MAX_ARRAY_BUFFER_SIZE)
-        return nullptr; // Client will throw OOMError.
-
-    if (maximum && !maximumBytes) {
-        // User specified a zero maximum, initial size must also be zero.
-        RELEASE_ASSERT(!initialBytes);
-        return adoptRef(new Memory(initial, maximum, WTFMove(notifyMemoryPressure), WTFMove(syncTryToReclaimMemory), WTFMove(growSuccessCallback)));
-    }
-    
-    bool done = tryAllocate(
-        [&] () -> MemoryResult::Kind {
-            return memoryManager().tryAllocatePhysicalBytes(initialBytes);
-        }, notifyMemoryPressure, syncTryToReclaimMemory);
-    if (!done)
-        return nullptr;
-        
-    char* fastMemory = nullptr;
-    if (Options::useWebAssemblyFastMemory()) {
-        tryAllocate(
-            [&] () -> MemoryResult::Kind {
-                auto result = memoryManager().tryAllocateFastMemory();
-                fastMemory = bitwise_cast<char*>(result.basePtr);
-                return result.kind;
-            }, notifyMemoryPressure, syncTryToReclaimMemory);
-    }
-    
-    if (fastMemory) {
-        
-        if (mprotect(fastMemory + initialBytes, Memory::fastMappedBytes() - initialBytes, PROT_NONE)) {
-            dataLog("mprotect failed: ", strerror(errno), "\n");
-            RELEASE_ASSERT_NOT_REACHED();
-        }
-
-        return adoptRef(new Memory(fastMemory, initial, maximum, Memory::fastMappedBytes(), MemoryMode::Signaling, WTFMove(notifyMemoryPressure), WTFMove(syncTryToReclaimMemory), WTFMove(growSuccessCallback)));
-    }
-    
-    if (UNLIKELY(Options::crashIfWebAssemblyCantFastMemory()))
-        webAssemblyCouldntGetFastMemory();
-
-    if (!initialBytes)
-        return adoptRef(new Memory(initial, maximum, WTFMove(notifyMemoryPressure), WTFMove(syncTryToReclaimMemory), WTFMove(growSuccessCallback)));
-    
-    void* slowMemory = Gigacage::tryAllocateZeroedVirtualPages(Gigacage::Primitive, initialBytes);
-    if (!slowMemory) {
-        memoryManager().freePhysicalBytes(initialBytes);
-        return nullptr;
-    }
-    return adoptRef(new Memory(slowMemory, initial, maximum, initialBytes, MemoryMode::BoundsChecking, WTFMove(notifyMemoryPressure), WTFMove(syncTryToReclaimMemory), WTFMove(growSuccessCallback)));
-}
-
-Memory::~Memory()
+{
+#if ASSERT_ENABLED
+    if (sharingMode == MemorySharingMode::Default && mode == MemoryMode::BoundsChecking)
+        ASSERT(mappedCapacity == size);
+#endif
+}
+
+MemoryHandle::~MemoryHandle()
 {
     if (m_memory) {
@@ -342 +305 @@
             memoryManager().freeFastMemory(memory());
             break;
-        case MemoryMode::BoundsChecking:
-            Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size);
+        case MemoryMode::BoundsChecking: {
+            switch (m_sharingMode) {
+            case MemorySharingMode::Default:
+                Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size);
+                break;
+            case MemorySharingMode::Shared: {
+                if (mprotect(memory(), m_mappedCapacity, PROT_READ | PROT_WRITE)) {
+                    dataLog("mprotect failed: ", strerror(errno), "\n");
+                    RELEASE_ASSERT_NOT_REACHED();
+                }
+                memoryManager().freeGrowableBoundsCheckingMemory(memory(), m_mappedCapacity);
+                break;
+            }
+            }
             break;
         }
-    }
-}
+        }
+    }
+}
+
+Memory::Memory()
+    : m_handle(adoptRef(*new MemoryHandle(nullptr, 0, 0, PageCount(0), PageCount(0), MemorySharingMode::Default, MemoryMode::BoundsChecking)))
+{
+}
+
+Memory::Memory(PageCount initial, PageCount maximum, MemorySharingMode sharingMode, Function<void(NotifyPressure)>&& notifyMemoryPressure, Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback)
+    : m_handle(adoptRef(*new MemoryHandle(nullptr, 0, 0, initial, maximum, sharingMode, MemoryMode::BoundsChecking)))
+    , m_notifyMemoryPressure(WTFMove(notifyMemoryPressure))
+    , m_syncTryToReclaimMemory(WTFMove(syncTryToReclaimMemory))
+    , m_growSuccessCallback(WTFMove(growSuccessCallback))
+{
+    ASSERT(!initial.bytes());
+    ASSERT(mode() == MemoryMode::BoundsChecking);
+    dataLogLnIf(verbose, "Memory::Memory allocating ", *this);
+    ASSERT(!memory());
+}
+
+Memory::Memory(Ref<MemoryHandle>&& handle, Function<void(NotifyPressure)>&& notifyMemoryPressure, Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback)
+    : m_handle(WTFMove(handle))
+    , m_notifyMemoryPressure(WTFMove(notifyMemoryPressure))
+    , m_syncTryToReclaimMemory(WTFMove(syncTryToReclaimMemory))
+    , m_growSuccessCallback(WTFMove(growSuccessCallback))
+{
+    dataLogLnIf(verbose, "Memory::Memory allocating ", *this);
+}
+
+Ref<Memory> Memory::create()
+{
+    return adoptRef(*new Memory());
+}
+
+Ref<Memory> Memory::create(Ref<MemoryHandle>&& handle, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback)
+{
+    return adoptRef(*new Memory(WTFMove(handle), WTFMove(notifyMemoryPressure), WTFMove(syncTryToReclaimMemory), WTFMove(growSuccessCallback)));
+}
+
+RefPtr<Memory> Memory::tryCreate(PageCount initial, PageCount maximum, MemorySharingMode sharingMode, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback)
+{
+    ASSERT(initial);
+    RELEASE_ASSERT(!maximum || maximum >= initial); // This should be guaranteed by our caller.
+
+    const size_t initialBytes = initial.bytes();
+    const size_t maximumBytes = maximum ? maximum.bytes() : 0;
+
+    if (initialBytes > MAX_ARRAY_BUFFER_SIZE)
+        return nullptr; // Client will throw OOMError.
+
+    if (maximum && !maximumBytes) {
+        // User specified a zero maximum, initial size must also be zero.
+        RELEASE_ASSERT(!initialBytes);
+        return adoptRef(new Memory(initial, maximum, sharingMode, WTFMove(notifyMemoryPressure), WTFMove(syncTryToReclaimMemory), WTFMove(growSuccessCallback)));
+    }
+    
+    bool done = tryAllocate(
+        [&] () -> MemoryResult::Kind {
+            return memoryManager().tryAllocatePhysicalBytes(initialBytes);
+        }, notifyMemoryPressure, syncTryToReclaimMemory);
+    if (!done)
+        return nullptr;
+        
+    char* fastMemory = nullptr;
+    if (Options::useWebAssemblyFastMemory()) {
+        tryAllocate(
+            [&] () -> MemoryResult::Kind {
+                auto result = memoryManager().tryAllocateFastMemory();
+                fastMemory = bitwise_cast<char*>(result.basePtr);
+                return result.kind;
+            }, notifyMemoryPressure, syncTryToReclaimMemory);
+    }
+    
+    if (fastMemory) {
+        if (mprotect(fastMemory + initialBytes, Memory::fastMappedBytes() - initialBytes, PROT_NONE)) {
+            dataLog("mprotect failed: ", strerror(errno), "\n");
+            RELEASE_ASSERT_NOT_REACHED();
+        }
+
+        return Memory::create(adoptRef(*new MemoryHandle(fastMemory, initialBytes, Memory::fastMappedBytes(), initial, maximum, sharingMode, MemoryMode::Signaling)), WTFMove(notifyMemoryPressure), WTFMove(syncTryToReclaimMemory), WTFMove(growSuccessCallback));
+    }
+    
+    if (UNLIKELY(Options::crashIfWebAssemblyCantFastMemory()))
+        webAssemblyCouldntGetFastMemory();
+
+    if (!initialBytes)
+        return adoptRef(new Memory(initial, maximum, sharingMode, WTFMove(notifyMemoryPressure), WTFMove(syncTryToReclaimMemory), WTFMove(growSuccessCallback)));
+
+    switch (sharingMode) {
+    case MemorySharingMode::Default: {
+        void* slowMemory = Gigacage::tryAllocateZeroedVirtualPages(Gigacage::Primitive, initialBytes);
+        if (!slowMemory) {
+            memoryManager().freePhysicalBytes(initialBytes);
+            return nullptr;
+        }
+        return Memory::create(adoptRef(*new MemoryHandle(slowMemory, initialBytes, initialBytes, initial, maximum, sharingMode, MemoryMode::BoundsChecking)), WTFMove(notifyMemoryPressure), WTFMove(syncTryToReclaimMemory), WTFMove(growSuccessCallback));
+    }
+    case MemorySharingMode::Shared: {
+        char* slowMemory = nullptr;
+        tryAllocate(
+            [&] () -> MemoryResult::Kind {
+                auto result = memoryManager().tryAllocateGrowableBoundsCheckingMemory(maximumBytes);
+                slowMemory = bitwise_cast<char*>(result.basePtr);
+                return result.kind;
+            }, notifyMemoryPressure, syncTryToReclaimMemory);
+        if (!slowMemory) {
+            memoryManager().freePhysicalBytes(initialBytes);
+            return nullptr;
+        }
+
+        if (mprotect(slowMemory + initialBytes, maximumBytes - initialBytes, PROT_NONE)) {
+            dataLog("mprotect failed: ", strerror(errno), "\n");
+            RELEASE_ASSERT_NOT_REACHED();
+        }
+
+        return Memory::create(adoptRef(*new MemoryHandle(slowMemory, initialBytes, maximumBytes, initial, maximum, sharingMode, MemoryMode::BoundsChecking)), WTFMove(notifyMemoryPressure), WTFMove(syncTryToReclaimMemory), WTFMove(growSuccessCallback));
+    }
+    }
+    RELEASE_ASSERT_NOT_REACHED();
+    return nullptr;
+}
+
+Memory::~Memory() = default;
 
