Changeset 189993 in webkit

Timestamp:

Sep 18, 2015 4:06:47 PM (9 years ago)

Author:

commit-queue@webkit.org

Message:

Implement linear memory instructions in WebAssembly
​https://bugs.webkit.org/show_bug.cgi?id=149326

Patch by Sukolsak Sakshuwong <Sukolsak Sakshuwong> on 2015-09-18
Reviewed by Geoffrey Garen.

This patch implements linear memory instructions in WebAssembly.[1] To
use the linear memory, an ArrayBuffer must be passed to loadWebAssembly().

Notes:

• We limit the ArrayBuffer's byte length to 2^{31 - 1. This enables us to use only one comparison (unsigned greater than) to check for out-of-bounds access.}
• There is no consensus yet on what should happen when an out-of-bounds access occurs.[2] For now, we throw an error when that happens.
• In asm.js, a heap access looks like this: int32Array[i >> 2]. Note that ">> 2" is part of the syntax and is required. pack-asmjs will produce bytecodes that look something like "LoadI32, i" (not "LoadI32, ShiftRightI32, i, 2"). The requirement of the shift operator prevents unaligned accesses in asm.js. (There is a proposal to support unaligned accesses in the future version of asm.js using DataView.[3]) The WebAssembly spec allows unaligned accesses.[4] But since we use asm.js for testing, we follow asm.js's behaviors for now.

[1]: ​https://github.com/WebAssembly/design/blob/master/AstSemantics.md#linear-memory
[2]: ​https://github.com/WebAssembly/design/blob/master/AstSemantics.md#out-of-bounds
[3]: ​https://wiki.mozilla.org/Javascript:SpiderMonkey:OdinMonkey#Possible_asm.js_extensions_that_don.27t_require_new_JS_features
[4]: ​https://github.com/WebAssembly/design/blob/master/AstSemantics.md#alignment

• jit/JITOperations.cpp:
• jit/JITOperations.h:
• jsc.cpp:

(GlobalObject::finishCreation):
(functionLoadWebAssembly):

• tests/stress/wasm-linear-memory.js: Added.

(shouldBe):
(shouldThrow):

• tests/stress/wasm/linear-memory.wasm: Added.
• wasm/JSWASMModule.cpp:

(JSC::JSWASMModule::JSWASMModule):
(JSC::JSWASMModule::visitChildren):

• wasm/JSWASMModule.h:

(JSC::JSWASMModule::create):
(JSC::JSWASMModule::arrayBuffer):
(JSC::JSWASMModule::JSWASMModule): Deleted.

• wasm/WASMConstants.h:
• wasm/WASMFunctionCompiler.h:

(JSC::sizeOfMemoryType):
(JSC::WASMFunctionCompiler::MemoryAddress::MemoryAddress):
(JSC::WASMFunctionCompiler::endFunction):
(JSC::WASMFunctionCompiler::buildLoad):
(JSC::WASMFunctionCompiler::buildStore):

• wasm/WASMFunctionParser.cpp:

(JSC::WASMFunctionParser::parseStatement):
(JSC::WASMFunctionParser::parseExpressionI32):
(JSC::WASMFunctionParser::parseExpressionF32):
(JSC::WASMFunctionParser::parseExpressionF64):
(JSC::WASMFunctionParser::parseMemoryAddress):
(JSC::WASMFunctionParser::parseLoad):
(JSC::WASMFunctionParser::parseStore):

• wasm/WASMFunctionParser.h:
• wasm/WASMFunctionSyntaxChecker.h:

(JSC::WASMFunctionSyntaxChecker::MemoryAddress::MemoryAddress):
(JSC::WASMFunctionSyntaxChecker::buildLoad):
(JSC::WASMFunctionSyntaxChecker::buildStore):

• wasm/WASMModuleParser.cpp:

(JSC::WASMModuleParser::WASMModuleParser):
(JSC::WASMModuleParser::parseModule):
(JSC::parseWebAssembly):
(JSC::WASMModuleParser::parse): Deleted.

