Changeset 210244 in webkit

Timestamp:

Jan 3, 2017 12:24:36 PM (7 years ago)

Author:

jfbastien@apple.com

Message:

WebAssembly JS API: check and test in-call / out-call values
​https://bugs.webkit.org/show_bug.cgi?id=164876
<rdar://problem/29844107>

Reviewed by Saam Barati.

JSTests:

• wasm.yaml:
• wasm/assert.js: add an assert for NaN comparison
• wasm/fuzz/export-function.js: Added. Generate random wasm export

signatures, and call them with random parameters.
(const.paramExporter):
(const.setBuffer):
(const.types.generate):
(generate):

• wasm/js-api/export-arity.js: Added.

(const.paramExporter): Test that mismatched arities when JS calls
wasm follow the defined semantics: i32 is 0, f32 / f64 are NaN.
​https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects

• wasm/js-api/export-void-is-undef.js: Added. Test that "void"

wasm functions return "undefined" in JS.

Source/JavaScriptCore:

• wasm/WasmBinding.cpp:

(JSC::Wasm::wasmToJs): fix the wasm -> JS call coercions for f32 /
f64 which the assotiated tests inadvertently tripped on: the
previous code wasn't correctly performing JSValue boxing for
"double" values. This change is slightly involved because it
requires two scratch registers to materialize the
DoubleEncodeOffset value. This change therefore reorganizes the
code to first generate traps, then handle all integers (freeing
all GPRs), and then all the floating-point values.

• wasm/js/WebAssemblyFunction.cpp:

(JSC::callWebAssemblyFunction): Implement the defined semantics
for mismatched arities when JS calls wasm:
​https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects

• i32 is 0, f32 / f64 are NaN.
• wasm functions which return "void" are "undefined" in JS.

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm.yaml (modified) (1 diff)
• JSTests/wasm/Builder.js (modified) (1 diff)
• JSTests/wasm/assert.js (modified) (1 diff)
• JSTests/wasm/fuzz (added)
• JSTests/wasm/fuzz/export-function.js (added)
• JSTests/wasm/js-api/export-arity.js (added)
• JSTests/wasm/js-api/export-void-is-undef.js (added)
• JSTests/wasm/self-test/test_BuilderJSON.js (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmBinding.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-01-03  JF Bastien  <jfbastien@apple.com>
+
+        WebAssembly JS API: check and test in-call / out-call values
+        https://bugs.webkit.org/show_bug.cgi?id=164876
+        <rdar://problem/29844107>
+
+        Reviewed by Saam Barati.
+
+        * wasm.yaml:
+        * wasm/assert.js: add an assert for NaN comparison
+        * wasm/fuzz/export-function.js: Added. Generate random wasm export
+        signatures, and call them with random parameters.
+        (const.paramExporter):
+        (const.setBuffer):
+        (const.types.generate):
+        (generate):
+        * wasm/js-api/export-arity.js: Added.
+        (const.paramExporter): Test that mismatched arities when JS calls
+        wasm follow the defined semantics: i32 is 0, f32 / f64 are NaN.
+        https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects
+        * wasm/js-api/export-void-is-undef.js: Added. Test that "void"
+        wasm functions return "undefined" in JS.
+
 2017-01-02  JF Bastien  <jfbastien@apple.com>
 

trunk/JSTests/wasm.yaml

@@ -27 +27 @@
   cmd: runWebAssembly
 - path: wasm/function-tests
+  cmd: runWebAssembly
+- path: wasm/fuzz
   cmd: runWebAssembly
 

trunk/JSTests/wasm/Builder.js

@@ -753 +753 @@
             section: this._sections
         };
-        return JSON.stringify(obj);
+        // JSON.stringify serializes -0.0 as 0.0.
+        const replacer = (key, value) => {
+            if (value === 0.0 && 1.0 / value === -Infinity)
+                return "NEGATIVE_ZERO";
+            return value;
+        };
+        return JSON.stringify(obj, replacer);
     }
     AsmJS() {

trunk/JSTests/wasm/assert.js

@@ -73 +73 @@
 
 export const eq = (lhs, rhs, msg) => {
+    if (typeof lhs !== typeof rhs)
+        _fail(`Not the same: "${lhs}" and "${rhs}"`, msg);
     if (Array.isArray(lhs) && Array.isArray(rhs) && (lhs.length === rhs.length)) {
         for (let i = 0; i !== lhs.length; ++i)
             eq(lhs[i], rhs[i], msg);
-    } else if (lhs !== rhs)
+    } else if (lhs !== rhs) {
+        if (typeof lhs === "number" && isNaN(lhs) && isNaN(rhs))
+            return;
         _fail(`Not the same: "${lhs}" and "${rhs}"`, msg);
+    } else {
+        if (typeof lhs === "number" && (1.0 / lhs !== 1.0 / rhs)) // Distinguish -0.0 from 0.0.
+            _fail(`Not the same: "${lhs}" and "${rhs}"`, msg);
+    }
 };
 