 size_t Memory::fastMappedRedzoneBytes()
@@ -360 +457 @@
 }
 
-bool Memory::addressIsInActiveFastMemory(void* address)
-{
-    return memoryManager().isAddressInFastMemory(address);
+bool Memory::addressIsInGrowableOrFastMemory(void* address)
+{
+    return memoryManager().isInGrowableOrFastMemory(address);
+}
+
+Expected<PageCount, Memory::GrowFailReason> Memory::growShared(PageCount delta)
+{
+    Wasm::PageCount oldPageCount;
+    Wasm::PageCount newPageCount;
+    auto result = ([&]() -> Expected<PageCount, Memory::GrowFailReason> {
+        auto locker = holdLock(m_handle->lock());
+
+        oldPageCount = sizeInPages();
+        newPageCount = oldPageCount + delta;
+        if (!newPageCount || !newPageCount.isValid())
+            return makeUnexpected(GrowFailReason::InvalidGrowSize);
+        if (newPageCount.bytes() > MAX_ARRAY_BUFFER_SIZE)
+            return makeUnexpected(GrowFailReason::OutOfMemory);
+
+        if (!delta.pageCount())
+            return oldPageCount;
+
+        dataLogLnIf(verbose, "Memory::grow(", delta, ") to ", newPageCount, " from ", *this);
+        RELEASE_ASSERT(newPageCount > PageCount::fromBytes(size()));
+
+        if (maximum() && newPageCount > maximum())
+            return makeUnexpected(GrowFailReason::WouldExceedMaximum);
+
+        size_t desiredSize = newPageCount.bytes();
+        RELEASE_ASSERT(desiredSize <= MAX_ARRAY_BUFFER_SIZE);
+        RELEASE_ASSERT(desiredSize > size());
+
+        // If the memory is MemorySharingMode::Shared, we already allocated enough virtual address space even if the memory is bound-checking mode. We perform mprotect to extend.
+        size_t extraBytes = desiredSize - size();
+        RELEASE_ASSERT(extraBytes);
+        bool allocationSuccess = tryAllocate(
+            [&] () -> MemoryResult::Kind {
+                return memoryManager().tryAllocatePhysicalBytes(extraBytes);
+            }, [](Wasm::Memory::NotifyPressure) { }, [](Memory::SyncTryToReclaim) { });
+        if (!allocationSuccess)
+            return makeUnexpected(GrowFailReason::OutOfMemory);
+
+        RELEASE_ASSERT(memory());
+
+        // Signaling memory must have been pre-allocated virtually.
+        uint8_t* startAddress = static_cast<uint8_t*>(memory()) + size();
+
+        dataLogLnIf(verbose, "Marking WebAssembly memory's ", RawPointer(memory()), " as read+write in range [", RawPointer(startAddress), ", ", RawPointer(startAddress + extraBytes), ")");
+        if (mprotect(startAddress, extraBytes, PROT_READ | PROT_WRITE)) {
+            dataLog("mprotect failed: ", strerror(errno), "\n");
+            RELEASE_ASSERT_NOT_REACHED();
+        }
+
+        m_handle->growToSize(desiredSize);
+        return oldPageCount;
+    }());
+    if (result)
+        m_growSuccessCallback(GrowSuccessTag, oldPageCount, newPageCount);
+    return result;
 }
 
 Expected<PageCount, Memory::GrowFailReason> Memory::grow(PageCount delta)
 {
-    const Wasm::PageCount oldPageCount = sizeInPages();
-
     if (!delta.isValid())
         return makeUnexpected(GrowFailReason::InvalidDelta);
-    
+
+    if (sharingMode() == MemorySharingMode::Shared)
+        return growShared(delta);
+
+    const Wasm::PageCount oldPageCount = sizeInPages();
     const Wasm::PageCount newPageCount = oldPageCount + delta;
     if (!newPageCount || !newPageCount.isValid())
@@ -392 +547 @@
 
     dataLogLnIf(verbose, "Memory::grow(", delta, ") to ", newPageCount, " from ", *this);
-    RELEASE_ASSERT(newPageCount > PageCount::fromBytes(m_size));
+    RELEASE_ASSERT(newPageCount > PageCount::fromBytes(size()));
 
     if (maximum() && newPageCount > maximum())
@@ -399 +554 @@
     size_t desiredSize = newPageCount.bytes();
     RELEASE_ASSERT(desiredSize <= MAX_ARRAY_BUFFER_SIZE);
-    RELEASE_ASSERT(desiredSize > m_size);
-    size_t extraBytes = desiredSize - m_size;
-    RELEASE_ASSERT(extraBytes);
-    bool allocationSuccess = tryAllocate(
-        [&] () -> MemoryResult::Kind {
-            return memoryManager().tryAllocatePhysicalBytes(extraBytes);
-        }, m_notifyMemoryPressure, m_syncTryToReclaimMemory);
-    if (!allocationSuccess)
-        return makeUnexpected(GrowFailReason::OutOfMemory);
-
+    RELEASE_ASSERT(desiredSize > size());
     switch (mode()) {
     case MemoryMode::BoundsChecking: {
+        bool allocationSuccess = tryAllocate(
+            [&] () -> MemoryResult::Kind {
+                return memoryManager().tryAllocatePhysicalBytes(desiredSize);
+            }, m_notifyMemoryPressure, m_syncTryToReclaimMemory);
+        if (!allocationSuccess)
+            return makeUnexpected(GrowFailReason::OutOfMemory);
+
         RELEASE_ASSERT(maximum().bytes() != 0);
 
@@ -417 +570 @@
             return makeUnexpected(GrowFailReason::OutOfMemory);
 
-        memcpy(newMemory, memory(), m_size);
-        if (m_memory)
-            Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size);
-        m_memory = CagedMemory(newMemory, desiredSize);
-        m_mappedCapacity = desiredSize;
-        m_size = desiredSize;
+        memcpy(newMemory, memory(), size());
+        auto newHandle = adoptRef(*new MemoryHandle(newMemory, desiredSize, desiredSize, initial(), maximum(), sharingMode(), MemoryMode::BoundsChecking));
+        m_handle = WTFMove(newHandle);
+
         ASSERT(memory() == newMemory);
         return success();
     }
     case MemoryMode::Signaling: {
+        size_t extraBytes = desiredSize - size();
+        RELEASE_ASSERT(extraBytes);
+        bool allocationSuccess = tryAllocate(
+            [&] () -> MemoryResult::Kind {
+                return memoryManager().tryAllocatePhysicalBytes(extraBytes);
+            }, m_notifyMemoryPressure, m_syncTryToReclaimMemory);
+        if (!allocationSuccess)
+            return makeUnexpected(GrowFailReason::OutOfMemory);
+
         RELEASE_ASSERT(memory());
+
         // Signaling memory must have been pre-allocated virtually.
-        uint8_t* startAddress = static_cast<uint8_t*>(memory()) + m_size;
+        uint8_t* startAddress = static_cast<uint8_t*>(memory()) + size();
         
         dataLogLnIf(verbose, "Marking WebAssembly memory's ", RawPointer(memory()), " as read+write in range [", RawPointer(startAddress), ", ", RawPointer(startAddress + extraBytes), ")");
@@ -436 +597 @@
             RELEASE_ASSERT_NOT_REACHED();
         }
-        m_memory.recage(m_size, desiredSize);
-        m_size = desiredSize;
+
+        m_handle->growToSize(desiredSize);
         return success();
     }
@@ -460 +621 @@
 void Memory::dump(PrintStream& out) const
 {
-    out.print("Memory at ", RawPointer(memory()), ", size ", m_size, "B capacity ", m_mappedCapacity, "B, initial ", m_initial, " maximum ", m_maximum, " mode ", makeString(m_mode));
+    auto handle = m_handle.copyRef();
+    out.print("Memory at ", RawPointer(handle->memory()), ", size ", handle->size(), "B capacity ", handle->mappedCapacity(), "B, initial ", handle->initial(), " maximum ", handle->maximum(), " mode ", makeString(handle->mode()), " sharingMode ", makeString(handle->sharingMode()));
 }
 

trunk/Source/JavaScriptCore/wasm/WasmMemory.h

@@ -45 +45 @@
 namespace JSC {
 
+class LLIntOffsetsExtractor;
+
 namespace Wasm {
 
 class Instance;
 
-class Memory : public RefCounted<Memory> {
+class MemoryHandle final : public ThreadSafeRefCounted<MemoryHandle> {
+    WTF_MAKE_NONCOPYABLE(MemoryHandle);
+    WTF_MAKE_FAST_ALLOCATED;
+    friend LLIntOffsetsExtractor;
+public:
+    MemoryHandle(void*, size_t size, size_t mappedCapacity, PageCount initial, PageCount maximum, MemorySharingMode, MemoryMode);
+    JS_EXPORT_PRIVATE ~MemoryHandle();
+
+    void* memory() const { ASSERT(m_memory.getMayBeNull(m_mappedCapacity) == m_memory.getUnsafe()); return m_memory.getMayBeNull(m_mappedCapacity); }
+    size_t size() const { return m_size; }
+    size_t mappedCapacity() const { return m_mappedCapacity; }
+    PageCount initial() const { return m_initial; }
+    PageCount maximum() const { return m_maximum; }
+    MemorySharingMode sharingMode() const { return m_sharingMode; }
+    MemoryMode mode() const { return m_mode; }
+    static ptrdiff_t offsetOfSize() { return OBJECT_OFFSETOF(MemoryHandle, m_size); }
+    Lock& lock() { return m_lock; }
+
+    void growToSize(size_t size)
+    {
+        m_size = size;
+    }
+
+private:
+    using CagedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>;
+    CagedMemory m_memory;
+    size_t m_size { 0 };
+    size_t m_mappedCapacity { 0 };
+    PageCount m_initial;
+    PageCount m_maximum;
+    MemorySharingMode m_sharingMode { MemorySharingMode::Default };
+    MemoryMode m_mode { MemoryMode::BoundsChecking };
+    Lock m_lock;
+};
+
+class Memory final : public RefCounted<Memory> {
     WTF_MAKE_NONCOPYABLE(Memory);
     WTF_MAKE_FAST_ALLOCATED;
+    friend LLIntOffsetsExtractor;
 public:
     void dump(WTF::PrintStream&) const;
 
