Changeset 270948 in webkit

Timestamp:

Dec 17, 2020 2:25:20 PM (19 months ago)

Author:

commit-queue@webkit.org

Message:

[WASM-References] Add support for memory.copy, memory.init and data.drop
​https://bugs.webkit.org/show_bug.cgi?id=219943

Patch by Dmitry Bezhetskov <dbezhetskov> on 2020-12-17
Reviewed by Yusuke Suzuki.

JSTests:

Added ref-types spec tests for memory.copy, memory.init and data.drop:
​https://github.com/WebAssembly/reference-types/tree/master/test/core.
Renamed table_instructions_parse_unreachable test into just
parse_unreachable to prevent confusion.

• wasm.yaml:
• wasm/references-spec-tests/memory_copy.wast.js: Added.
• wasm/references-spec-tests/memory_init.wast.js: Added.
• wasm/references/memory_copy.js: Added.

(async test):

• wasm/references/memory_copy_shared.js: Added.

(async test):

• wasm/references/parse_unreachable.js: Renamed from JSTests/wasm/references/table_instructions_parse_unreachable.js.

(invalidMemoryCopyUnreachable):
(invalidMemoryInitUnreachable):
(invalidDataDropUnreachable):

• wasm/wasm.json:

Source/JavaScriptCore:

Add support for memory.copy [dstAddress, srcAddress, length] -> []
that copies one memory segment to another memory segment.
The memory.copy calls C memcpy function to utilize all possible optimization for copy.
This instruction speedup copying data segments in wasm because without it we need to use a lot
load/store instructions with loops in wasm.

Add support for memory.init data_segment_index [dstAddress, srcAddress, length] -> []
that copies data from a passive data segment into a memory segment.
This instruction is the same as memory.copy but for read-only data segments.
It also utilize C memcpy under the hood.

Add support for data.drop data_segment_index [] -> []
that resize given data segment to zero.
Data.drop makes redundant data segment and prevents usage of it in the next.
BTW, it is just a hint for the host runtime so we don't have to change data segment.

Add support for Data count section.
This section just stores the number of data segments.
We need this to validate memory.init instruction's data index because
Code section comes before Data section.

These instructions are needed to support reference types proposal and bulk proposal.

• bytecode/BytecodeList.rb:
• llint/WebAssembly.asm:
• wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::addMemoryCopy):
(JSC::Wasm::AirIRGenerator::addMemoryInit):
(JSC::Wasm::AirIRGenerator::addDataDrop):

• wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::addMemoryInit):
(JSC::Wasm::B3IRGenerator::addMemoryCopy):
(JSC::Wasm::B3IRGenerator::addDataDrop):

• wasm/WasmFormat.cpp:

(JSC::Wasm::Segment::create):

• wasm/WasmFormat.h:

(JSC::Wasm::Segment::isActive const):
(JSC::Wasm::Segment::isPassive const):

• wasm/WasmFunctionParser.h:

(JSC::Wasm::FunctionParser<Context>::parseDataSegmentIndex):
(JSC::Wasm::FunctionParser<Context>::parseMemoryCopyImmediates):
(JSC::Wasm::FunctionParser<Context>::parseMemoryInitImmediates):
(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

• wasm/WasmInstance.cpp:

(JSC::Wasm::Instance::Instance):
(JSC::Wasm::Instance::memoryInit):
(JSC::Wasm::Instance::dataDrop):

• wasm/WasmInstance.h:
• wasm/WasmLLIntGenerator.cpp:

(JSC::Wasm::LLIntGenerator::addMemoryInit):
(JSC::Wasm::LLIntGenerator::addDataDrop):
(JSC::Wasm::LLIntGenerator::addMemoryCopy):

• wasm/WasmMemory.cpp:

(JSC::Wasm::Memory::copy):
(JSC::Wasm::Memory::init):

• wasm/WasmMemory.h:
• wasm/WasmModuleInformation.h:

(JSC::Wasm::ModuleInformation::dataSegmentsCount const):

• wasm/WasmOperations.cpp:

(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):

• wasm/WasmOperations.h:
• wasm/WasmSectionParser.cpp:

(JSC::Wasm::SectionParser::parseElement):
(JSC::Wasm::SectionParser::parseI32InitExpr):
(JSC::Wasm::SectionParser::parseI32InitExprForElementSection):
(JSC::Wasm::SectionParser::parseI32InitExprForDataSection):
(JSC::Wasm::SectionParser::parseDataSegmentCoreSpec):
(JSC::Wasm::SectionParser::parseDataSegmentReferenceTypesSpec):
(JSC::Wasm::SectionParser::parseGlobalType):
(JSC::Wasm::SectionParser::parseData):
(JSC::Wasm::SectionParser::parseDataCount):

• wasm/WasmSectionParser.h:
• wasm/WasmSections.h:

(JSC::Wasm::validateOrder):

• wasm/WasmSlowPaths.cpp:

(JSC::LLInt::WASM_SLOW_PATH_DECL):

• wasm/WasmSlowPaths.h:
• wasm/js/WebAssemblyModuleRecord.cpp:

(JSC::WebAssemblyModuleRecord::evaluate):

• wasm/wasm.json:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm.yaml (modified) (1 diff)
• JSTests/wasm/references-spec-tests/memory_copy.wast.js (added)
• JSTests/wasm/references-spec-tests/memory_init.wast.js (added)
• JSTests/wasm/references/memory_copy.js (added)
• JSTests/wasm/references/memory_copy_shared.js (added)
• JSTests/wasm/references/parse_unreachable.js (moved) (moved from trunk/JSTests/wasm/references/table_instructions_parse_unreachable.js) (2 diffs)
• JSTests/wasm/wasm.json (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeList.rb (modified) (1 diff)
• Source/JavaScriptCore/llint/WebAssembly.asm (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmFormat.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/WasmFormat.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmFunctionParser.h (modified) (6 diffs)
• Source/JavaScriptCore/wasm/WasmInstance.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/WasmInstance.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/WasmMemory.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmMemory.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmModuleInformation.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmOperations.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmSectionParser.cpp (modified) (8 diffs)
• Source/JavaScriptCore/wasm/WasmSectionParser.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmSections.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmSlowPaths.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp (modified) (4 diffs)
• Source/JavaScriptCore/wasm/wasm.json (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-12-17  Dmitry Bezhetskov  <dbezhetskov@igalia.com>
+
+        [WASM-References] Add support for memory.copy, memory.init and data.drop
+        https://bugs.webkit.org/show_bug.cgi?id=219943
+
+        Reviewed by Yusuke Suzuki.
+
+        Added ref-types spec tests for memory.copy, memory.init and data.drop:
+        https://github.com/WebAssembly/reference-types/tree/master/test/core.
+        Renamed table_instructions_parse_unreachable test into just
+        parse_unreachable to prevent confusion.
+
+        * wasm.yaml:
+        * wasm/references-spec-tests/memory_copy.wast.js: Added.
+        * wasm/references-spec-tests/memory_init.wast.js: Added.
+        * wasm/references/memory_copy.js: Added.
+        (async test):
+        * wasm/references/memory_copy_shared.js: Added.
+        (async test):
+        * wasm/references/parse_unreachable.js: Renamed from JSTests/wasm/references/table_instructions_parse_unreachable.js.
+        (invalidMemoryCopyUnreachable):
+        (invalidMemoryInitUnreachable):
+        (invalidDataDropUnreachable):
+        * wasm/wasm.json:
+
 2020-12-15  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/JSTests/wasm.yaml

@@ -59 +59 @@
 - path: wasm/references-spec-tests/memory_fill.wast.js
   cmd: runWebAssemblyReferenceSpecTest :normal
+- path: wasm/references-spec-tests/memory_copy.wast.js
+  cmd: runWebAssemblyReferenceSpecTest :normal
+- path: wasm/references-spec-tests/memory_init.wast.js
+  cmd: runWebAssemblyReferenceSpecTest :normal
 