• wasm/WASMModuleParser.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• jit/JITOperations.cpp (modified) (1 diff)
• jit/JITOperations.h (modified) (1 diff)
• jsc.cpp (modified) (2 diffs)
• tests/stress/wasm-linear-memory.js (added)
• tests/stress/wasm/linear-memory.wasm (added)
• wasm/JSWASMModule.cpp (modified) (3 diffs)
• wasm/JSWASMModule.h (modified) (4 diffs)
• wasm/WASMConstants.h (modified) (1 diff)
• wasm/WASMFunctionCompiler.h (modified) (6 diffs)
• wasm/WASMFunctionParser.cpp (modified) (9 diffs)
• wasm/WASMFunctionParser.h (modified) (2 diffs)
• wasm/WASMFunctionSyntaxChecker.h (modified) (2 diffs)
• wasm/WASMModuleParser.cpp (modified) (6 diffs)
• wasm/WASMModuleParser.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-09-18  Sukolsak Sakshuwong  <sukolsak@gmail.com>
+
+        Implement linear memory instructions in WebAssembly
+        https://bugs.webkit.org/show_bug.cgi?id=149326
+
+        Reviewed by Geoffrey Garen.
+
+        This patch implements linear memory instructions in WebAssembly.[1] To
+        use the linear memory, an ArrayBuffer must be passed to loadWebAssembly().
+
+        Notes:
+        - We limit the ArrayBuffer's byte length to 2^31 - 1. This enables us to
+          use only one comparison (unsigned greater than) to check for
+          out-of-bounds access.
+        - There is no consensus yet on what should happen when an out-of-bounds
+          access occurs.[2] For now, we throw an error when that happens.
+        - In asm.js, a heap access looks like this: int32Array[i >> 2]. Note
+          that ">> 2" is part of the syntax and is required. pack-asmjs will
+          produce bytecodes that look something like "LoadI32, i" (not
+          "LoadI32, ShiftRightI32, i, 2"). The requirement of the shift operator
+          prevents unaligned accesses in asm.js. (There is a proposal to support
+          unaligned accesses in the future version of asm.js using DataView.[3])
+          The WebAssembly spec allows unaligned accesses.[4] But since we use
+          asm.js for testing, we follow asm.js's behaviors for now.
+
+        [1]: https://github.com/WebAssembly/design/blob/master/AstSemantics.md#linear-memory
+        [2]: https://github.com/WebAssembly/design/blob/master/AstSemantics.md#out-of-bounds
+        [3]: https://wiki.mozilla.org/Javascript:SpiderMonkey:OdinMonkey#Possible_asm.js_extensions_that_don.27t_require_new_JS_features
+        [4]: https://github.com/WebAssembly/design/blob/master/AstSemantics.md#alignment
+
+        * jit/JITOperations.cpp:
+        * jit/JITOperations.h:
+        * jsc.cpp:
+        (GlobalObject::finishCreation):
+        (functionLoadWebAssembly):
+        * tests/stress/wasm-linear-memory.js: Added.
+        (shouldBe):
+        (shouldThrow):
+        * tests/stress/wasm/linear-memory.wasm: Added.
+        * wasm/JSWASMModule.cpp:
+        (JSC::JSWASMModule::JSWASMModule):
+        (JSC::JSWASMModule::visitChildren):
+        * wasm/JSWASMModule.h:
+        (JSC::JSWASMModule::create):
+        (JSC::JSWASMModule::arrayBuffer):
+        (JSC::JSWASMModule::JSWASMModule): Deleted.
+        * wasm/WASMConstants.h:
+        * wasm/WASMFunctionCompiler.h:
+        (JSC::sizeOfMemoryType):
+        (JSC::WASMFunctionCompiler::MemoryAddress::MemoryAddress):
+        (JSC::WASMFunctionCompiler::endFunction):
+        (JSC::WASMFunctionCompiler::buildLoad):
+        (JSC::WASMFunctionCompiler::buildStore):
+        * wasm/WASMFunctionParser.cpp:
+        (JSC::WASMFunctionParser::parseStatement):
+        (JSC::WASMFunctionParser::parseExpressionI32):
+        (JSC::WASMFunctionParser::parseExpressionF32):
+        (JSC::WASMFunctionParser::parseExpressionF64):
+        (JSC::WASMFunctionParser::parseMemoryAddress):
+        (JSC::WASMFunctionParser::parseLoad):
+        (JSC::WASMFunctionParser::parseStore):
+        * wasm/WASMFunctionParser.h:
+        * wasm/WASMFunctionSyntaxChecker.h:
+        (JSC::WASMFunctionSyntaxChecker::MemoryAddress::MemoryAddress):
+        (JSC::WASMFunctionSyntaxChecker::buildLoad):
+        (JSC::WASMFunctionSyntaxChecker::buildStore):
+        * wasm/WASMModuleParser.cpp:
+        (JSC::WASMModuleParser::WASMModuleParser):
+        (JSC::WASMModuleParser::parseModule):
+        (JSC::parseWebAssembly):
+        (JSC::WASMModuleParser::parse): Deleted.
+        * wasm/WASMModuleParser.h:
+
 2015-09-18  Sukolsak Sakshuwong  <sukolsak@gmail.com>
 

