Changeset 189946 in webkit

Timestamp:

Sep 17, 2015 5:03:49 PM (9 years ago)

Author:

commit-queue@webkit.org

Message:

Convert return values from JavaScript functions to the expected types in WebAssembly
​https://bugs.webkit.org/show_bug.cgi?id=149200

Patch by Sukolsak Sakshuwong <Sukolsak Sakshuwong> on 2015-09-17
Reviewed by Mark Lam.

When a WebAssembly function calls a JavaScript function, there is no
guarantee that the JavaScript function will always return values of the
type we expect. This patch converts the return values to the expected
types.

(The reverse is also true: When a WebAssembly function is called from a
JavaScript function, there is no guarantee that the arguments to the
WebAssembly function will always be of the types we expect. We have
fixed this in Bug 149033.)

We don't need to type check the return values if the callee is a
WebAssembly function. We don't need to type check the arguments if the
caller is a WebAssembly function. This optimization will be
implemented in the future. See ​https://bugs.webkit.org/show_bug.cgi?id=149310

• tests/stress/wasm-type-conversion.js:
• tests/stress/wasm/type-conversion.wasm:
• wasm/WASMFunctionCompiler.h:

(JSC::WASMFunctionCompiler::startFunction):
(JSC::WASMFunctionCompiler::buildReturn):
(JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer):
(JSC::WASMFunctionCompiler::callAndUnboxResult):
(JSC::WASMFunctionCompiler::convertValueToInt32):
(JSC::WASMFunctionCompiler::convertValueToDouble):
(JSC::WASMFunctionCompiler::convertDoubleToValue):
(JSC::WASMFunctionCompiler::loadValueAndConvertToInt32): Deleted.
(JSC::WASMFunctionCompiler::loadValueAndConvertToDouble): Deleted.

• wasm/WASMFunctionParser.cpp:

(JSC::WASMFunctionParser::parseExpressionI32):
(JSC::WASMFunctionParser::parseExpressionF32):
(JSC::WASMFunctionParser::parseExpressionF64):
(JSC::WASMFunctionParser::parseCallInternalExpressionI32): Deleted.

• wasm/WASMFunctionParser.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• tests/stress/wasm-type-conversion.js (modified) (3 diffs)
• tests/stress/wasm/type-conversion.wasm (modified) (previous)
• wasm/WASMFunctionCompiler.h (modified) (7 diffs)
• wasm/WASMFunctionParser.cpp (modified) (6 diffs)
• wasm/WASMFunctionParser.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-09-17  Sukolsak Sakshuwong  <sukolsak@gmail.com>
+
+        Convert return values from JavaScript functions to the expected types in WebAssembly
+        https://bugs.webkit.org/show_bug.cgi?id=149200
+
+        Reviewed by Mark Lam.
+
+        When a WebAssembly function calls a JavaScript function, there is no
+        guarantee that the JavaScript function will always return values of the
+        type we expect. This patch converts the return values to the expected
+        types.
+
+        (The reverse is also true: When a WebAssembly function is called from a
+        JavaScript function, there is no guarantee that the arguments to the
+        WebAssembly function will always be of the types we expect. We have
+        fixed this in Bug 149033.)
+
+        We don't need to type check the return values if the callee is a
+        WebAssembly function. We don't need to type check the arguments if the
+        caller is a WebAssembly function. This optimization will be
+        implemented in the future. See https://bugs.webkit.org/show_bug.cgi?id=149310
+
+        * tests/stress/wasm-type-conversion.js:
+        * tests/stress/wasm/type-conversion.wasm:
+        * wasm/WASMFunctionCompiler.h:
+        (JSC::WASMFunctionCompiler::startFunction):
+        (JSC::WASMFunctionCompiler::buildReturn):
+        (JSC::WASMFunctionCompiler::boxArgumentsAndAdjustStackPointer):
+        (JSC::WASMFunctionCompiler::callAndUnboxResult):
+        (JSC::WASMFunctionCompiler::convertValueToInt32):
+        (JSC::WASMFunctionCompiler::convertValueToDouble):
+        (JSC::WASMFunctionCompiler::convertDoubleToValue):
+        (JSC::WASMFunctionCompiler::loadValueAndConvertToInt32): Deleted.
+        (JSC::WASMFunctionCompiler::loadValueAndConvertToDouble): Deleted.
+        * wasm/WASMFunctionParser.cpp:
+        (JSC::WASMFunctionParser::parseExpressionI32):
+        (JSC::WASMFunctionParser::parseExpressionF32):
+        (JSC::WASMFunctionParser::parseExpressionF64):
+        (JSC::WASMFunctionParser::parseCallInternalExpressionI32): Deleted.
+        * wasm/WASMFunctionParser.h:
+
 2015-09-17  Yusuke Suzuki  <utatane.tea@gmail.com>
 