 - path: wasm/multi-value-spec-tests/block.wast.js

trunk/JSTests/wasm/references/parse_unreachable.js

@@ -283 +283 @@
 }
 
+function validMemoryCopyUnreachable() {
+  /*
+  (module
+    (memory $mem0 1)
+    (func (export "run")
+      (return)
+      (memory.copy (i32.const 3) (i32.const 0) (i32.const 1))
+    )
+  )
+  */
+  let instance = new WebAssembly.Instance(module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x07\x07\x01\x03\x72\x75\x6e\x00\x00\x0a\x0f\x01\x0d\x00\x0f\x41\x03\x41\x00\x41\x01\xfc\x0a\x00\x00\x0b"));
+  instance.exports.run();
+}
+
+function invalidMemoryCopyUnreachable() {
+  /*
+  (module
+    (memory $mem0 1)
+    (func (export "run")
+      (return)
+      (memory.copy (unsued_1 = 1) (i32.const 3) (i32.const 0) (i32.const 1))
+    )
+  )
+  */
+  assert.throws(() => module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x07\x07\x01\x03\x72\x75\x6e\x00\x00\x0a\x0f\x01\x0d\x00\x0f\x41\x03\x41\x00\x41\x01\xfc\x0a\x01\x00\x0b"),
+  WebAssembly.CompileError,
+  "WebAssembly.Module doesn't parse at byte 11: auxiliary byte for memory.copy should be zero, but got 1, in function at index 0 (evaluating 'new WebAssembly.Module(buffer)')");
+
+  /*
+  (module
+    (memory $mem0 1)
+    (func (export "run")
+      (return)
+      (memory.copy (unsued_1 = 0, unused_2 = 1) (i32.const 3) (i32.const 0) (i32.const 1))
+    )
+  )
+  */
+  assert.throws(() => module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x07\x07\x01\x03\x72\x75\x6e\x00\x00\x0a\x0f\x01\x0d\x00\x0f\x41\x03\x41\x00\x41\x01\xfc\x0a\x00\x01\x0b"),
+  WebAssembly.CompileError,
+  "WebAssembly.Module doesn't parse at byte 12: auxiliary byte for memory.copy should be zero, but got 1, in function at index 0 (evaluating 'new WebAssembly.Module(buffer)')");
+}
+
+function validMemoryInitUnreachable() {
+  /*
+  (module
+    (memory $mem0 1)
+    (data $data0 "\02\03\05\07")
+    (func (export "run")
+      (return)
+      (memory.init $data0 (i32.const 4) (i32.const 0) (i32.const 4))
+    )
+  )
+  */
+  let instance = new WebAssembly.Instance(module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x07\x07\x01\x03\x72\x75\x6e\x00\x00\x0c\x01\x01\x0a\x0f\x01\x0d\x00\x0f\x41\x04\x41\x00\x41\x04\xfc\x08\x00\x00\x0b\x0b\x07\x01\x01\x04\x02\x03\x05\x07"));
+  instance.exports.run();
+}
+
+function invalidMemoryInitUnreachable() {
+  /*
+  (module
+    (memory $mem0 1)
+    (data $data0 "\02\03\05\07")
+    (func (export "run")
+      (return)
+      (memory.init 10 (i32.const 4) (i32.const 0) (i32.const 4))
+    )
+  )
+  */
+  assert.throws(() => module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x07\x07\x01\x03\x72\x75\x6e\x00\x00\x0c\x01\x01\x0a\x0f\x01\x0d\x00\x0f\x41\x04\x41\x00\x41\x04\xfc\x08\x0a\x00\x0b\x0b\x07\x01\x01\x04\x02\x03\x05\x07"),
+  WebAssembly.CompileError,
+  "WebAssembly.Module doesn't validate: data segment index 10 is invalid, limit is 1, in function at index 0 (evaluating 'new WebAssembly.Module(buffer)')");
+}
+
+function validDataDropUnreachable() {
+  /*
+  (module
+    (memory 1)
+    (data $data0 "\37")
+    (func (export "run")
+      (return)
+      (data.drop $data0)
+    )
+  )
+  */
+  let instance = new WebAssembly.Instance(module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x07\x07\x01\x03\x72\x75\x6e\x00\x00\x0c\x01\x01\x0a\x08\x01\x06\x00\x0f\xfc\x09\x00\x0b\x0b\x04\x01\x01\x01\x37"));
+  instance.exports.run();
+}
+
+function invalidDataDropUnreachable() {
+  /*
+  (module
+    (memory 1)
+    (data $data0 "\37")
+    (func (export "run")
+      (return)
+      (data.drop 10)
+    )
+  )
+  */
+  assert.throws(() => module("\x00\x61\x73\x6d\x01\x00\x00\x00\x01\x04\x01\x60\x00\x00\x03\x02\x01\x00\x05\x03\x01\x00\x01\x07\x07\x01\x03\x72\x75\x6e\x00\x00\x0c\x01\x01\x0a\x08\x01\x06\x00\x0f\xfc\x09\x0a\x0b\x0b\x04\x01\x01\x01\x37"),
+  WebAssembly.CompileError,
+  "WebAssembly.Module doesn't validate: data segment index 10 is invalid, limit is 1, in function at index 0 (evaluating 'new WebAssembly.Module(buffer)')");
+}
+
 validTableInitUnreachable();
 invalidTableInitUnreachable();
@@ -306 +410 @@
 validMemoryFillUnreachable();
 invalidMemoryFillUnreachable();
+
+validMemoryCopyUnreachable();
+invalidMemoryCopyUnreachable();
+
+validMemoryInitUnreachable();
+invalidMemoryInitUnreachable();
+
+validDataDropUnreachable();
+invalidDataDropUnreachable();

trunk/JSTests/wasm/wasm.json

@@ -80 +80 @@
         "table.copy":          { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "dst_index",      "type": "varuint32"}, {"name": "src_index",  "type": "varuint32"}],"description": "copy table elements from dst_table[dstOffset, dstOffset + length] to src_table[srcOffset, srcOffset + length]", "extendedOp": 14 },
         "memory.fill":         { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "unused",         "type": "uint8"}],                                                 "description": "sets all values in a region to a given byte", "extendedOp": 11 },
+        "memory.copy":         { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "unused",         "type": "uint8"}, {"name": "unused",         "type": "uint8"}],    "description": "copies data from a source memory region to destination region", "extendedOp": 10 },
+        "memory.init":         { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "segment_index",  "type": "varuint32"}, {"name": "unsued",  "type": "varuint32"}],   "description": "copies data from a passive data segment into a memory", "extendedOp": 8 },
+        "data.drop":           { "category": "exttable",   "value":  252, "return": [],                              "parameter": [],                             "immediate": [{"name": "segment_index",  "type": "varuint32"}],                                             "description": "shrinks the size of the segment to zero", "extendedOp": 9 },
         "call":                { "category": "call",       "value":  16, "return": ["call"],                         "parameter": ["call"],                       "immediate": [{"name": "function_index", "type": "varuint32"}],                                             "description": "call a function by its index" },
         "call_indirect":       { "category": "call",       "value":  17, "return": ["call"],                         "parameter": ["call"],                       "immediate": [{"name": "type_index",     "type": "varuint32"}, {"name": "table_index","type": "varuint32"}],"description": "call a function indirect with an expected signature" },