-    explicit operator bool() const { return !!m_memory; }
+    explicit operator bool() const { return !!m_handle->memory(); }
     
     enum NotifyPressure { NotifyPressureTag };
@@ -62 +100 @@
 
     static Ref<Memory> create();
-    static RefPtr<Memory> tryCreate(PageCount initial, PageCount maximum, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
+    JS_EXPORT_PRIVATE static Ref<Memory> create(Ref<MemoryHandle>&&, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
+    static RefPtr<Memory> tryCreate(PageCount initial, PageCount maximum, MemorySharingMode, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
 
-    ~Memory();
+    JS_EXPORT_PRIVATE ~Memory();
 
     static size_t fastMappedRedzoneBytes();
     static size_t fastMappedBytes(); // Includes redzone.
-    static bool addressIsInActiveFastMemory(void*);
+    static bool addressIsInGrowableOrFastMemory(void*);
 
-    void* memory() const { ASSERT(m_memory.getMayBeNull(size()) == m_memory.getUnsafe()); return m_memory.getMayBeNull(size()); }
-    size_t size() const { return m_size; }
-    PageCount sizeInPages() const { return PageCount::fromBytes(m_size); }
+    void* memory() const { return m_handle->memory(); }
+    size_t size() const { return m_handle->size(); }
+    PageCount sizeInPages() const { return PageCount::fromBytes(size()); }
+    size_t boundsCheckingSize() const { return m_handle->mappedCapacity(); }
+    PageCount initial() const { return m_handle->initial(); }
+    PageCount maximum() const { return m_handle->maximum(); }
+    MemoryHandle& handle() { return m_handle.get(); }
 
-    PageCount initial() const { return m_initial; }
-    PageCount maximum() const { return m_maximum; }
-
-    MemoryMode mode() const { return m_mode; }
+    MemorySharingMode sharingMode() const { return m_handle->sharingMode(); }
+    MemoryMode mode() const { return m_handle->mode(); }
 
     enum class GrowFailReason {
@@ -90 +131 @@
     void check() {  ASSERT(!deletionHasBegun()); }
 
-    static ptrdiff_t offsetOfMemory() { return OBJECT_OFFSETOF(Memory, m_memory); }
-    static ptrdiff_t offsetOfSize() { return OBJECT_OFFSETOF(Memory, m_size); }
+    static ptrdiff_t offsetOfHandle() { return OBJECT_OFFSETOF(Memory, m_handle); }
 
 private:
     Memory();
-    Memory(void* memory, PageCount initial, PageCount maximum, size_t mappedCapacity, MemoryMode, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
-    Memory(PageCount initial, PageCount maximum, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
+    Memory(Ref<MemoryHandle>&&, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
+    Memory(PageCount initial, PageCount maximum, MemorySharingMode, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
 
-    using CagedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>;
-    CagedMemory m_memory;
-    size_t m_size { 0 };
-    PageCount m_initial;
-    PageCount m_maximum;
-    size_t m_mappedCapacity { 0 };
-    MemoryMode m_mode { MemoryMode::BoundsChecking };
+    Expected<PageCount, GrowFailReason> growShared(PageCount);
+
+    Ref<MemoryHandle> m_handle;
     WTF::Function<void(NotifyPressure)> m_notifyMemoryPressure;
     WTF::Function<void(SyncTryToReclaim)> m_syncTryToReclaimMemory;
@@ -120 +156 @@
 public:
     static size_t maxFastMemoryCount() { return 0; }
-    static bool addressIsInActiveFastMemory(void*) { return false; }
+    static bool addressIsInGrowableOrFastMemory(void*) { return false; }
 };
 

trunk/Source/JavaScriptCore/wasm/WasmMemoryInformation.cpp

@@ -43 +43 @@
             ++numberOfPinnedRegisters;
         GPRReg baseMemoryPointer = GPRInfo::regCS3;
-        GPRReg sizeRegister = GPRInfo::regCS4;
+        GPRReg boundsCheckingSizeRegister = GPRInfo::regCS4;
         GPRReg wasmContextInstancePointer = InvalidGPRReg;
         if (!Context::useFastTLS())
             wasmContextInstancePointer = GPRInfo::regCS0;
 
-        staticPinnedRegisterInfo.construct(sizeRegister, baseMemoryPointer, wasmContextInstancePointer);
+        staticPinnedRegisterInfo.construct(boundsCheckingSizeRegister, baseMemoryPointer, wasmContextInstancePointer);
     });
 
@@ -54 +54 @@
 }
 
-PinnedRegisterInfo::PinnedRegisterInfo(GPRReg sizeRegister, GPRReg baseMemoryPointer, GPRReg wasmContextInstancePointer)
-    : sizeRegister(sizeRegister)
+PinnedRegisterInfo::PinnedRegisterInfo(GPRReg boundsCheckingSizeRegister, GPRReg baseMemoryPointer, GPRReg wasmContextInstancePointer)
+    : boundsCheckingSizeRegister(boundsCheckingSizeRegister)
     , baseMemoryPointer(baseMemoryPointer)
     , wasmContextInstancePointer(wasmContextInstancePointer)

trunk/Source/JavaScriptCore/wasm/WasmMemoryInformation.h

@@ -40 +40 @@
 
 struct PinnedSizeRegisterInfo {
-    GPRReg sizeRegister;
+    GPRReg boundsCheckingSizeRegister;
     unsigned sizeOffset;
 };
@@ -57 +57 @@
             result.set(wasmContextInstancePointer);
         if (mode != MemoryMode::Signaling)
-            result.set(sizeRegister);
+            result.set(boundsCheckingSizeRegister);
         return result;
     }
 
-    GPRReg sizeRegister;
+    GPRReg boundsCheckingSizeRegister;
     GPRReg baseMemoryPointer;
     GPRReg wasmContextInstancePointer;

trunk/Source/JavaScriptCore/wasm/WasmMemoryMode.cpp

@@ -43 +43 @@
 }
 
+const char* makeString(MemorySharingMode sharingMode)
+{
+    switch (sharingMode) {
+    case MemorySharingMode::Default: return "Default";
+    case MemorySharingMode::Shared: return "Shared";
+    }
+    RELEASE_ASSERT_NOT_REACHED();
+    return "";
+}
+
 } } // namespace JSC::Wasm
 

trunk/Source/JavaScriptCore/wasm/WasmMemoryMode.h

@@ -41 +41 @@
 JS_EXPORT_PRIVATE const char* makeString(MemoryMode);
 
+enum class MemorySharingMode : uint8_t {
+    Default,
+    Shared,
+};
+
+JS_EXPORT_PRIVATE const char* makeString(MemorySharingMode);
+
 } } // namespace JSC::Wasm
 

trunk/Source/JavaScriptCore/wasm/js/JSToWasm.cpp

@@ -222 +222 @@
     if (!!info.memory) {
         GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
-        GPRReg scratchOrSize = wasmCallingConvention().prologueScratchGPRs[0];
+        GPRReg scratchOrBoundsCheckingSize = wasmCallingConvention().prologueScratchGPRs[0];
 
         if (Context::useFastTLS())
@@ -230 +230 @@
         if (isARM64E()) {
             if (mode != Wasm::MemoryMode::Signaling)
-                scratchOrSize = pinnedRegs.sizeRegister;
-            jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize);
+                scratchOrBoundsCheckingSize = pinnedRegs.boundsCheckingSizeRegister;
+            jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedBoundsCheckingSize()), scratchOrBoundsCheckingSize);
         } else {
             if (mode != Wasm::MemoryMode::Signaling)
-                jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
+                jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs.boundsCheckingSizeRegister);
         }
 
         jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize);
+        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrBoundsCheckingSize, scratchOrBoundsCheckingSize);
     }
 

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp

@@ -292 +292 @@
             RETURN_IF_EXCEPTION(throwScope, nullptr);
 
-            RefPtr<Wasm::Memory> memory = Wasm::Memory::tryCreate(moduleInformation.memory.initial(), moduleInformation.memory.maximum(),
+            RefPtr<Wasm::Memory> memory = Wasm::Memory::tryCreate(moduleInformation.memory.initial(), moduleInformation.memory.maximum(), Wasm::MemorySharingMode::Default,
                 [&vm] (Wasm::Memory::NotifyPressure) { vm.heap.collectAsync(CollectionScope::Full); },
                 [&vm] (Wasm::Memory::SyncTryToReclaim) { vm.heap.collectSync(CollectionScope::Full); },

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.cpp

@@ -33 +33 @@
 #include "ArrayBuffer.h"
 #include "JSArrayBuffer.h"
+#include "ObjectConstructor.h"
 
 namespace JSC {
@@ -73 +74 @@
 }
 
-JSArrayBuffer* JSWebAssemblyMemory::buffer(VM& vm, JSGlobalObject* globalObject)
+JSArrayBuffer* JSWebAssemblyMemory::buffer(JSGlobalObject* globalObject)
 {
-    if (m_bufferWrapper)
-        return m_bufferWrapper.get();
+    VM& vm = globalObject->vm();
+    auto throwScope = DECLARE_THROW_SCOPE(vm);
 
-    // We can't use a ref here since it doesn't have a copy constructor...
-    Ref<Wasm::Memory> protectedMemory = m_memory.get();
-    auto destructor = createSharedTask<void(void*)>([protectedMemory = WTFMove(protectedMemory)] (void*) { });
+    auto* wrapper = m_bufferWrapper.get();
+    if (wrapper) {
+        if (m_memory->sharingMode() == Wasm::MemorySharingMode::Default)
+            return wrapper;
+
+        ASSERT(m_memory->sharingMode() == Wasm::MemorySharingMode::Shared);
+        // If SharedArrayBuffer's underlying memory is not grown, we continue using cached wrapper.
+        if (wrapper->impl()->byteLength() == memory().size())
+            return wrapper;
+    }
+
+    Ref<Wasm::MemoryHandle> protectedHandle = m_memory->handle();
+    auto destructor = createSharedTask<void(void*)>([protectedHandle = WTFMove(protectedHandle)] (void*) { });
     m_buffer = ArrayBuffer::createFromBytes(memory().memory(), memory().size(), WTFMove(destructor));
     m_buffer->makeWasmMemory();
-    m_bufferWrapper.set(vm, this, JSArrayBuffer::create(vm, globalObject->arrayBufferStructure(ArrayBufferSharingMode::Default), m_buffer.get()));
+    if (m_memory->sharingMode() == Wasm::MemorySharingMode::Shared)
+        m_buffer->makeShared();
+    auto* arrayBuffer = JSArrayBuffer::create(vm, globalObject->arrayBufferStructure(m_buffer->sharingMode()), m_buffer.get());
+    if (m_memory->sharingMode() == Wasm::MemorySharingMode::Shared) {
+        objectConstructorFreeze(globalObject, arrayBuffer);
+        RETURN_IF_EXCEPTION(throwScope, { });
+    }
+    m_bufferWrapper.set(vm, this, arrayBuffer);
     RELEASE_ASSERT(m_bufferWrapper);
     return m_bufferWrapper.get();
@@ -118 +136 @@
     // We need to clear out the old array buffer because it might now be pointing to stale memory.
     if (m_buffer) {
-        m_buffer->detach(vm);
+        if (m_memory->sharingMode() == Wasm::MemorySharingMode::Default)
+            m_buffer->detach(vm);
         m_buffer = nullptr;
         m_bufferWrapper.clear();

