Changeset 270855 in webkit

Timestamp:

Dec 15, 2020 11:15:33 AM (19 months ago)

Author:

commit-queue@webkit.org

Message:

[WASM-References] Add support for memory.fill
​https://bugs.webkit.org/show_bug.cgi?id=219848

Patch by Dmitry Bezhetskov <dbezhetskov> on 2020-12-15
Reviewed by Yusuke Suzuki.

JSTests:

Added spec tests and unreachable tests for memory.fill.

• wasm.yaml:
• wasm/references-spec-tests/memory_fill.wast.js: Added.
• wasm/references/memory_fill_shared.js: Added.

(async test):

• wasm/references/table_instructions_parse_unreachable.js:

(invalidMemoryFillUnreachable):

• wasm/wasm.json:

Source/JavaScriptCore:

Add support for memory.fill from ref-types spec.
memory.fill sets all bytes in a memory region to a given byte:
​https://webassembly.github.io/reference-types/core/syntax/instructions.html#memory-instructions.

• bytecode/BytecodeList.rb:
• llint/WebAssembly.asm:
• wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::addMemoryFill):

• wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::addMemoryFill):

• wasm/WasmFunctionParser.h:

(JSC::Wasm::FunctionParser<Context>::parseMemoryFillImmediate):
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

• wasm/WasmLLIntGenerator.cpp:

(JSC::Wasm::LLIntGenerator::addMemoryFill):

• wasm/WasmMemory.cpp:

(JSC::Wasm::Memory::fill):
(JSC::Wasm::Memory::doMemoryFill):

• wasm/WasmMemory.h:
• wasm/WasmOperations.cpp:

(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):

• wasm/WasmOperations.h:
• wasm/WasmSlowPaths.cpp:

(JSC::LLInt::WASM_SLOW_PATH_DECL):

• wasm/WasmSlowPaths.h:
• wasm/wasm.json:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm.yaml (modified) (1 diff)
• JSTests/wasm/references-spec-tests/memory_fill.wast.js (added)
• JSTests/wasm/references/memory_fill_shared.js (added)
• JSTests/wasm/references/table_instructions_parse_unreachable.js (modified) (2 diffs)
• JSTests/wasm/wasm.json (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeList.rb (modified) (1 diff)
• Source/JavaScriptCore/interpreter/Register.h (modified) (2 diffs)
• Source/JavaScriptCore/llint/WebAssembly.asm (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmFunctionParser.h (modified) (4 diffs)
• Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmMemory.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmMemory.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmOperations.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmSlowPaths.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/wasm.json (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-12-15  Dmitry Bezhetskov  <dbezhetskov@igalia.com>
+
+        [WASM-References] Add support for memory.fill
+        https://bugs.webkit.org/show_bug.cgi?id=219848
+
+        Reviewed by Yusuke Suzuki.
+
+        Added spec tests and unreachable tests for memory.fill.
+
+        * wasm.yaml:
+        * wasm/references-spec-tests/memory_fill.wast.js: Added.
+        * wasm/references/memory_fill_shared.js: Added.
+        (async test):
+        * wasm/references/table_instructions_parse_unreachable.js:
+        (invalidMemoryFillUnreachable):
+        * wasm/wasm.json:
+
 2020-12-15  Dmitry Bezhetskov  <dbezhetskov@igalia.com>
 

trunk/JSTests/wasm.yaml

@@ -57 +57 @@
 - path: wasm/references-spec-tests/select.wast.js
   cmd: runWebAssemblyReferenceSpecTest :normal
+- path: wasm/references-spec-tests/memory_fill.wast.js
+  cmd: runWebAssemblyReferenceSpecTest :normal
 