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-12-17  Dmitry Bezhetskov  <dbezhetskov@igalia.com>
+
+        [WASM-References] Add support for memory.copy, memory.init and data.drop
+        https://bugs.webkit.org/show_bug.cgi?id=219943
+
+        Reviewed by Yusuke Suzuki.
+
+        Add support for memory.copy [dstAddress, srcAddress, length] -> []
+        that copies one  memory segment to another memory segment.
+        The memory.copy calls C memcpy function to utilize all possible optimization for copy.
+        This instruction speedup copying data segments in wasm because without it we need to use a lot
+        load/store instructions with loops in wasm.
+
+        Add support for memory.init data_segment_index [dstAddress, srcAddress, length] -> []
+        that copies data from a passive data segment into a memory segment.
+        This instruction is the same as memory.copy but for read-only data segments.
+        It also utilize C memcpy under the hood.
+
+        Add support for data.drop data_segment_index [] -> []
+        that resize given data segment to zero.
+        Data.drop makes redundant data segment and prevents usage of it in the next.
+        BTW, it is just a hint for the host runtime so we don't have to change data segment.
+
+        Add support for Data count section.
+        This section just stores the number of data segments.
+        We need this to validate memory.init instruction's data index because
+        Code section comes before Data section.
+
+        These instructions are needed to support reference types proposal and bulk proposal.
+
+        * bytecode/BytecodeList.rb:
+        * llint/WebAssembly.asm:
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::addMemoryCopy):
+        (JSC::Wasm::AirIRGenerator::addMemoryInit):
+        (JSC::Wasm::AirIRGenerator::addDataDrop):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::addMemoryInit):
+        (JSC::Wasm::B3IRGenerator::addMemoryCopy):
+        (JSC::Wasm::B3IRGenerator::addDataDrop):
+        * wasm/WasmFormat.cpp:
+        (JSC::Wasm::Segment::create):
+        * wasm/WasmFormat.h:
+        (JSC::Wasm::Segment::isActive const):
+        (JSC::Wasm::Segment::isPassive const):
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseDataSegmentIndex):
+        (JSC::Wasm::FunctionParser<Context>::parseMemoryCopyImmediates):
+        (JSC::Wasm::FunctionParser<Context>::parseMemoryInitImmediates):
+        (JSC::Wasm::FunctionParser<Context>::parseExpression):
+        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
+        * wasm/WasmInstance.cpp:
+        (JSC::Wasm::Instance::Instance):
+        (JSC::Wasm::Instance::memoryInit):
+        (JSC::Wasm::Instance::dataDrop):
+        * wasm/WasmInstance.h:
+        * wasm/WasmLLIntGenerator.cpp:
+        (JSC::Wasm::LLIntGenerator::addMemoryInit):
+        (JSC::Wasm::LLIntGenerator::addDataDrop):
+        (JSC::Wasm::LLIntGenerator::addMemoryCopy):
+        * wasm/WasmMemory.cpp:
+        (JSC::Wasm::Memory::copy):
+        (JSC::Wasm::Memory::init):
+        * wasm/WasmMemory.h:
+        * wasm/WasmModuleInformation.h:
+        (JSC::Wasm::ModuleInformation::dataSegmentsCount const):
+        * wasm/WasmOperations.cpp:
+        (JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
+        * wasm/WasmOperations.h:
+        * wasm/WasmSectionParser.cpp:
+        (JSC::Wasm::SectionParser::parseElement):
+        (JSC::Wasm::SectionParser::parseI32InitExpr):
+        (JSC::Wasm::SectionParser::parseI32InitExprForElementSection):
+        (JSC::Wasm::SectionParser::parseI32InitExprForDataSection):
+        (JSC::Wasm::SectionParser::parseDataSegmentCoreSpec):
+        (JSC::Wasm::SectionParser::parseDataSegmentReferenceTypesSpec):
+        (JSC::Wasm::SectionParser::parseGlobalType):
+        (JSC::Wasm::SectionParser::parseData):
+        (JSC::Wasm::SectionParser::parseDataCount):
+        * wasm/WasmSectionParser.h:
+        * wasm/WasmSections.h:
+        (JSC::Wasm::validateOrder):
+        * wasm/WasmSlowPaths.cpp:
+        (JSC::LLInt::WASM_SLOW_PATH_DECL):
+        * wasm/WasmSlowPaths.h:
+        * wasm/js/WebAssemblyModuleRecord.cpp:
+        (JSC::WebAssemblyModuleRecord::evaluate):
+        * wasm/wasm.json:
+
 2020-12-16  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeList.rb

@@ -1683 +1683 @@
     }
 
+op :memory_copy,
+    args: {
+        dstAddress: VirtualRegister,
+        srcAddress: VirtualRegister,
+        count: VirtualRegister,
+    }
+
+op :memory_init,
+    args: {
+        dstAddress: VirtualRegister,
+        srcAddress: VirtualRegister,
+        length: VirtualRegister,
+        dataSegmentIndex: unsigned,
+    }
+
+op :data_drop,
+    args: {
+        dataSegmentIndex: unsigned,
+    }
+
 op :select,
     args: {

trunk/Source/JavaScriptCore/llint/WebAssembly.asm

@@ -569 +569 @@
 slowWasmOp(table_grow)
 slowWasmOp(memory_fill)
+slowWasmOp(memory_copy)
+slowWasmOp(memory_init)
+slowWasmOp(data_drop)
 slowWasmOp(set_global_ref)
 slowWasmOp(set_global_ref_portable_binding)

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -282 +282 @@
     PartialResult WARN_UNUSED_RETURN addCurrentMemory(ExpressionType& result);
     PartialResult WARN_UNUSED_RETURN addMemoryFill(ExpressionType dstAddress, ExpressionType targetValue, ExpressionType count);
+    PartialResult WARN_UNUSED_RETURN addMemoryCopy(ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType count);
+    PartialResult WARN_UNUSED_RETURN addMemoryInit(unsigned, ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType length);
+    PartialResult WARN_UNUSED_RETURN addDataDrop(unsigned);
 
     // Atomics
@@ -1298 +1301 @@
     });
 
+    return { };
+}
+
+auto AirIRGenerator::addMemoryCopy(ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType count) -> PartialResult
+{
+    ASSERT(dstAddress.tmp());
+    ASSERT(dstAddress.type() == Type::I32);
+
+    ASSERT(srcAddress.tmp());
+    ASSERT(srcAddress.type() == Type::I32);
+
+    ASSERT(count.tmp());
+    ASSERT(count.type() == Type::I32);
+
+    auto result = tmpForType(Type::I32);
+    emitCCall(
+        &operationWasmMemoryCopy, result, instanceValue(),
+        dstAddress, srcAddress, count);
+
+    emitCheck([&] {
+        return Inst(BranchTest32, nullptr, Arg::resCond(MacroAssembler::Zero), result, result);
+    }, [=] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+        this->emitThrowException(jit, ExceptionType::OutOfBoundsTableAccess);
+    });
+
+    return { };
+}
+
+auto AirIRGenerator::addMemoryInit(unsigned dataSegmentIndex, ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType length) -> PartialResult
+{
+    ASSERT(dstAddress.tmp());
+    ASSERT(dstAddress.type() == Type::I32);
+
+    ASSERT(srcAddress.tmp());
+    ASSERT(srcAddress.type() == Type::I32);
+
+    ASSERT(length.tmp());
+    ASSERT(length.type() == Type::I32);
+
+    auto result = tmpForType(Type::I32);
+    emitCCall(
+        &operationWasmMemoryInit, result, instanceValue(),
+        addConstant(Type::I32, dataSegmentIndex),
+        dstAddress, srcAddress, length);
+
+    emitCheck([&] {
+        return Inst(BranchTest32, nullptr, Arg::resCond(MacroAssembler::Zero), result, result);
+    }, [=] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+        this->emitThrowException(jit, ExceptionType::OutOfBoundsTableAccess);
+    });
+
+    return { };
+}
+
+auto AirIRGenerator::addDataDrop(unsigned dataSegmentIndex) -> PartialResult
+{
+    emitCCall(&operationWasmDataDrop, TypedTmp(), instanceValue(), addConstant(Type::I32, dataSegmentIndex));
     return { };
 }

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -237 +237 @@
     PartialResult WARN_UNUSED_RETURN addCurrentMemory(ExpressionType& result);
     PartialResult WARN_UNUSED_RETURN addMemoryFill(ExpressionType dstAddress, ExpressionType targetValue, ExpressionType count);
+    PartialResult WARN_UNUSED_RETURN addMemoryCopy(ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType count);
+    PartialResult WARN_UNUSED_RETURN addMemoryInit(unsigned, ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType length);
+    PartialResult WARN_UNUSED_RETURN addDataDrop(unsigned);
 