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyMemory.h

@@ -28 +28 @@
 #if ENABLE(WEBASSEMBLY)
 
-#include "JSDestructibleObject.h"
+#include "JSObject.h"
 #include "WasmMemory.h"
 #include <wtf/Ref.h>
@@ -50 +50 @@
     }
 
-    static JSWebAssemblyMemory* tryCreate(JSGlobalObject*, VM&, Structure*);
+    JS_EXPORT_PRIVATE static JSWebAssemblyMemory* tryCreate(JSGlobalObject*, VM&, Structure*);
     static Structure* createStructure(VM&, JSGlobalObject*, JSValue);
 
     DECLARE_EXPORT_INFO;
 
-    void adopt(Ref<Wasm::Memory>&&);
+    JS_EXPORT_PRIVATE void adopt(Ref<Wasm::Memory>&&);
     Wasm::Memory& memory() { return m_memory.get(); }
-    JSArrayBuffer* buffer(VM& vm, JSGlobalObject*);
+    JSArrayBuffer* buffer(JSGlobalObject*);
     Wasm::PageCount grow(VM&, JSGlobalObject*, uint32_t delta);
-    void growSuccessCallback(VM&, Wasm::PageCount oldPageCount, Wasm::PageCount newPageCount);
+    JS_EXPORT_PRIVATE void growSuccessCallback(VM&, Wasm::PageCount oldPageCount, Wasm::PageCount newPageCount);
 
 private:

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

@@ -358 +358 @@
     if (!!moduleInformation.memory) {
         GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
-        GPRReg scratchOrSize = stackLimitGPR;
+        GPRReg scratchOrBoundsCheckingSize = stackLimitGPR;
         auto mode = instance()->memoryMode();
 
         if (isARM64E()) {
             if (mode != Wasm::MemoryMode::Signaling)
-                scratchOrSize = pinnedRegs.sizeRegister;
-            jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize);
+                scratchOrBoundsCheckingSize = pinnedRegs.boundsCheckingSizeRegister;
+            jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedBoundsCheckingSize()), scratchOrBoundsCheckingSize);
         } else {
             if (mode != Wasm::MemoryMode::Signaling)
-                jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
+                jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs.boundsCheckingSizeRegister);
         }
 
         jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize);
+        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrBoundsCheckingSize, scratchOrBoundsCheckingSize);
     }
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyMemoryConstructor.cpp

@@ -57 +57 @@
     VM& vm = globalObject->vm();
     auto throwScope = DECLARE_THROW_SCOPE(vm);
-    if (callFrame->argumentCount() != 1)
-        return JSValue::encode(throwException(globalObject, throwScope, createTypeError(globalObject, "WebAssembly.Memory expects exactly one argument"_s)));
 
     JSObject* memoryDescriptor;
@@ -103 +101 @@
     }
 
+    Wasm::MemorySharingMode sharingMode = Wasm::MemorySharingMode::Default;
+    JSValue sharedValue = memoryDescriptor->get(globalObject, Identifier::fromString(vm, "shared"));
+    RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
+    bool shared = sharedValue.toBoolean(globalObject);
+    RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
+    if (shared) {
+        if (!maximumPageCount)
+            return throwVMTypeError(globalObject, throwScope, "'maximum' page count must be defined if 'shared' is true"_s);
+        if (!Options::useSharedArrayBuffer())
+            return throwVMTypeError(globalObject, throwScope, "Shared WebAssembly.Memory and SharedArrayBuffer are not enabled"_s);
+        sharingMode = Wasm::MemorySharingMode::Shared;
+    }
+
     auto* jsMemory = JSWebAssemblyMemory::tryCreate(globalObject, vm, globalObject->webAssemblyMemoryStructure());
     RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
 
-    RefPtr<Wasm::Memory> memory = Wasm::Memory::tryCreate(initialPageCount, maximumPageCount,
+    RefPtr<Wasm::Memory> memory = Wasm::Memory::tryCreate(initialPageCount, maximumPageCount, sharingMode,
         [&vm] (Wasm::Memory::NotifyPressure) { vm.heap.collectAsync(CollectionScope::Full); },
         [&vm] (Wasm::Memory::SyncTryToReclaim) { vm.heap.collectSync(CollectionScope::Full); },

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyMemoryPrototype.cpp

@@ -94 +94 @@
     JSWebAssemblyMemory* memory = getMemory(globalObject, vm, callFrame->thisValue()); 
     RETURN_IF_EXCEPTION(throwScope, { });
-    return JSValue::encode(memory->buffer(globalObject->vm(), globalObject));
+    RELEASE_AND_RETURN(throwScope, JSValue::encode(memory->buffer(globalObject)));
 }
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp

@@ -567 +567 @@
 
     auto forEachSegment = [&] (auto fn) {
-        uint8_t* memory = reinterpret_cast<uint8_t*>(m_instance->instance().cachedMemory());
-        uint64_t sizeInBytes = m_instance->instance().cachedMemorySize();
+        auto wasmMemory = m_instance->instance().memory();
+        uint8_t* memory = reinterpret_cast<uint8_t*>(wasmMemory->memory());
+        uint64_t sizeInBytes = wasmMemory->size();
 
         for (const Wasm::Segment::Ptr& segment : data) {

trunk/Source/WTF/wtf/PlatformEnable.h

@@ -691 +691 @@
 
 #if ENABLE(WEBASSEMBLY) && HAVE(MACHINE_CONTEXT)
-#define ENABLE_WEBASSEMBLY_FAST_MEMORY 1
+#define ENABLE_WEBASSEMBLY_SIGNALING_MEMORY 1
 #endif
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-11-16  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] Implement WebAssembly.Memory with shared
+        https://bugs.webkit.org/show_bug.cgi?id=218693
+
+        Reviewed by Saam Barati.
+
+        In WebCore, we need three things.
+
+        1. Shared WebAssembly.Memory serialization/deserialization
+
+            This patch adds structure-cloning for WebAssembly.Memory to pass it to the other workers. Cloning is available
+            only when the WebAssembly.Memory is shared mode. And it is only available when we are using it in postMessage.
+            So we cannot store WebAssembly.Memory in IndexedDB.
+
+        2. WebCoreTypedArrayController::isAtomicsWaitAllowedOnCurrentThread
+
+            Atomics.wait is usable only in Workers, and *not* usable in Service Workers. When creating VM, we pass WorkerThreadType
+            and make WebCoreTypedArrayController::isAtomicsWaitAllowedOnCurrentThread return appropriate value.
+
+        3. [AllowShared] support for WPT
+
+            WPT tests for this are broken, and tests are saying "PASS" while the feature is not implemented at all.
+            Now, the feature is actually implemented, and WPT tests start showing that [AllowShared] annotation in IDL
+            is not implemented. [AllowShared] is that, usually, DOM does not accept TypedArray originated from SharedArrayBuffer.
+            e.g. encodeInto(..., Uint8Array) DOM IDL throws an error if Uint8Array is backed by SharedArrayBuffer.
+            But in the limited places, we are explicitly allowing this. This is [AllowShared] annotation.
+            This patch implements that so that we keep passing TextEncoder / TextDecoder tests.
+
+        * Headers.cmake:
+        * Modules/indexeddb/server/IDBSerializationContext.cpp:
+        (WebCore::IDBServer::IDBSerializationContext::initializeVM):
+        * WebCore.xcodeproj/project.pbxproj:
+        * bindings/IDLTypes.h:
+        * bindings/js/CommonVM.cpp:
+        (WebCore::commonVMSlow):
+        * bindings/js/JSDOMConvertBufferSource.h:
+        (WebCore::Detail::BufferSourceConverter::convert):
+        (WebCore::Converter<IDLArrayBuffer>::convert):
+        (WebCore::Converter<IDLDataView>::convert):
+        (WebCore::Converter<IDLInt8Array>::convert):
+        (WebCore::Converter<IDLInt16Array>::convert):
+        (WebCore::Converter<IDLInt32Array>::convert):
+        (WebCore::Converter<IDLUint8Array>::convert):
+        (WebCore::Converter<IDLUint16Array>::convert):
+        (WebCore::Converter<IDLUint32Array>::convert):
+        (WebCore::Converter<IDLUint8ClampedArray>::convert):
+        (WebCore::Converter<IDLFloat32Array>::convert):
+        (WebCore::Converter<IDLFloat64Array>::convert):
+        (WebCore::Converter<IDLArrayBufferView>::convert):
+        (WebCore::Converter<IDLAllowSharedAdaptor<T>>::convert):
+        * bindings/js/JSDOMConvertUnion.h:
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneSerializer::serialize):
+        (WebCore::CloneSerializer::CloneSerializer):
+        (WebCore::CloneSerializer::dumpIfTerminal):
+        (WebCore::CloneDeserializer::deserialize):
+        (WebCore::CloneDeserializer::CloneDeserializer):
+        (WebCore::CloneDeserializer::readTerminal):
+        (WebCore::SerializedScriptValue::SerializedScriptValue):
+        (WebCore::SerializedScriptValue::computeMemoryCost const):
+        (WebCore::SerializedScriptValue::create):
+        (WebCore::SerializedScriptValue::deserialize):
+        * bindings/js/SerializedScriptValue.h:
+        * bindings/js/WebCoreJSClientData.cpp:
+        (WebCore::JSVMClientData::initNormalWorld):
+        * bindings/js/WebCoreJSClientData.h:
+        * bindings/js/WebCoreTypedArrayController.cpp:
+        (WebCore::WebCoreTypedArrayController::WebCoreTypedArrayController):
+        (WebCore::WebCoreTypedArrayController::isAtomicsWaitAllowedOnCurrentThread):
+        * bindings/js/WebCoreTypedArrayController.h:
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (IsAnnotatedType):
+        (GetAnnotatedIDLType):
+        * bindings/scripts/IDLAttributes.json:
+        * bindings/scripts/test/JS/JSTestObj.cpp:
+        (WebCore::JSTestObjDOMConstructor::construct):
+        (WebCore::jsTestObjPrototypeFunction_encodeIntoBody):
+        (WebCore::JSC_DEFINE_HOST_FUNCTION):
+        * bindings/scripts/test/TestObj.idl:
+        * dom/TextDecoder.idl:
+        * dom/TextDecoderStreamDecoder.idl:
+        * dom/TextEncoder.idl:
+        * workers/DedicatedWorkerGlobalScope.cpp:
+        (WebCore::DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope):
+        * workers/WorkerGlobalScope.cpp:
+        (WebCore::WorkerGlobalScope::WorkerGlobalScope):
+        * workers/WorkerGlobalScope.h:
+        * workers/WorkerOrWorkletGlobalScope.cpp:
+        (WebCore::WorkerOrWorkletGlobalScope::WorkerOrWorkletGlobalScope):
+        * workers/WorkerOrWorkletGlobalScope.h:
+        * workers/WorkerOrWorkletScriptController.cpp:
+        (WebCore::WorkerOrWorkletScriptController::WorkerOrWorkletScriptController):
+        * workers/WorkerOrWorkletScriptController.h:
+        * workers/WorkerThreadType.h: Added.
+        * workers/service/ServiceWorkerGlobalScope.cpp:
+        (WebCore::ServiceWorkerGlobalScope::ServiceWorkerGlobalScope):
+        * worklets/WorkletGlobalScope.cpp:
+        (WebCore::WorkletGlobalScope::WorkletGlobalScope):
+
 2020-11-17  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/WebCore/Headers.cmake