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -106 +106 @@
     vm->throwException(callerFrame, createError(callerFrame, ASCIILiteral("Division by zero or division overflow.")));
 }
+
+void JIT_OPERATION operationThrowOutOfBoundsAccessError(ExecState* exec)
+{
+    VM* vm = &exec->vm();
+    VMEntryFrame* vmEntryFrame = vm->topVMEntryFrame;
+    CallFrame* callerFrame = exec->callerFrame(vmEntryFrame);
+
+    NativeCallFrameTracerWithRestore tracer(vm, vmEntryFrame, callerFrame);
+    ErrorHandlingScope errorScope(*vm);
+    vm->throwException(callerFrame, createError(callerFrame, ASCIILiteral("Out-of-bounds access.")));
+}
 #endif
 

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -252 +252 @@
 #if ENABLE(WEBASSEMBLY)
 void JIT_OPERATION operationThrowDivideError(ExecState*) WTF_INTERNAL;
+void JIT_OPERATION operationThrowOutOfBoundsAccessError(ExecState*) WTF_INTERNAL;
 #endif
 int32_t JIT_OPERATION operationCallArityCheck(ExecState*) WTF_INTERNAL;

trunk/Source/JavaScriptCore/jsc.cpp

@@ -678 +678 @@
 
 #if ENABLE(WEBASSEMBLY)
-        addFunction(vm, "loadWebAssembly", functionLoadWebAssembly, 2);
+        addFunction(vm, "loadWebAssembly", functionLoadWebAssembly, 3);
 #endif
         addFunction(vm, "loadModule", functionLoadModule, 1);
@@ -1451 +1451 @@
     SourceCode source(sourceProvider);
     JSObject* imports = exec->argument(1).getObject();
+    JSArrayBuffer* arrayBuffer = jsDynamicCast<JSArrayBuffer*>(exec->argument(2));
 
     String errorMessage;
-    JSWASMModule* module = parseWebAssembly(exec, source, imports, errorMessage);
+    JSWASMModule* module = parseWebAssembly(exec, source, imports, arrayBuffer, errorMessage);
     if (!module)
         return JSValue::encode(exec->vm().throwException(exec, createSyntaxError(exec, errorMessage)));

trunk/Source/JavaScriptCore/wasm/JSWASMModule.cpp

@@ -29 +29 @@
 #if ENABLE(WEBASSEMBLY)
 
+#include "JSArrayBuffer.h"
 #include "JSFunction.h"
 #include "SlotVisitorInlines.h"
@@ -35 +36 @@
 
 const ClassInfo JSWASMModule::s_info = { "WASMModule", &Base::s_info, 0, CREATE_METHOD_TABLE(JSWASMModule) };
+
+JSWASMModule::JSWASMModule(VM& vm, Structure* structure, JSArrayBuffer* arrayBuffer)
+    : Base(vm, structure)
+{
+    if (arrayBuffer)
+        m_arrayBuffer.set(vm, this, arrayBuffer);
+}
 
 void JSWASMModule::destroy(JSCell* cell)
@@ -47 +55 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
     Base::visitChildren(thisObject, visitor);
+    visitor.append(&thisObject->m_arrayBuffer);
     for (auto function : thisObject->m_functions)
         visitor.append(&function);

trunk/Source/JavaScriptCore/wasm/JSWASMModule.h

@@ -57 +57 @@
     };
 
-    static JSWASMModule* create(VM& vm, Structure* structure)
+    static JSWASMModule* create(VM& vm, Structure* structure, JSArrayBuffer* arrayBuffer)
     {
-        JSWASMModule* module = new (NotNull, allocateCell<JSWASMModule>(vm.heap)) JSWASMModule(vm, structure);
+        JSWASMModule* module = new (NotNull, allocateCell<JSWASMModule>(vm.heap)) JSWASMModule(vm, structure, arrayBuffer);
         module->finishCreation(vm);
         return module;
@@ -84 +84 @@
     Vector<WASMFunctionPointerTable>& functionPointerTables() { return m_functionPointerTables; }
 
+    const JSArrayBuffer* arrayBuffer() const { return m_arrayBuffer.get(); }
     Vector<WriteBarrier<JSFunction>>& functions() { return m_functions; }
     Vector<unsigned>& functionStartOffsetsInSource() { return m_functionStartOffsetsInSource; }
@@ -91 +92 @@
 
 private:
-    JSWASMModule(VM& vm, Structure* structure)
-        : Base(vm, structure)
-    {
-    }
+    JSWASMModule(VM&, Structure*, JSArrayBuffer*);
 
     Vector<uint32_t> m_i32Constants;
@@ -106 +104 @@
     Vector<WASMFunctionPointerTable> m_functionPointerTables;
 
+    WriteBarrier<JSArrayBuffer> m_arrayBuffer;
     Vector<WriteBarrier<JSFunction>> m_functions;
     Vector<unsigned> m_functionStartOffsetsInSource;

trunk/Source/JavaScriptCore/wasm/WASMConstants.h

@@ -292 +292 @@
 };
 