     // Atomics
@@ -901 +904 @@
         });
     }
+
+    return { };
+}
+
+auto B3IRGenerator::addMemoryInit(unsigned dataSegmentIndex, ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType length) -> PartialResult
+{
+    auto result = m_currentBlock->appendNew<CCallValue>(
+        m_proc, toB3Type(I32), origin(),
+        m_currentBlock->appendNew<ConstPtrValue>(m_proc, origin(), tagCFunction<OperationPtrTag>(operationWasmMemoryInit)),
+        instanceValue(),
+        m_currentBlock->appendNew<Const32Value>(m_proc, origin(), dataSegmentIndex),
+        dstAddress, srcAddress, length);
+
+    {
+        CheckValue* check = m_currentBlock->appendNew<CheckValue>(m_proc, Check, origin(),
+            m_currentBlock->appendNew<Value>(m_proc, Equal, origin(), result, m_currentBlock->appendNew<Const32Value>(m_proc, origin(), 0)));
+
+        check->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+            this->emitExceptionCheck(jit, ExceptionType::OutOfBoundsTableAccess);
+        });
+    }
+
+    return { };
+}
+
+auto B3IRGenerator::addMemoryCopy(ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType count) -> PartialResult
+{
+    auto result = m_currentBlock->appendNew<CCallValue>(
+        m_proc, toB3Type(I32), origin(),
+        m_currentBlock->appendNew<ConstPtrValue>(m_proc, origin(), tagCFunction<OperationPtrTag>(operationWasmMemoryCopy)),
+        instanceValue(),
+        dstAddress, srcAddress, count);
+
+    {
+        CheckValue* check = m_currentBlock->appendNew<CheckValue>(m_proc, Check, origin(),
+            m_currentBlock->appendNew<Value>(m_proc, Equal, origin(), result, m_currentBlock->appendNew<Const32Value>(m_proc, origin(), 0)));
+
+        check->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+            this->emitExceptionCheck(jit, ExceptionType::OutOfBoundsTableAccess);
+        });
+    }
+
+    return { };
+}
+
+auto B3IRGenerator::addDataDrop(unsigned dataSegmentIndex) -> PartialResult
+{
+    m_currentBlock->appendNew<CCallValue>(
+        m_proc, B3::Void, origin(),
+        m_currentBlock->appendNew<ConstPtrValue>(m_proc, origin(), tagCFunction<OperationPtrTag>(operationWasmDataDrop)),
+        instanceValue(),
+        m_currentBlock->appendNew<Const32Value>(m_proc, origin(), dataSegmentIndex));
 
     return { };

trunk/Source/JavaScriptCore/wasm/WasmFormat.cpp

@@ -35 +35 @@
 namespace JSC { namespace Wasm {
 
-Segment* Segment::create(I32InitExpr offset, uint32_t sizeInBytes)
+Segment::Ptr Segment::create(Optional<I32InitExpr> offset, uint32_t sizeInBytes, Kind kind)
 {
     Checked<uint32_t, RecordOverflow> totalBytesChecked = sizeInBytes;
@@ -41 +41 @@
     uint32_t totalBytes;
     if (totalBytesChecked.safeGet(totalBytes) == CheckedState::DidOverflow)
-        return nullptr;
+        return Ptr(nullptr, &Segment::destroy);
     auto allocated = tryFastCalloc(totalBytes, 1);
     Segment* segment;
     if (!allocated.getValue(segment))
-        return nullptr;
-    segment->offset = offset;
+        return Ptr(nullptr, &Segment::destroy);
+    ASSERT(kind == Kind::Passive || !!offset);
+    segment->kind = kind;
+    segment->offsetIfActive = WTFMove(offset);
     segment->sizeInBytes = sizeInBytes;
-    return segment;
+    return Ptr(segment, &Segment::destroy);
 }
 
@@ -54 +56 @@
 {
     fastFree(segment);
-}
-
-Segment::Ptr Segment::adoptPtr(Segment* segment)
-{
-    return Ptr(segment, &Segment::destroy);
 }
 

trunk/Source/JavaScriptCore/wasm/WasmFormat.h

@@ -212 +212 @@
 struct Segment {
     WTF_MAKE_STRUCT_FAST_ALLOCATED;
+
+    enum class Kind : uint8_t {
+        Active,
+        Passive,
+    };
+
+    Kind kind;
     uint32_t sizeInBytes;
-    I32InitExpr offset;
+    Optional<I32InitExpr> offsetIfActive;
     // Bytes are allocated at the end.
     uint8_t& byte(uint32_t pos)
@@ -220 +227 @@
         return *reinterpret_cast<uint8_t*>(reinterpret_cast<char*>(this) + sizeof(Segment) + pos);
     }
-    static Segment* create(I32InitExpr, uint32_t);
+
     static void destroy(Segment*);
     typedef std::unique_ptr<Segment, decltype(&Segment::destroy)> Ptr;
-    static Ptr adoptPtr(Segment*);
+    static Segment::Ptr create(Optional<I32InitExpr>, uint32_t, Kind);
+
+    bool isActive() const { return kind == Kind::Active; }
+    bool isPassive() const { return kind == Kind::Passive; }
 };
 

trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

@@ -138 +138 @@
     PartialResult WARN_UNUSED_RETURN parseTableIndex(unsigned&);
     PartialResult WARN_UNUSED_RETURN parseElementIndex(unsigned&);
+    PartialResult WARN_UNUSED_RETURN parseDataSegmentIndex(unsigned&);
 
     struct TableInitImmediates {
@@ -158 +159 @@
 
     PartialResult WARN_UNUSED_RETURN parseMemoryFillImmediate();
+    PartialResult WARN_UNUSED_RETURN parseMemoryCopyImmediates();
+
+    struct MemoryInitImmediates {
+        unsigned dataSegmentIndex;
+        unsigned unused;
+    };
+    PartialResult WARN_UNUSED_RETURN parseMemoryInitImmediates(MemoryInitImmediates&);
 
 #define WASM_TRY_ADD_TO_CONTEXT(add_expression) WASM_FAIL_IF_HELPER_FAILS(m_context.add_expression)
@@ -524 +532 @@
 
 template<typename Context>
+auto FunctionParser<Context>::parseDataSegmentIndex(unsigned& result) -> PartialResult
+{
+    unsigned dataSegmentIndex;
+    WASM_PARSER_FAIL_IF(!parseVarUInt32(dataSegmentIndex), "can't parse data segment index");
+    WASM_VALIDATOR_FAIL_IF(dataSegmentIndex >= m_info.dataSegmentsCount(), "data segment index ", dataSegmentIndex, " is invalid, limit is ", m_info.dataSegmentsCount());
+    result = dataSegmentIndex;
+    return { };
+}
+
+template<typename Context>
 auto FunctionParser<Context>::parseTableInitImmediates(TableInitImmediates& result) -> PartialResult
 {
@@ -576 +594 @@
     WASM_PARSER_FAIL_IF(!parseUInt8(auxiliaryByte), "can't parse auxiliary byte");
     WASM_PARSER_FAIL_IF(!!auxiliaryByte, "auxiliary byte for memory.fill should be zero, but got ", auxiliaryByte);
+    return { };
+}
+
+template<typename Context>
+auto FunctionParser<Context>::parseMemoryCopyImmediates() -> PartialResult
+{
+    uint8_t firstAuxiliaryByte;
+    WASM_PARSER_FAIL_IF(!parseUInt8(firstAuxiliaryByte), "can't parse auxiliary byte");
+    WASM_PARSER_FAIL_IF(!!firstAuxiliaryByte, "auxiliary byte for memory.copy should be zero, but got ", firstAuxiliaryByte);
+
+    uint8_t secondAuxiliaryByte;
+    WASM_PARSER_FAIL_IF(!parseUInt8(secondAuxiliaryByte), "can't parse auxiliary byte");
+    WASM_PARSER_FAIL_IF(!!secondAuxiliaryByte, "auxiliary byte for memory.copy should be zero, but got ", secondAuxiliaryByte);
+    return { };
+}
+
+template<typename Context>
+auto FunctionParser<Context>::parseMemoryInitImmediates(MemoryInitImmediates& result) -> PartialResult
+{
+    unsigned dataSegmentIndex;
+    WASM_FAIL_IF_HELPER_FAILS(parseDataSegmentIndex(dataSegmentIndex));
+
+    unsigned unused;
+    WASM_PARSER_FAIL_IF(!parseVarUInt32(unused), "can't parse unused");
+    WASM_PARSER_FAIL_IF(!!unused, "memory.init invalid unsued byte");
+
+    result.unused = unused;
+    result.dataSegmentIndex = dataSegmentIndex;
     return { };
 }
@@ -846 +892 @@
 
