Changeset 279265 in webkit

Timestamp:

Jun 24, 2021 7:23:28 PM (13 months ago)

Author:

commit-queue@webkit.org

Message:

[WASM-Function-References] Add support for (ref null? $t) type constructor
​https://bugs.webkit.org/show_bug.cgi?id=226296

JSTests:

Adds additional tests for uses of (ref $t) and (ref null $t)
types, including with non-null extern/funcrefs.

Patch by Asumu Takikawa <​asumu@igalia.com> on 2021-06-24
Reviewed by Yusuke Suzuki.

• wasm/function-references/ref_types.js: Added.

(module):
(async testRefTypeLocal):
(async testNonNullRefTypeLocal):
(async testRefTypeInSignature):
(async testRefTypeParamCheck):
(async testRefGlobalCheck):
(async testExternFuncrefNonNullCheck):
(async testExternrefCompatibility):
(async testNonNullExternrefIncompatible):
(async testFuncrefCompatibility):
(async testNonNullFuncrefIncompatible):

• wasm/wasm.json:

Source/JavaScriptCore:

Patch by Asumu Takikawa <​asumu@igalia.com> on 2021-06-24
Reviewed by Yusuke Suzuki.

Adds the ref type constructor from the typed function references proposal:

​https://github.com/WebAssembly/function-references/blob/master/proposals/function-references/Overview.md

It's also required for the type imports and GC proposals as well. Ref types represent
references to any heap type (including existing funcref and externref) with a specified
nullability.

This requires a new isNullable flag in the type representation. This flag also enables
non-null externref and funcrefs, and hence this commit also adds the necessary checks
at Wasm/JS boundaries.

Non-null reference types also generally cannot be used as function locals.

• wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::gTypeIdx):
(JSC::Wasm::AirIRGenerator::tmpForType):
(JSC::Wasm::AirIRGenerator::emitCCall):
(JSC::Wasm::AirIRGenerator::moveOpForValueType):
(JSC::Wasm::AirIRGenerator::AirIRGenerator):
(JSC::Wasm::AirIRGenerator::addLocal):
(JSC::Wasm::AirIRGenerator::addConstant):
(JSC::Wasm::AirIRGenerator::addRefFunc):

• wasm/WasmCallingConvention.h:

(JSC::Wasm::WasmCallingConvention::marshallLocation const):
(JSC::Wasm::JSCallingConvention::marshallLocation const):

• wasm/WasmFormat.h:

(JSC::Wasm::isSubtype):
(JSC::Wasm::isValidHeapTypeKind):
(JSC::Wasm::isDefaultableType):

• wasm/WasmFunctionParser.h:

(JSC::Wasm::FunctionParser<Context>::parse):
(JSC::Wasm::FunctionParser<Context>::parseAnnotatedSelectImmediates):
(JSC::Wasm::FunctionParser<Context>::checkBranchTarget):
(JSC::Wasm::FunctionParser<Context>::parseExpression):

• wasm/WasmGlobal.cpp:

(JSC::Wasm::Global::get const):
(JSC::Wasm::Global::set):

• wasm/WasmLLIntGenerator.cpp:

(JSC::Wasm::LLIntGenerator::callInformationForCaller):
(JSC::Wasm::LLIntGenerator::callInformationForCallee):
(JSC::Wasm::LLIntGenerator::addArguments):

• wasm/WasmParser.h:

(JSC::Wasm::Parser<SuccessType>::parseBlockSignature):
(JSC::Wasm::Parser<SuccessType>::parseValueType):
(JSC::Wasm::Parser<SuccessType>::parseRefType):

• wasm/WasmSectionParser.cpp:

(JSC::Wasm::SectionParser::parseType):
(JSC::Wasm::SectionParser::parseElement):
(JSC::Wasm::SectionParser::parseInitExpr):
(JSC::Wasm::SectionParser::parseElementSegmentVectorOfExpressions):
(JSC::Wasm::SectionParser::parseGlobalType):

• wasm/WasmSignature.cpp:

(JSC::Wasm::computeHash):

• wasm/generateWasmOpsHeader.py:
• wasm/js/WasmToJS.cpp:

(JSC::Wasm::wasmToJS):

• wasm/js/WebAssemblyFunction.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):

• wasm/js/WebAssemblyFunctionBase.h:

(JSC::WebAssemblyFunctionBase::offsetOfSignatureIndex):

• wasm/js/WebAssemblyModuleRecord.cpp:

(JSC::WebAssemblyModuleRecord::linkImpl):