+enum class WASMMemoryType {
+    I8,
+    I16,
+    I32,
+    F32,
+    F64
+};
+
+enum class MemoryAccessOffsetMode { NoOffset, WithOffset };
+enum class MemoryAccessConversion { NoConversion, SignExtend, ZeroExtend };
+
 static const uint8_t hasImmediateInOpFlag = 0x80;
 

trunk/Source/JavaScriptCore/wasm/WASMFunctionCompiler.h

@@ -33 +33 @@
 #include "JIT.h"
 #include "JITOperations.h"
+#include "JSArrayBuffer.h"
 #include "LinkBuffer.h"
 #include "MaxFrameExtentForSlowPathCall.h"
@@ -79 +80 @@
 #endif
 
+static size_t sizeOfMemoryType(WASMMemoryType memoryType)
+{
+    switch (memoryType) {
+    case WASMMemoryType::I8:
+        return 1;
+    case WASMMemoryType::I16:
+        return 2;
+    case WASMMemoryType::I32:
+    case WASMMemoryType::F32:
+        return 4;
+    case WASMMemoryType::F64:
+        return 8;
+    default:
+        ASSERT_NOT_REACHED();
+    }
+}
+
 class WASMFunctionCompiler : private CCallHelpers {
 public:
@@ -84 +102 @@
     typedef int Statement;
     typedef int ExpressionList;
+    struct MemoryAddress {
+        MemoryAddress(void*) { }
+        MemoryAddress(int, uint32_t offset)
+            : offset(offset)
+        {
+        }
+        uint32_t offset;
+    };
     struct JumpTarget {
         Label label;
@@ -198 +224 @@
             setupArgumentsExecState();
             appendCallWithExceptionCheck(operationThrowDivideError);
+        }
+
+        if (!m_outOfBoundsErrorJumpList.empty()) {
+            m_outOfBoundsErrorJumpList.link(this);
+
+            setupArgumentsExecState();
+            appendCallWithExceptionCheck(operationThrowOutOfBoundsAccessError);
         }
 