             WASM_TRY_ADD_TO_CONTEXT(addMemoryFill(dstAddress, targetValue, count));
+            break;
+        }
+        case ExtTableOpType::MemoryCopy: {
+            WASM_FAIL_IF_HELPER_FAILS(parseMemoryCopyImmediates());
+
+            WASM_VALIDATOR_FAIL_IF(!m_info.memoryCount(), "memory must be present");
+
+            TypedExpression dstAddress;
+            TypedExpression srcAddress;
+            TypedExpression count;
+
+            WASM_TRY_POP_EXPRESSION_STACK_INTO(count, "memory.copy");
+            WASM_TRY_POP_EXPRESSION_STACK_INTO(srcAddress, "memory.copy");
+            WASM_TRY_POP_EXPRESSION_STACK_INTO(dstAddress, "memory.copy");
+
+            WASM_VALIDATOR_FAIL_IF(I32 != dstAddress.type(), "memory.copy dstAddress to type ", dstAddress.type(), " expected ", I32);
+            WASM_VALIDATOR_FAIL_IF(I32 != srcAddress.type(), "memory.copy targetValue to type ", srcAddress.type(), " expected ", I32);
+            WASM_VALIDATOR_FAIL_IF(I32 != count.type(), "memory.copy size to type ", count.type(), " expected ", I32);
+
+            WASM_TRY_ADD_TO_CONTEXT(addMemoryCopy(dstAddress, srcAddress, count));
+            break;
+        }
+        case ExtTableOpType::MemoryInit: {
+            MemoryInitImmediates immediates;
+            WASM_FAIL_IF_HELPER_FAILS(parseMemoryInitImmediates(immediates));
+
+            TypedExpression dstAddress;
+            TypedExpression srcAddress;
+            TypedExpression length;
+            WASM_TRY_POP_EXPRESSION_STACK_INTO(length, "memory.init");
+            WASM_TRY_POP_EXPRESSION_STACK_INTO(srcAddress, "memory.init");
+            WASM_TRY_POP_EXPRESSION_STACK_INTO(dstAddress, "memory.init");
+
+            WASM_VALIDATOR_FAIL_IF(I32 != dstAddress.type(), "memory.init dst address to type ", dstAddress.type(), " expected ", I32);
+            WASM_VALIDATOR_FAIL_IF(I32 != srcAddress.type(), "memory.init src address to type ", srcAddress.type(), " expected ", I32);
+            WASM_VALIDATOR_FAIL_IF(I32 != length.type(), "memory.init length to type ", length.type(), " expected ", I32);
+
+            WASM_TRY_ADD_TO_CONTEXT(addMemoryInit(immediates.dataSegmentIndex, dstAddress, srcAddress, length));
+            break;
+        }
+        case ExtTableOpType::DataDrop: {
+            unsigned dataSegmentIndex;
+            WASM_FAIL_IF_HELPER_FAILS(parseDataSegmentIndex(dataSegmentIndex));
+
+            WASM_TRY_ADD_TO_CONTEXT(addDataDrop(dataSegmentIndex));
             break;
         }
@@ -1420 +1511 @@
             return { };
         }
+        case ExtTableOpType::MemoryCopy: {
+            WASM_FAIL_IF_HELPER_FAILS(parseMemoryCopyImmediates());
+            return { };
+        }
+        case ExtTableOpType::MemoryInit: {
+            MemoryInitImmediates immediates;
+            WASM_FAIL_IF_HELPER_FAILS(parseMemoryInitImmediates(immediates));
+            return { };
+        }
+        case ExtTableOpType::DataDrop: {
+            unsigned dataSegmentIndex;
+            WASM_FAIL_IF_HELPER_FAILS(parseDataSegmentIndex(dataSegmentIndex));
+            return { };
+        }
         default:
             WASM_PARSER_FAIL_IF(true, "invalid extended table op ", extOp);

trunk/Source/JavaScriptCore/wasm/WasmInstance.cpp

@@ -56 +56 @@
     , m_numImportFunctions(m_module->moduleInformation().importFunctionCount())
     , m_passiveElements(m_module->moduleInformation().elementCount())
+    , m_passiveDataSegments(m_module->moduleInformation().dataSegmentsCount())
 {
     for (unsigned i = 0; i < m_numImportFunctions; ++i)
@@ -76 +77 @@
             m_passiveElements.quickSet(elementIndex);
     }
+
+    for (unsigned dataSegmentIndex = 0; dataSegmentIndex < m_module->moduleInformation().dataSegmentsCount(); ++dataSegmentIndex) {
+        const auto& dataSegment = m_module->moduleInformation().data[dataSegmentIndex];
+        if (dataSegment->isPassive())
+            m_passiveDataSegments.quickSet(dataSegmentIndex);
+    }
 }
 
@@ -164 +171 @@
 {
     m_passiveElements.quickClear(elementIndex);
+}
+
+bool Instance::memoryInit(uint32_t dstAddress, uint32_t srcAddress, uint32_t length, uint32_t dataSegmentIndex)
+{
+    RELEASE_ASSERT(dataSegmentIndex < module().moduleInformation().dataSegmentsCount());
+
+    if (sumOverflows<uint32_t>(srcAddress, length))
+        return false;
+
+    const Segment::Ptr& segment = module().moduleInformation().data[dataSegmentIndex];
+    const uint32_t segmentSizeInBytes = m_passiveDataSegments.quickGet(dataSegmentIndex) ? segment->sizeInBytes : 0U;
+    if (srcAddress + length > segmentSizeInBytes)
+        return false;
+
+    const uint8_t* segmentData = !length ? nullptr : &segment->byte(srcAddress);
+
+    ASSERT(memory());
+    return memory()->init(dstAddress, segmentData, length);
+}
+
+void Instance::dataDrop(uint32_t dataSegmentIndex)
+{
+    m_passiveDataSegments.quickClear(dataSegmentIndex);
 }
 

trunk/Source/JavaScriptCore/wasm/WasmInstance.h

@@ -92 +92 @@
     void elemDrop(uint32_t elementIndex);
 
+    bool memoryInit(uint32_t dstAddress, uint32_t srcAddress, uint32_t length, uint32_t dataSegmentIndex);
+
+    void dataDrop(uint32_t dataSegmentIndex);
+
     void* cachedMemory() const { return m_cachedMemory.getMayBeNull(cachedBoundsCheckingSize()); }
     size_t cachedBoundsCheckingSize() const { return m_cachedBoundsCheckingSize; }
@@ -232 +236 @@
     HashMap<uint32_t, Ref<Global>, IntHash<uint32_t>, WTF::UnsignedWithZeroKeyHashTraits<uint32_t>> m_linkedGlobals;
     BitVector m_passiveElements;
+    BitVector m_passiveDataSegments;
 };
 

trunk/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp

@@ -213 +213 @@
     PartialResult WARN_UNUSED_RETURN addCurrentMemory(ExpressionType& result);
     PartialResult WARN_UNUSED_RETURN addMemoryFill(ExpressionType dstAddress, ExpressionType targetValue, ExpressionType count);
+    PartialResult WARN_UNUSED_RETURN addMemoryCopy(ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType count);
+    PartialResult WARN_UNUSED_RETURN addMemoryInit(unsigned, ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType length);
+    PartialResult WARN_UNUSED_RETURN addDataDrop(unsigned);
 
     // Atomics
@@ -1181 +1184 @@
 }
 
+auto LLIntGenerator::addMemoryInit(unsigned dataSegmentIndex, ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType length) -> PartialResult
+{
+    WasmMemoryInit::emit(this, dstAddress, srcAddress, length, dataSegmentIndex);
+
+    return { };
+}
+
+auto LLIntGenerator::addDataDrop(unsigned dataSegmentIndex) -> PartialResult
+{
+    WasmDataDrop::emit(this, dataSegmentIndex);
+
+    return { };
+}
+
 auto LLIntGenerator::addGrowMemory(ExpressionType delta, ExpressionType& result) -> PartialResult
 {
@@ -1192 +1209 @@
 {
     WasmMemoryFill::emit(this, dstAddress, targetValue, count);
+    return { };
+}
+
+auto LLIntGenerator::addMemoryCopy(ExpressionType dstAddress, ExpressionType srcAddress, ExpressionType count) -> PartialResult
+{
+    WasmMemoryCopy::emit(this, dstAddress, srcAddress, count);
     return { };
 }