trunk/Source/JavaScriptCore/tests/stress/wasm-type-conversion.js

@@ -9 +9 @@
 wasm/type-conversion.wasm is generated by pack-asmjs <https://github.com/WebAssembly/polyfill-prototype-1> from the following script:
 
-function asmModule(global, env, buffer) {
+function asmModule(global, imports, buffer) {
     "use asm";
 
     var fround = global.Math.fround;
+    var getInt32 = imports.getInt32;
+    var getDouble = imports.getDouble;
+    var getString = imports.getString;
+    var getBoolean = imports.getBoolean;
 
     function takeAndReturnInt32(x) {
         x = x | 0;
-        return x;
+        return x | 0;
     }
 
@@ -29 +33 @@
     }
 
+    function returnInt32FromInt32() {
+        return getInt32() | 0;
+    }
+
+    function returnInt32FromDouble() {
+        return getDouble() | 0;
+    }
+
+    function returnInt32FromString() {
+        return getString() | 0;
+    }
+
+    function returnInt32FromBoolean() {
+        return getBoolean() | 0;
+    }
+
+    function returnDoubleFromInt32() {
+        return +getInt32();
+    }
+
+    function returnDoubleFromDouble() {
+        return +getDouble();
+    }
+
+    function returnDoubleFromString() {
+        return +getString();
+    }
+
+    function returnDoubleFromBoolean() {
+        return +getBoolean();
+    }
+
     return {
         takeAndReturnInt32: takeAndReturnInt32,
+        takeAndReturnFloat: takeAndReturnFloat,
         takeAndReturnDouble: takeAndReturnDouble,
+
+        returnInt32FromInt32: returnInt32FromInt32,
+        returnInt32FromDouble: returnInt32FromDouble,
+        returnInt32FromString: returnInt32FromString,
+        returnInt32FromBoolean: returnInt32FromBoolean,
+        returnDoubleFromInt32: returnDoubleFromInt32,
+        returnDoubleFromDouble: returnDoubleFromDouble,
+        returnDoubleFromString: returnDoubleFromString,
+        returnDoubleFromBoolean: returnDoubleFromBoolean,
     };
 }
 */
 
-var module = loadWebAssembly("wasm/type-conversion.wasm");
+var imports = {
+    getInt32: () => 42,
+    getDouble: () => 4.2,
+    getString: () => "4.2",
+    getBoolean: () => true,
+};
+var module = loadWebAssembly("wasm/type-conversion.wasm", imports);
 
 var two = {
@@ -71 +123 @@
 shouldBe(module.takeAndReturnDouble([2.5]), 2.5);
 shouldBe(module.takeAndReturnDouble(two), 2);
+
+shouldBe(module.returnInt32FromInt32(), 42);
+shouldBe(module.returnInt32FromDouble(), 4);
+shouldBe(module.returnInt32FromString(), 4);
+shouldBe(module.returnInt32FromBoolean(), 1);
+shouldBe(module.returnDoubleFromInt32(), 42);
+shouldBe(module.returnDoubleFromDouble(), 4.2);
+shouldBe(module.returnDoubleFromString(), 4.2);
+shouldBe(module.returnDoubleFromBoolean(), 1);