 - path: wasm/multi-value-spec-tests/block.wast.js

trunk/JSTests/wasm/references/table_instructions_parse_unreachable.js

@@ -254 +254 @@
 }
 
+function validMemoryFillUnreachable() {
+  /*
+  (module
+    (memory $mem0 1)
+    (func (export "run")
+      (return)
+      (memory.fill (i32.const 0) (i32.const 11) (i32.const 3))
+    )
+  )
+  */
+  let instance = new WebAssembly.Instance(module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x07\x07\x01\x03\x72\x75\x6e\x00\x00\x0a\x0e\x01\x0c\x00\x0f\x41\x00\x41\x0b\x41\x03\xfc\x0b\x00\x0b"));
+  instance.exports.run();
+}
+
+function invalidMemoryFillUnreachable() {
+  /*
+  (module
+    (memory $mem0 1)
+    (func (export "run")
+      (return)
+      (memory.fill (unused = 1) (i32.const 0) (i32.const 11) (i32.const 3))
+    )
+  )
+  */
+  assert.throws(() => module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x07\x07\x01\x03\x72\x75\x6e\x00\x00\x0a\x0e\x01\x0c\x00\x0f\x41\x00\x41\x0b\x41\x03\xfc\x0b\x01\x0b"),
+  WebAssembly.CompileError,
+  "WebAssembly.Module doesn't parse at byte 11: auxiliary byte for memory.fill should be zero, but got 1, in function at index 0 (evaluating 'new WebAssembly.Module(buffer)')");
+}
+
 validTableInitUnreachable();
 invalidTableInitUnreachable();
@@ -274 +303 @@
 validAnnotatedSelectUnreachable();
 invalidAnnotatedSelectUnreachable();
+
+validMemoryFillUnreachable();
+invalidMemoryFillUnreachable();

trunk/JSTests/wasm/wasm.json

@@ -79 +79 @@
         "table.fill":          { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "externref", "i32"],    "immediate": [{"name": "table_index",    "type": "varuint32"}],                                             "description": "fill entries [i,i+n) with the given value", "extendedOp": 17 },
         "table.copy":          { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "dst_index",      "type": "varuint32"}, {"name": "src_index",  "type": "varuint32"}],"description": "copy table elements from dst_table[dstOffset, dstOffset + length] to src_table[srcOffset, srcOffset + length]", "extendedOp": 14 },
+        "memory.fill":         { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "unused",         "type": "uint8"}],                                                 "description": "sets all values in a region to a given byte", "extendedOp": 11 },
         "call":                { "category": "call",       "value":  16, "return": ["call"],                         "parameter": ["call"],                       "immediate": [{"name": "function_index", "type": "varuint32"}],                                             "description": "call a function by its index" },
         "call_indirect":       { "category": "call",       "value":  17, "return": ["call"],                         "parameter": ["call"],                       "immediate": [{"name": "type_index",     "type": "varuint32"}, {"name": "table_index","type": "varuint32"}],"description": "call a function indirect with an expected signature" },

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-12-15  Dmitry Bezhetskov  <dbezhetskov@igalia.com>
+
+        [WASM-References] Add support for memory.fill
+        https://bugs.webkit.org/show_bug.cgi?id=219848
+
+        Reviewed by Yusuke Suzuki.
+
+        Add support for memory.fill from ref-types spec.
+        memory.fill sets all bytes in a memory region to a given byte:
+        https://webassembly.github.io/reference-types/core/syntax/instructions.html#memory-instructions.
+
+        * bytecode/BytecodeList.rb:
+        * llint/WebAssembly.asm:
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::addMemoryFill):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::addMemoryFill):
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseMemoryFillImmediate):
+        (JSC::Wasm::FunctionParser<Context>::parseExpression):
+        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
+        * wasm/WasmLLIntGenerator.cpp:
+        (JSC::Wasm::LLIntGenerator::addMemoryFill):
+        * wasm/WasmMemory.cpp:
+        (JSC::Wasm::Memory::fill):
+        (JSC::Wasm::Memory::doMemoryFill):
+        * wasm/WasmMemory.h:
+        * wasm/WasmOperations.cpp:
+        (JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
+        * wasm/WasmOperations.h:
+        * wasm/WasmSlowPaths.cpp:
+        (JSC::LLInt::WASM_SLOW_PATH_DECL):
+        * wasm/WasmSlowPaths.h:
+        * wasm/wasm.json:
+
 2020-12-15  Dmitry Bezhetskov  <dbezhetskov@igalia.com>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeList.rb