trunk/Source/JavaScriptCore/wasm/WasmMemory.cpp

@@ -631 +631 @@
 }
 
+bool Memory::copy(uint32_t dstAddress, uint32_t srcAddress, uint32_t count)
+{
+    if (sumOverflows<uint32_t>(dstAddress, count) || sumOverflows<uint32_t>(srcAddress, count))
+        return false;
+
+    const uint32_t lastDstAddress = dstAddress + count;
+    const uint32_t lastSrcAddress = srcAddress + count;
+
+    if (lastDstAddress > size() || lastSrcAddress > size())
+        return false;
+
+    if (!count)
+        return true;
+
+    uint8_t* base = reinterpret_cast<uint8_t*>(memory());
+    memcpy(base + dstAddress, base + srcAddress, count);
+    return true;
+}
+
+bool Memory::init(uint32_t offset, const uint8_t* data, uint32_t length)
+{
+    if (sumOverflows<uint32_t>(offset, length))
+        return false;
+
+    if (offset + length > m_handle->size())
+        return false;
+
+    if (!length)
+        return true;
+
+    memcpy(reinterpret_cast<uint8_t*>(memory()) + offset, data, length);
+    return true;
+}
+
 void Memory::registerInstance(Instance* instance)
 {

trunk/Source/JavaScriptCore/wasm/WasmMemory.h

@@ -134 +134 @@
     Expected<PageCount, GrowFailReason> grow(PageCount);
     bool fill(uint32_t, uint8_t, uint32_t);
+    bool copy(uint32_t, uint32_t, uint32_t);
+    bool init(uint32_t, const uint8_t*, uint32_t);
+
     void registerInstance(Instance*);
 

trunk/Source/JavaScriptCore/wasm/WasmModuleInformation.h

@@ -68 +68 @@
     uint32_t tableCount() const { return tables.size(); }
     uint32_t elementCount() const { return elements.size(); }
+    uint32_t dataSegmentsCount() const { return numberOfDataSegments; }
 
     const TableInformation& table(unsigned index) const { return tables[index]; }
@@ -93 +94 @@
     Vector<CustomSection> customSections;
     Ref<NameSection> nameSection;
+    uint32_t numberOfDataSegments { 0 };
     
     mutable BitVector m_referencedFunctions;

trunk/Source/JavaScriptCore/wasm/WasmOperations.cpp

@@ -644 +644 @@
 }
 
+JSC_DEFINE_JIT_OPERATION(operationWasmMemoryCopy, bool, (Instance* instance, uint32_t dstAddress, uint32_t srcAddress, uint32_t count))
+{
+    return instance->memory()->copy(dstAddress, srcAddress, count);
+}
+
 JSC_DEFINE_JIT_OPERATION(operationGetWasmTableElement, EncodedJSValue, (Instance* instance, unsigned tableIndex, int32_t signedIndex))
 {
@@ -896 +901 @@
 }
 
+JSC_DEFINE_JIT_OPERATION(operationWasmMemoryInit, bool, (Instance* instance, unsigned dataSegmentIndex, uint32_t dstAddress, uint32_t srcAddress, uint32_t length))
+{
+    ASSERT(dataSegmentIndex < instance->module().moduleInformation().dataSegmentsCount());
+    return instance->memoryInit(dstAddress, srcAddress, length, dataSegmentIndex);
+}
+
+JSC_DEFINE_JIT_OPERATION(operationWasmDataDrop, void, (Instance* instance, unsigned dataSegmentIndex))
+{
+    ASSERT(dataSegmentIndex < instance->module().moduleInformation().dataSegmentsCount());
+    instance->dataDrop(dataSegmentIndex);
+}
+
 JSC_DEFINE_JIT_OPERATION(operationWasmToJSException, void*, (CallFrame* callFrame, Wasm::ExceptionType type, Instance* wasmInstance))
 {

trunk/Source/JavaScriptCore/wasm/WasmOperations.h

@@ -63 +63 @@
 JSC_DECLARE_JIT_OPERATION(operationGrowMemory, int32_t, (void*, Instance*, int32_t));
 JSC_DECLARE_JIT_OPERATION(operationWasmMemoryFill, bool, (Instance*, uint32_t dstAddress, uint32_t targetValue, uint32_t count));
+JSC_DECLARE_JIT_OPERATION(operationWasmMemoryCopy, bool, (Instance*, uint32_t dstAddress, uint32_t srcAddress, uint32_t count));
 
 JSC_DECLARE_JIT_OPERATION(operationGetWasmTableElement, EncodedJSValue, (Instance*, unsigned, int32_t));
@@ -77 +78 @@
 JSC_DECLARE_JIT_OPERATION(operationMemoryAtomicWait64, int32_t, (Instance* instance, unsigned base, unsigned offset, uint64_t value, int64_t timeout));
 JSC_DECLARE_JIT_OPERATION(operationMemoryAtomicNotify, int32_t, (Instance*, unsigned, unsigned, int32_t));
+JSC_DECLARE_JIT_OPERATION(operationWasmMemoryInit, bool, (Instance*, unsigned dataSegmentIndex, uint32_t dstAddress, uint32_t srcAddress, uint32_t length));
+JSC_DECLARE_JIT_OPERATION(operationWasmDataDrop, void, (Instance*, unsigned dataSegmentIndex));
 
 JSC_DECLARE_JIT_OPERATION(operationWasmToJSException, void*, (CallFrame*, Wasm::ExceptionType, Instance*));

trunk/Source/JavaScriptCore/wasm/WasmSectionParser.cpp

@@ -394 +394 @@
 
             Optional<I32InitExpr> initExpr;
-            WASM_FAIL_IF_HELPER_FAILS(parseI32InitExpr(initExpr));
+            WASM_FAIL_IF_HELPER_FAILS(parseI32InitExprForElementSection(initExpr));
 
             uint32_t indexCount;
@@ -428 +428 @@
 
             Optional<I32InitExpr> initExpr;
-            WASM_FAIL_IF_HELPER_FAILS(parseI32InitExpr(initExpr));
+            WASM_FAIL_IF_HELPER_FAILS(parseI32InitExprForElementSection(initExpr));
 
             uint8_t elementKind;
@@ -465 +465 @@
 
             Optional<I32InitExpr> initExpr;
-            WASM_FAIL_IF_HELPER_FAILS(parseI32InitExpr(initExpr));
+            WASM_FAIL_IF_HELPER_FAILS(parseI32InitExprForElementSection(initExpr));
 
             uint32_t indexCount;
@@ -502 +502 @@
 
             Optional<I32InitExpr> initExpr;
-            WASM_FAIL_IF_HELPER_FAILS(parseI32InitExpr(initExpr));
+            WASM_FAIL_IF_HELPER_FAILS(parseI32InitExprForElementSection(initExpr));
 
             Type refType;
@@ -638 +638 @@
 }
 
-auto SectionParser::parseI32InitExpr(Optional<I32InitExpr>& initExpr) -> PartialResult
+auto SectionParser::parseI32InitExpr(Optional<I32InitExpr>& initExpr, ASCIILiteral failMessage) -> PartialResult
 {
     uint8_t initOpcode;
@@ -644 +644 @@
     Type initExprType;
     WASM_FAIL_IF_HELPER_FAILS(parseInitExpr(initOpcode, initExprBits, initExprType));
-    WASM_PARSER_FAIL_IF(initExprType != I32, "Element init_expr must produce an i32");
+    WASM_PARSER_FAIL_IF(initExprType != I32, failMessage);
     initExpr = makeI32InitExpr(initOpcode, initExprBits);
 
     return { };
+}
+
+auto SectionParser::parseI32InitExprForElementSection(Optional<I32InitExpr>& initExpr) -> PartialResult
+{
+    return parseI32InitExpr(initExpr, "Element init_expr must produce an i32"_s);
 }
 