trunk/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h

@@ -113 +113 @@
         unsigned localIndex = 0;
         for (size_t i = 0; i < arguments.size(); ++i) {
+            // FIXME: No need to do type conversion if the caller is a WebAssembly function.
+            // https://bugs.webkit.org/show_bug.cgi?id=149310
             Address address(GPRInfo::callFrameRegister, CallFrame::argumentOffset(i) * sizeof(Register));
+#if USE(JSVALUE64)
+            JSValueRegs valueRegs(GPRInfo::regT0);
+#else
+            JSValueRegs valueRegs(GPRInfo::regT1, GPRInfo::regT0);
+#endif
+            loadValue(address, valueRegs);
             switch (arguments[i]) {
             case WASMType::I32:
-#if USE(JSVALUE64)
-                loadValueAndConvertToInt32(address, GPRInfo::regT0);
-#else
-                loadValueAndConvertToInt32(address, GPRInfo::regT0, GPRInfo::regT1);
-#endif
+                convertValueToInt32(valueRegs, GPRInfo::regT0);
                 store32(GPRInfo::regT0, localAddress(localIndex++));
                 break;
@@ -126 +130 @@
             case WASMType::F64:
 #if USE(JSVALUE64)
-                loadValueAndConvertToDouble(address, FPRInfo::fpRegT0, GPRInfo::regT0, GPRInfo::regT1);
-#else
-                loadValueAndConvertToDouble(address, FPRInfo::fpRegT0, GPRInfo::regT0, GPRInfo::regT1, GPRInfo::regT2, FPRInfo::fpRegT1);
+                convertValueToDouble(valueRegs, FPRInfo::fpRegT0, GPRInfo::regT1);
+#else
+                convertValueToDouble(valueRegs, FPRInfo::fpRegT0, GPRInfo::regT2, FPRInfo::fpRegT1);
 #endif
                 if (arguments[i] == WASMType::F32)
@@ -286 +290 @@
             if (returnType == WASMExpressionType::F32)
                 convertFloatToDouble(FPRInfo::fpRegT0, FPRInfo::fpRegT0);
-#if USE(JSVALUE64)
-            boxDouble(FPRInfo::fpRegT0, GPRInfo::returnValueGPR);
-#else
-            boxDouble(FPRInfo::fpRegT0, GPRInfo::returnValueGPR2, GPRInfo::returnValueGPR);
-#endif
+            convertDoubleToValue(FPRInfo::fpRegT0, returnValueRegs);
             m_tempStackTop--;
             break;
@@ -939 +939 @@
         for (size_t i = 0; i < argumentCount; ++i) {
             Address address(GPRInfo::callFrameRegister, (stackOffset + CallFrame::argumentOffset(i)) * sizeof(Register));
+#if USE(JSVALUE64)
+            JSValueRegs valueRegs(GPRInfo::regT0);
+#else
+            JSValueRegs valueRegs(GPRInfo::regT1, GPRInfo::regT0);
+#endif
             switch (arguments[i]) {
             case WASMType::I32:
@@ -949 +954 @@
                 store32(TrustedImm32(JSValue::Int32Tag), address.withOffset(TagOffset));
 #endif
+                break;
+            case WASMType::F32:
+            case WASMType::F64:
+                loadDouble(temporaryAddress(m_tempStackTop - argumentCount + i), FPRInfo::fpRegT0);
+                if (arguments[i] == WASMType::F32)
+                    convertFloatToDouble(FPRInfo::fpRegT0, FPRInfo::fpRegT0);
+                convertDoubleToValue(FPRInfo::fpRegT0, valueRegs);
+                storeValue(valueRegs, address);
                 break;
             default:
@@ -989 +1002 @@
         checkStackPointerAlignment();
 
+        // FIXME: No need to do type conversion if the callee is a WebAssembly function.
+        // https://bugs.webkit.org/show_bug.cgi?id=149310
+#if USE(JSVALUE64)
+        JSValueRegs valueRegs(GPRInfo::returnValueGPR);
+#else
+        JSValueRegs valueRegs(GPRInfo::returnValueGPR2, GPRInfo::returnValueGPR);
+#endif
         switch (returnType) {
         case WASMExpressionType::I32:
-            store32(GPRInfo::returnValueGPR, temporaryAddress(m_tempStackTop++));
+            convertValueToInt32(valueRegs, GPRInfo::regT0);
+            store32(GPRInfo::regT0, temporaryAddress(m_tempStackTop++));
+            break;
+        case WASMExpressionType::F32:
+        case WASMExpressionType::F64:
+#if USE(JSVALUE64)
+            convertValueToDouble(valueRegs, FPRInfo::fpRegT0, GPRInfo::nonPreservedNonReturnGPR);
+#else
+            convertValueToDouble(valueRegs, FPRInfo::fpRegT0, GPRInfo::nonPreservedNonReturnGPR, FPRInfo::fpRegT1);
+#endif
+            if (returnType == WASMExpressionType::F32)
+                convertDoubleToFloat(FPRInfo::fpRegT0, FPRInfo::fpRegT0);
+            storeDouble(FPRInfo::fpRegT0, temporaryAddress(m_tempStackTop++));
             break;
         case WASMExpressionType::Void:
@@ -1001 +1033 @@
 
