Changeset 208238 in webkit

Timestamp:

Nov 1, 2016 1:40:40 PM (7 years ago)

Author:

keith_miller@apple.com

Message:

Add a WASM function validator.
​https://bugs.webkit.org/show_bug.cgi?id=161707

Reviewed by Saam Barati.

This is a new template specialization of the Wasm FunctionParser class. Instead of having
the FunctionParser track what B3 values each stack entry refers to the validator has each
entry refer to the type of the stack entry. Additionally, the control stack tracks what type
of block the object is and what the result type of the block is. The validation functions
for unary, binary, and memory operations are autogenerated by the
generateWasmValidateInlinesHeader.py script.

There are still a couple issue with validating that will be addressed in follow-up patches.
1) We need to handle result types from basic blocks. ​https://bugs.webkit.org/show_bug.cgi?id=164100
2) We need to handle popping things from stacks when they don't exist. ​https://bugs.webkit.org/show_bug.cgi?id=164275

• CMakeLists.txt:
• DerivedSources.make:
• JavaScriptCore.xcodeproj/project.pbxproj:
• testWasm.cpp:

(runWasmTests):

• wasm/WasmB3IRGenerator.cpp:
• wasm/WasmFormat.cpp: Added.

(JSC::Wasm::toString):

• wasm/WasmFormat.h:
• wasm/WasmFunctionParser.h:

(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

• wasm/WasmPlan.cpp:

(JSC::Wasm::Plan::Plan):

• wasm/WasmValidate.cpp: Added.

(JSC::Wasm::Validate::ControlData::ControlData):
(JSC::Wasm::Validate::ControlData::dump):
(JSC::Wasm::Validate::ControlData::type):
(JSC::Wasm::Validate::ControlData::signature):
(JSC::Wasm::Validate::addConstant):
(JSC::Wasm::Validate::isContinuationReachable):
(JSC::Wasm::Validate::errorMessage):
(JSC::Wasm::Validate::Validate):
(JSC::Wasm::Validate::addArguments):
(JSC::Wasm::Validate::addLocal):
(JSC::Wasm::Validate::getLocal):
(JSC::Wasm::Validate::setLocal):
(JSC::Wasm::Validate::addBlock):
(JSC::Wasm::Validate::addLoop):
(JSC::Wasm::Validate::addIf):
(JSC::Wasm::Validate::addElse):
(JSC::Wasm::Validate::addReturn):
(JSC::Wasm::Validate::addBranch):
(JSC::Wasm::Validate::endBlock):
(JSC::Wasm::Validate::addCall):
(JSC::Wasm::Validate::unify):
(JSC::Wasm::Validate::dump):
(JSC::Wasm::validateFunction):

• wasm/WasmValidate.h: Added.
• wasm/generateWasmValidateInlinesHeader.py: Added.

(cppType):
(toCpp):
(unaryMacro):
(binaryMacro):
(loadMacro):
(storeMacro):

Location:

trunk/Source/JavaScriptCore

Files:

• CMakeLists.txt (modified) (1 diff)
• ChangeLog (modified) (73 diffs)
• DerivedSources.make (modified) (2 diffs)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (16 diffs)
• testWasm.cpp (modified) (29 diffs)
• wasm/WasmB3IRGenerator.cpp (modified) (8 diffs)
• wasm/WasmFormat.cpp (added)
• wasm/WasmFormat.h (modified) (1 diff)
• wasm/WasmFunctionParser.h (modified) (5 diffs)
• wasm/WasmPlan.cpp (modified) (2 diffs)
• wasm/WasmValidate.cpp (added)
• wasm/WasmValidate.h (added)
• wasm/generateWasmValidateInlinesHeader.py (added)

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -880 +880 @@
     wasm/WasmB3IRGenerator.cpp
     wasm/WasmCallingConvention.cpp
+    wasm/WasmFormat.cpp
     wasm/WasmMemory.cpp
     wasm/WasmModuleParser.cpp
     wasm/WasmPlan.cpp
+    wasm/WasmValidate.cpp
 
     wasm/js/JSWebAssemblyCompileError.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-11-01  Keith Miller  <keith_miller@apple.com>
+
+        Add a WASM function validator.
+        https://bugs.webkit.org/show_bug.cgi?id=161707
+
+        Reviewed by Saam Barati.
+
+        This is a new template specialization of the Wasm FunctionParser class.  Instead of having
+        the FunctionParser track what B3 values each stack entry refers to the validator has each
+        entry refer to the type of the stack entry. Additionally, the control stack tracks what type
+        of block the object is and what the result type of the block is. The validation functions
+        for unary, binary, and memory operations are autogenerated by the
+        generateWasmValidateInlinesHeader.py script.
+
+        There are still a couple issue with validating that will be addressed in follow-up patches.
+        1) We need to handle result types from basic blocks. https://bugs.webkit.org/show_bug.cgi?id=164100
+        2) We need to handle popping things from stacks when they don't exist. https://bugs.webkit.org/show_bug.cgi?id=164275
+
+        * CMakeLists.txt:
+        * DerivedSources.make:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * testWasm.cpp:
+        (runWasmTests):
+        * wasm/WasmB3IRGenerator.cpp:
+        * wasm/WasmFormat.cpp: Added.
+        (JSC::Wasm::toString):
+        * wasm/WasmFormat.h:
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseExpression):
+        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
+        * wasm/WasmPlan.cpp:
+        (JSC::Wasm::Plan::Plan):
+        * wasm/WasmValidate.cpp: Added.
+        (JSC::Wasm::Validate::ControlData::ControlData):
+        (JSC::Wasm::Validate::ControlData::dump):
+        (JSC::Wasm::Validate::ControlData::type):
+        (JSC::Wasm::Validate::ControlData::signature):
+        (JSC::Wasm::Validate::addConstant):
+        (JSC::Wasm::Validate::isContinuationReachable):
+        (JSC::Wasm::Validate::errorMessage):
+        (JSC::Wasm::Validate::Validate):
+        (JSC::Wasm::Validate::addArguments):
+        (JSC::Wasm::Validate::addLocal):
+        (JSC::Wasm::Validate::getLocal):
+        (JSC::Wasm::Validate::setLocal):
+        (JSC::Wasm::Validate::addBlock):
+        (JSC::Wasm::Validate::addLoop):
+        (JSC::Wasm::Validate::addIf):
+        (JSC::Wasm::Validate::addElse):
+        (JSC::Wasm::Validate::addReturn):
+        (JSC::Wasm::Validate::addBranch):
+        (JSC::Wasm::Validate::endBlock):
+        (JSC::Wasm::Validate::addCall):
+        (JSC::Wasm::Validate::unify):
+        (JSC::Wasm::Validate::dump):
+        (JSC::Wasm::validateFunction):
+        * wasm/WasmValidate.h: Added.
+        * wasm/generateWasmValidateInlinesHeader.py: Added.
+        (cppType):
+        (toCpp):
+        (unaryMacro):
+        (binaryMacro):
+        (loadMacro):
+        (storeMacro):
+
 2016-11-01  Saam Barati  <sbarati@apple.com>
 