@@ -434 +467 @@
             ASSERT_NOT_REACHED();
         }
+        return UNUSED;
+    }
+
+    int buildLoad(const MemoryAddress& memoryAddress, WASMExpressionType expressionType, WASMMemoryType memoryType, MemoryAccessConversion conversion)
+    {
+        const ArrayBuffer* arrayBuffer = m_module->arrayBuffer()->impl();
+        move(TrustedImmPtr(arrayBuffer->data()), GPRInfo::regT0);
+        load32(temporaryAddress(m_tempStackTop - 1), GPRInfo::regT1);
+        if (memoryAddress.offset)
+            add32(TrustedImm32(memoryAddress.offset), GPRInfo::regT1, GPRInfo::regT1);
+        and32(TrustedImm32(~(sizeOfMemoryType(memoryType) - 1)), GPRInfo::regT1);
+
+        ASSERT(arrayBuffer->byteLength() < (unsigned)(1 << 31));
+        if (arrayBuffer->byteLength() >= sizeOfMemoryType(memoryType))
+            m_outOfBoundsErrorJumpList.append(branch32(Above, GPRInfo::regT1, TrustedImm32(arrayBuffer->byteLength() - sizeOfMemoryType(memoryType))));
+        else
+            m_outOfBoundsErrorJumpList.append(jump());
+
+        BaseIndex address = BaseIndex(GPRInfo::regT0, GPRInfo::regT1, TimesOne);
+
+        switch (expressionType) {
+        case WASMExpressionType::I32:
+            switch (memoryType) {
+            case WASMMemoryType::I8:
+                if (conversion == MemoryAccessConversion::SignExtend)
+                    load8SignedExtendTo32(address, GPRInfo::regT0);
+                else {
+                    ASSERT(conversion == MemoryAccessConversion::ZeroExtend);
+                    load8(address, GPRInfo::regT0);
+                }
+                break;
+            case WASMMemoryType::I16:
+                if (conversion == MemoryAccessConversion::SignExtend)
+                    load16SignedExtendTo32(address, GPRInfo::regT0);
+                else {
+                    ASSERT(conversion == MemoryAccessConversion::ZeroExtend);
+                    load16(address, GPRInfo::regT0);
+                }
+                break;
+            case WASMMemoryType::I32:
+                load32(address, GPRInfo::regT0);
+                break;
+            default:
+                ASSERT_NOT_REACHED();
+            }
+            store32(GPRInfo::regT0, temporaryAddress(m_tempStackTop - 1));
+            break;
+        case WASMExpressionType::F32:
+            ASSERT(memoryType == WASMMemoryType::F32 && conversion == MemoryAccessConversion::NoConversion);
+            load32(address, GPRInfo::regT0);
+            store32(GPRInfo::regT0, temporaryAddress(m_tempStackTop - 1));
+            break;
+        case WASMExpressionType::F64:
+            ASSERT(memoryType == WASMMemoryType::F64 && conversion == MemoryAccessConversion::NoConversion);
+            loadDouble(address, FPRInfo::fpRegT0);
+            storeDouble(FPRInfo::fpRegT0, temporaryAddress(m_tempStackTop - 1));
+            break;
+        default:
+            ASSERT_NOT_REACHED();
+        }
+        return UNUSED;
+    }
+
+    int buildStore(const MemoryAddress& memoryAddress, WASMExpressionType expressionType, WASMMemoryType memoryType, int)
+    {
+        const ArrayBuffer* arrayBuffer = m_module->arrayBuffer()->impl();
+        move(TrustedImmPtr(arrayBuffer->data()), GPRInfo::regT0);
+        load32(temporaryAddress(m_tempStackTop - 2), GPRInfo::regT1);
+        if (memoryAddress.offset)
+            add32(TrustedImm32(memoryAddress.offset), GPRInfo::regT1, GPRInfo::regT1);
+        and32(TrustedImm32(~(sizeOfMemoryType(memoryType) - 1)), GPRInfo::regT1);
+
+        ASSERT(arrayBuffer->byteLength() < (1u << 31));
+        if (arrayBuffer->byteLength() >= sizeOfMemoryType(memoryType))
+            m_outOfBoundsErrorJumpList.append(branch32(Above, GPRInfo::regT1, TrustedImm32(arrayBuffer->byteLength() - sizeOfMemoryType(memoryType))));
+        else
+            m_outOfBoundsErrorJumpList.append(jump());
+
+        BaseIndex address = BaseIndex(GPRInfo::regT0, GPRInfo::regT1, TimesOne);
+
+        switch (expressionType) {
+        case WASMExpressionType::I32:
+            load32(temporaryAddress(m_tempStackTop - 1), GPRInfo::regT2);
+            switch (memoryType) {
+            case WASMMemoryType::I8:
+                store8(GPRInfo::regT2, address);
+                break;
+            case WASMMemoryType::I16:
+                store16(GPRInfo::regT2, address);
+                break;
+            case WASMMemoryType::I32:
+                store32(GPRInfo::regT2, address);
+                break;
+            default:
+                ASSERT_NOT_REACHED();
+            }
+            break;
+        case WASMExpressionType::F32:
+            ASSERT(memoryType == WASMMemoryType::F32);
+            load32(temporaryAddress(m_tempStackTop - 1), GPRInfo::regT2);
+            store32(GPRInfo::regT2, address);
+            break;
+        case WASMExpressionType::F64:
+            ASSERT(memoryType == WASMMemoryType::F64);
+            loadDouble(temporaryAddress(m_tempStackTop - 1), FPRInfo::fpRegT0);
+            storeDouble(FPRInfo::fpRegT0, address);
+            break;
+        default:
+            ASSERT_NOT_REACHED();
+        }
+        m_tempStackTop -= 2;
         return UNUSED;
     }
@@ -1187 +1331 @@
     Jump m_stackOverflow;
     JumpList m_divideErrorJumpList;
+    JumpList m_outOfBoundsErrorJumpList;
     JumpList m_exceptionChecks;
 