@@ -1676 +1676 @@
     }
 
+op :memory_fill,
+    args: {
+        dstAddress: VirtualRegister,
+        targetValue: VirtualRegister,
+        count: VirtualRegister,
+    }
+
 op :select,
     args: {

trunk/Source/JavaScriptCore/interpreter/Register.h

@@ -64 +64 @@
         ALWAYS_INLINE JSScope* scope() const;
         int32_t unboxedInt32() const;
+        uint32_t unboxedUInt32() const;
         int32_t asanUnsafeUnboxedInt32() const;
         int64_t unboxedInt52() const;
@@ -143 +144 @@
     }
 
+    ALWAYS_INLINE uint32_t Register::unboxedUInt32() const
+    {
+        return static_cast<uint32_t>(unboxedInt32());
+    }
+
     SUPPRESS_ASAN ALWAYS_INLINE int32_t Register::asanUnsafeUnboxedInt32() const
     {

trunk/Source/JavaScriptCore/llint/WebAssembly.asm

@@ -568 +568 @@
 slowWasmOp(table_copy)
 slowWasmOp(table_grow)
+slowWasmOp(memory_fill)
 slowWasmOp(set_global_ref)
 slowWasmOp(set_global_ref_portable_binding)

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -281 +281 @@
     PartialResult WARN_UNUSED_RETURN addGrowMemory(ExpressionType delta, ExpressionType& result);
     PartialResult WARN_UNUSED_RETURN addCurrentMemory(ExpressionType& result);
+    PartialResult WARN_UNUSED_RETURN addMemoryFill(ExpressionType dstAddress, ExpressionType targetValue, ExpressionType count);
 
     // Atomics
@@ -1271 +1272 @@
     addShift(Type::I32, Urshift64, temp1, temp2, result);
     append(Move32, result, result);
+
+    return { };
+}
+
+auto AirIRGenerator::addMemoryFill(ExpressionType dstAddress, ExpressionType targetValue, ExpressionType count) -> PartialResult
+{
+    ASSERT(dstAddress.tmp());
+    ASSERT(dstAddress.type() == Type::I32);
+
+    ASSERT(targetValue.tmp());
+    ASSERT(targetValue.type() == Type::I32);
+
+    ASSERT(count.tmp());
+    ASSERT(count.type() == Type::I32);
+
+    auto result = tmpForType(Type::I32);
+    emitCCall(
+        &operationWasmMemoryFill, result, instanceValue(),
+        dstAddress, targetValue, count);
+
+    emitCheck([&] {
+        return Inst(BranchTest32, nullptr, Arg::resCond(MacroAssembler::Zero), result, result);
+    }, [=] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+        this->emitThrowException(jit, ExceptionType::OutOfBoundsTableAccess);
+    });
 
     return { };

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -236 +236 @@
     PartialResult WARN_UNUSED_RETURN addGrowMemory(ExpressionType delta, ExpressionType& result);
     PartialResult WARN_UNUSED_RETURN addCurrentMemory(ExpressionType& result);
+    PartialResult WARN_UNUSED_RETURN addMemoryFill(ExpressionType dstAddress, ExpressionType targetValue, ExpressionType count);
 
     // Atomics
@@ -880 +881 @@
 
     result = m_currentBlock->appendNew<Value>(m_proc, Trunc, origin(), numPages);
+
+    return { };
+}
+
+auto B3IRGenerator::addMemoryFill(ExpressionType dstAddress, ExpressionType targetValue, ExpressionType count) -> PartialResult
+{
+    auto result = m_currentBlock->appendNew<CCallValue>(
+        m_proc, toB3Type(I32), origin(),
+        m_currentBlock->appendNew<ConstPtrValue>(m_proc, origin(), tagCFunction<OperationPtrTag>(operationWasmMemoryFill)),
+        instanceValue(),
+        dstAddress, targetValue, count);
+
+    {
+        CheckValue* check = m_currentBlock->appendNew<CheckValue>(m_proc, Check, origin(),
+            m_currentBlock->appendNew<Value>(m_proc, Equal, origin(), result, m_currentBlock->appendNew<Const32Value>(m_proc, origin(), 0)));
+
+        check->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+            this->emitExceptionCheck(jit, ExceptionType::OutOfBoundsTableAccess);
+        });
+    }
 
     return { };

trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

@@ -157 +157 @@
     PartialResult WARN_UNUSED_RETURN parseAnnotatedSelectImmediates(AnnotatedSelectImmediates&);
 