@@ -1679 +1744 @@
         Async functions generate bytecode equivalent to the following, which is
         highly dependent on the Generator implementation:
-        
+
         ```
         // Before translation:
@@ -1701 +1766 @@
 
         There are some caveats to be addressed later:
-        
+
         1) the `op_to_this` is always performed, whether it's used or not, like normal generators. (https://bugs.webkit.org/show_bug.cgi?id=151586)
-        
+
         2) for async arrow functions, the home object is always stored on the "body" function, regardless of whether it's needed or
         not, for the same reason as #1 (and should also be fixed as part of https://bugs.webkit.org/show_bug.cgi?id=151586)
@@ -1811 +1876 @@
            behavior that is different than the set of cacheable put operations above.
            Hence, it should not claim that the property put is cacheable.
-    
+
         2. Cacheable puts are cached on the original structure of the object before the
            put operation.
@@ -2069 +2134 @@
 
         Reviewed by Geoffrey Garen.
-        
+
         I want to introduce another HeapTimer. Prior to this change, that would have meant writing
         exact copies of that timer's logic for each platform that has a HeapTimer (CF, GLIB, and
@@ -2077 +2142 @@
         to add insult to injury, the USE(CF) version of HeapTimer would have to have an extra case
         for that new subclass since it doesn't use virtual methods effectively.
-        
+
         This changes HeapTimer on USE(CF) to know to get its runloop from Heap and to use virtual
         methods effectively so that it doesn't have to know about all of its subclasses.
-        
+
         This also moves IncrementalSweeper's code for scheduling timers into HeapTimer. This means
         that future subclasses of HeapTimer could simply use that logic.
-        
+
         This keeps changes to GCActivityCallback to a minimum. It still has a lot of
         platform-specific code and I'm not sure that this code can be trivially deduplicated since
@@ -2712 +2777 @@
 
         Reviewed by Keith Miller.
-        
+
         JSC often suffers from the inline cargo cult, and Heap is a prime example. This outlines a
         bunch of Heap methods that are either already very big, or call out-of-line methods, or call
         very big methods, or are not called often enough for inlining to matter.
-        
+
         This simplifies concurrent GC work because I'm so tired of recompiling the world when I touch
         one of these methods.
-        
+
         This looks to be perf-neutral.
 
@@ -3089 +3154 @@
 
         Reviewed by Geoffrey Garen.
-        
+
         We need to know if we're currently in an allocation slow path, so that code can assert that
         it's not being used from inside a destructor that runs during a sweep. We need to know if
@@ -3097 +3162 @@
         full collection. If we are requesting a collection, we need to know if we're requesting an
         eden collection, a full collection, or any kind of collection.
-        
+
         Prior to this change, you would reason about all of these things using the HeapOperation. It
         had the following states: NoOperation, Allocation, FullCollection, EdenCollection, and
@@ -3105 +3170 @@
         Eden, because we just needed a variable to tell us which generation we were talking about.
         It was all very confusing.
-        
+
         Where it completely breaks down is the fact that a concurrent GC has two logical threads, the
         mutator and the collector, which can change state independently. The mutator can be
@@ -3115 +3180 @@
         collector not running, running eden, or running full. So, this change decouples mutator state
         from collector state and uses two separate fields with two different types.
-        
+
         Mutator state is described using MutatorState, which can be either MutatorState::Running,
         MutatorState::Allocating, or MutatorState::HelpingGC.
-        
+
         Collector state is described using Optional<CollectionScope>. CollectionScope describes how
         big the scope of the collection is, and it can be either CollectionScope::Eden or
@@ -3127 +3192 @@
         collection, which those methods take to mean that they can run any kind of collection (the
         old AnyCollection).
-        
+
         Another use of HeapOperation was to answer questions about whether the caller is running as
         part of the GC or as part of the mutator. Optional<CollectionScope> does not answer this,
@@ -3144 +3209 @@
         by checking with mayBeGCThread, which returns Optional<GCThreadType>; if engaged, then run as
         GC, else run as GC if MutatorState is HelpingGC, else run as mutator.
-        
+
         This doesn't change the way that the GC behaves, but it does change how the GC represents a
         fundamental piece of state. So, it's a big change. It should be perf-neutral (still testing).
@@ -3704 +3769 @@
 
         Reviewed by Geoffrey Garen.
-        
+
         Change the JITWorklist to use AutomaticThread, so that the Baseline JIT's concurrent
         compiler thread shuts down automatically after inactivity.
-        
+
         With this change, all of JSC's threads shut down automatically. If you run splay for a few
         seconds (which fires up all threads - compiler and GC) and then go to sleep for a second,
@@ -3750 +3815 @@
 
         Reviewed by Mark Lam.
-        
+
         AutomaticThread is a new feature in WTF that allows you to easily create worker threads that
         shut down automatically. This changes DFG::Worklist to use AutomaticThread, so that its
         threads shut down automatically, too. This has the potential to save a lot of memory.
-        
+
         This required some improvements to AutomaticThread: Worklist likes to be able to keep state
         around for the whole lifetime of a thread, and so it likes knowing when threads are born and
         when they die. I added virtual methods for that. Also, Worklist uses notifyOne() so I added
         that, too.
-        
+
         This looks to be perf-neutral.
 
@@ -3923 +3988 @@
 
         Reviewed by Andreas Kling.
-        
+
         Added a sleepSeconds() function, which made it easier for me to test this change.
-        
+
         The WTF changes in this patch change how the JSC GC manages threads: the GC threads will now
         shut down automatically after 1 second of inactivity. Maybe this will save some memory.
@@ -3953 +4018 @@
 
         Reviewed by Geoffrey Garen and Saam Barati.
-        
+
         This adds a new kind of call inline cache for when the DFG can prove what the callee
         executable is. In those cases, we can skip some of the things that the traditional call IC
         would do:
-        
+
         - No need to check who the callee is.
         - No need to do arity checks.
-        
+
         This case isn't as simple as just emitting a call instruction since the callee may not be
         compiled at the time that the caller is compiled. So, we need lazy resolution. Also, the
@@ -3967 +4032 @@
         CallLinkInfo has. CallLinkInfo already knows about different kinds of calls. This patch
         teaches it about new "Direct" call types.
-        
+
         The direct non-tail call IC looks like this:
-        
+
                 set up arguments
             FastPath:
                 call _SlowPath
                 lea -FrameSize(%rbp), %rsp
-            
+
             SlowPath:
                 pop
@@ -3980 +4045 @@
                 check exception
                 jmp FastPath
-        
+
         The job of operationLinkDirectCall is to link the fast path's call entrypoint of the callee.
         This means that in steady state, a call is just that: a call. There are no extra branches or
         checks.
-        
+
         The direct tail call IC is a bit more complicated because the act of setting up arguments
         destroys our frame, which would prevent us from being able to throw an exception if we
         failed to compile the callee. So, direct tail call ICs look like this:
-        
+
                 jmp _SlowPath
             FastPath:
                 set up arguments
                 jmp 0 // patch to jump to callee
-            
+
             SlowPath:
                 silent spill
@@ -4000 +4065 @@
                 check exception
                 jmp FastPath
-        
+
         The jmp to the slow path is patched to be a fall-through jmp when we link the call.
-        
+
         Direct calls mean less code at call sites, fewer checks on the steady state call fast path,
         and no need for arity fixup. This looks like a slight speed-up (~0.8%) on both Octane and
@@ -4163 +4228 @@
         MethodDefinitions which are not either class "constructor" methods or GeneratorMethods, AsyncFunctions,
         and ArrowFunctions.
-        
+
         For details, see the following spec text, and the difference between GeneratorMethod evaluation and
         the evaluation of other MethodDefinition forms.
-        
+
         - https://tc39.github.io/ecma262/#sec-method-definitions-runtime-semantics-propertydefinitionevaluation
         - https://tc39.github.io/ecma262/#sec-arrow-function-definitions-runtime-semantics-evaluation
         - https://tc39.github.io/ecmascript-asyncawait/#async-function-instances
         - https://tc39.github.io/ecma262/#sec-generator-function-definitions-runtime-semantics-propertydefinitionevaluation
-        
+
 
         * runtime/Executable.h:
@@ -4317 +4382 @@
 
         Reviewed by Geoffrey Garen.
-        
+
         Before r207408, IRC had a mode where it would silently assign the first assignable register (so
         %rax, %xmm0, etc) to any tmp that was not colorable due to a pathological interference fencepost.
@@ -4328 +4393 @@
         corruption. Also, this can only happen for floating point registers, so it's hard to get an
         exciting crash. The worst case is that your numbers get all messed up.
-        
+
         This change fixes the issue:
-        
+
         - IRC will now crash if it can't color a tmp.
-        
+
         - IRC doesn't crash on our tests anymore because I added a padInterference() utility that works
           around the interference problem by inserting Nops to pad between those instructions where
           conflating their early and late actions into one interference fencepost could create an
           uncolorable graph.
-        
+
         See https://bugs.webkit.org/show_bug.cgi?id=163548#c2 for a detailed discussion of how the
         problem can arise.
-        
+
         This problem almost made me want to abandon our use of interference at instruction boundaries,
         and introduce something more comprehensive, like interference at various stages of an
@@ -4354 +4419 @@
         DCE, which includes eliminateDeadCode(), allocateStack(), and reportUsedRegisters(). In practice
         allocateStack() kills them.
-        
+
         This also finally refactors our passing of RegisterSet to pass it by value, since it's small
         enough that we're not gaining anything by using references. On x86, RegisterSet ought to be
@@ -4621 +4686 @@
 
         Reviewed by Mark Lam.
-        
+
         The worklist building function in IRC skips temporaries that have no degree. This doesn't appear
         to be necessary. This has been there since the original IRC commit. It hasn't caused bugs because
@@ -4627 +4692 @@
         while working on bug 163371, I hit a crazy corner case where a temporary would have no
         interference edges (i.e. no degree). Here's how it happens:
-        
+
         A spill tmp from a previous iteration of IRC may have no degree: imagine a tmp that is live
         everywhere and interferes with everyone, but has one use like:
@@ -4647 +4712 @@
         Then, we might coalesce %someOtherTmp with %newTmp.  Once this happens, if we make the %newTmp be
         the master, we're in deep trouble because %newTmp is not on any worklist.
-        
+
         I don't know how to reproduce this except through the patch in bug 163371. Removing the two lines
         of code that skipped no-degree tmps causes no regressions, and resolves the problem I was having.
@@ -5031 +5096 @@
 
         Reviewed by Mark Lam.
-        
+
         When I first added the concept of NewGrey/OldGrey, I had the SlotVisitor store the old cell
         state in itself, so that it could use it to decide what to do for reportExtraMemoryVisited().
-        
+
         Then I changed it in a recent commit, because I wanted the freedom to have SlotVisitor visit
         multiple objects in tandem. But I never ended up using this capability. Still, I liked the
@@ -5040 +5105 @@
         make the object's state reflect whether it was black for the first time or not. That seemed
         convenient.
-        
+
         Unfortunately it's wrong. After we blacken the object, a concurrent barrier could instantly
         grey it. Then we would forget that we are visiting this object for the first time.
         Subsequent visits will think that they are not the first. So, we will fail to do the right
         thing in reportExtraMemoryVisited().
-        
+
         So, this reverts that change. This is a little more than just a revert, though. I've changed
         the terminology a bit. For example, I got tired of reading Black and having to remind myself
@@ -5052 +5117 @@
         currently being scanned. I'm going to adopt Siebert's term for this: Anthracite [1]. So, our
         black CellState is now called AnthraciteOrBlack.
-        
+
         [1] https://pdfs.semanticscholar.org/7ae4/633265aead1f8835cf7966e179d02c2c8a4b.pdf
 
@@ -5152 +5217 @@
 
         Reviewed by Mark Lam.
-        
+
         It turns out that HeapSnapshot was not down with revisiting. The concurrent GC is going to be
         built around the idea that we can revisit objects many times. This means that any action that
         should only take place once per object must check the object's state. This fixes the snapshot
         code to do this.
-        
+
         While writing this code, I realized that we're actually doing this check incorrectly, so I
         filed bug 163343. That bug requires a race, so we aren't going to see it yet.
@@ -5188 +5253 @@
         (InjectedScript.prototype._describe):
         Provide a friendlier name, "Proxy" instead of "ProxyObject".
-        
+
         (InjectedScript.RemoteObject):
         When generating a preview for a Proxy object, generate it from the final target
@@ -5227 +5292 @@
         by the parser. This could get out of sync, or nodes could forget to
         emit debug hooks expected by the parser.
-        
+
         With this change, we always check and emit a debug hook for any
         node. The default behavior is for BytecodeGenerator::emitNode
@@ -5372 +5437 @@
 
         Reviewed by Mark Lam.
-        
+
         I guess that the idea of JITWriteBarrier was to make sure that if you slap some heap pointer
         bits into machine code, then you better execute a barrier on the code block. But it's a
@@ -5380 +5445 @@
         stored in machine code must always be shadowed in the GC heap. I think that convention has
         won by overwhelming majority, so we should finally remove JITWriteBarrier.
-        
+
         A practical outcome of this change is that it makes it easier to implement DirectCall ICs,
         which will have to store the callee in the CallLinkInfo but not in the machine code.
@@ -5429 +5494 @@
 
         Reviewed by Geoffrey Garen.
-        
+
         It used to be that we would forget which objects are live the moment we started collection.
         That's because the flip at the beginning clears all mark bits.
-        
+
         But we already have a facility for tracking objects that are live-but-not-marked. It's called
         newlyAllocated. So, instead of clearing mark bits, we want to just transfer them to
         newlyAllocated. Then we want to clear all newlyAllocated after GC.
-        
+
         This implements such an approach, along with a versioning optimization for newlyAllocated.