• wasm/wasm.json:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm/function-references/ref_types.js (added)
• JSTests/wasm/wasm.json (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp (modified) (8 diffs)
• Source/JavaScriptCore/wasm/WasmCallingConvention.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmFormat.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmFunctionParser.h (modified) (5 diffs)
• Source/JavaScriptCore/wasm/WasmGlobal.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp (modified) (5 diffs)
• Source/JavaScriptCore/wasm/WasmParser.h (modified) (4 diffs)
• Source/JavaScriptCore/wasm/WasmSectionParser.cpp (modified) (9 diffs)
• Source/JavaScriptCore/wasm/WasmSignature.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/generateWasmOpsHeader.py (modified) (3 diffs)
• Source/JavaScriptCore/wasm/js/WasmToJS.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp (modified) (5 diffs)
• Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/wasm.json (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2021-06-24  Asumu Takikawa  <asumu@igalia.com>
+
+        [WASM-Function-References] Add support for (ref null? $t) type constructor
+        https://bugs.webkit.org/show_bug.cgi?id=226296
+
+        Adds additional tests for uses of `(ref $t)` and `(ref null $t)`
+        types, including with non-null extern/funcrefs.
+
+        Reviewed by Yusuke Suzuki.
+
+        * wasm/function-references/ref_types.js: Added.
+        (module):
+        (async testRefTypeLocal):
+        (async testNonNullRefTypeLocal):
+        (async testRefTypeInSignature):
+        (async testRefTypeParamCheck):
+        (async testRefGlobalCheck):
+        (async testExternFuncrefNonNullCheck):
+        (async testExternrefCompatibility):
+        (async testNonNullExternrefIncompatible):
+        (async testFuncrefCompatibility):
+        (async testNonNullFuncrefIncompatible):
+        * wasm/wasm.json:
+
 2021-06-24  Guillaume Emont  <guijemont@igalia.com>
 

trunk/JSTests/wasm/wasm.json

@@ -14 +14 @@
         "funcref":   { "type": "varint7", "value":  -16, "b3type": "B3::Int64" },
         "externref": { "type": "varint7", "value":  -17, "b3type": "B3::Int64" },
+        "ref_null":  { "type": "varint7", "value":  -20, "b3type": "B3::Int64" },
+        "ref":       { "type": "varint7", "value":  -21, "b3type": "B3::Int64" },
         "func":      { "type": "varint7", "value":  -32, "b3type": "B3::Void" },
         "void":      { "type": "varint7", "value":  -64, "b3type": "B3::Void" },

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-06-24  Asumu Takikawa  <asumu@igalia.com>
+
+        [WASM-Function-References] Add support for (ref null? $t) type constructor
+        https://bugs.webkit.org/show_bug.cgi?id=226296
+
+        Reviewed by Yusuke Suzuki.
+
+        Adds the `ref` type constructor from the typed function references proposal:
+
+          https://github.com/WebAssembly/function-references/blob/master/proposals/function-references/Overview.md
+
+        It's also required for the type imports and GC proposals as well. Ref types represent
+        references to any heap type (including existing funcref and externref) with a specified
+        nullability.
+
+        This requires a new isNullable flag in the type representation. This flag also enables
+        non-null externref and funcrefs, and hence this commit also adds the necessary checks
+        at Wasm/JS boundaries.
+
+        Non-null reference types also generally cannot be used as function locals.
+
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::gTypeIdx):
+        (JSC::Wasm::AirIRGenerator::tmpForType):
+        (JSC::Wasm::AirIRGenerator::emitCCall):
+        (JSC::Wasm::AirIRGenerator::moveOpForValueType):
+        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
+        (JSC::Wasm::AirIRGenerator::addLocal):
+        (JSC::Wasm::AirIRGenerator::addConstant):
+        (JSC::Wasm::AirIRGenerator::addRefFunc):
+        * wasm/WasmCallingConvention.h:
+        (JSC::Wasm::WasmCallingConvention::marshallLocation const):
+        (JSC::Wasm::JSCallingConvention::marshallLocation const):
+        * wasm/WasmFormat.h:
+        (JSC::Wasm::isSubtype):
+        (JSC::Wasm::isValidHeapTypeKind):
+        (JSC::Wasm::isDefaultableType):
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parse):
+        (JSC::Wasm::FunctionParser<Context>::parseAnnotatedSelectImmediates):
+        (JSC::Wasm::FunctionParser<Context>::checkBranchTarget):
+        (JSC::Wasm::FunctionParser<Context>::parseExpression):
+        * wasm/WasmGlobal.cpp:
+        (JSC::Wasm::Global::get const):
+        (JSC::Wasm::Global::set):
+        * wasm/WasmLLIntGenerator.cpp:
+        (JSC::Wasm::LLIntGenerator::callInformationForCaller):
+        (JSC::Wasm::LLIntGenerator::callInformationForCallee):
+        (JSC::Wasm::LLIntGenerator::addArguments):
+        * wasm/WasmParser.h:
+        (JSC::Wasm::Parser<SuccessType>::parseBlockSignature):
+        (JSC::Wasm::Parser<SuccessType>::parseValueType):
+        (JSC::Wasm::Parser<SuccessType>::parseRefType):
+        * wasm/WasmSectionParser.cpp:
+        (JSC::Wasm::SectionParser::parseType):
+        (JSC::Wasm::SectionParser::parseElement):
+        (JSC::Wasm::SectionParser::parseInitExpr):
+        (JSC::Wasm::SectionParser::parseElementSegmentVectorOfExpressions):
+        (JSC::Wasm::SectionParser::parseGlobalType):
+        * wasm/WasmSignature.cpp:
+        (JSC::Wasm::computeHash):
+        * wasm/generateWasmOpsHeader.py:
+        * wasm/js/WasmToJS.cpp:
+        (JSC::Wasm::wasmToJS):
+        * wasm/js/WebAssemblyFunction.cpp:
+        (JSC::JSC_DEFINE_HOST_FUNCTION):
+        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+        * wasm/js/WebAssemblyFunctionBase.h:
+        (JSC::WebAssemblyFunctionBase::offsetOfSignatureIndex):
+        * wasm/js/WebAssemblyModuleRecord.cpp:
+        (JSC::WebAssemblyModuleRecord::linkImpl):
+        * wasm/wasm.json:
+
 2021-06-24  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -414 +414 @@
     TypedTmp gExternref() { return { newTmp(B3::GP), Types::Externref }; }
     TypedTmp gFuncref() { return { newTmp(B3::GP), Types::Funcref }; }
+    TypedTmp gTypeIdx(Type type) { return { newTmp(B3::GP), type }; }
     TypedTmp f32() { return { newTmp(B3::FP), Types::F32 }; }
     TypedTmp f64() { return { newTmp(B3::FP), Types::F64 }; }
@@ -426 +427 @@
         case TypeKind::Funcref:
             return gFuncref();
+        case TypeKind::TypeIdx:
+            return gTypeIdx(type);
         case TypeKind::Externref:
             return gExternref();
@@ -602 +605 @@
             case TypeKind::Externref:
             case TypeKind::Funcref:
+            case TypeKind::TypeIdx:
                 resultType = B3::Int64;
                 break;
@@ -651 +655 @@
         case TypeKind::Externref:
         case TypeKind::Funcref:
+        case TypeKind::TypeIdx:
             return Move;
         case TypeKind::F32:
@@ -908 +913 @@
         case TypeKind::Externref:
         case TypeKind::Funcref:
+        case TypeKind::TypeIdx:
             append(Move, arg, m_locals[i]);
             break;
@@ -1010 +1016 @@
         case TypeKind::Externref:
         case TypeKind::Funcref:
+        case TypeKind::TypeIdx:
             append(Move, Arg::imm(JSValue::encode(jsNull())), local);
             break;
@@ -1045 +1052 @@
     case TypeKind::Externref:
     case TypeKind::Funcref:
+    case TypeKind::TypeIdx:
         append(block, Move, Arg::bigImm(value), result);
         break;
@@ -1089 +1097 @@
 {
     // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
-    result = tmpForType(Types::Funcref);
+    if (Options::useWebAssemblyTypedFunctionReferences()) {
+        SignatureIndex signatureIndex = m_info.signatureIndexFromFunctionIndexSpace(index);
+        result = tmpForType(Type { TypeKind::TypeIdx, Nullable::No, signatureIndex });
+    } else
+        result = tmpForType(Types::Funcref);
     emitCCall(&operationWasmRefFunc, result, instanceValue(), addConstant(Types::I32, index));
 