@@ -1577 +1577 @@
     workers/WorkerScriptLoaderClient.h
     workers/WorkerThread.h
+    workers/WorkerThreadType.h
     workers/WorkerType.h
 

trunk/Source/WebCore/Modules/indexeddb/server/IDBSerializationContext.cpp

@@ -80 +80 @@
     m_vm = JSC::VM::create();
     m_vm->heap.acquireAccess();
-    JSVMClientData::initNormalWorld(m_vm.get());
+    JSVMClientData::initNormalWorld(m_vm.get(), WorkerThreadType::Worklet);
 
     JSC::JSLockHolder locker(m_vm.get());

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -5027 +5027 @@
                 E3A776671DC85D2800B690D8 /* DOMJITIDLConvert.h in Headers */ = {isa = PBXBuildFile; fileRef = E3A776651DC85D2200B690D8 /* DOMJITIDLConvert.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 E3A776681DC85D2800B690D8 /* DOMJITIDLType.h in Headers */ = {isa = PBXBuildFile; fileRef = E3A776661DC85D2200B690D8 /* DOMJITIDLType.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                E3AFD7AD255F50EB00E5E30E /* WorkerThreadType.h in Headers */ = {isa = PBXBuildFile; fileRef = E3AFD7AB255F50DC00E5E30E /* WorkerThreadType.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 E3B2F0ED1D7F4CA300B0C9D1 /* LoadableScript.h in Headers */ = {isa = PBXBuildFile; fileRef = E3B2F0E71D7F35EC00B0C9D1 /* LoadableScript.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 E3B2F0EE1D7F4CA900B0C9D1 /* LoadableScriptClient.h in Headers */ = {isa = PBXBuildFile; fileRef = E3B2F0E81D7F35EC00B0C9D1 /* LoadableScriptClient.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -16072 +16073 @@
                 E3AE6CD12252F27000C70B50 /* AllDescendantsCollection.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = AllDescendantsCollection.cpp; sourceTree = "<group>"; };
                 E3AFA9641DA6E908002861BD /* JSNodeDOMJIT.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSNodeDOMJIT.cpp; sourceTree = "<group>"; };
+                E3AFD7AB255F50DC00E5E30E /* WorkerThreadType.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = WorkerThreadType.h; sourceTree = "<group>"; };
                 E3B2F0E31D7F35EC00B0C9D1 /* LoadableClassicScript.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LoadableClassicScript.cpp; sourceTree = "<group>"; };
                 E3B2F0E41D7F35EC00B0C9D1 /* LoadableClassicScript.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LoadableClassicScript.h; sourceTree = "<group>"; };
@@ -19048 +19050 @@
                                 2E4346420F546A8200B0F1BA /* WorkerThread.cpp */,
                                 2E4346430F546A8200B0F1BA /* WorkerThread.h */,
+                                E3AFD7AB255F50DC00E5E30E /* WorkerThreadType.h */,
                                 51F174FC1F35898800C74950 /* WorkerType.h */,
                                 51F174FA1F3588D700C74950 /* WorkerType.idl */,
@@ -35196 +35199 @@
                                 0B9056F90F2685F30095FF6A /* WorkerThreadableLoader.h in Headers */,
                                 97AABD2D14FA09D5007457AE /* WorkerThreadableWebSocketChannel.h in Headers */,
+                                E3AFD7AD255F50EB00E5E30E /* WorkerThreadType.h in Headers */,
                                 A54A0C681DB807D90017A90B /* WorkerToPageFrontendChannel.h in Headers */,
                                 51F174FE1F35899200C74950 /* WorkerType.h in Headers */,

trunk/Source/WebCore/bindings/IDLTypes.h

@@ -152 +152 @@
 };
 
+template<typename T> struct IDLAllowSharedAdaptor : T {
+    using InnerType = T;
+};
+
 struct IDLObject : IDLType<JSC::Strong<JSC::JSObject>> {
     using NullableType = JSC::Strong<JSC::JSObject>;
@@ -324 +328 @@
 struct IsIDLTypedArray : public std::integral_constant<bool, WTF::IsBaseOfTemplate<IDLTypedArray, T>::value> { };
 
+template<typename T>
+struct IsIDLArrayBuffer : public std::integral_constant<bool, std::is_base_of<IDLArrayBuffer, T>::value> { };
+
+template<typename T>
+struct IsIDLArrayBufferView : public std::integral_constant<bool, std::is_base_of<IDLArrayBufferView, T>::value> { };
+
+template<typename T>
+struct IsIDLArrayBufferAllowShared : public std::integral_constant<bool, std::is_base_of<IDLAllowSharedAdaptor<IDLArrayBuffer>, T>::value> { };
+
+template<typename T>
+struct IsIDLArrayBufferViewAllowShared : public std::integral_constant<bool, std::is_base_of<IDLAllowSharedAdaptor<IDLArrayBufferView>, T>::value> { };
+
+
 } // namespace WebCore

trunk/Source/WebCore/bindings/js/CommonVM.cpp

@@ -89 +89 @@
     vm.setGlobalConstRedeclarationShouldThrow(globalConstRedeclarationShouldThrow());
 
-    JSVMClientData::initNormalWorld(&vm);
+    JSVMClientData::initNormalWorld(&vm, WorkerThreadType::Main);
 
     return vm;

trunk/Source/WebCore/bindings/js/JSDOMConvertBufferSource.h

@@ -110 +110 @@
 namespace Detail {
 
-template<typename BufferSourceType>
+enum class BufferSourceConverterAllowSharedMode { Allow, Disallow };
+template<typename BufferSourceType, BufferSourceConverterAllowSharedMode mode>
 struct BufferSourceConverter {
     using WrapperType = typename Converter<BufferSourceType>::WrapperType;
@@ -120 +121 @@
         auto& vm = JSC::getVM(&lexicalGlobalObject);
         auto scope = DECLARE_THROW_SCOPE(vm);
-        ReturnType object = WrapperType::toWrapped(vm, value);
+        ReturnType object { };
+        if constexpr (mode == BufferSourceConverterAllowSharedMode::Allow)
+            object = WrapperType::toWrappedAllowShared(vm, value);
+        else
+            object = WrapperType::toWrapped(vm, value);
         if (UNLIKELY(!object))
             exceptionThrower(lexicalGlobalObject, scope);
@@ -136 +141 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLArrayBuffer>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLArrayBuffer, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -158 +163 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLDataView>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLDataView, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -180 +185 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLInt8Array>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLInt8Array, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -202 +207 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLInt16Array>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLInt16Array, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -224 +229 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLInt32Array>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLInt32Array, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -246 +251 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLUint8Array>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLUint8Array, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -274 +279 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLUint16Array>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLUint16Array, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -296 +301 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLUint32Array>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLUint32Array, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -318 +323 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLUint8ClampedArray>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLUint8ClampedArray, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -340 +345 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLFloat32Array>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLFloat32Array, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -362 +367 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLFloat64Array>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLFloat64Array, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -384 +389 @@
     static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
     {
-        return Detail::BufferSourceConverter<IDLArrayBufferView>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+        return Detail::BufferSourceConverter<IDLArrayBufferView, Detail::BufferSourceConverterAllowSharedMode::Disallow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
     }
 };
@@ -399 +404 @@
 };
 
+template<typename T>
+struct Converter<IDLAllowSharedAdaptor<T>> : DefaultConverter<T> {
+    using ConverterType = Converter<T>;
+    using WrapperType = typename ConverterType::WrapperType;
+    using ReturnType = typename ConverterType::ReturnType;
+
+    template<typename ExceptionThrower = DefaultExceptionThrower>
+    static ReturnType convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value, ExceptionThrower&& exceptionThrower = ExceptionThrower())
+    {
+        return Detail::BufferSourceConverter<T, Detail::BufferSourceConverterAllowSharedMode::Allow>::convert(lexicalGlobalObject, value, std::forward<ExceptionThrower>(exceptionThrower));
+    }
+};
+
 } // namespace WebCore

trunk/Source/WebCore/bindings/js/JSDOMConvertUnion.h

@@ -226 +226 @@
         //     1. If types includes ArrayBuffer, then return the result of converting V to ArrayBuffer.
         //     2. If types includes object, then return the IDL value that is a reference to the object V.
-        constexpr bool hasArrayBufferType = brigand::any<TypeList, std::is_same<IDLArrayBuffer, brigand::_1>>::value;
+        constexpr bool hasArrayBufferType = brigand::any<TypeList, IsIDLArrayBuffer<brigand::_1>>::value;
         if (hasArrayBufferType || hasObjectType) {
-            auto arrayBuffer = JSC::JSArrayBuffer::toWrapped(vm, value);
+            auto arrayBuffer = (brigand::any<TypeList, IsIDLArrayBufferAllowShared<brigand::_1>>::value) ? JSC::JSArrayBuffer::toWrappedAllowShared(vm, value) : JSC::JSArrayBuffer::toWrapped(vm, value);
             if (arrayBuffer) {
                 if (hasArrayBufferType)
@@ -236 +236 @@
         }
 