trunk/Source/JavaScriptCore/wasm/WASMFunctionParser.cpp

@@ -144 +144 @@
             parseSetGlobalStatement(context);
             break;
+        case WASMOpStatement::I32Store8:
+            parseStore(context, WASMExpressionType::I32, WASMMemoryType::I8, MemoryAccessOffsetMode::NoOffset);
+            break;
+        case WASMOpStatement::I32StoreWithOffset8:
+            parseStore(context, WASMExpressionType::I32, WASMMemoryType::I8, MemoryAccessOffsetMode::WithOffset);
+            break;
+        case WASMOpStatement::I32Store16:
+            parseStore(context, WASMExpressionType::I32, WASMMemoryType::I16, MemoryAccessOffsetMode::NoOffset);
+            break;
+        case WASMOpStatement::I32StoreWithOffset16:
+            parseStore(context, WASMExpressionType::I32, WASMMemoryType::I16, MemoryAccessOffsetMode::WithOffset);
+            break;
+        case WASMOpStatement::I32Store32:
+            parseStore(context, WASMExpressionType::I32, WASMMemoryType::I32, MemoryAccessOffsetMode::NoOffset);
+            break;
+        case WASMOpStatement::I32StoreWithOffset32:
+            parseStore(context, WASMExpressionType::I32, WASMMemoryType::I32, MemoryAccessOffsetMode::WithOffset);
+            break;
+        case WASMOpStatement::F32Store:
+            parseStore(context, WASMExpressionType::F32, WASMMemoryType::F32, MemoryAccessOffsetMode::NoOffset);
+            break;
+        case WASMOpStatement::F32StoreWithOffset:
+            parseStore(context, WASMExpressionType::F32, WASMMemoryType::F32, MemoryAccessOffsetMode::WithOffset);
+            break;
+        case WASMOpStatement::F64Store:
+            parseStore(context, WASMExpressionType::F64, WASMMemoryType::F64, MemoryAccessOffsetMode::NoOffset);
+            break;
+        case WASMOpStatement::F64StoreWithOffset:
+            parseStore(context, WASMExpressionType::F64, WASMMemoryType::F64, MemoryAccessOffsetMode::WithOffset);
+            break;
         case WASMOpStatement::Return:
             parseReturnStatement(context);
@@ -180 +210 @@
             parseSwitchStatement(context);
             break;
-        case WASMOpStatement::I32Store8:
-        case WASMOpStatement::I32StoreWithOffset8:
-        case WASMOpStatement::I32Store16:
-        case WASMOpStatement::I32StoreWithOffset16:
-        case WASMOpStatement::I32Store32:
-        case WASMOpStatement::I32StoreWithOffset32:
-        case WASMOpStatement::F32Store:
-        case WASMOpStatement::F32StoreWithOffset:
-        case WASMOpStatement::F64Store:
-        case WASMOpStatement::F64StoreWithOffset:
         case WASMOpStatement::CallInternal:
         case WASMOpStatement::CallIndirect:
@@ -529 +549 @@
         case WASMOpExpressionI32::GetGlobal:
             return parseGetGlobalExpressionI32(context);
+        case WASMOpExpressionI32::SLoad8:
+            return parseLoad(context, WASMExpressionType::I32, WASMMemoryType::I8, MemoryAccessOffsetMode::NoOffset, MemoryAccessConversion::SignExtend);
+        case WASMOpExpressionI32::SLoadWithOffset8:
+            return parseLoad(context, WASMExpressionType::I32, WASMMemoryType::I8, MemoryAccessOffsetMode::WithOffset, MemoryAccessConversion::SignExtend);
+        case WASMOpExpressionI32::ULoad8:
+            return parseLoad(context, WASMExpressionType::I32, WASMMemoryType::I8, MemoryAccessOffsetMode::NoOffset, MemoryAccessConversion::ZeroExtend);
+        case WASMOpExpressionI32::ULoadWithOffset8:
+            return parseLoad(context, WASMExpressionType::I32, WASMMemoryType::I8, MemoryAccessOffsetMode::WithOffset, MemoryAccessConversion::ZeroExtend);
+        case WASMOpExpressionI32::SLoad16:
+            return parseLoad(context, WASMExpressionType::I32, WASMMemoryType::I16, MemoryAccessOffsetMode::NoOffset, MemoryAccessConversion::SignExtend);
+        case WASMOpExpressionI32::SLoadWithOffset16:
+            return parseLoad(context, WASMExpressionType::I32, WASMMemoryType::I16, MemoryAccessOffsetMode::WithOffset, MemoryAccessConversion::SignExtend);
+        case WASMOpExpressionI32::ULoad16:
+            return parseLoad(context, WASMExpressionType::I32, WASMMemoryType::I16, MemoryAccessOffsetMode::NoOffset, MemoryAccessConversion::ZeroExtend);
+        case WASMOpExpressionI32::ULoadWithOffset16:
+            return parseLoad(context, WASMExpressionType::I32, WASMMemoryType::I16, MemoryAccessOffsetMode::WithOffset, MemoryAccessConversion::ZeroExtend);
+        case WASMOpExpressionI32::Load32:
+            return parseLoad(context, WASMExpressionType::I32, WASMMemoryType::I32, MemoryAccessOffsetMode::NoOffset);
+        case WASMOpExpressionI32::LoadWithOffset32:
+            return parseLoad(context, WASMExpressionType::I32, WASMMemoryType::I32, MemoryAccessOffsetMode::WithOffset);
         case WASMOpExpressionI32::CallInternal:
             return parseCallInternal(context, WASMExpressionType::I32);
@@ -586 +626 @@
         case WASMOpExpressionI32::SetLocal:
         case WASMOpExpressionI32::SetGlobal:
-        case WASMOpExpressionI32::SLoad8:
-        case WASMOpExpressionI32::SLoadWithOffset8:
-        case WASMOpExpressionI32::ULoad8:
-        case WASMOpExpressionI32::ULoadWithOffset8:
-        case WASMOpExpressionI32::SLoad16:
-        case WASMOpExpressionI32::SLoadWithOffset16:
-        case WASMOpExpressionI32::ULoad16:
-        case WASMOpExpressionI32::ULoadWithOffset16:
-        case WASMOpExpressionI32::Load32:
-        case WASMOpExpressionI32::LoadWithOffset32:
         case WASMOpExpressionI32::Store8:
         case WASMOpExpressionI32::StoreWithOffset8:
@@ -749 +779 @@
         case WASMOpExpressionF32::GetGlobal:
             return parseGetGlobalExpressionF32(context);
+        case WASMOpExpressionF32::Load:
+            return parseLoad(context, WASMExpressionType::F32, WASMMemoryType::F32, MemoryAccessOffsetMode::NoOffset);
+        case WASMOpExpressionF32::LoadWithOffset:
+            return parseLoad(context, WASMExpressionType::F32, WASMMemoryType::F32, MemoryAccessOffsetMode::WithOffset);
         case WASMOpExpressionF32::CallInternal:
             return parseCallInternal(context, WASMExpressionType::F32);
@@ -772 +806 @@
         case WASMOpExpressionF32::SetLocal:
         case WASMOpExpressionF32::SetGlobal:
-        case WASMOpExpressionF32::Load:
-        case WASMOpExpressionF32::LoadWithOffset:
         case WASMOpExpressionF32::Store:
         case WASMOpExpressionF32::StoreWithOffset:
@@ -881 +913 @@
         case WASMOpExpressionF64::GetGlobal:
             return parseGetGlobalExpressionF64(context);
+        case WASMOpExpressionF64::Load:
+            return parseLoad(context, WASMExpressionType::F64, WASMMemoryType::F64, MemoryAccessOffsetMode::NoOffset);
+        case WASMOpExpressionF64::LoadWithOffset:
+            return parseLoad(context, WASMExpressionType::F64, WASMMemoryType::F64, MemoryAccessOffsetMode::WithOffset);
         case WASMOpExpressionF64::CallInternal:
             return parseCallInternal(context, WASMExpressionType::F64);
@@ -895 +931 @@
         case WASMOpExpressionF64::SetLocal:
         case WASMOpExpressionF64::SetGlobal:
-        case WASMOpExpressionF64::Load:
-        case WASMOpExpressionF64::LoadWithOffset:
         case WASMOpExpressionF64::Store:
         case WASMOpExpressionF64::StoreWithOffset:
@@ -991 +1025 @@
 