trunk/Source/JavaScriptCore/wasm/WasmCallingConvention.h

@@ -108 +108 @@
         case TypeKind::Funcref:
         case TypeKind::Externref:
+        case TypeKind::TypeIdx:
             return marshallLocationImpl(role, gprArgs, gpArgumentCount, stackOffset);
         case TypeKind::F32:
@@ -196 +197 @@
         case TypeKind::Funcref:
         case TypeKind::Externref:
+        case TypeKind::TypeIdx:
             return marshallLocationImpl(role, gprArgs, gpArgumentCount, stackOffset);
         case TypeKind::F32:

trunk/Source/JavaScriptCore/wasm/WasmFormat.h

@@ -80 +80 @@
 inline bool isSubtype(Type sub, Type parent)
 {
+    if (sub.isNullable() && !parent.isNullable())
+        return false;
+
     if (sub.isTypeIdx() && parent.isFuncref())
         return true;
@@ -89 +92 @@
 {
     return type.isFuncref() || type.isExternref() || type.isTypeIdx();
+}
+
+inline bool isValidHeapTypeKind(TypeKind kind)
+{
+    switch (kind) {
+    case TypeKind::Funcref:
+    case TypeKind::Externref:
+        return true;
+    default:
+        break;
+    }
+    return false;
+}
+
+inline bool isDefaultableType(Type type)
+{
+    return !isRefType(type) || type.isNullable();
 }
 

trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

@@ -244 +244 @@
         totalNumberOfLocals += numberOfLocals;
         WASM_PARSER_FAIL_IF(totalNumberOfLocals > maxFunctionLocals, "Function's number of locals is too big ", totalNumberOfLocals, " maximum ", maxFunctionLocals);
-        WASM_PARSER_FAIL_IF(!parseValueType(typeOfLocal), "can't get Function local's type in group ", i);
+        WASM_PARSER_FAIL_IF(!parseValueType(m_info, typeOfLocal), "can't get Function local's type in group ", i);
+        WASM_PARSER_FAIL_IF(!isDefaultableType(typeOfLocal), "Function locals must have a defaultable type");
 
         WASM_PARSER_FAIL_IF(!m_locals.tryReserveCapacity(totalNumberOfLocals), "can't allocate enough memory for function's ", totalNumberOfLocals, " locals");
@@ -645 +646 @@
 