@@ -710 +715 @@
 }
 
+auto SectionParser::parseI32InitExprForDataSection(Optional<I32InitExpr>& initExpr) -> PartialResult
+{
+    return parseI32InitExpr(initExpr, "Data init_expr must produce an i32"_s);
+}
+
 auto SectionParser::parseGlobalType(GlobalInformation& global) -> PartialResult
 {
@@ -728 +738 @@
 
     for (uint32_t segmentNumber = 0; segmentNumber < segmentCount; ++segmentNumber) {
-        uint32_t memoryIndex;
-        uint64_t initExprBits;
-        uint8_t initOpcode;
-        uint32_t dataByteLength;
-
-        WASM_PARSER_FAIL_IF(!parseVarUInt32(memoryIndex), "can't get ", segmentNumber, "th Data segment's index");
-        WASM_PARSER_FAIL_IF(memoryIndex >= m_info->memoryCount(), segmentNumber, "th Data segment has index ", memoryIndex, " which exceeds the number of Memories ", m_info->memoryCount());
-        Type initExprType;
-        WASM_FAIL_IF_HELPER_FAILS(parseInitExpr(initOpcode, initExprBits, initExprType));
-        WASM_PARSER_FAIL_IF(initExprType != I32, segmentNumber, "th Data segment's init_expr must produce an i32");
-        WASM_PARSER_FAIL_IF(!parseVarUInt32(dataByteLength), "can't get ", segmentNumber, "th Data segment's data byte length");
-        WASM_PARSER_FAIL_IF(dataByteLength > maxModuleSize, segmentNumber, "th Data segment's data byte length is too big ", dataByteLength, " maximum ", maxModuleSize);
-
-        Segment* segment = Segment::create(makeI32InitExpr(initOpcode, initExprBits), dataByteLength);
-        WASM_PARSER_FAIL_IF(!segment, "can't allocate enough memory for ", segmentNumber, "th Data segment of size ", dataByteLength);
-        m_info->data.uncheckedAppend(Segment::adoptPtr(segment));
-        for (uint32_t dataByte = 0; dataByte < dataByteLength; ++dataByte) {
-            uint8_t byte;
-            WASM_PARSER_FAIL_IF(!parseUInt8(byte), "can't get ", dataByte, "th data byte from ", segmentNumber, "th Data segment");
-            segment->byte(dataByte) = byte;
-        }
-    }
+        uint32_t memoryIndex = UINT32_MAX;
+        uint8_t dataFlag = UINT8_MAX;
+
+        if (Options::useWebAssemblyReferences()) {
+            WASM_PARSER_FAIL_IF(!parseUInt8(dataFlag), "can't get ", segmentNumber, "th Data segment's flag");
+            memoryIndex = 0U;
+        } else
+            WASM_PARSER_FAIL_IF(!parseVarUInt32(memoryIndex), "can't get ", segmentNumber, "th Data segment's index");
+
+        if (!Options::useWebAssemblyReferences() || !dataFlag) {
+            WASM_PARSER_FAIL_IF(memoryIndex >= m_info->memoryCount(), segmentNumber, "th Data segment has index ", memoryIndex, " which exceeds the number of Memories ", m_info->memoryCount());
+
+            Optional<I32InitExpr> initExpr;
+            WASM_FAIL_IF_HELPER_FAILS(parseI32InitExprForDataSection(initExpr));
+
+            uint32_t dataByteLength;
+            WASM_PARSER_FAIL_IF(!parseVarUInt32(dataByteLength), "can't get ", segmentNumber, "th Data segment's data byte length");
+            WASM_PARSER_FAIL_IF(dataByteLength > maxModuleSize, segmentNumber, "th Data segment's data byte length is too big ", dataByteLength, " maximum ", maxModuleSize);
+
+            auto segment = Segment::create(*initExpr, dataByteLength, Segment::Kind::Active);
+            WASM_PARSER_FAIL_IF(!segment, "can't allocate enough memory for ", segmentNumber, "th Data segment of size ", dataByteLength);
+            for (uint32_t dataByte = 0; dataByte < dataByteLength; ++dataByte) {
+                uint8_t byte;
+                WASM_PARSER_FAIL_IF(!parseUInt8(byte), "can't get ", dataByte, "th data byte from ", segmentNumber, "th Data segment");
+                segment->byte(dataByte) = byte;
+            }
+            m_info->data.uncheckedAppend(WTFMove(segment));
+            continue;
+        }
+
+        ASSERT(Options::useWebAssemblyReferences());
+
+        if (dataFlag == 0x01) {
+            uint32_t dataByteLength;
+            WASM_PARSER_FAIL_IF(!parseVarUInt32(dataByteLength), "can't get ", segmentNumber, "th Data segment's data byte length");
+            WASM_PARSER_FAIL_IF(dataByteLength > maxModuleSize, segmentNumber, "th Data segment's data byte length is too big ", dataByteLength, " maximum ", maxModuleSize);
+
+            auto segment = Segment::create(WTF::nullopt, dataByteLength, Segment::Kind::Passive);
+            WASM_PARSER_FAIL_IF(!segment, "can't allocate enough memory for ", segmentNumber, "th Data segment of size ", dataByteLength);
+            for (uint32_t dataByte = 0; dataByte < dataByteLength; ++dataByte) {
+                uint8_t byte;
+                WASM_PARSER_FAIL_IF(!parseUInt8(byte), "can't get ", dataByte, "th data byte from ", segmentNumber, "th Data segment");
+                segment->byte(dataByte) = byte;
+            }
+            m_info->data.uncheckedAppend(WTFMove(segment));
+            continue;
+
+        }
+
+        if (dataFlag == 0x02) {
+            uint32_t memoryIndex;
+            WASM_PARSER_FAIL_IF(!parseVarUInt32(memoryIndex), "can't get ", segmentNumber, "th Data segment's index");
+            WASM_PARSER_FAIL_IF(memoryIndex >= m_info->memoryCount(), segmentNumber, "th Data segment has index ", memoryIndex, " which exceeds the number of Memories ", m_info->memoryCount());
+
+            Optional<I32InitExpr> initExpr;
+            WASM_FAIL_IF_HELPER_FAILS(parseI32InitExprForDataSection(initExpr));
+
+            uint32_t dataByteLength;
+            WASM_PARSER_FAIL_IF(!parseVarUInt32(dataByteLength), "can't get ", segmentNumber, "th Data segment's data byte length");
+            WASM_PARSER_FAIL_IF(dataByteLength > maxModuleSize, segmentNumber, "th Data segment's data byte length is too big ", dataByteLength, " maximum ", maxModuleSize);
+
+            auto segment = Segment::create(*initExpr, dataByteLength, Segment::Kind::Active);
+            WASM_PARSER_FAIL_IF(!segment, "can't allocate enough memory for ", segmentNumber, "th Data segment of size ", dataByteLength);
+            for (uint32_t dataByte = 0; dataByte < dataByteLength; ++dataByte) {
+                uint8_t byte;
+                WASM_PARSER_FAIL_IF(!parseUInt8(byte), "can't get ", dataByte, "th data byte from ", segmentNumber, "th Data segment");
+                segment->byte(dataByte) = byte;
+            }
+            m_info->data.uncheckedAppend(WTFMove(segment));
+            continue;
+        }
+
+        WASM_PARSER_FAIL_IF(true, "unknown ", segmentNumber, "th Data segment's flag");
+    }
+
+    return { };
+}
+
+auto SectionParser::parseDataCount() -> PartialResult
+{
+    WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
+    uint32_t numberOfDataSegments;
+    WASM_PARSER_FAIL_IF(!parseVarUInt32(numberOfDataSegments), "can't get Data Count section's count");
+
+    m_info->numberOfDataSegments = numberOfDataSegments;
     return { };
 }

trunk/Source/JavaScriptCore/wasm/WasmSectionParser.h

@@ -32 +32 @@
 #include "WasmOps.h"
 #include "WasmParser.h"
+#include <wtf/text/ASCIILiteral.h>
 
 namespace JSC { namespace Wasm {
@@ -67 +68 @@
     PartialResult WARN_UNUSED_RETURN parseResizableLimits(uint32_t& initial, Optional<uint32_t>& maximum, bool& isShared, LimitsType);
     PartialResult WARN_UNUSED_RETURN parseInitExpr(uint8_t&, uint64_t&, Type& initExprType);
+    PartialResult WARN_UNUSED_RETURN parseI32InitExpr(Optional<I32InitExpr>&, ASCIILiteral failMessage);
 