         Instead of walking the whole heap to clear newlyAllocated bits at the end of the GC, we bump
         the newlyAllocatedVersion, which causes MarkedBlock to treat newlyAllocated as if it was
         clear.
-        
+
         We could have even avoided allocating newlyAllocated in most cases, since empirically most
         blocks are either completely empty or completely full. An earlier version of this patch did
         this, but it was not better than this patch. In fact, it seemed to actually be worse for PLT
         and membuster.
-        
+
         To validate this change, we now run the conservative scan after the beginMarking flip. And it
         totally works!
-        
+
         This is a huge step towards concurrent GC. It means that we ought to be able to run the
         allocator while marking. Since we already separately made it possible to run the barrier
         while marking, this means that we're pretty much ready for some serious concurrency action.
-        
+
         This appears to be perf-neutral and space-neutral.
 
@@ -5610 +5675 @@
 
         Reviewed by Yusuke Suzuki.
-        
+
         We have a lot of defenses against emitting code that materializes huge contants. But if we do
         end up with such code in the backend, it's better to convert those materializations into add
@@ -5625 +5690 @@
 
         Reviewed by Mark Lam.
-        
+
         When writing the lea patch (r207039), I was very careful about how I convert a Shl into a
         BaseIndex scale. But I forgot to check if the older code for creating BaseIndexes for
         effectiveAddr() got this right. It turns out that the older code missed the <<32 corner
         case.
-        
+
         It's sad that the two paths can't share all of their code, but it's somewhat inevitable due
         to how matching an address and matching a lea have to do very different things. Matching a
@@ -5640 +5705 @@
         more sane by adding a scaleForShl() helper that handles this weird case. It's based on the
         new Shl handling from r207039, and exposes it as an API for effectiveAddr() to use.
-        
+
         The testLoadBaseIndexShift32() used to crash. I don't think that this case affects JS
         content, since <<32 is such a bizarre outlier. I don't think we even have a path along
@@ -5691 +5756 @@
 
         Reviewed by Saam Barati.
-        
+
         This adds comprehensive support for emitting lea on x86.
-        
+
         When adding this, I found that it was useful to also finally add more reassociation. That
         reduces the amount of patterns that the instruction selector has to deal with.
@@ -5832 +5897 @@
 
         Reviewed by Keith Miller.
-        
+
         You can now call Procedure::pinRegister(), or Code::pinRegister(), and it will make this
         register behave as follows:
-        
+
         - B3 and Air will emit no code that modifies the value in this register, except if that
           happens via a Patchpoint or stackmap constraint (i.e. the user explicitly asked for it).
@@ -5846 +5911 @@
           to use them by (1) excluding them from any clobber set (easy, since they're callee save)
           and (2) emitting ArgumentReg to grab their value. There's a test that does this.
-        
-        This is accomplished by taking regsInPriorityOrder() and making it a method of Code. Air 
+
+        This is accomplished by taking regsInPriorityOrder() and making it a method of Code. Air
         already used this API when choosing registers in register allocation. Code now also vends a
         mutableRegs() set, which is derived from regsInPriorityOrder(), that can quickly tell you if
         a register can be mutated. Doing it this way means that most of this is a purely mechanical
         change. The calls to mutableRegs() are the places where we had to change logic:
-        
+
         - The register allocators needs to know that coalescing with a precolored pinned tmp is free.
         - The callee-save handler needs to know that we're not supposed to save/restore pinned
           registers.
-        
+
         Note that in this scheme, pinned registers are simply registers that do not appear in
         regsInPriorityOrder(). This means, for example, that we will now say that FP is pinned. So,
@@ -5911 +5976 @@
 
         Reviewed by Keith Miller.
-        
+
         If we have mutable pinned registers then we need to know which operations mutate them. At
         first I considered making this into a heap range thing, but I think that this would be very
@@ -6912 +6977 @@
         Air::generate() to use labelIgnoringWatchpoints() to create pcToOriginMap
         entries to eliminate unneccesary NOPs.
-        
+
         * b3/air/AirGenerate.cpp:
         (JSC::B3::Air::generate):
@@ -6946 +7011 @@
 
         Reviewed by Geoffrey Garen.
-        
+
         While writing some documentation, I found some small holes in the code.
 
@@ -7045 +7110 @@
 
         Reviewed by Dan Bernstein.
-        
+
         This function has become dead code. This change removes it.
 
@@ -7100 +7165 @@
 
         Reviewed by Geoffrey Garen.
-        
+
         This adds a traps flag to B3::Kind. It also makes B3::Kind work more like Air::Kind, in the
         sense that it's a bag of distinct bits - it doesn't need to be a union unless we get enough
         things that it would make a difference.
-        
+
         The only analysis that needs to know about traps is effects. It now knows that traps implies
         sideExits, which means that this turns off DCE. The only optimization that needs to know
         about traps is eliminateCommonSubexpressions(), which needs to pessimize its store
         elimination if the store traps.
-        
+
         The hard part of this change is teaching the instruction selector to faithfully carry the
         traps flag down to Air. I got this to work by making ArgPromise a non-copyable object that
@@ -7117 +7182 @@
         correctly carry the trap bit: if any of the B3 loads or stores involved traps then you get
         traps in Air.
-        
+
         This framework also sets us up to do bug 162688, since the ArgPromise::inst() hook is
         powerful enough to allow wrapping the instruction with a Patch.
-        
+
         I added some tests to testb3 that verify that optimizations are appropriately inhibited and
         that the traps flag survives until the bitter end of Air.
@@ -7191 +7256 @@
 
         Reviewed by Saam Barati.
-        
+
         There are some interesting cases where we can reduce the number of constant materializations if
         we teach moveConstants() how to edit code. The two examples that this patch supports are:
-        
+
             - Loads and stores from a constant pointer. Since loads and stores get an offset for free
               and the instruction selector is really good at handling it, and since we can query Air to
@@ -7200 +7265 @@
               is specific to the absolute address of that load and instead pick some other constant
               that is within offset distance of ours.
-            
+
             - Add and Sub by a constant (x + c, x - c). Since x + c = x - -c and x - c = x + -c, we can
               flip Add to Sub or vice versa if the negated constant is available.
-        
+
         This change makes moveConstants() pick the most dominant constant that works for an value. In
         the case of memory accesses, it uses Air::Arg::isValidAddrForm() to work out what other
@@ -7210 +7275 @@
         most dominant constant that works - so if an Add's constant is already most dominant then
         nothing changes, but if the negated one is more dominant then it becomes a Sub.
-        
+
         This is a 0.5% speed-up on LongSpider and neutral elsewhere. It's a speed-up because the
         absolute address thing reduces the number of address materializations that we have to do, while
@@ -7506 +7571 @@
         resolve the breakpoint location before setting the
         breakpoint. The different paths are:
-        
+
         - setBreakpoint(scriptId, location)