 #if USE(JSVALUE64)
-    void loadValueAndConvertToInt32(Address address, GPRReg dst)
-    {
-        JSValueRegs tempRegs(dst);
-        loadValue(address, tempRegs);
-        Jump checkJSInt32 = branchIfInt32(tempRegs);
-
-        callOperation(operationConvertJSValueToInt32, dst, dst);
+    void convertValueToInt32(JSValueRegs valueRegs, GPRReg dst)
+    {
+        Jump checkJSInt32 = branchIfInt32(valueRegs);
+
+        callOperation(operationConvertJSValueToInt32, valueRegs.gpr(), valueRegs.gpr());
 
         checkJSInt32.link(this);
-    }
-
-    void loadValueAndConvertToDouble(Address address, FPRReg dst, GPRReg scratch1, GPRReg scratch2)
-    {
-        JSValueRegs tempRegs(scratch1);
-        loadValue(address, tempRegs);
-        Jump checkJSInt32 = branchIfInt32(tempRegs);
-        Jump checkJSNumber = branchIfNumber(tempRegs, scratch2);
+        move(valueRegs.gpr(), dst);
+    }
+
+    void convertValueToDouble(JSValueRegs valueRegs, FPRReg dst, GPRReg scratch)
+    {
+        Jump checkJSInt32 = branchIfInt32(valueRegs);
+        Jump checkJSNumber = branchIfNumber(valueRegs, scratch);
         JumpList end;
 
-        callOperation(operationConvertJSValueToDouble, tempRegs.gpr(), dst);
+        callOperation(operationConvertJSValueToDouble, valueRegs.gpr(), dst);
         end.append(jump());
 
         checkJSInt32.link(this);
-        convertInt32ToDouble(tempRegs.gpr(), dst);
+        convertInt32ToDouble(valueRegs.gpr(), dst);
         end.append(jump());
 
         checkJSNumber.link(this);
-        unboxDoubleWithoutAssertions(tempRegs.gpr(), dst);
+        unboxDoubleWithoutAssertions(valueRegs.gpr(), dst);
         end.link(this);
     }
 #else
-    void loadValueAndConvertToInt32(Address address, GPRReg dst, GPRReg scratch)
-    {
-        JSValueRegs tempRegs(scratch, dst);
-        loadValue(address, tempRegs);
-        Jump checkJSInt32 = branchIfInt32(tempRegs);
-
-        callOperation(operationConvertJSValueToInt32, tempRegs.tagGPR(), tempRegs.payloadGPR(), dst);
+    void convertValueToInt32(JSValueRegs valueRegs, GPRReg dst)
+    {
+        Jump checkJSInt32 = branchIfInt32(valueRegs);
+
+        callOperation(operationConvertJSValueToInt32, valueRegs.tagGPR(), valueRegs.payloadGPR(), valueRegs.payloadGPR());
 
         checkJSInt32.link(this);
-    }
-
-    void loadValueAndConvertToDouble(Address address, FPRReg dst, GPRReg scratch1, GPRReg scratch2, GPRReg scratch3, FPRReg fpScratch)
-    {
-        JSValueRegs tempRegs(scratch2, scratch1);
-        loadValue(address, tempRegs);
-        Jump checkJSInt32 = branchIfInt32(tempRegs);
-        Jump checkJSNumber = branchIfNumber(tempRegs, scratch3);
+        move(valueRegs.payloadGPR(), dst);
+    }
+
+    void convertValueToDouble(JSValueRegs valueRegs, FPRReg dst, GPRReg scratch, FPRReg fpScratch)
+    {
+        Jump checkJSInt32 = branchIfInt32(valueRegs);
+        Jump checkJSNumber = branchIfNumber(valueRegs, scratch);
         JumpList end;
 