     Type targetType;
-    WASM_PARSER_FAIL_IF(!parseValueType(targetType), "select can't parse annotations");
+    WASM_PARSER_FAIL_IF(!parseValueType(m_info, targetType), "select can't parse annotations");
 
     result.sizeOfAnnotationVector = sizeOfAnnotationVector;
@@ -700 +701 @@
     unsigned offset = m_expressionStack.size() - target.branchTargetArity();
     for (unsigned i = 0; i < target.branchTargetArity(); ++i)
-        WASM_VALIDATOR_FAIL_IF(!isSubtype(target.branchTargetType(i), m_expressionStack[offset + i].type()), "branch's stack type is not a block's type branch target type. Stack value has type", m_expressionStack[offset + i].type().kind, " but branch target expects a value of ", target.branchTargetType(i).kind, " at index ", i);
+        WASM_VALIDATOR_FAIL_IF(!isSubtype(m_expressionStack[offset + i].type(), target.branchTargetType(i)), "branch's stack type is not a block's type branch target type. Stack value has type ", m_expressionStack[offset + i].type().kind, " but branch target expects a value of ", target.branchTargetType(i).kind, " at index ", i);
 
     return { };
@@ -1080 +1081 @@
         WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
         Type typeOfNull;
-        WASM_PARSER_FAIL_IF(!parseRefType(typeOfNull), "ref.null type must be a reference type");
+        WASM_PARSER_FAIL_IF(!parseRefType(m_info, typeOfNull), "ref.null type must be a reference type");
         m_expressionStack.constructAndAppend(typeOfNull, m_context.addConstant(typeOfNull, JSValue::encode(jsNull())));
         return { };
@@ -1110 +1111 @@
         if (Options::useWebAssemblyTypedFunctionReferences()) {
             SignatureIndex signatureIndex = m_info.signatureIndexFromFunctionIndexSpace(index);
-            m_expressionStack.constructAndAppend(Type {TypeKind::TypeIdx, signatureIndex}, result);
+            m_expressionStack.constructAndAppend(Type {TypeKind::TypeIdx, Nullable::No, signatureIndex}, result);
             return { };
         }

trunk/Source/JavaScriptCore/wasm/WasmGlobal.cpp

@@ -49 +49 @@
     case TypeKind::Externref:
     case TypeKind::Funcref:
+    case TypeKind::TypeIdx:
         return m_value.m_externref.get();
     default:
@@ -87 +88 @@
     case TypeKind::Externref: {
         RELEASE_ASSERT(m_owner);
+        if (!m_type.isNullable() && argument.isNull()) {
+            throwException(globalObject, throwScope, createJSWebAssemblyRuntimeError(globalObject, vm, "Non-null Externref cannot be null"));
+            return;
+        }
         m_value.m_externref.set(m_owner->vm(), m_owner, argument);
         break;
     }
+    case TypeKind::TypeIdx:
     case TypeKind::Funcref: {
         RELEASE_ASSERT(m_owner);
-        if (!isWebAssemblyHostFunction(vm, argument) && !argument.isNull()) {
+        bool isNullable = m_type.isNullable();
+        WebAssemblyFunction* wasmFunction = nullptr;
+        WebAssemblyWrapperFunction* wasmWrapperFunction = nullptr;
+        if (!isWebAssemblyHostFunction(vm, argument, wasmFunction, wasmWrapperFunction) && (!isNullable || !argument.isNull())) {
             throwException(globalObject, throwScope, createJSWebAssemblyRuntimeError(globalObject, vm, "Funcref must be an exported wasm function"));
             return;
+        }
+        if (m_type.kind == TypeKind::TypeIdx && (wasmFunction || wasmWrapperFunction)) {
+            Wasm::SignatureIndex paramIndex = m_type.index;
+            Wasm::SignatureIndex argIndex;
+            if (wasmFunction)
+                argIndex = wasmFunction->signatureIndex();
+            else
+                argIndex = wasmWrapperFunction->signatureIndex();
+            if (paramIndex != argIndex) {
+                throwException(globalObject, throwScope, createJSWebAssemblyRuntimeError(globalObject, vm, "Argument function did not match the reference type"));
+                return;
+            }
         }
         m_value.m_externref.set(m_owner->vm(), m_owner, argument);

trunk/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp

@@ -563 +563 @@
         case TypeKind::Void:
         case TypeKind::Func:
+        case TypeKind::RefNull:
+        case TypeKind::Ref:
             RELEASE_ASSERT_NOT_REACHED();
         }
@@ -619 +621 @@
         case TypeKind::Void:
         case TypeKind::Func:
+        case TypeKind::RefNull:
+        case TypeKind::Ref:
             RELEASE_ASSERT_NOT_REACHED();
         }
@@ -647 +651 @@
         case TypeKind::Void:
         case TypeKind::Func:
+        case TypeKind::RefNull:
+        case TypeKind::Ref:
             RELEASE_ASSERT_NOT_REACHED();
         }
@@ -703 +709 @@
         case TypeKind::Void:
         case TypeKind::Func:
+        case TypeKind::RefNull:
+        case TypeKind::Ref:
             RELEASE_ASSERT_NOT_REACHED();
         }
@@ -752 +760 @@
         case TypeKind::Void:
         case TypeKind::Func:
+        case TypeKind::RefNull:
+        case TypeKind::Ref:
             RELEASE_ASSERT_NOT_REACHED();
         }