           - Here we know the SourceProvider by its SourceID
             - resolve and set
-        
+
         - setBreakpointByURL(url, location)
           - Search for existing Scripts that match the URL
@@ -7516 +7581 @@
           - When new Scripts are parsed that match the URL
             - resolve and set
-            
+
 
 2016-09-30  Joseph Pecoraro  <pecoraro@apple.com>
@@ -7655 +7720 @@
         (JSC::Debugger::exception):
         (JSC::Debugger::didReachBreakpoint):
-        
+
         Use new variable names, and clarify if we should attempt
         to pause or not.
@@ -7667 +7732 @@
         (JSC::Debugger::pauseIfNeeded):
         Allow updateCallFrame to either attempt a pause or not.
-        
+
         (JSC::Debugger::atStatement):
         Attempt pause and reset the at first expression flag.
@@ -7683 +7748 @@
         If the user did a step-over and is leaving the
         function, then behave like step-out.
-        
+
         (JSC::Debugger::unwindEvent):
         Behave like return except don't change any
@@ -7702 +7767 @@
         our state so we don't errantly pause on the next
         JavaScript microtask that gets executed.
-        
+
         (JSC::Debugger::clearNextPauseState):
         Helper to clear all of the pause states now that
@@ -7785 +7850 @@
 
         Reviewed by Mark Lam.
-        
+
         This follows a similar change in B3 (r206595) and replaces Air::Opcode with Air::Kind,
         which holds onto the opcode and some additional flags. Because Air is an orthogonal ISA
@@ -7792 +7857 @@
         meant to be orthogonal to opcode. This allows us to say things like Add32<Trap>, which
         makes sense if any of the operands to the Add32 are addresses.
-        
+
         To demonstrate the flags facility this partly adds a trap flag to Air. B3 doesn't use it
         yet, but I made sure that Air respects it. Basically that means blocking DCE when the flag
@@ -7876 +7941 @@
 
         Reviewed by Keith Miller.
-        
+
         The put_by_id-in-put_by_val optimization had the write barrier in the wrong place and
         incorrectly filtered on value instead of base.
-        
+
         No reduced test case. You really need to run Dromaeo/jslib to catch it. I love Dromaeo's
         ability to catch GC bugs.
@@ -7932 +7997 @@
         actually did. This change replaces Opcode with Kind, which is a tuple of opcode and other
         stuff.
-        
+
         Opcodes are great, and that's how most compilers work. But opcodes are one-dimensional. Here
         is how this manifests. Say you have an opcode, like Load. You will be happy if your IR has
@@ -7938 +8003 @@
         done in B3. B3 has one dimension of Load opcodes, which determines something like the C type
         of the load. But in the very near future, we will want to add two more dimensions to Loads:
-        
+
         - A flag to say if the load traps.
         - A flag to say if the load has acquire semantics.
-        
+
         Mapping these three dimensions (type, trap, acquire) onto the one-dimensional Opcode space
         would create mayham: Load8S, Load8STrap, Load8SAcquire, Load8STrapAcquire, Load8Z,
         Load8ZTrap, etc.
-        
+
         This happens in other parts of the IR. For example, we have a dimension of arithmetic
         operations: add, sub, mul, div, mod, etc. Then we have the chill flag. But since opcodes
@@ -7951 +8016 @@
         compiler that case on both Div and ChillDiv, or case on both Mod and ChillMod, since they
         are only interested in the kind of arithmetic being done and not the chillness.
-        
+
         Though the examples all involve bits (chill or not, trapping or not, etc), I can imagine
         other properties that behave more like small enums, like if we fill out more memory ordering
         modes other than just "acquire? yes/no". There will eventually have to be something like a
         std::memory_order associated with memory accesses.
-        
+
         One approach to this problem is to have a Value subclass that contains fields with the meta
         data. I don't like this for two reasons:
-        
+
         - In bug 162688, I want to make trapping memory accesses have stackmaps. This means that a
           trapping memory access would have a different Value subclass than a non-trapping memory
           access. So, this meta-data needs to channel into ValueType::accepts(). Currently that
           takes Opcode and nothing else.
-        
+
         - Compiler IRs are all about making common tasks easy. If it becomes commonplace for opcodes
           to require a custom Value subclass just for a bit then that's not very easy.
-        
+
         This change addresses this problem by making the compiler pass around Kinds rather than
         Opcodes. A Kind contains an Opcode as well as any number of opcode-specific bits. This
@@ -7976 +8041 @@
 
             Int32 @38 = Div<Chill>(@36, @37, DFG:@24, ControlDependent)
-        
+
         Where "Div<Chill>" is how a Kind that hasExtraBits() dumps itself. If a Kind does not
         hasExtraBits() (the normal case) then it dumps like a normal Opcode (without the "<>").
-        
+
         I replaced many uses of Opcode with Kind. New code has to be mindful that Opcode may not be
         the right way to summarize what a value does, and so in many cases it's better to carry
@@ -7987 +8052 @@
         Opcode. But most opcodes don't get any extra Kind bits, and so the code that operates on
         those opcodes is largely unchanged.
-        
+
         * CMakeLists.txt:
         * JavaScriptCore.xcodeproj/project.pbxproj:
@@ -8114 +8179 @@
 
         Reviewed by Geoffrey Garen.
-        
+
         This makes our write barrier behave correctly when it races with the collector. The
         collector wants to do this when visiting:
-        
+
             object->cellState = black
             visit(object)
-        
+
         The mutator wants to do this when storing:
-        
+
             object->property = newValue
             if (object->cellState == black)
                 remember(object)
-        
+
         Prior to this change, this didn't work right because the compiler would sometimes place
         barriers before the store to the property and because the mutator did not have adequate
         fences.
-        
+
         Prior to this change, the DFG and FTL would emit this:
-        
+
             if (object->cellState == black)
                 remember(object)
             object->property = newValue
-        
+
         Which is wrong, because the object could start being scanned just after the cellState
         check, at which point the store would be lost. We need to confirm that the state was not
@@ -8147 +8212 @@
         don't have any way to represent any of the GC's other state, which means that B3 does not
         have to worry about aliasing with any of that).
-        
+
         The collector already uses a store-load fence on x86 just after setting the cellState and
         before visiting the object. The mutator needs to do the same. But we cannot put a
@@ -8156 +8221 @@
         would lift throughput-while-collecting from 0% of peak to 85% of peak. This changes the
         barrier so that it looks like this:
-        
+
             if (object->cellState <= heap.sneakyBlackThreshold)
                 slowPath(object)
-        
+
         Where sneakyBlackThreshold is the normal blackThreshold when we're not collecting, or a
         tautoligical threshold (that makes everything look black) when we are collecting. This
@@ -8167 +8232 @@
         check if we are concurrently collecting; if so, it does a fence and rechecks if the object
         really did need that barrier.
-        
+
         This also reintroduces elimination of redundant store barriers, which was lost in the last
         store barrier change. We can only do it when there is no possibility of GC, exit, or
@@ -8177 +8242 @@
         that it uses a constant black threshold rather than the sneaky one, thereby saving one
         load.
-        
+