-        constexpr bool hasArrayBufferViewType = brigand::any<TypeList, std::is_same<IDLArrayBufferView, brigand::_1>>::value;
+        constexpr bool hasArrayBufferViewType = brigand::any<TypeList, IsIDLArrayBufferView<brigand::_1>>::value;
         if (hasArrayBufferViewType || hasObjectType) {
-            auto arrayBufferView = JSC::JSArrayBufferView::toWrapped(vm, value);
+            auto arrayBufferView = (brigand::any<TypeList, IsIDLArrayBufferViewAllowShared<brigand::_1>>::value) ? JSC::JSArrayBufferView::toWrappedAllowShared(vm, value) : JSC::JSArrayBufferView::toWrapped(vm, value);
             if (arrayBufferView) {
                 if (hasArrayBufferViewType)
@@ -406 +406 @@
 };
 
+// BufferSource specialization. In WebKit, BufferSource is defined as IDLUnion<IDLArrayBufferView, IDLArrayBuffer> as a hack, and it is not compatible to
+// annotation described in WebIDL.
+template<> struct Converter<IDLAllowSharedAdaptor<IDLUnion<IDLArrayBufferView, IDLArrayBuffer>>> : DefaultConverter<IDLUnion<IDLArrayBufferView, IDLArrayBuffer>> {
+    static auto convert(JSC::JSGlobalObject& lexicalGlobalObject, JSC::JSValue value) -> decltype(auto)
+    {
+        return Converter<IDLUnion<IDLAllowSharedAdaptor<IDLArrayBufferView>, IDLAllowSharedAdaptor<IDLArrayBuffer>>>::convert(lexicalGlobalObject, value);
+    }
+};
+
 } // namespace WebCore

trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp

@@ -76 +76 @@
 #include <JavaScriptCore/JSSetIterator.h>
 #include <JavaScriptCore/JSTypedArrays.h>
+#include <JavaScriptCore/JSWebAssemblyMemory.h>
 #include <JavaScriptCore/JSWebAssemblyModule.h>
 #include <JavaScriptCore/ObjectConstructor.h>
@@ -183 +184 @@
     BigIntTag = 47,
     BigIntObjectTag = 48,
+#if ENABLE(WEBASSEMBLY)
+    WasmMemoryTag = 49,
+#endif
     ErrorTag = 255
 };
@@ -358 +362 @@
  *    | ArrayBuffer
  *    | ArrayBufferViewTag ArrayBufferViewSubtag <byteOffset:uint32_t> <byteLength:uint32_t> (ArrayBuffer | ObjectReference)
- *    | ArrayBufferTransferTag <value:uint32_t>
  *    | CryptoKeyTag <wrappedKeyLength:uint32_t> <factor:byte{wrappedKeyLength}>
  *    | DOMPoint
@@ -368 +371 @@
  *    | ImageBitmapTag <originClean:uint8_t> <logicalWidth:int32_t> <logicalHeight:int32_t> <resolutionScale:double> <byteLength:uint32_t>(<imageByteData:uint8_t>)
  *    | OffscreenCanvasTransferTag <value:uint32_t>
+ *    | WasmMemoryTag <value:uint32_t>
  *
  * Inside certificate, data is serialized in this format as per spec:
@@ -420 +424 @@
  * ArrayBuffer :-
  *    ArrayBufferTag <length:uint32_t> <contents:byte{length}>
+ *    ArrayBufferTransferTag <value:uint32_t>
+ *    SharedArrayBufferTag <value:uint32_t>
  *
  * CryptoKeyHMAC :-
@@ -577 +583 @@
 #if ENABLE(WEBASSEMBLY)
             WasmModuleArray& wasmModules,
+            WasmMemoryHandleArray& wasmMemoryHandles,
 #endif
         Vector<String>& blobURLs, Vector<uint8_t>& out, SerializationContext context, ArrayBufferContentsArray& sharedBuffers)
@@ -586 +593 @@
 #if ENABLE(WEBASSEMBLY)
             wasmModules,
+            wasmMemoryHandles,
 #endif
             blobURLs, out, context, sharedBuffers);
@@ -616 +624 @@
 #if ENABLE(WEBASSEMBLY)
             WasmModuleArray& wasmModules,
+            WasmMemoryHandleArray& wasmMemoryHandles,
 #endif
         Vector<String>& blobURLs, Vector<uint8_t>& out, SerializationContext context, ArrayBufferContentsArray& sharedBuffers)
@@ -626 +635 @@
 #if ENABLE(WEBASSEMBLY)
         , m_wasmModules(wasmModules)
+        , m_wasmMemoryHandles(wasmMemoryHandles)
 #endif
     {
@@ -1231 +1241 @@
 #if ENABLE(WEBASSEMBLY)
                 WasmModuleArray dummyModules;
+                WasmMemoryHandleArray dummyMemoryHandles;
 #endif
                 ArrayBufferContentsArray dummySharedBuffers;
@@ -1239 +1250 @@
 #if ENABLE(WEBASSEMBLY)
                     dummyModules,
+                    dummyMemoryHandles,
 #endif
                     dummyBlobURLs, serializedKey, SerializationContext::Default, dummySharedBuffers);
@@ -1272 +1284 @@
                 m_wasmModules.append(makeRef(module->module()));
                 write(WasmModuleTag);
+                write(index);
+                return true;
+            }
+            if (JSWebAssemblyMemory* memory = jsDynamicCast<JSWebAssemblyMemory*>(vm, obj)) {
+                if (memory->memory().sharingMode() != JSC::Wasm::MemorySharingMode::Shared) {
+                    code = SerializationReturnCode::DataCloneError;
+                    return true;
+                }
+                if (m_context != SerializationContext::WorkerPostMessage) {
+                    code = SerializationReturnCode::DataCloneError;
+                    return true;
+                }
+                uint32_t index = m_wasmMemoryHandles.size();
+                m_wasmMemoryHandles.append(makeRef(memory->memory().handle()));
+                write(WasmMemoryTag);
                 write(index);
                 return true;
@@ -1659 +1686 @@
 #if ENABLE(WEBASSEMBLY)
     WasmModuleArray& m_wasmModules;
+    WasmMemoryHandleArray& m_wasmMemoryHandles;
 #endif
 };
@@ -1938 +1966 @@
 #if ENABLE(WEBASSEMBLY)
         , WasmModuleArray* wasmModules
+        , WasmMemoryHandleArray* wasmMemoryHandles
 #endif
         )
@@ -1949 +1978 @@
 #if ENABLE(WEBASSEMBLY)
             , wasmModules
+            , wasmMemoryHandles
 #endif
             );
@@ -2002 +2032 @@
 #if ENABLE(WEBASSEMBLY)
         , WasmModuleArray* wasmModules = nullptr
+        , WasmMemoryHandleArray* wasmMemoryHandles = nullptr
 #endif
         )
@@ -2022 +2053 @@
 #if ENABLE(WEBASSEMBLY)
         , m_wasmModules(wasmModules)
+        , m_wasmMemoryHandles(wasmMemoryHandles)
 #endif
     {
@@ -2034 +2066 @@
 #if ENABLE(WEBASSEMBLY)
         , WasmModuleArray* wasmModules
+        , WasmMemoryHandleArray* wasmMemoryHandles
 #endif
         )
@@ -2057 +2090 @@
 #if ENABLE(WEBASSEMBLY)
         , m_wasmModules(wasmModules)
+        , m_wasmMemoryHandles(wasmMemoryHandles)
 #endif
     {
@@ -3300 +3334 @@
             return result;
         }
+        case WasmMemoryTag: {
+            uint32_t index;
+            bool indexSuccessfullyRead = read(index);
+            if (!indexSuccessfullyRead || !m_wasmMemoryHandles || index >= m_wasmMemoryHandles->size()) {
+                fail();
+                return JSValue();
+            }
+            RefPtr<Wasm::MemoryHandle> handle = m_wasmMemoryHandles->at(index);
+            if (!handle) {
+                fail();
+                return JSValue();
+            }
+            auto& vm = m_lexicalGlobalObject->vm();
+            auto scope = DECLARE_THROW_SCOPE(vm);
+            JSWebAssemblyMemory* result = JSC::JSWebAssemblyMemory::tryCreate(m_lexicalGlobalObject, vm, m_globalObject->webAssemblyMemoryStructure());
+            // Since we are cloning a JSWebAssemblyMemory, it's impossible for that
+            // module to not have been a valid module. Therefore, createStub should
+            // not trow.
+            scope.releaseAssertNoException();
+            Ref<Wasm::Memory> memory = Wasm::Memory::create(handle.releaseNonNull(),
+                [&vm] (Wasm::Memory::NotifyPressure) { vm.heap.collectAsync(CollectionScope::Full); },
+                [&vm] (Wasm::Memory::SyncTryToReclaim) { vm.heap.collectSync(CollectionScope::Full); },
+                [&vm, result] (Wasm::Memory::GrowSuccess, Wasm::PageCount oldPageCount, Wasm::PageCount newPageCount) { result->growSuccessCallback(vm, oldPageCount, newPageCount); });
+            result->adopt(WTFMove(memory));
+            m_gcBuffer.appendWithCrashOnOverflow(result);
+            return result;
+        }
 #endif
         case ArrayBufferTag: {
@@ -3440 +3501 @@
 #if ENABLE(WEBASSEMBLY)
     WasmModuleArray* m_wasmModules;
+    WasmMemoryHandleArray* m_wasmMemoryHandles;
 #endif
 
@@ -3662 +3724 @@
 #if ENABLE(WEBASSEMBLY)
         , std::unique_ptr<WasmModuleArray> wasmModulesArray
+        , std::unique_ptr<WasmMemoryHandleArray> wasmMemoryHandlesArray
 #endif
         )
@@ -3673 +3736 @@
 #if ENABLE(WEBASSEMBLY)
     , m_wasmModulesArray(WTFMove(wasmModulesArray))
+    , m_wasmMemoryHandlesArray(WTFMove(wasmMemoryHandlesArray))
 #endif
 {
@@ -3711 +3775 @@
 #if ENABLE(WEBASSEMBLY)
     // We are not supporting WebAssembly Module memory estimation yet.
+    if (m_wasmMemoryHandlesArray) {
+        for (auto& content : *m_wasmMemoryHandlesArray)
+            cost += content->size();
+    }
 #endif
 