 template <class Context>
+ContextMemoryAddress WASMFunctionParser::parseMemoryAddress(Context& context, MemoryAccessOffsetMode offsetMode)
+{
+    uint32_t offset = 0;
+    if (offsetMode == MemoryAccessOffsetMode::WithOffset)
+        READ_COMPACT_UINT32_OR_FAIL(offset, "Cannot read the address offset.");
+    ContextExpression index = parseExpressionI32(context);
+    PROPAGATE_ERROR();
+    return ContextMemoryAddress(index, offset);
+}
+
+template <class Context>
+ContextExpression WASMFunctionParser::parseLoad(Context& context, WASMExpressionType expressionType, WASMMemoryType memoryType, MemoryAccessOffsetMode offsetMode, MemoryAccessConversion conversion)
+{
+    FAIL_IF_FALSE(m_module->arrayBuffer(), "An ArrayBuffer is not provided.");
+    const ContextMemoryAddress& memoryAddress = parseMemoryAddress(context, offsetMode);
+    PROPAGATE_ERROR();
+    return context.buildLoad(memoryAddress, expressionType, memoryType, conversion);
+}
+
+template <class Context>
+ContextExpression WASMFunctionParser::parseStore(Context& context, WASMExpressionType expressionType, WASMMemoryType memoryType, MemoryAccessOffsetMode offsetMode)
+{
+    FAIL_IF_FALSE(m_module->arrayBuffer(), "An ArrayBuffer is not provided.");
+    const ContextMemoryAddress& memoryAddress = parseMemoryAddress(context, offsetMode);
+    PROPAGATE_ERROR();
+
+    ContextExpression value = parseExpression(context, expressionType);
+    PROPAGATE_ERROR();
+    return context.buildStore(memoryAddress, expressionType, memoryType, value);
+}
+
+template <class Context>
 ContextExpressionList WASMFunctionParser::parseCallArguments(Context& context, const Vector<WASMType>& arguments)
 {

trunk/Source/JavaScriptCore/wasm/WASMFunctionParser.h

@@ -35 +35 @@
 #define ContextStatement typename Context::Statement
 #define ContextExpressionList typename Context::ExpressionList
+#define ContextMemoryAddress typename Context::MemoryAddress
 #define ContextJumpTarget typename Context::JumpTarget
 
@@ -114 +115 @@
     template <class Context> ContextExpression parseGetGlobalExpressionF64(Context&);
 