trunk/Source/JavaScriptCore/wasm/WasmParser.h

@@ -85 +85 @@
 
     PartialResult WARN_UNUSED_RETURN parseBlockSignature(const ModuleInformation&, BlockSignature&);
-    bool WARN_UNUSED_RETURN parseValueType(Type&);
-    bool WARN_UNUSED_RETURN parseRefType(Type&);
+    bool WARN_UNUSED_RETURN parseValueType(const ModuleInformation&, Type&);
+    bool WARN_UNUSED_RETURN parseRefType(const ModuleInformation&, Type&);
     bool WARN_UNUSED_RETURN parseExternalKind(ExternalKind&);
 
@@ -278 +278 @@
     int8_t typeKind;
     if (peekInt7(typeKind) && isValidTypeKind(typeKind)) {
-        Type type = {static_cast<TypeKind>(typeKind), 0};
+        Type type = {static_cast<TypeKind>(typeKind), Nullable::Yes, 0};
         WASM_PARSER_FAIL_IF(!(isValueType(type) || type.isVoid()), "result type of block: ", makeString(type.kind), " is not a value type or Void");
         result = m_signatureInformation.thunkFor(type);
@@ -297 +297 @@
 
 template<typename SuccessType>
-ALWAYS_INLINE bool Parser<SuccessType>::parseValueType(Type& result)
+ALWAYS_INLINE bool Parser<SuccessType>::parseValueType(const ModuleInformation& info, Type& result)
 {
     int8_t kind;
     if (!parseInt7(kind))
         return false;
-    Type type = {static_cast<TypeKind>(kind), 0};
-    if (!isValidTypeKind(kind) || !isValueType(type))
+    if (!isValidTypeKind(kind))
+        return false;
+
+    TypeKind typeKind = static_cast<TypeKind>(kind);
+    bool isNullable = true;
+    SignatureIndex sigIndex = 0;
+    if (typeKind == TypeKind::Ref || typeKind == TypeKind::RefNull) {
+        if (!Options::useWebAssemblyTypedFunctionReferences())
+            return false;
+
+        int32_t heapType;
+        isNullable = typeKind == TypeKind::RefNull;
+
+        if (!parseVarInt32(heapType))
+            return false;
+        if (heapType < 0) {
+            TypeKind heapKind = static_cast<TypeKind>(heapType);
+            if (!isValidHeapTypeKind(heapKind))
+                return false;
+            typeKind = heapKind;
+        } else {
+            typeKind = TypeKind::TypeIdx;
+            if (static_cast<size_t>(heapType) >= info.usedSignatures.size())
+                return false;
+            sigIndex = SignatureInformation::get(info.usedSignatures[heapType].get());
+        }
+    }
+
+    Type type = { typeKind, static_cast<Nullable>(isNullable), sigIndex };
+    if (!isValueType(type))
         return false;
     result = type;
@@ -310 +338 @@
 
 template<typename SuccessType>
-ALWAYS_INLINE bool Parser<SuccessType>::parseRefType(Type& result)
-{
-    const bool parsed = parseValueType(result);
+ALWAYS_INLINE bool Parser<SuccessType>::parseRefType(const ModuleInformation& info, Type& result)
+{
+    const bool parsed = parseValueType(info, result);
     return parsed && isRefType(result);
 }

trunk/Source/JavaScriptCore/wasm/WasmSectionParser.cpp

@@ -61 +61 @@
         for (unsigned i = 0; i < argumentCount; ++i) {
             Type argumentType;
-            WASM_PARSER_FAIL_IF(!parseValueType(argumentType), "can't get ", i, "th argument Type");
+            WASM_PARSER_FAIL_IF(!parseValueType(m_info, argumentType), "can't get ", i, "th argument Type");
             arguments.append(argumentType);
         }
@@ -73 +73 @@
         for (unsigned i = 0; i < returnCount; ++i) {
             Type value;
-            WASM_PARSER_FAIL_IF(!parseValueType(value), "can't get ", i, "th Type's return value");
+            WASM_PARSER_FAIL_IF(!parseValueType(m_info, value), "can't get ", i, "th Type's return value");
             returnTypes.append(value);
         }
@@ -484 +484 @@
             WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
             Type refType;
-            WASM_PARSER_FAIL_IF(!parseRefType(refType), "can't parse reftype in elem section");
+            WASM_PARSER_FAIL_IF(!parseRefType(m_info, refType), "can't parse reftype in elem section");
             WASM_PARSER_FAIL_IF(!refType.isFuncref(), "reftype in element section should be funcref");
 
@@ -508 +508 @@
 
             Type refType;
-            WASM_PARSER_FAIL_IF(!parseRefType(refType), "can't parse reftype in elem section");
+            WASM_PARSER_FAIL_IF(!parseRefType(m_info, refType), "can't parse reftype in elem section");
             WASM_PARSER_FAIL_IF(!refType.isFuncref(), "reftype in element section should be funcref");
 