+    PartialResult WARN_UNUSED_RETURN parseMemoryFillImmediate();
+
 #define WASM_TRY_ADD_TO_CONTEXT(add_expression) WASM_FAIL_IF_HELPER_FAILS(m_context.add_expression)
 
@@ -565 +567 @@
     result.sizeOfAnnotationVector = sizeOfAnnotationVector;
     result.targetType = targetType;
-
+    return { };
+}
+
+template<typename Context>
+auto FunctionParser<Context>::parseMemoryFillImmediate() -> PartialResult
+{
+    uint8_t auxiliaryByte;
+    WASM_PARSER_FAIL_IF(!parseUInt8(auxiliaryByte), "can't parse auxiliary byte");
+    WASM_PARSER_FAIL_IF(!!auxiliaryByte, "auxiliary byte for memory.fill should be zero, but got ", auxiliaryByte);
     return { };
 }
@@ -816 +826 @@
 
             WASM_TRY_ADD_TO_CONTEXT(addTableCopy(immediates.dstTableIndex, immediates.srcTableIndex, dstOffset, srcOffset, length));
+            break;
+        }
+        case ExtTableOpType::MemoryFill: {
+            WASM_FAIL_IF_HELPER_FAILS(parseMemoryFillImmediate());
+
+            WASM_VALIDATOR_FAIL_IF(!m_info.memoryCount(), "memory must be present");
+
+            TypedExpression dstAddress;
+            TypedExpression targetValue;
+            TypedExpression count;
+
+            WASM_TRY_POP_EXPRESSION_STACK_INTO(count, "memory.fill");
+            WASM_TRY_POP_EXPRESSION_STACK_INTO(targetValue, "memory.fill");
+            WASM_TRY_POP_EXPRESSION_STACK_INTO(dstAddress, "memory.fill");
+
+            WASM_VALIDATOR_FAIL_IF(I32 != dstAddress.type(), "memory.fill dstAddress to type ", dstAddress.type(), " expected ", I32);
+            WASM_VALIDATOR_FAIL_IF(I32 != targetValue.type(), "memory.fill targetValue to type ", targetValue.type(), " expected ", I32);
+            WASM_VALIDATOR_FAIL_IF(I32 != count.type(), "memory.fill size to type ", count.type(), " expected ", I32);
+
+            WASM_TRY_ADD_TO_CONTEXT(addMemoryFill(dstAddress, targetValue, count));
             break;
         }
@@ -1386 +1416 @@
             return { };
         }
+        case ExtTableOpType::MemoryFill: {
+            WASM_FAIL_IF_HELPER_FAILS(parseMemoryFillImmediate());
+            return { };
+        }
         default:
             WASM_PARSER_FAIL_IF(true, "invalid extended table op ", extOp);

trunk/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp

@@ -212 +212 @@
     PartialResult WARN_UNUSED_RETURN addGrowMemory(ExpressionType delta, ExpressionType& result);
     PartialResult WARN_UNUSED_RETURN addCurrentMemory(ExpressionType& result);
+    PartialResult WARN_UNUSED_RETURN addMemoryFill(ExpressionType dstAddress, ExpressionType targetValue, ExpressionType count);
 
     // Atomics
@@ -1188 +1189 @@
 }
 
+auto LLIntGenerator::addMemoryFill(ExpressionType dstAddress, ExpressionType targetValue, ExpressionType count) -> PartialResult
+{
+    WasmMemoryFill::emit(this, dstAddress, targetValue, count);
+    return { };
+}
+
 auto LLIntGenerator::addSelect(ExpressionType condition, ExpressionType nonZero, ExpressionType zero, ExpressionType& result) -> PartialResult
 {

trunk/Source/JavaScriptCore/wasm/WasmMemory.cpp

@@ -31 +31 @@
 
 #include "Options.h"
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/DataLog.h>
 #include <wtf/Gigacage.h>
@@ -618 +619 @@
 }
 