@@ -3801 +3869 @@
 #if ENABLE(WEBASSEMBLY)
     WasmModuleArray dummyModules;
+    WasmMemoryHandleArray dummyMemoryHandles;
 #endif
     ArrayBufferContentsArray dummySharedBuffers;
@@ -3809 +3878 @@
 #if ENABLE(WEBASSEMBLY)
         dummyModules,
+        dummyMemoryHandles,
 #endif
         blobURLs, buffer, SerializationContext::Default, dummySharedBuffers);
@@ -3814 +3884 @@
 #if ENABLE(WEBASSEMBLY)
     ASSERT_WITH_MESSAGE(dummyModules.isEmpty(), "Wasm::Module serialization is only allowed in the postMessage context");
+    ASSERT_WITH_MESSAGE(dummyMemoryHandles.isEmpty(), "Wasm::Memory serialization is only allowed in the postMessage context");
 #endif
 
@@ -3860 +3931 @@
     for (auto& transferable : transferList) {
         if (auto arrayBuffer = toPossiblySharedArrayBuffer(vm, transferable.get())) {
-            if (arrayBuffer->isDetached())
+            if (arrayBuffer->isDetached() || arrayBuffer->isShared())
                 return Exception { DataCloneError };
             if (arrayBuffer->isLocked()) {
@@ -3905 +3976 @@
 #if ENABLE(WEBASSEMBLY)
     WasmModuleArray wasmModules;
+    WasmMemoryHandleArray wasmMemoryHandles;
 #endif
     std::unique_ptr<ArrayBufferContentsArray> sharedBuffers = makeUnique<ArrayBufferContentsArray>();
@@ -3912 +3984 @@
 #endif
 #if ENABLE(WEBASSEMBLY)
-        wasmModules, 
+        wasmModules,
+        wasmMemoryHandles,
 #endif
         blobURLs, buffer, context, *sharedBuffers);
@@ -3937 +4010 @@
 #if ENABLE(WEBASSEMBLY)
                 , makeUnique<WasmModuleArray>(wasmModules)
+                , context == SerializationContext::WorkerPostMessage ? makeUnique<WasmMemoryHandleArray>(wasmMemoryHandles) : nullptr
 #endif
                 ));
@@ -3994 +4068 @@
 #if ENABLE(WEBASSEMBLY)
         , m_wasmModulesArray.get()
+        , m_wasmMemoryHandlesArray.get()
 #endif
         );

trunk/Source/WebCore/bindings/js/SerializedScriptValue.h

@@ -42 +42 @@
 namespace JSC { namespace Wasm {
 class Module;
+class MemoryHandle;
 } }
 #endif
@@ -62 +63 @@
 #if ENABLE(WEBASSEMBLY)
 using WasmModuleArray = Vector<RefPtr<JSC::Wasm::Module>>;
+using WasmMemoryHandleArray = Vector<RefPtr<JSC::Wasm::MemoryHandle>>;
 #endif
 
@@ -123 +125 @@
 #if ENABLE(WEBASSEMBLY)
         , std::unique_ptr<WasmModuleArray> = nullptr
+        , std::unique_ptr<WasmMemoryHandleArray> = nullptr
 #endif
         );
@@ -137 +140 @@
 #if ENABLE(WEBASSEMBLY)
     std::unique_ptr<WasmModuleArray> m_wasmModulesArray;
+    std::unique_ptr<WasmMemoryHandleArray> m_wasmMemoryHandlesArray;
 #endif
     Vector<String> m_blobURLs;

trunk/Source/WebCore/bindings/js/WebCoreJSClientData.cpp

@@ -137 +137 @@
 }
 
-void JSVMClientData::initNormalWorld(VM* vm)
+void JSVMClientData::initNormalWorld(VM* vm, WorkerThreadType type)
 {
     JSVMClientData* clientData = new JSVMClientData(*vm);
@@ -145 +145 @@
 
     clientData->m_normalWorld = DOMWrapperWorld::create(*vm, DOMWrapperWorld::Type::Normal);
-    vm->m_typedArrayController = adoptRef(new WebCoreTypedArrayController());
+    vm->m_typedArrayController = adoptRef(new WebCoreTypedArrayController(type == WorkerThreadType::DedicatedWorker || type == WorkerThreadType::Worklet));
 }
 

trunk/Source/WebCore/bindings/js/WebCoreJSClientData.h

@@ -25 +25 @@
 #include "WebCoreBuiltinNames.h"
 #include "WebCoreJSBuiltins.h"
+#include "WorkerThreadType.h"
 #include <wtf/HashSet.h>
 #include <wtf/RefPtr.h>
@@ -41 +42 @@
     virtual ~JSVMClientData();
     
-    WEBCORE_EXPORT static void initNormalWorld(JSC::VM*);
+    WEBCORE_EXPORT static void initNormalWorld(JSC::VM*, WorkerThreadType);
 
     DOMWrapperWorld& normalWorld() { return *m_normalWorld; }

trunk/Source/WebCore/bindings/js/WebCoreTypedArrayController.cpp

@@ -35 +35 @@
 namespace WebCore {
 
-WebCoreTypedArrayController::WebCoreTypedArrayController() = default;
+WebCoreTypedArrayController::WebCoreTypedArrayController(bool allowAtomicsWait)
+    : m_allowAtomicsWait(allowAtomicsWait)
+{
+}
 
 WebCoreTypedArrayController::~WebCoreTypedArrayController() = default;
@@ -51 +54 @@
 bool WebCoreTypedArrayController::isAtomicsWaitAllowedOnCurrentThread()
 {
-    return !isMainThread();
+    return m_allowAtomicsWait;
 }
 

trunk/Source/WebCore/bindings/js/WebCoreTypedArrayController.h

@@ -37 +37 @@
 class WebCoreTypedArrayController : public JSC::TypedArrayController {
 public:
-    WebCoreTypedArrayController();
+    WebCoreTypedArrayController(bool allowAtomicsWait);
     virtual ~WebCoreTypedArrayController();
     
@@ -54 +54 @@
 
     JSArrayBufferOwner m_owner;
+    bool m_allowAtomicsWait;
 };
 

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -7000 +7000 @@
     return 1 if $type->extendedAttributes->{AtomString};
     return 1 if $type->extendedAttributes->{RequiresExistingAtomString};
+    return 1 if $type->extendedAttributes->{AllowShared};
 }
 
@@ -7011 +7012 @@
     return "IDLAtomStringAdaptor" if $type->extendedAttributes->{AtomString};
     return "IDLRequiresExistingAtomStringAdaptor" if $type->extendedAttributes->{RequiresExistingAtomString};
+    return "IDLAllowSharedAdaptor" if $type->extendedAttributes->{AllowShared};
 }
 

trunk/Source/WebCore/bindings/scripts/IDLAttributes.json

@@ -25 +25 @@
             "standard": {
                 "url": "https://heycam.github.io/webidl/#AllowShared"
-            },
-            "unsupported": true
+            }
         },
         "AppleCopyright": {

trunk/Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp

@@ -1603 +1603 @@
 static JSC_DECLARE_HOST_FUNCTION(jsTestObjPrototypeFunction_double_leading_underscore_function);
 static JSC_DECLARE_HOST_FUNCTION(jsTestObjPrototypeFunction_trailing_underscore_function_);
+static JSC_DECLARE_HOST_FUNCTION(jsTestObjPrototypeFunction_encodeInto);
 static JSC_DECLARE_HOST_FUNCTION(jsTestObjPrototypeFunction_toString);
 
@@ -2334 +2335 @@
     { "_double_leading_underscore_function", static_cast<unsigned>(JSC::PropertyAttribute::Function), NoIntrinsic, { (intptr_t)static_cast<RawNativeFunction>(jsTestObjPrototypeFunction_double_leading_underscore_function), (intptr_t) (0) } },
     { "trailing_underscore_function_", static_cast<unsigned>(JSC::PropertyAttribute::Function), NoIntrinsic, { (intptr_t)static_cast<RawNativeFunction>(jsTestObjPrototypeFunction_trailing_underscore_function_), (intptr_t) (0) } },
+    { "encodeInto", static_cast<unsigned>(JSC::PropertyAttribute::Function), NoIntrinsic, { (intptr_t)static_cast<RawNativeFunction>(jsTestObjPrototypeFunction_encodeInto), (intptr_t) (1) } },
     { "toString", static_cast<unsigned>(JSC::PropertyAttribute::Function), NoIntrinsic, { (intptr_t)static_cast<RawNativeFunction>(jsTestObjPrototypeFunction_toString), (intptr_t) (0) } },
 #if ENABLE(Condition1)
@@ -9498 +9500 @@
 }
 