         Even with all of those optimizations, I still had problems with barrier cost. I found that one
         of the benchmarks that was being hit particularly hard was JetStream/regexp-2010. Fortunately
@@ -8187 +8252 @@
         to have a DeferralContext object that houses a boolean that is false by default, but the GC
         writes true into it if it would have wanted to GC. You thread a pointer to the deferralContext
-        through all of your allocations. This kind of mechanism has the overhead of a zero 
+        through all of your allocations. This kind of mechanism has the overhead of a zero
         initialization on the stack on entry and a zero check on exit. This is probably even efficient
         enough that we could start thinking about having the DFG use it, for example if we found a
@@ -8193 +8258 @@
         wacky. This optimization took this patch from 0.68% JetStream regressed to neutral, according
         to my latest data.
-        
+
         Finally, an earlier version of this change put the store-load fence in B3 IR, so I ended up
         adding FTLOutput support for it and AbstractHeapRepository magic for decorating the heaps.
@@ -8569 +8634 @@
         Make the subclass of CallSlowPathGenerator that takes arguments variadic
         so it can take any number of arguments. Also updates the slowPathCall helper
-        function to be variadic. I had to move the spill mode and exception check 
+        function to be variadic. I had to move the spill mode and exception check
         requirement parameters to before the arguments since the variadic arguments
         must be at the end. As a convenience, I added an overload of slowPathCall that

trunk/Source/JavaScriptCore/DerivedSources.make

@@ -65 +65 @@
     YarrCanonicalizeUnicode.cpp \
     WasmOps.h \
+    WasmValidateInlines.h \
 #
 
@@ -302 +303 @@
         $(PYTHON) $(JavaScriptCore)/wasm/generateWasmOpsHeader.py $(JavaScriptCore)/wasm/wasm.json ./WasmOps.h
 
+WasmValidateInlines.h: $(JavaScriptCore)/wasm/generateWasmValidateInlinesHeader.py $(JavaScriptCore)/wasm/generateWasm.py $(JavaScriptCore)/wasm/wasm.json
+        $(PYTHON) $(JavaScriptCore)/wasm/generateWasmValidateInlinesHeader.py $(JavaScriptCore)/wasm/wasm.json ./WasmValidateInlines.h
+
 # Dynamically-defined targets are listed below. Static targets belong up top.
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1231 +1231 @@
                 531374BD1D5CE67600AF7A0B /* WasmPlan.h in Headers */ = {isa = PBXBuildFile; fileRef = 531374BC1D5CE67600AF7A0B /* WasmPlan.h */; };
                 531374BF1D5CE95000AF7A0B /* WasmPlan.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 531374BE1D5CE95000AF7A0B /* WasmPlan.cpp */; };
+                533B15DF1DC7F463004D500A /* WasmOps.h in Headers */ = {isa = PBXBuildFile; fileRef = 533B15DE1DC7F463004D500A /* WasmOps.h */; };
                 5341FC701DAC33E500E7E4D7 /* B3WasmBoundsCheckValue.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5341FC6F1DAC33E500E7E4D7 /* B3WasmBoundsCheckValue.cpp */; };
                 5341FC721DAC343C00E7E4D7 /* B3WasmBoundsCheckValue.h in Headers */ = {isa = PBXBuildFile; fileRef = 5341FC711DAC343C00E7E4D7 /* B3WasmBoundsCheckValue.h */; };
@@ -1254 +1255 @@
                 53F40E8D1D5901F20099A1B6 /* WasmParser.h in Headers */ = {isa = PBXBuildFile; fileRef = 53F40E8C1D5901F20099A1B6 /* WasmParser.h */; };
                 53F40E8F1D5902820099A1B6 /* WasmB3IRGenerator.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 53F40E8E1D5902820099A1B6 /* WasmB3IRGenerator.cpp */; };
-                53F40E911D5903020099A1B6 /* WasmOps.h in Headers */ = {isa = PBXBuildFile; fileRef = 53F40E901D5903020099A1B6 /* WasmOps.h */; };
                 53F40E931D5A4AB30099A1B6 /* WasmB3IRGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = 53F40E921D5A4AB30099A1B6 /* WasmB3IRGenerator.h */; };
                 53F40E951D5A7AEF0099A1B6 /* WasmModuleParser.h in Headers */ = {isa = PBXBuildFile; fileRef = 53F40E941D5A7AEF0099A1B6 /* WasmModuleParser.h */; };
@@ -1263 +1263 @@
                 53FD04D31D7AB277003287D3 /* WasmCallingConvention.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 53FD04D11D7AB187003287D3 /* WasmCallingConvention.cpp */; };
                 53FD04D41D7AB291003287D3 /* WasmCallingConvention.h in Headers */ = {isa = PBXBuildFile; fileRef = 53FD04D21D7AB187003287D3 /* WasmCallingConvention.h */; };
-                5C4E8E961DBEBE620036F1FC /* JSONParseTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5C4E8E941DBEBDA20036F1FC /* JSONParseTest.cpp */; };
+                53FF7F991DBFCD9000A26CCC /* WasmValidate.h in Headers */ = {isa = PBXBuildFile; fileRef = 53FF7F981DBFCD9000A26CCC /* WasmValidate.h */; };
+                53FF7F9B1DBFD2B900A26CCC /* WasmValidate.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 53FF7F9A1DBFD2B900A26CCC /* WasmValidate.cpp */; };
+                53FF7F9D1DC00DB100A26CCC /* WasmFormat.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 53FF7F9C1DC00DB100A26CCC /* WasmFormat.cpp */; };
                 5B70CFDE1DB69E6600EC23F9 /* JSAsyncFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = 5B70CFD81DB69E5C00EC23F9 /* JSAsyncFunction.h */; };
                 5B70CFDF1DB69E6600EC23F9 /* JSAsyncFunction.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5B70CFD91DB69E5C00EC23F9 /* JSAsyncFunction.cpp */; };
@@ -1270 +1272 @@
                 5B70CFE21DB69E6600EC23F9 /* AsyncFunctionConstructor.h in Headers */ = {isa = PBXBuildFile; fileRef = 5B70CFDC1DB69E5C00EC23F9 /* AsyncFunctionConstructor.h */; };
                 5B70CFE31DB69E6600EC23F9 /* AsyncFunctionConstructor.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5B70CFDD1DB69E5C00EC23F9 /* AsyncFunctionConstructor.cpp */; };
+                5C4E8E961DBEBE620036F1FC /* JSONParseTest.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5C4E8E941DBEBDA20036F1FC /* JSONParseTest.cpp */; };
                 5D5D8AD10E0D0EBE00F9C692 /* libedit.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 5D5D8AD00E0D0EBE00F9C692 /* libedit.dylib */; };
                 5DBB151B131D0B310056AD36 /* testapi.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 14D857740A4696C80032146C /* testapi.js */; };
@@ -3559 +3562 @@
                 531374BC1D5CE67600AF7A0B /* WasmPlan.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmPlan.h; sourceTree = "<group>"; };
                 531374BE1D5CE95000AF7A0B /* WasmPlan.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmPlan.cpp; sourceTree = "<group>"; };
+                533B15DE1DC7F463004D500A /* WasmOps.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmOps.h; sourceTree = "<group>"; };
                 5341FC6F1DAC33E500E7E4D7 /* B3WasmBoundsCheckValue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = B3WasmBoundsCheckValue.cpp; path = b3/B3WasmBoundsCheckValue.cpp; sourceTree = "<group>"; };
                 5341FC711DAC343C00E7E4D7 /* B3WasmBoundsCheckValue.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = B3WasmBoundsCheckValue.h; path = b3/B3WasmBoundsCheckValue.h; sourceTree = "<group>"; };
@@ -3586 +3590 @@
                 53F40E8C1D5901F20099A1B6 /* WasmParser.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmParser.h; sourceTree = "<group>"; };
                 53F40E8E1D5902820099A1B6 /* WasmB3IRGenerator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmB3IRGenerator.cpp; sourceTree = "<group>"; };
-                53F40E901D5903020099A1B6 /* WasmOps.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmOps.h; sourceTree = "<group>"; };
                 53F40E921D5A4AB30099A1B6 /* WasmB3IRGenerator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmB3IRGenerator.h; sourceTree = "<group>"; };
                 53F40E941D5A7AEF0099A1B6 /* WasmModuleParser.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmModuleParser.h; sourceTree = "<group>"; };
@@ -3595 +3598 @@
                 53FD04D11D7AB187003287D3 /* WasmCallingConvention.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmCallingConvention.cpp; sourceTree = "<group>"; };
                 53FD04D21D7AB187003287D3 /* WasmCallingConvention.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmCallingConvention.h; sourceTree = "<group>"; };