@@ -526 +526 @@
 
             Type refType;
-            WASM_PARSER_FAIL_IF(!parseRefType(refType), "can't parse reftype in elem section");
+            WASM_PARSER_FAIL_IF(!parseRefType(m_info, refType), "can't parse reftype in elem section");
             WASM_PARSER_FAIL_IF(!refType.isFuncref(), "reftype in element section should be funcref");
 
@@ -606 +606 @@
     case RefNull: {
         Type typeOfNull;
-        WASM_PARSER_FAIL_IF(!parseRefType(typeOfNull), "ref.null type must be a reference type");
+        WASM_PARSER_FAIL_IF(!parseRefType(m_info, typeOfNull), "ref.null type must be a reference type");
         resultType = typeOfNull;
         bitsOrImportNumber = JSValue::encode(jsNull());
@@ -617 +617 @@
         WASM_PARSER_FAIL_IF(index >= m_info->functions.size(), "ref.func index", index, " exceeds the number of functions ", m_info->functions.size());
 
-        resultType = Types::Funcref;
+        if (Options::useWebAssemblyTypedFunctionReferences()) {
+            SignatureIndex signatureIndex = m_info->signatureIndexFromFunctionIndexSpace(index);
+            resultType = { TypeKind::TypeIdx, Nullable::No, signatureIndex };
+        } else
+            resultType = Types::Funcref;
+
         bitsOrImportNumber = index;
         break;
@@ -692 +697 @@
         } else {
             Type typeOfNull;
-            WASM_PARSER_FAIL_IF(!parseRefType(typeOfNull), "ref.null type must be a func type in elem section");
+            WASM_PARSER_FAIL_IF(!parseRefType(m_info, typeOfNull), "ref.null type must be a func type in elem section");
             WASM_PARSER_FAIL_IF(!typeOfNull.isFuncref(), "ref.null extern is forbidden in element section's, ", elementNum, "th element's ", index, "th index");
             functionIndex = Element::nullFuncIndex;
@@ -728 +733 @@
 {
     uint8_t mutability;
-    WASM_PARSER_FAIL_IF(!parseValueType(global.type), "can't get Global's value type");
+    WASM_PARSER_FAIL_IF(!parseValueType(m_info, global.type), "can't get Global's value type");
     WASM_PARSER_FAIL_IF(!parseUInt8(mutability), "can't get Global type's mutability");
     WASM_PARSER_FAIL_IF(mutability != 0x0 && mutability != 0x1, "invalid Global's mutability: 0x", hex(mutability, 2, Lowercase));

trunk/Source/JavaScriptCore/wasm/WasmSignature.cpp

@@ -71 +71 @@
     for (uint32_t i = 0; i < argumentCount; ++i) {
         accumulator = WTF::pairIntHash(accumulator, WTF::IntHash<uint8_t>::hash(static_cast<uint8_t>(argumentTypes[i].kind)));
+        accumulator = WTF::pairIntHash(accumulator, WTF::IntHash<uint8_t>::hash(static_cast<uint8_t>(argumentTypes[i].nullable)));
         accumulator = WTF::pairIntHash(accumulator, WTF::IntHash<unsigned>::hash(argumentTypes[i].index));
     }
     for (uint32_t i = 0; i < returnCount; ++i) {
         accumulator = WTF::pairIntHash(accumulator, WTF::IntHash<uint8_t>::hash(static_cast<uint8_t>(returnTypes[i].kind)));
+        accumulator = WTF::pairIntHash(accumulator, WTF::IntHash<uint8_t>::hash(static_cast<uint8_t>(returnTypes[i].nullable)));
         accumulator = WTF::pairIntHash(accumulator, WTF::IntHash<unsigned>::hash(returnTypes[i].index));
     }

trunk/Source/JavaScriptCore/wasm/generateWasmOpsHeader.py

@@ -213 +213 @@
 #undef CREATE_ENUM_VALUE
 
+enum class Nullable : bool {
+  No = false,
+  Yes = true,
+};
+
 using SignatureIndex = uintptr_t;
 
 struct Type {
     TypeKind kind;
+    Nullable nullable;
     SignatureIndex index;
 
     bool operator==(const Type& other) const
     {
-        return other.kind == kind && other.index == index;
+        return other.kind == kind && other.nullable == nullable && other.index == index;
     }
 
@@ -229 +235 @@
     }
 
+    bool isNullable() const
+    {
+        return static_cast<bool>(nullable);
+    }
+
     #define CREATE_PREDICATE(name, ...) bool is ## name() const { return kind == TypeKind::name; }
     FOR_EACH_WASM_TYPE(CREATE_PREDICATE)
@@ -236 +247 @@
 namespace Types
 {
-#define CREATE_CONSTANT(name, id, ...) constexpr Type name = Type{TypeKind::name, 0u};
+#define CREATE_CONSTANT(name, id, ...) constexpr Type name = Type{TypeKind::name, Nullable::Yes, 0u};
 FOR_EACH_WASM_TYPE(CREATE_CONSTANT)
 #undef CREATE_CONSTANT