+bool Memory::fill(uint32_t offset, uint8_t targetValue, uint32_t count)
+{
+    if (sumOverflows<uint32_t>(offset, count))
+        return false;
+
+    if (offset + count > m_handle->size())
+        return false;
+
+    memset(reinterpret_cast<uint8_t*>(memory()) + offset, targetValue, count);
+    return true;
+}
+
 void Memory::registerInstance(Instance* instance)
 {

trunk/Source/JavaScriptCore/wasm/WasmMemory.h

@@ -133 +133 @@
     };
     Expected<PageCount, GrowFailReason> grow(PageCount);
+    bool fill(uint32_t, uint8_t, uint32_t);
     void registerInstance(Instance*);
 

trunk/Source/JavaScriptCore/wasm/WasmOperations.cpp

@@ -639 +639 @@
 }
 
+JSC_DEFINE_JIT_OPERATION(operationWasmMemoryFill, bool, (Instance* instance, uint32_t dstAddress, uint32_t targetValue, uint32_t count))
+{
+    return instance->memory()->fill(dstAddress, static_cast<uint8_t>(targetValue), count);
+}
+
 JSC_DEFINE_JIT_OPERATION(operationGetWasmTableElement, EncodedJSValue, (Instance* instance, unsigned tableIndex, int32_t signedIndex))
 {

trunk/Source/JavaScriptCore/wasm/WasmOperations.h

@@ -62 +62 @@
 JSC_DECLARE_JIT_OPERATION(operationPopcount64, uint64_t, (int64_t));
 JSC_DECLARE_JIT_OPERATION(operationGrowMemory, int32_t, (void*, Instance*, int32_t));
+JSC_DECLARE_JIT_OPERATION(operationWasmMemoryFill, bool, (Instance*, uint32_t dstAddress, uint32_t targetValue, uint32_t count));
 
 JSC_DECLARE_JIT_OPERATION(operationGetWasmTableElement, EncodedJSValue, (Instance*, unsigned, int32_t));

trunk/Source/JavaScriptCore/wasm/WasmSlowPaths.cpp

@@ -380 +380 @@
 }
 
+WASM_SLOW_PATH_DECL(memory_fill)
+{
+    auto instruction = pc->as<WasmMemoryFill, WasmOpcodeTraits>();
+    uint32_t dstAddress = READ(instruction.m_dstAddress).unboxedUInt32();
+    uint32_t targetValue = READ(instruction.m_targetValue).unboxedUInt32();
+    uint32_t count = READ(instruction.m_count).unboxedUInt32();
+    if (!Wasm::operationWasmMemoryFill(instance, dstAddress, targetValue, count))
+        WASM_THROW(Wasm::ExceptionType::OutOfBoundsTableAccess);
+    WASM_END();
+}
+
 inline SlowPathReturnType doWasmCall(Wasm::Instance* instance, unsigned functionIndex)
 {

trunk/Source/JavaScriptCore/wasm/WasmSlowPaths.h

@@ -67 +67 @@
 WASM_SLOW_PATH_HIDDEN_DECL(table_grow);
 WASM_SLOW_PATH_HIDDEN_DECL(grow_memory);
+WASM_SLOW_PATH_HIDDEN_DECL(memory_fill);
 WASM_SLOW_PATH_HIDDEN_DECL(call);
 WASM_SLOW_PATH_HIDDEN_DECL(call_no_tls);

trunk/Source/JavaScriptCore/wasm/wasm.json

@@ -79 +79 @@
         "table.fill":          { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "externref", "i32"],    "immediate": [{"name": "table_index",    "type": "varuint32"}],                                             "description": "fill entries [i,i+n) with the given value", "extendedOp": 17 },
         "table.copy":          { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "dst_index",      "type": "varuint32"}, {"name": "src_index",  "type": "varuint32"}],"description": "copy table elements from dst_table[dstOffset, dstOffset + length] to src_table[srcOffset, srcOffset + length]", "extendedOp": 14 },
+        "memory.fill":         { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "unused",         "type": "uint8"}],                                                 "description": "sets all values in a region to a given byte", "extendedOp": 11 },
         "call":                { "category": "call",       "value":  16, "return": ["call"],                         "parameter": ["call"],                       "immediate": [{"name": "function_index", "type": "varuint32"}],                                             "description": "call a function by its index" },
         "call_indirect":       { "category": "call",       "value":  17, "return": ["call"],                         "parameter": ["call"],                       "immediate": [{"name": "type_index",     "type": "varuint32"}, {"name": "table_index","type": "varuint32"}],"description": "call a function indirect with an expected signature" },