-        callOperation(operationConvertJSValueToDouble, tempRegs.tagGPR(), tempRegs.payloadGPR(), dst);
+        callOperation(operationConvertJSValueToDouble, valueRegs.tagGPR(), valueRegs.payloadGPR(), dst);
         end.append(jump());
 
         checkJSInt32.link(this);
-        convertInt32ToDouble(tempRegs.payloadGPR(), dst);
+        convertInt32ToDouble(valueRegs.payloadGPR(), dst);
         end.append(jump());
 
         checkJSNumber.link(this);
-        unboxDouble(tempRegs.tagGPR(), tempRegs.payloadGPR(), dst, fpScratch);
+        unboxDouble(valueRegs.tagGPR(), valueRegs.payloadGPR(), dst, fpScratch);
         end.link(this);
     }
 #endif
+
+    void convertDoubleToValue(FPRReg fpr, JSValueRegs valueRegs)
+    {
+#if USE(JSVALUE64)
+        boxDouble(fpr, valueRegs.gpr());
+#else
+        boxDouble(fpr, valueRegs.tagGPR(), valueRegs.payloadGPR());
+#endif
+    }
 
     JSWASMModule* m_module;

trunk/Source/JavaScriptCore/wasm/WASMFunctionParser.cpp

@@ -530 +530 @@
             return parseGetGlobalExpressionI32(context);
         case WASMOpExpressionI32::CallInternal:
-            return parseCallInternalExpressionI32(context);
+            return parseCallInternal(context, WASMExpressionType::I32);
         case WASMOpExpressionI32::CallIndirect:
             return parseCallIndirect(context, WASMExpressionType::I32);
@@ -682 +682 @@
 
 template <class Context>
-ContextExpression WASMFunctionParser::parseCallInternalExpressionI32(Context& context)
-{
-    return parseCallInternal(context, WASMExpressionType::I32);
-}
-
-template <class Context>
 ContextExpression WASMFunctionParser::parseUnaryExpressionI32(Context& context, WASMOpExpressionI32 op)
 {
@@ -753 +747 @@
         case WASMOpExpressionF32::GetGlobal:
             return parseGetGlobalExpressionF32(context);
+        case WASMOpExpressionF32::CallInternal:
+            return parseCallInternal(context, WASMExpressionType::F32);
         case WASMOpExpressionF32::CallIndirect:
             return parseCallIndirect(context, WASMExpressionType::F32);
@@ -772 +768 @@
         case WASMOpExpressionF32::Store:
         case WASMOpExpressionF32::StoreWithOffset:
-        case WASMOpExpressionF32::CallInternal:
         case WASMOpExpressionF32::Conditional:
         case WASMOpExpressionF32::Comma:
@@ -881 +876 @@
         case WASMOpExpressionF64::GetGlobal:
             return parseGetGlobalExpressionF64(context);
+        case WASMOpExpressionF64::CallInternal:
+            return parseCallInternal(context, WASMExpressionType::F64);
         case WASMOpExpressionF64::CallImport:
             return parseCallImport(context, WASMExpressionType::F64);
@@ -891 +888 @@
         case WASMOpExpressionF64::Store:
         case WASMOpExpressionF64::StoreWithOffset:
-        case WASMOpExpressionF64::CallInternal:
         case WASMOpExpressionF64::Conditional:
         case WASMOpExpressionF64::Comma:

trunk/Source/JavaScriptCore/wasm/WASMFunctionParser.h

@@ -90 +90 @@
     template <class Context> ContextExpression parseGetLocalExpressionI32(Context&);
     template <class Context> ContextExpression parseGetGlobalExpressionI32(Context&);
-    template <class Context> ContextExpression parseCallInternalExpressionI32(Context&);
     template <class Context> ContextExpression parseUnaryExpressionI32(Context&, WASMOpExpressionI32);
     template <class Context> ContextExpression parseBinaryExpressionI32(Context&, WASMOpExpressionI32);