trunk/Source/JavaScriptCore/wasm/js/WasmToJS.cpp

@@ -105 +105 @@
             case TypeKind::Void:
             case TypeKind::Func:
+            case TypeKind::RefNull:
+            case TypeKind::Ref:
                 RELEASE_ASSERT_NOT_REACHED(); // Handled above.
             case TypeKind::TypeIdx:
@@ -178 +180 @@
             case TypeKind::Void:
             case TypeKind::Func:
+            case TypeKind::RefNull:
+            case TypeKind::Ref:
                 RELEASE_ASSERT_NOT_REACHED(); // Handled above.
             case TypeKind::TypeIdx:
@@ -279 +283 @@
         case TypeKind::Void:
         case TypeKind::Func:
+        case TypeKind::RefNull:
+        case TypeKind::Ref:
             // For the JavaScript embedding, imports with these types in their signature return are a WebAssembly.Module validation error.
             RELEASE_ASSERT_NOT_REACHED();

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

@@ -86 +86 @@
         case Wasm::TypeKind::TypeIdx:
         case Wasm::TypeKind::Funcref: {
-            if (!isWebAssemblyHostFunction(vm, arg) && !arg.isNull())
+            bool isNullable = signature.argument(argIndex).isNullable();
+            WebAssemblyFunction* wasmFunction = nullptr;
+            WebAssemblyWrapperFunction* wasmWrapperFunction = nullptr;
+            if (!isWebAssemblyHostFunction(vm, arg, wasmFunction, wasmWrapperFunction) && (!isNullable || !arg.isNull()))
                 return JSValue::encode(throwException(globalObject, scope, createJSWebAssemblyRuntimeError(globalObject, vm, "Funcref must be an exported wasm function")));
+            if (signature.argument(argIndex).kind == Wasm::TypeKind::TypeIdx && (wasmFunction || wasmWrapperFunction)) {
+                Wasm::SignatureIndex paramIndex = signature.argument(argIndex).index;
+                Wasm::SignatureIndex argIndex;
+                if (wasmFunction)
+                    argIndex = wasmFunction->signatureIndex();
+                else
+                    argIndex = wasmWrapperFunction->signatureIndex();
+                if (paramIndex != argIndex)
+                    return JSValue::encode(throwException(globalObject, scope, createJSWebAssemblyRuntimeError(globalObject, vm, "Argument function did not match the reference type")));
+            }
             break;
         }
         case Wasm::TypeKind::Externref:
+            if (!signature.argument(argIndex).isNullable() && arg.isNull())
+                return JSValue::encode(throwException(globalObject, scope, createJSWebAssemblyRuntimeError(globalObject, vm, "Non-null Externref cannot be null")));
             break;
         case Wasm::TypeKind::I64:
@@ -103 +118 @@
         case Wasm::TypeKind::Void:
         case Wasm::TypeKind::Func:
+        case Wasm::TypeKind::RefNull:
+        case Wasm::TypeKind::Ref:
             RELEASE_ASSERT_NOT_REACHED();
         }
@@ -278 +295 @@
             break;
         }
+        case Wasm::TypeKind::TypeIdx:
         case Wasm::TypeKind::Funcref: {
             // Ensure we have a WASM exported function.
             jit.load64(jsParam, scratchGPR);
             auto isNull = jit.branchIfNull(scratchGPR);
+            if (!type.isNullable())
+                slowPath.append(isNull);
             slowPath.append(jit.branchIfNotCell(scratchGPR));
 
@@ -295 +315 @@
 
             isWasmFunction.link(&jit);
-            isNull.link(&jit);
+            if (type.kind == Wasm::TypeKind::TypeIdx) {
+                jit.load64(jsParam, scratchGPR);
+                jit.loadPtr(CCallHelpers::Address(scratchGPR, WebAssemblyFunctionBase::offsetOfSignatureIndex()), scratchGPR);
+                slowPath.append(jit.branchPtr(CCallHelpers::NotEqual, scratchGPR, CCallHelpers::TrustedImmPtr(type.index)));
+            }
+
+            if (type.isNullable())
+                isNull.link(&jit);
             FALLTHROUGH;
         }
@@ -301 +328 @@
             if (isStack) {
                 jit.load64(jsParam, scratchGPR);
+                if (!type.isNullable())
+                    slowPath.append(jit.branchIfNull(scratchGPR));
                 jit.store64(scratchGPR, calleeFrame.withOffset(wasmCallInfo.params[i].offsetFromSP()));
-            } else
-                jit.load64(jsParam, wasmCallInfo.params[i].gpr());
+            } else {
+                auto externGPR = wasmCallInfo.params[i].gpr();
+                jit.load64(jsParam, externGPR);
+                if (!type.isNullable())
+                    slowPath.append(jit.branchIfNull(externGPR));
+            }
             break;
         }

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunctionBase.h

@@ -53 +53 @@
     static ptrdiff_t offsetOfInstance() { return OBJECT_OFFSETOF(WebAssemblyFunctionBase, m_instance); }
 