     PartialResult WARN_UNUSED_RETURN validateElementTableIdx(uint32_t);
-    PartialResult WARN_UNUSED_RETURN parseI32InitExpr(Optional<I32InitExpr>&);
+    PartialResult WARN_UNUSED_RETURN parseI32InitExprForElementSection(Optional<I32InitExpr>&);
     PartialResult WARN_UNUSED_RETURN parseElementKind(uint8_t& elementKind);
     PartialResult WARN_UNUSED_RETURN parseIndexCountForElementSection(uint32_t&, const unsigned);
     PartialResult WARN_UNUSED_RETURN parseElementSegmentVectorOfExpressions(Vector<uint32_t>&, const unsigned, const unsigned);
     PartialResult WARN_UNUSED_RETURN parseElementSegmentVectorOfIndexes(Vector<uint32_t>&, const unsigned, const unsigned);
+
+    PartialResult WARN_UNUSED_RETURN parseI32InitExprForDataSection(Optional<I32InitExpr>&);
 
     size_t m_offsetInSource;

trunk/Source/JavaScriptCore/wasm/WasmSections.h

@@ -35 +35 @@
 
 #define FOR_EACH_KNOWN_WASM_SECTION(macro) \
-    macro(Type,     1, "Function signature declarations") \
-    macro(Import,   2, "Import declarations") \
-    macro(Function, 3, "Function declarations") \
-    macro(Table,    4, "Indirect function table and other tables") \
-    macro(Memory,   5, "Memory attributes") \
-    macro(Global,   6, "Global declarations") \
-    macro(Export,   7, "Exports") \
-    macro(Start,    8, "Start function declaration") \
-    macro(Element,  9, "Elements section") \
-    macro(Code,    10, "Function bodies (code)") \
-    macro(Data,    11, "Data segments")
+    macro(Type,       1, "Function signature declarations") \
+    macro(Import,     2, "Import declarations") \
+    macro(Function,   3, "Function declarations") \
+    macro(Table,      4, "Indirect function table and other tables") \
+    macro(Memory,     5, "Memory attributes") \
+    macro(Global,     6, "Global declarations") \
+    macro(Export,     7, "Exports") \
+    macro(Start,      8, "Start function declaration") \
+    macro(Element,    9, "Elements section") \
+    macro(Code,      10, "Function bodies (code)") \
+    macro(Data,      11, "Data segments") \
+    macro(DataCount, 12, "Data count")
 
 enum class Section : uint8_t {
@@ -88 +89 @@
 {
     ASSERT(isKnownSection(previousKnown) || previousKnown == Section::Begin);
+    if (previousKnown == Section::DataCount && next == Section::Code)
+        return true;
     return static_cast<uint8_t>(previousKnown) < static_cast<uint8_t>(next);
 }

trunk/Source/JavaScriptCore/wasm/WasmSlowPaths.cpp

@@ -391 +391 @@
 }
 
+WASM_SLOW_PATH_DECL(memory_copy)
+{
+    auto instruction = pc->as<WasmMemoryCopy, WasmOpcodeTraits>();
+    uint32_t dstAddress = READ(instruction.m_dstAddress).unboxedUInt32();
+    uint32_t srcAddress = READ(instruction.m_srcAddress).unboxedUInt32();
+    uint32_t count = READ(instruction.m_count).unboxedUInt32();
+    if (!Wasm::operationWasmMemoryCopy(instance, dstAddress, srcAddress, count))
+        WASM_THROW(Wasm::ExceptionType::OutOfBoundsMemoryAccess);
+    WASM_END();
+}
+
+WASM_SLOW_PATH_DECL(memory_init)
+{
+    auto instruction = pc->as<WasmMemoryInit, WasmOpcodeTraits>();
+    uint32_t dstAddress = READ(instruction.m_dstAddress).unboxedUInt32();
+    uint32_t srcAddress = READ(instruction.m_srcAddress).unboxedUInt32();
+    uint32_t length = READ(instruction.m_length).unboxedUInt32();
+    if (!Wasm::operationWasmMemoryInit(instance, instruction.m_dataSegmentIndex, dstAddress, srcAddress, length))
+        WASM_THROW(Wasm::ExceptionType::OutOfBoundsMemoryAccess);
+    WASM_END();
+}
+
+WASM_SLOW_PATH_DECL(data_drop)
+{
+    UNUSED_PARAM(callFrame);
+
+    auto instruction = pc->as<WasmDataDrop, WasmOpcodeTraits>();
+    Wasm::operationWasmDataDrop(instance, instruction.m_dataSegmentIndex);
+    WASM_END();
+}
+
 inline SlowPathReturnType doWasmCall(Wasm::Instance* instance, unsigned functionIndex)
 {

trunk/Source/JavaScriptCore/wasm/WasmSlowPaths.h

@@ -68 +68 @@
 WASM_SLOW_PATH_HIDDEN_DECL(grow_memory);
 WASM_SLOW_PATH_HIDDEN_DECL(memory_fill);
+WASM_SLOW_PATH_HIDDEN_DECL(memory_copy);
+WASM_SLOW_PATH_HIDDEN_DECL(memory_init);
+WASM_SLOW_PATH_HIDDEN_DECL(data_drop);
 WASM_SLOW_PATH_HIDDEN_DECL(call);
 WASM_SLOW_PATH_HIDDEN_DECL(call_no_tls);

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp

@@ -568 +568 @@
     };
 
-    auto forEachSegment = [&] (auto fn) {
+    auto forEachActiveDataSegment = [&] (auto fn) {
         auto wasmMemory = m_instance->instance().memory();
         uint8_t* memory = reinterpret_cast<uint8_t*>(wasmMemory->memory());
@@ -574 +574 @@
 
         for (const Wasm::Segment::Ptr& segment : data) {
-            uint32_t offset = segment->offset.isGlobalImport()
-                ? static_cast<uint32_t>(m_instance->instance().loadI32Global(segment->offset.globalImportIndex()))
-                : segment->offset.constValue();
+            if (!segment->isActive())
+                continue;
+            uint32_t offset = segment->offsetIfActive->isGlobalImport()
+                ? static_cast<uint32_t>(m_instance->instance().loadI32Global(segment->offsetIfActive->globalImportIndex()))
+                : segment->offsetIfActive->constValue();
 
             fn(memory, sizeInBytes, segment, offset);
@@ -596 +598 @@
 
     // Validation of all segment ranges comes before all Table and Memory initialization.
-    forEachSegment([&] (uint8_t*, uint64_t sizeInBytes, const Wasm::Segment::Ptr& segment, uint32_t offset) {
+    forEachActiveDataSegment([&] (uint8_t*, uint64_t sizeInBytes, const Wasm::Segment::Ptr& segment, uint32_t offset) {
         if (UNLIKELY(sizeInBytes < segment->sizeInBytes))
             exception = dataSegmentFail(globalObject, vm, scope, sizeInBytes, segment->sizeInBytes, offset, ", segment is too big"_s);
@@ -653 +655 @@
     ASSERT(!exception);
 
-    forEachSegment([&] (uint8_t* memory, uint64_t, const Wasm::Segment::Ptr& segment, uint32_t offset) {
+    forEachActiveDataSegment([&] (uint8_t* memory, uint64_t, const Wasm::Segment::Ptr& segment, uint32_t offset) {
         // Empty segments are valid, but only if memory isn't present, which would be undefined behavior in memcpy.
         if (segment->sizeInBytes) {

trunk/Source/JavaScriptCore/wasm/wasm.json

@@ -80 +80 @@
         "table.copy":          { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "dst_index",      "type": "varuint32"}, {"name": "src_index",  "type": "varuint32"}],"description": "copy table elements from dst_table[dstOffset, dstOffset + length] to src_table[srcOffset, srcOffset + length]", "extendedOp": 14 },
         "memory.fill":         { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "unused",         "type": "uint8"}],                                                 "description": "sets all values in a region to a given byte", "extendedOp": 11 },
+        "memory.copy":         { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "unused",         "type": "uint8"}, {"name": "unused",         "type": "uint8"}],    "description": "copies data from a source memory region to destination region", "extendedOp": 10 },
+        "memory.init":         { "category": "exttable",   "value":  252, "return": [],                              "parameter": ["i32", "i32", "i32"],          "immediate": [{"name": "segment_index",  "type": "varuint32"}, {"name": "unsued",  "type": "varuint32"}],   "description": "copies data from a passive data segment into a memory", "extendedOp": 8 },
+        "data.drop":           { "category": "exttable",   "value":  252, "return": [],                              "parameter": [],                             "immediate": [{"name": "segment_index",  "type": "varuint32"}],                                             "description": "shrinks the size of the segment to zero", "extendedOp": 9 },
         "call":                { "category": "call",       "value":  16, "return": ["call"],                         "parameter": ["call"],                       "immediate": [{"name": "function_index", "type": "varuint32"}],                                             "description": "call a function by its index" },
         "call_indirect":       { "category": "call",       "value":  17, "return": ["call"],                         "parameter": ["call"],                       "immediate": [{"name": "type_index",     "type": "varuint32"}, {"name": "table_index","type": "varuint32"}],"description": "call a function indirect with an expected signature" },