-                5C4E8E941DBEBDA20036F1FC /* JSONParseTest.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSONParseTest.cpp; path = API/tests/JSONParseTest.cpp; sourceTree = "<group>"; };
-                5C4E8E951DBEBDA20036F1FC /* JSONParseTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = JSONParseTest.h; path = API/tests/JSONParseTest.h; sourceTree = "<group>"; };
+                53FF7F981DBFCD9000A26CCC /* WasmValidate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmValidate.h; sourceTree = "<group>"; };
+                53FF7F9A1DBFD2B900A26CCC /* WasmValidate.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmValidate.cpp; sourceTree = "<group>"; };
+                53FF7F9C1DC00DB100A26CCC /* WasmFormat.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmFormat.cpp; sourceTree = "<group>"; };
                 5B70CFD81DB69E5C00EC23F9 /* JSAsyncFunction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSAsyncFunction.h; sourceTree = "<group>"; };
                 5B70CFD91DB69E5C00EC23F9 /* JSAsyncFunction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSAsyncFunction.cpp; sourceTree = "<group>"; };
@@ -3604 +3608 @@
                 5B70CFDD1DB69E5C00EC23F9 /* AsyncFunctionConstructor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = AsyncFunctionConstructor.cpp; sourceTree = "<group>"; };
                 5B8243041DB7AA4900EA6384 /* AsyncFunctionPrototype.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.javascript; path = AsyncFunctionPrototype.js; sourceTree = "<group>"; };
+                5C4E8E941DBEBDA20036F1FC /* JSONParseTest.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSONParseTest.cpp; path = API/tests/JSONParseTest.cpp; sourceTree = "<group>"; };
+                5C4E8E951DBEBDA20036F1FC /* JSONParseTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = JSONParseTest.h; path = API/tests/JSONParseTest.h; sourceTree = "<group>"; };
                 5D5D8AD00E0D0EBE00F9C692 /* libedit.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libedit.dylib; path = /usr/lib/libedit.dylib; sourceTree = "<absolute>"; };
                 5DAFD6CB146B686300FBEFB4 /* JSC.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = JSC.xcconfig; sourceTree = "<group>"; };
@@ -5846 +5852 @@
                                 996B73141BD9FA2C00331B84 /* SymbolPrototype.lut.h */,
                                 65A946141C8E9F6F00A7209A /* YarrCanonicalizeUnicode.cpp */,
+                                533B15DE1DC7F463004D500A /* WasmOps.h */,
                         );
                         name = "Derived Sources";
@@ -5882 +5889 @@
                                 53FD04D11D7AB187003287D3 /* WasmCallingConvention.cpp */,
                                 53FD04D21D7AB187003287D3 /* WasmCallingConvention.h */,
-                                53F40E901D5903020099A1B6 /* WasmOps.h */,
+                                53FF7F9C1DC00DB100A26CCC /* WasmFormat.cpp */,
                                 7BC547D21B69599B00959B58 /* WasmFormat.h */,
                                 53F40E8A1D5901BB0099A1B6 /* WasmFunctionParser.h */,
@@ -5893 +5900 @@
                                 53F40E8C1D5901F20099A1B6 /* WasmParser.h */,
                                 53F40E841D58F9770099A1B6 /* WasmSections.h */,
+                                53FF7F9A1DBFD2B900A26CCC /* WasmValidate.cpp */,
+                                53FF7F981DBFCD9000A26CCC /* WasmValidate.h */,
                         );
                         path = wasm;
@@ -7997 +8006 @@
                                 0F2BDC4B1522809D00CD8910 /* DFGVariableEventStream.h in Headers */,
                                 0FFFC96014EF90BD00C72532 /* DFGVirtualRegisterAllocationPhase.h in Headers */,
+                                53FF7F991DBFCD9000A26CCC /* WasmValidate.h in Headers */,
                                 0FC97F4218202119002C9B26 /* DFGWatchpointCollectionPhase.h in Headers */,
                                 0FDB2CE8174830A2007B3C1B /* DFGWorklist.h in Headers */,
@@ -8400 +8410 @@
                                 FE1220271BE7F58C0039E6F2 /* JITAddGenerator.h in Headers */,
                                 0F919D11157F332C004A4E7D /* JSSegmentedVariableObject.h in Headers */,
-                                53F40E911D5903020099A1B6 /* WasmOps.h in Headers */,
                                 A7299D9E17D12837005F5FF9 /* JSSet.h in Headers */,
                                 A790DD70182F499700588807 /* JSSetIterator.h in Headers */,
@@ -8781 +8790 @@
                                 14E84FA214EE1ACC00D6D5D4 /* WeakImpl.h in Headers */,
                                 14BE7D3317135CF400D1807A /* WeakInlines.h in Headers */,
+                                533B15DF1DC7F463004D500A /* WasmOps.h in Headers */,
                                 A7CA3AE417DA41AE006538AF /* WeakMapConstructor.h in Headers */,
                                 A7CA3AEC17DA5168006538AF /* WeakMapData.h in Headers */,
@@ -9942 +9952 @@
                                 A7E2EA6C0FB460CF00601F06 /* LiteralParser.cpp in Sources */,
                                 A5A1A0951D8CB341004C2EB8 /* DebuggerParseData.cpp in Sources */,
+                                53FF7F9D1DC00DB100A26CCC /* WasmFormat.cpp in Sources */,
                                 FE3913541B794F6E00EDAF71 /* LiveObjectList.cpp in Sources */,
                                 FE20CE9D15F04A9500DF3430 /* LLIntCLoop.cpp in Sources */,
@@ -10100 +10111 @@
                                 70EC0EC61AA0D7DA00B6AAFA /* StringIteratorPrototype.cpp in Sources */,
                                 14469DEC107EC7E700650446 /* StringObject.cpp in Sources */,
+                                53FF7F9B1DBFD2B900A26CCC /* WasmValidate.cpp in Sources */,
                                 14469DED107EC7E700650446 /* StringPrototype.cpp in Sources */,
                                 9335F24D12E6765B002B5553 /* StringRecursionChecker.cpp in Sources */,

trunk/Source/JavaScriptCore/testWasm.cpp

@@ -270 +270 @@
 }
 
+static void checkPlan(Plan& plan, unsigned expectedNumberOfFunctions)
+{
+    if (plan.failed()) {
+        dataLogLn("Module failed to compile with error: ", plan.errorMessage());
+        CRASH();
+    }
+
+    if (plan.resultSize() != expectedNumberOfFunctions) {
+        dataLogLn("Incorrect number of functions");
+        CRASH();
+    }
+
+    for (unsigned i = 0; i < expectedNumberOfFunctions; ++i) {
+        if (!plan.result(i)) {
+            dataLogLn("Function at index, " , i, " failed to compile correctly");
+            CRASH();
+        }
+    }
+
+}
+
 // For now we inline the test files.
 static void runWasmTests()
@@ -291 +312 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 2 || !plan.result(0) || !plan.result(1)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 2);
 
         // Test this doesn't crash.
@@ -320 +338 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 2 || !plan.result(0) || !plan.result(1)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 2);
 
         // Test this doesn't crash.
@@ -354 +369 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 2 || !plan.result(0) || !plan.result(1)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 2);
 
         // Test this doesn't crash.
@@ -388 +400 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -448 +457 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 2 || !plan.result(0) || !plan.result(1)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 2);
 
         // Test this doesn't crash.
@@ -464 +470 @@
     {
         // Generated from:
-        // (module
-        //  (memory 1)
-        //  (func (export "i32_load8_s") (param $i i32) (param $ptr i32) (result i32)
-        //   (i64.store (get_local $ptr) (get_local $i))
-        //   (return (i64.load (get_local $ptr)))
-        //   )
-        //  )
+        //    (module
+        //     (memory 1)
+        //     (func (export "i64") (param $i i64) (param $ptr i32) (result i64)
+        //      (i64.store (get_local $ptr) (get_local $i))