+    static ptrdiff_t offsetOfSignatureIndex() { return OBJECT_OFFSETOF(WebAssemblyFunctionBase, m_importableFunction) + WasmToWasmImportableFunction::offsetOfSignatureIndex(); }
+
     static ptrdiff_t offsetOfEntrypointLoadLocation() { return OBJECT_OFFSETOF(WebAssemblyFunctionBase, m_importableFunction) + WasmToWasmImportableFunction::offsetOfEntrypointLoadLocation(); }
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp

@@ -248 +248 @@
                         return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global", "must be a same mutability")));
                     switch (moduleInformation.globals[import.kindIndex].type.kind) {
-                    case Wasm::TypeKind::Funcref:
+                    case Wasm::TypeKind::TypeIdx:
+                    case Wasm::TypeKind::Funcref: {
+                        bool isNullable = global.type.isNullable();
+                        WebAssemblyFunction* wasmFunction = nullptr;
+                        WebAssemblyWrapperFunction* wasmWrapperFunction = nullptr;
                         value = globalValue->global()->get(globalObject);
                         RETURN_IF_EXCEPTION(scope, void());
-                        if (!isWebAssemblyHostFunction(vm, value) && !value.isNull())
-                            return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global", "must be a wasm exported function or null")));
+                        if (!isWebAssemblyHostFunction(vm, value, wasmFunction, wasmWrapperFunction) && (!isNullable || !value.isNull())) {
+                            const char* msg = isNullable ? "must be a wasm exported function or null" : "must be a wasm exported function";
+                            return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global", msg)));
+                        }
+                        if (global.type.kind == Wasm::TypeKind::TypeIdx && (wasmFunction || wasmWrapperFunction)) {
+                            Wasm::SignatureIndex paramIndex = global.type.index;
+                            Wasm::SignatureIndex argIndex;
+                            if (wasmFunction)
+                                argIndex = wasmFunction->signatureIndex();
+                            else
+                                argIndex = wasmWrapperFunction->signatureIndex();
+                            if (paramIndex != argIndex)
+                                return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global", "Argument function did not match the reference type")));
+                        }
                         m_instance->instance().setGlobal(import.kindIndex, value);
                         break;
+                    }
                     case Wasm::TypeKind::Externref:
                         value = globalValue->global()->get(globalObject);
                         RETURN_IF_EXCEPTION(scope, void());
+                        if (!global.type.isNullable() && value.isNull())
+                            return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global", "non-null externref cannot be null")));
                         m_instance->instance().setGlobal(import.kindIndex, value);
                         break;
@@ -284 +303 @@
                     // iii. Append ToWebAssemblyValue(v) to imports.
                     switch (globalType.kind) {
-                    case Wasm::TypeKind::Funcref:
-                        if (!isWebAssemblyHostFunction(vm, value) && !value.isNull())
-                            return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global", "must be a wasm exported function or null")));
+                    case Wasm::TypeKind::TypeIdx:
+                    case Wasm::TypeKind::Funcref: {
+                        bool isNullable = globalType.isNullable();
+                        WebAssemblyFunction* wasmFunction = nullptr;
+                        WebAssemblyWrapperFunction* wasmWrapperFunction = nullptr;
+                        if (!isWebAssemblyHostFunction(vm, value, wasmFunction, wasmWrapperFunction) && (!isNullable || !value.isNull())) {
+                            const char* msg = isNullable ? "must be a wasm exported function or null" : "must be a wasm exported function";
+                            return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global", msg)));
+                        }
+                        if (globalType.kind == Wasm::TypeKind::TypeIdx && (wasmFunction || wasmWrapperFunction)) {
+                            Wasm::SignatureIndex paramIndex = global.type.index;
+                            Wasm::SignatureIndex argIndex;
+                            if (wasmFunction)
+                                argIndex = wasmFunction->signatureIndex();
+                            else
+                                argIndex = wasmWrapperFunction->signatureIndex();
+                            if (paramIndex != argIndex)
+                                return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global", "Argument function did not match the reference type")));
+                        }
                         m_instance->instance().setGlobal(import.kindIndex, value);
                         break;
+                    }
                     case Wasm::TypeKind::Externref:
+                        if (!globalType.isNullable() && value.isNull())
+                            return exception(createJSWebAssemblyLinkError(globalObject, vm, importFailMessage(import, "imported global", "must be a non-null value")));
                         m_instance->instance().setGlobal(import.kindIndex, value);
                         break;
@@ -491 +529 @@
             case Wasm::TypeKind::Externref:
             case Wasm::TypeKind::Funcref:
+            case Wasm::TypeKind::TypeIdx:
             case Wasm::TypeKind::I32:
             case Wasm::TypeKind::I64:

trunk/Source/JavaScriptCore/wasm/wasm.json

@@ -14 +14 @@
         "funcref":   { "type": "varint7", "value":  -16, "b3type": "B3::Int64" },
         "externref": { "type": "varint7", "value":  -17, "b3type": "B3::Int64" },
+        "ref_null":  { "type": "varint7", "value":  -20, "b3type": "B3::Int64" },
+        "ref":       { "type": "varint7", "value":  -21, "b3type": "B3::Int64" },
         "func":      { "type": "varint7", "value":  -32, "b3type": "B3::Void" },
         "void":      { "type": "varint7", "value":  -64, "b3type": "B3::Void" },