+    template <class Context> ContextMemoryAddress parseMemoryAddress(Context&, MemoryAccessOffsetMode);
+    template <class Context> ContextExpression parseLoad(Context&, WASMExpressionType, WASMMemoryType, MemoryAccessOffsetMode, MemoryAccessConversion = MemoryAccessConversion::NoConversion);
+    template <class Context> ContextExpression parseStore(Context&, WASMExpressionType, WASMMemoryType, MemoryAccessOffsetMode);
+
     template <class Context> ContextExpressionList parseCallArguments(Context&, const Vector<WASMType>& arguments);
     template <class Context> ContextExpression parseCallInternal(Context&, WASMExpressionType returnType);

trunk/Source/JavaScriptCore/wasm/WASMFunctionSyntaxChecker.h

@@ -38 +38 @@
     typedef int Statement;
     typedef int ExpressionList;
+    struct MemoryAddress {
+        MemoryAddress(void*) { }
+        MemoryAddress(int, uint32_t) { }
+    };
     typedef int JumpTarget;
     enum class JumpCondition { Zero, NonZero };
@@ -104 +108 @@
     int buildConvertType(int, WASMExpressionType, WASMExpressionType, WASMTypeConversion)
     {
+        return UNUSED;
+    }
+
+    int buildLoad(const MemoryAddress&, WASMExpressionType, WASMMemoryType, MemoryAccessConversion)
+    {
+        return UNUSED;
+    }
+
+    int buildStore(const MemoryAddress&, WASMExpressionType, WASMMemoryType, int)
+    {
+        m_tempStackTop -= 2;
         return UNUSED;
     }

trunk/Source/JavaScriptCore/wasm/WASMModuleParser.cpp

@@ -29 +29 @@
 #if ENABLE(WEBASSEMBLY)
 
+#include "JSArrayBuffer.h"
 #include "JSCInlines.h"
 #include "JSWASMModule.h"
@@ -50 +51 @@
 namespace JSC {
 
-WASMModuleParser::WASMModuleParser(VM& vm, JSGlobalObject* globalObject, const SourceCode& source, JSObject* imports)
+WASMModuleParser::WASMModuleParser(VM& vm, JSGlobalObject* globalObject, const SourceCode& source, JSObject* imports, JSArrayBuffer* arrayBuffer)
     : m_vm(vm)
     , m_globalObject(vm, globalObject)
@@ -56 +57 @@
     , m_imports(vm, imports)
     , m_reader(static_cast<WebAssemblySourceProvider*>(source.provider())->data())
+    , m_module(vm, JSWASMModule::create(vm, globalObject->wasmModuleStructure(), arrayBuffer))
 {
 }
@@ -61 +63 @@
 JSWASMModule* WASMModuleParser::parse(ExecState* exec, String& errorMessage)
 {
-    m_module.set(m_vm, JSWASMModule::create(m_vm, m_globalObject->wasmModuleStructure()));
     parseModule(exec);
     if (!m_errorMessage.isNull()) {
@@ -94 +95 @@
     PROPAGATE_ERROR();
     parseExportSection();
+    PROPAGATE_ERROR();
+
+    FAIL_IF_FALSE(!m_module->arrayBuffer() || m_module->arrayBuffer()->impl()->byteLength() < (1u << 31), "The ArrayBuffer's length must be less than 2^31.");
 }
 
@@ -363 +367 @@
 }
 
-JSWASMModule* parseWebAssembly(ExecState* exec, const SourceCode& source, JSObject* imports, String& errorMessage)
-{
-    WASMModuleParser moduleParser(exec->vm(), exec->lexicalGlobalObject(), source, imports);
+JSWASMModule* parseWebAssembly(ExecState* exec, const SourceCode& source, JSObject* imports, JSArrayBuffer* arrayBuffer, String& errorMessage)
+{
+    WASMModuleParser moduleParser(exec->vm(), exec->lexicalGlobalObject(), source, imports, arrayBuffer);
     return moduleParser.parse(exec, errorMessage);
 }

trunk/Source/JavaScriptCore/wasm/WASMModuleParser.h

@@ -36 +36 @@
 
 class ExecState;
+class JSArrayBuffer;
 class JSGlobalObject;
 class JSWASMModule;
@@ -43 +44 @@
 class WASMModuleParser {
 public:
-    WASMModuleParser(VM&, JSGlobalObject*, const SourceCode&, JSObject* imports);
+    WASMModuleParser(VM&, JSGlobalObject*, const SourceCode&, JSObject* imports, JSArrayBuffer*);
     JSWASMModule* parse(ExecState*, String& errorMessage);
 
@@ -68 +69 @@
 };
 
-JS_EXPORT_PRIVATE JSWASMModule* parseWebAssembly(ExecState*, const SourceCode&, JSObject* imports, String& errorMessage);
+JS_EXPORT_PRIVATE JSWASMModule* parseWebAssembly(ExecState*, const SourceCode&, JSObject* imports, JSArrayBuffer*, String& errorMessage);
 
 } // namespace JSC