+static inline JSC::EncodedJSValue jsTestObjPrototypeFunction_encodeIntoBody(JSC::JSGlobalObject* lexicalGlobalObject, JSC::CallFrame* callFrame, typename IDLOperation<JSTestObj>::ClassParameter castedThis)
+{
+    auto& vm = JSC::getVM(lexicalGlobalObject);
+    auto throwScope = DECLARE_THROW_SCOPE(vm);
+    UNUSED_PARAM(throwScope);
+    UNUSED_PARAM(callFrame);
+    auto& impl = castedThis->wrapped();
+    if (UNLIKELY(callFrame->argumentCount() < 1))
+        return throwVMError(lexicalGlobalObject, throwScope, createNotEnoughArgumentsError(lexicalGlobalObject));
+    EnsureStillAliveScope argument0 = callFrame->uncheckedArgument(0);
+    auto destination = convert<IDLAllowSharedAdaptor<IDLUint8Array>>(*lexicalGlobalObject, argument0.value(), [](JSC::JSGlobalObject& lexicalGlobalObject, JSC::ThrowScope& scope) { throwArgumentTypeError(lexicalGlobalObject, scope, 0, "destination", "TestObject", "encodeInto", "Uint8Array"); });
+    RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
+    RELEASE_AND_RETURN(throwScope, JSValue::encode(toJS<IDLBoolean>(impl.encodeInto(destination.releaseNonNull()))));
+}
+
+JSC_DEFINE_HOST_FUNCTION(jsTestObjPrototypeFunction_encodeInto, (JSGlobalObject* lexicalGlobalObject, CallFrame* callFrame))
+{
+    return IDLOperation<JSTestObj>::call<jsTestObjPrototypeFunction_encodeIntoBody>(*lexicalGlobalObject, *callFrame, "encodeInto");
+}
+
 static inline JSC::EncodedJSValue jsTestObjPrototypeFunction_toStringBody(JSC::JSGlobalObject* lexicalGlobalObject, JSC::CallFrame* callFrame, typename IDLOperation<JSTestObj>::ClassParameter castedThis)
 {

trunk/Source/WebCore/bindings/scripts/test/TestObj.idl

@@ -468 +468 @@
     undefined __double_leading_underscore_function(); // NOTE: WebIDL removes the leading underscore so this is interpreted as "_double_leading_underscore_function"
     undefined trailing_underscore_function_();
+
+    boolean encodeInto([AllowShared] Uint8Array destination);
 };
 

trunk/Source/WebCore/dom/TextDecoder.idl

@@ -42 +42 @@
     readonly attribute boolean fatal;
     readonly attribute boolean ignoreBOM;
-    [MayThrowException] USVString decode(optional BufferSource? input, optional TextDecodeOptions options);
+    [MayThrowException] USVString decode(optional [AllowShared] BufferSource? input, optional TextDecodeOptions options);
 };

trunk/Source/WebCore/dom/TextDecoderStreamDecoder.idl

@@ -33 +33 @@
 
     [PrivateIdentifier] DOMString encoding();
-    [PrivateIdentifier, MayThrowException] DOMString decode(BufferSource source);
+    [PrivateIdentifier, MayThrowException] DOMString decode([AllowShared] BufferSource source);
     [PrivateIdentifier, MayThrowException] DOMString flush();
 };

trunk/Source/WebCore/dom/TextEncoder.idl

@@ -40 +40 @@
 
     [NewObject] Uint8Array encode(optional USVString input = "");
-    TextEncoderEncodeIntoResult encodeInto(USVString source, Uint8Array destination);
+    TextEncoderEncodeIntoResult encodeInto(USVString source, [AllowShared] Uint8Array destination);
 };

trunk/Source/WebCore/workers/DedicatedWorkerGlobalScope.cpp

@@ -58 +58 @@
 
 DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope(const WorkerParameters& params, Ref<SecurityOrigin>&& origin, DedicatedWorkerThread& thread, Ref<SecurityOrigin>&& topOrigin, IDBClient::IDBConnectionProxy* connectionProxy, SocketProvider* socketProvider)
-    : WorkerGlobalScope(params, WTFMove(origin), thread, WTFMove(topOrigin), connectionProxy, socketProvider)
+    : WorkerGlobalScope(WorkerThreadType::DedicatedWorker, params, WTFMove(origin), thread, WTFMove(topOrigin), connectionProxy, socketProvider)
     , m_name(params.name)
 {

trunk/Source/WebCore/workers/WorkerGlobalScope.cpp

@@ -60 +60 @@
 WTF_MAKE_ISO_ALLOCATED_IMPL(WorkerGlobalScope);
 
-WorkerGlobalScope::WorkerGlobalScope(const WorkerParameters& params, Ref<SecurityOrigin>&& origin, WorkerThread& thread, Ref<SecurityOrigin>&& topOrigin, IDBClient::IDBConnectionProxy* connectionProxy, SocketProvider* socketProvider)
-    : WorkerOrWorkletGlobalScope(JSC::VM::create(), &thread)
+WorkerGlobalScope::WorkerGlobalScope(WorkerThreadType type, const WorkerParameters& params, Ref<SecurityOrigin>&& origin, WorkerThread& thread, Ref<SecurityOrigin>&& topOrigin, IDBClient::IDBConnectionProxy* connectionProxy, SocketProvider* socketProvider)
+    : WorkerOrWorkletGlobalScope(type, JSC::VM::create(), &thread)
     , m_url(params.scriptURL)
     , m_identifier(params.identifier)

trunk/Source/WebCore/workers/WorkerGlobalScope.h

@@ -127 +127 @@
 
 protected:
-    WorkerGlobalScope(const WorkerParameters&, Ref<SecurityOrigin>&&, WorkerThread&, Ref<SecurityOrigin>&& topOrigin, IDBClient::IDBConnectionProxy*, SocketProvider*);
+    WorkerGlobalScope(WorkerThreadType, const WorkerParameters&, Ref<SecurityOrigin>&&, WorkerThread&, Ref<SecurityOrigin>&& topOrigin, IDBClient::IDBConnectionProxy*, SocketProvider*);
 
     void applyContentSecurityPolicyResponseHeaders(const ContentSecurityPolicyResponseHeaders&);

trunk/Source/WebCore/workers/WorkerOrWorkletGlobalScope.cpp

@@ -38 +38 @@
 WTF_MAKE_ISO_ALLOCATED_IMPL(WorkerOrWorkletGlobalScope);
 
-WorkerOrWorkletGlobalScope::WorkerOrWorkletGlobalScope(Ref<JSC::VM>&& vm, WorkerOrWorkletThread* thread)
-    : m_script(makeUnique<WorkerOrWorkletScriptController>(WTFMove(vm), this))
+WorkerOrWorkletGlobalScope::WorkerOrWorkletGlobalScope(WorkerThreadType type, Ref<JSC::VM>&& vm, WorkerOrWorkletThread* thread)
+    : m_script(makeUnique<WorkerOrWorkletScriptController>(type, WTFMove(vm), this))
     , m_thread(thread)
     , m_inspectorController(makeUnique<WorkerInspectorController>(*this))

trunk/Source/WebCore/workers/WorkerOrWorkletGlobalScope.h

@@ -28 +28 @@
 #include "EventTarget.h"
 #include "ScriptExecutionContext.h"
+#include "WorkerThreadType.h"
 
 namespace WebCore {
@@ -68 +69 @@
 
 protected:
-    WorkerOrWorkletGlobalScope(Ref<JSC::VM>&&, WorkerOrWorkletThread*);
+    WorkerOrWorkletGlobalScope(WorkerThreadType, Ref<JSC::VM>&&, WorkerOrWorkletThread*);
 
     // ScriptExecutionContext.

trunk/Source/WebCore/workers/WorkerOrWorkletScriptController.cpp

@@ -51 +51 @@
 using namespace JSC;
 
-WorkerOrWorkletScriptController::WorkerOrWorkletScriptController(Ref<VM>&& vm, WorkerOrWorkletGlobalScope* globalScope)
+WorkerOrWorkletScriptController::WorkerOrWorkletScriptController(WorkerThreadType type, Ref<VM>&& vm, WorkerOrWorkletGlobalScope* globalScope)
     : m_vm(WTFMove(vm))
     , m_globalScope(globalScope)
@@ -57 +57 @@
 {
     m_vm->heap.acquireAccess(); // It's not clear that we have good discipline for heap access, so turn it on permanently.
-    JSVMClientData::initNormalWorld(m_vm.get());
-}
-
-WorkerOrWorkletScriptController::WorkerOrWorkletScriptController(WorkerOrWorkletGlobalScope* globalScope)
-    : WorkerOrWorkletScriptController(JSC::VM::create(), globalScope)
+    JSVMClientData::initNormalWorld(m_vm.get(), type);
+}
+
+WorkerOrWorkletScriptController::WorkerOrWorkletScriptController(WorkerThreadType type, WorkerOrWorkletGlobalScope* globalScope)
+    : WorkerOrWorkletScriptController(type, JSC::VM::create(), globalScope)
 {
 }

trunk/Source/WebCore/workers/WorkerOrWorkletScriptController.h

@@ -27 +27 @@
 #pragma once
 
+#include "WorkerThreadType.h"
 #include <JavaScriptCore/Debugger.h>
 #include <JavaScriptCore/JSRunLoopTimer.h>
@@ -52 +53 @@
     WTF_MAKE_FAST_ALLOCATED;
 public:
-    WorkerOrWorkletScriptController(Ref<JSC::VM>&&, WorkerOrWorkletGlobalScope*);
-    explicit WorkerOrWorkletScriptController(WorkerOrWorkletGlobalScope*);
+    WorkerOrWorkletScriptController(WorkerThreadType, Ref<JSC::VM>&&, WorkerOrWorkletGlobalScope*);
+    explicit WorkerOrWorkletScriptController(WorkerThreadType, WorkerOrWorkletGlobalScope*);
     ~WorkerOrWorkletScriptController();
 

trunk/Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp

@@ -53 +53 @@
 
 ServiceWorkerGlobalScope::ServiceWorkerGlobalScope(const ServiceWorkerContextData& data, const WorkerParameters& params, Ref<SecurityOrigin>&& origin, ServiceWorkerThread& thread, Ref<SecurityOrigin>&& topOrigin, IDBClient::IDBConnectionProxy* connectionProxy, SocketProvider* socketProvider)
-    : WorkerGlobalScope(params, WTFMove(origin), thread, WTFMove(topOrigin), connectionProxy, socketProvider)
+    : WorkerGlobalScope(WorkerThreadType::ServiceWorker, params, WTFMove(origin), thread, WTFMove(topOrigin), connectionProxy, socketProvider)
     , m_contextData(crossThreadCopy(data))
     , m_registration(ServiceWorkerRegistration::getOrCreate(*this, navigator().serviceWorker(), WTFMove(m_contextData.registration)))

trunk/Source/WebCore/worklets/WorkletGlobalScope.cpp

@@ -51 +51 @@
 
 WorkletGlobalScope::WorkletGlobalScope(WorkerOrWorkletThread& thread, const WorkletParameters& parameters)
-    : WorkerOrWorkletGlobalScope(JSC::VM::create(), &thread)
+    : WorkerOrWorkletGlobalScope(WorkerThreadType::Worklet, JSC::VM::create(), &thread)
     , m_topOrigin(SecurityOrigin::createUnique())
     , m_url(parameters.windowURL)
@@ -63 +63 @@
 
 WorkletGlobalScope::WorkletGlobalScope(Document& document, Ref<JSC::VM>&& vm, ScriptSourceCode&& code)
-    : WorkerOrWorkletGlobalScope(WTFMove(vm), nullptr)
+    : WorkerOrWorkletGlobalScope(WorkerThreadType::Worklet, WTFMove(vm), nullptr)
     , m_document(makeWeakPtr(document))
     , m_topOrigin(SecurityOrigin::createUnique())