+        //      (return (i64.load (get_local $ptr)))
+        //      )
+        //     )
         Vector<uint8_t> vector = {
             0x00, 0x61, 0x73, 0x6d, 0x0c, 0x00, 0x00, 0x00, 0x01, 0x87, 0x80, 0x80, 0x80, 0x00, 0x01, 0x40,
             0x02, 0x02, 0x01, 0x01, 0x02, 0x03, 0x82, 0x80, 0x80, 0x80, 0x00, 0x01, 0x00, 0x05, 0x83, 0x80,
-            0x80, 0x80, 0x00, 0x01, 0x01, 0x01, 0x07, 0x8f, 0x80, 0x80, 0x80, 0x00, 0x01, 0x0b, 0x69, 0x33,
-            0x32, 0x5f, 0x6c, 0x6f, 0x61, 0x64, 0x38, 0x5f, 0x73, 0x00, 0x00, 0x0a, 0x95, 0x80, 0x80, 0x80,
-            0x00, 0x01, 0x8f, 0x80, 0x80, 0x80, 0x00, 0x00, 0x14, 0x01, 0x14, 0x00, 0x34, 0x03, 0x00, 0x14,
-            0x01, 0x2b, 0x03, 0x00, 0x09, 0x0f
-        };
-
-        Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+            0x80, 0x80, 0x00, 0x01, 0x01, 0x01, 0x07, 0x87, 0x80, 0x80, 0x80, 0x00, 0x01, 0x03, 0x69, 0x36,
+            0x34, 0x00, 0x00, 0x0a, 0x95, 0x80, 0x80, 0x80, 0x00, 0x01, 0x8f, 0x80, 0x80, 0x80, 0x00, 0x00,
+            0x14, 0x01, 0x14, 0x00, 0x34, 0x03, 0x00, 0x14, 0x01, 0x2b, 0x03, 0x00, 0x09, 0x0f
+        };
+
+        Plan plan(*vm, vector);
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -511 +513 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -551 +550 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
         ASSERT(plan.memory()->size());
 
@@ -606 +602 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
         ASSERT(plan.memory()->size());
 
@@ -650 +643 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
         ASSERT(plan.memory()->size());
 
@@ -681 +671 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -711 +698 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -742 +726 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -782 +763 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
         ASSERT(plan.memory()->size());
 
@@ -837 +815 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
         ASSERT(plan.memory()->size());
 
@@ -881 +856 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
         ASSERT(plan.memory()->size());
 
@@ -912 +884 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -942 +911 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -983 +949 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -1010 +973 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -1031 +991 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -1051 +1008 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -1071 +1025 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -1090 +1041 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -1119 +1067 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -1155 +1100 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -1199 +1141 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.
@@ -1252 +1191 @@
 
         Plan plan(*vm, vector);
-        if (plan.failed() || plan.resultSize() != 1 || !plan.result(0)) {
-            dataLogLn("Module failed to compile correctly.");
-            CRASH();
-        }
+        checkPlan(plan, 1);
 
         // Test this doesn't crash.

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -88 +88 @@
         }
 
+        LazyBlock()
+        {
+        }
+
         explicit operator bool() const { return !!m_block; }
 
@@ -117 +121 @@
             if (signature != Void)
                 result.append(proc.addVariable(toB3Type(signature)));
+        }
+
+        ControlData()
+        {
         }
 
@@ -173 +181 @@
     B3IRGenerator(Memory*, Procedure&, Vector<UnlinkedCall>& unlinkedCalls);
 
-    void addArguments(const Vector<Type>&);
-    void addLocal(Type, uint32_t);
+    bool WARN_UNUSED_RETURN addArguments(const Vector<Type>&);
+    bool WARN_UNUSED_RETURN addLocal(Type, uint32_t);
     ExpressionType addConstant(Type, uint64_t);
 
@@ -192 +200 @@
     ControlData WARN_UNUSED_RETURN addBlock(Type signature);
     ControlData WARN_UNUSED_RETURN addLoop(Type signature);
-    ControlData WARN_UNUSED_RETURN addIf(ExpressionType condition, Type signature);
-    bool WARN_UNUSED_RETURN addElse(ControlData&);
+    bool WARN_UNUSED_RETURN addIf(ExpressionType condition, Type signature, ControlData& result);
+    bool WARN_UNUSED_RETURN addElse(ControlData&, const ExpressionList&);
 
     bool WARN_UNUSED_RETURN addReturn(const ExpressionList& returnValues);
@@ -246 +254 @@
 }
 
-void B3IRGenerator::addLocal(Type type, uint32_t count)
-{
-    m_locals.reserveCapacity(m_locals.size() + count);
+bool B3IRGenerator::addLocal(Type type, uint32_t count)
+{
+    if (!m_locals.tryReserveCapacity(m_locals.size() + count))
+        return false;
+
     for (uint32_t i = 0; i < count; ++i)
-        m_locals.append(m_proc.addVariable(toB3Type(type)));
-}
-
-void B3IRGenerator::addArguments(const Vector<Type>& types)
+        m_locals.uncheckedAppend(m_proc.addVariable(toB3Type(type)));
+    return true;
+}
+
+bool B3IRGenerator::addArguments(const Vector<Type>& types)
 {
     ASSERT(!m_locals.size());
+    if (!m_locals.tryReserveCapacity(types.size()))
+        return false;
+
     m_locals.grow(types.size());
     wasmCallingConvention().loadArguments(types, m_proc, m_currentBlock, Origin(),
@@ -263 +277 @@
             m_currentBlock->appendNew<VariableValue>(m_proc, Set, Origin(), argumentVariable, argument);
         });
+    return true;
 }
 
@@ -494 +509 @@
 }
 
-B3IRGenerator::ControlData B3IRGenerator::addIf(ExpressionType condition, Type signature)
+bool B3IRGenerator::addIf(ExpressionType condition, Type signature, ControlType& result)
 {
     // FIXME: This needs to do some kind of stack passing.
@@ -508 +523 @@
 
     m_currentBlock = taken;
-    return ControlData(m_proc, signature, notTaken, continuation);
-}
-
-bool B3IRGenerator::addElse(ControlData& data)
+    result = ControlData(m_proc, signature, notTaken, continuation);
+    return true;
+}
+
+bool B3IRGenerator::addElse(ControlData& data, const ExpressionList&)
 {
     ASSERT(data.continuation);

trunk/Source/JavaScriptCore/wasm/WasmFormat.h

@@ -98 +98 @@
 }
 
+const char* toString(Type);
 
 struct Signature {

trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

@@ -74 +74 @@
     if (verbose)
         dataLogLn("Parsing function starting at: ", (uintptr_t)functionStart, " of length: ", functionLength);
-    m_context.addArguments(m_signature->arguments);
 }
 
@@ -80 +79 @@
 bool FunctionParser<Context>::parse()
 {
+    if (!m_context.addArguments(m_signature->arguments))
+        return false;
+
     uint32_t localCount;
     if (!parseVarUInt32(localCount))
@@ -93 +95 @@
             return false;
 
-        m_context.addLocal(typeOfLocal, numberOfLocals);
+        if (!m_context.addLocal(typeOfLocal, numberOfLocals))
+            return false;
     }
 
@@ -283 +286 @@
 
         ExpressionType condition = m_expressionStack.takeLast();
-        m_controlStack.append(m_context.addIf(condition, inlineSignature));
+        ControlType control;
+        if (!m_context.addIf(condition, inlineSignature, control))
+            return false;
+
+        m_controlStack.append(control);
         return true;
     }
 
     case OpType::Else: {
-        return m_context.addElse(m_controlStack.last());
+        return m_context.addElse(m_controlStack.last(), m_expressionStack);
     }
 
@@ -350 +357 @@
         ASSERT(data.type() == BlockType::If);
         m_unreachableBlocks = 0;
-        return m_context.addElse(data);
+        return m_context.addElse(data, m_expressionStack);
     }
 

trunk/Source/JavaScriptCore/wasm/WasmPlan.cpp

@@ -33 +33 @@
 #include "WasmCallingConvention.h"
 #include "WasmModuleParser.h"
+#include "WasmValidate.h"
 #include <wtf/DataLog.h>
 
@@ -64 +65 @@
         size_t functionLength = info.end - info.start;
         ASSERT(functionLength <= sourceLength);
+
+        String error = validateFunction(functionStart, functionLength, info.signature, moduleParser.functionInformation());
+        if (!error.isNull()) {
+            m_errorMessage = error;
+            return;
+        }
+
         m_result.append(parseAndCompile(vm, functionStart, functionLength, moduleParser.memory().get(), info.signature, moduleParser.functionInformation()));
     }