trunk/JSTests/wasm/self-test/test_BuilderJSON.js

@@ -511 +511 @@
         assert.eq(j.section[1].data[0].code[0].arguments.length, 0);
         assert.eq(j.section[1].data[0].code[0].immediates.length, 1);
-        assert.eq(j.section[1].data[0].code[0].immediates[0], c);
+        assert.eq(j.section[1].data[0].code[0].immediates[0] === "NEGATIVE_ZERO" ? -0.0 : j.section[1].data[0].code[0].immediates[0], c);
     }
 })();
@@ -527 +527 @@
         assert.eq(j.section[1].data[0].code[0].arguments.length, 0);
         assert.eq(j.section[1].data[0].code[0].immediates.length, 1);
-        assert.eq(j.section[1].data[0].code[0].immediates[0], c);
+        assert.eq(j.section[1].data[0].code[0].immediates[0] === "NEGATIVE_ZERO" ? -0.0 : j.section[1].data[0].code[0].immediates[0], c);
     }
 })();

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-01-03  JF Bastien  <jfbastien@apple.com>
+
+        WebAssembly JS API: check and test in-call / out-call values
+        https://bugs.webkit.org/show_bug.cgi?id=164876
+        <rdar://problem/29844107>
+
+        Reviewed by Saam Barati.
+
+        * wasm/WasmBinding.cpp:
+        (JSC::Wasm::wasmToJs): fix the wasm -> JS call coercions for f32 /
+        f64 which the assotiated tests inadvertently tripped on: the
+        previous code wasn't correctly performing JSValue boxing for
+        "double" values. This change is slightly involved because it
+        requires two scratch registers to materialize the
+        `DoubleEncodeOffset` value. This change therefore reorganizes the
+        code to first generate traps, then handle all integers (freeing
+        all GPRs), and then all the floating-point values.
+        * wasm/js/WebAssemblyFunction.cpp:
+        (JSC::callWebAssemblyFunction): Implement the defined semantics
+        for mismatched arities when JS calls wasm:
+        https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects
+          - i32 is 0, f32 / f64 are NaN.
+          - wasm functions which return "void" are "undefined" in JS.
+
 2017-01-03  Per Arne Vollan  <pvollan@apple.com>
 

trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp

@@ -75 +75 @@
     jit.subPtr(MacroAssembler::TrustedImm32(stackOffset), MacroAssembler::stackPointerRegister);
     JIT::Address calleeFrame = CCallHelpers::Address(MacroAssembler::stackPointerRegister, -static_cast<ptrdiff_t>(sizeof(CallerFrameAndPC)));
-
-    // FIXME make this a loop which switches on Signature if there are many arguments on the stack. It'll otherwise be huge for huge signatures. https://bugs.webkit.org/show_bug.cgi?id=165547
-    unsigned marshalledGPRs = 0;
-    unsigned marshalledFPRs = 0;
-    unsigned calleeFrameOffset = CallFrameSlot::firstArgument * static_cast<int>(sizeof(Register));
-    unsigned frOffset = CallFrameSlot::firstArgument * static_cast<int>(sizeof(Register));
+    
     for (unsigned argNum = 0; argNum < argCount; ++argNum) {
         Type argType = signature->argument(argNum);
@@ -87 +82 @@
         case Func:
         case Anyfunc:
-        case I64:
-            // FIXME: Figure out the correct behavior here. I suspect we want such a stub to throw an exception immediately
+        case I64: {
+            // FIXME: Figure out the correct behavior here. I suspect we want such a stub to throw an exception immediately.
             // if called. https://bugs.webkit.org/show_bug.cgi?id=165991
             jit.breakpoint();
-            break;
-        case I32: {
-            GPRReg gprReg;
-            if (marshalledGPRs < wasmCC.m_gprArgs.size())
-                gprReg = wasmCC.m_gprArgs[marshalledGPRs].gpr();
-            else {
-                // We've already spilled all arguments, these registers are available as scratch.
-                gprReg = GPRInfo::argumentGPR0;
-                jit.load64(JIT::Address(GPRInfo::callFrameRegister, frOffset), gprReg);
-                frOffset += sizeof(Register);
-            }
-            ++marshalledGPRs;
-            jit.boxInt32(gprReg, JSValueRegs(gprReg), DoNotHaveTagRegisters);
-            jit.store64(gprReg, calleeFrame.withOffset(calleeFrameOffset));
-            calleeFrameOffset += sizeof(Register);
-            break;
+            LinkBuffer patchBuffer(*vm, jit, GLOBAL_THUNK_ID);
+            return FINALIZE_CODE(patchBuffer, ("WebAssembly import[%i] stub for signature %i", importIndex, signatureIndex));
         }
-        case F32: {
-            FPRReg fprReg;
-            if (marshalledFPRs < wasmCC.m_fprArgs.size())
-                fprReg = wasmCC.m_fprArgs[marshalledFPRs].fpr();
-            else {
-                // We've already spilled all arguments, these registers are available as scratch.
-                fprReg = FPRInfo::argumentFPR0;
-                jit.loadFloat(JIT::Address(GPRInfo::callFrameRegister, frOffset), fprReg);
-                frOffset += sizeof(Register);
-            }
-            jit.convertFloatToDouble(fprReg, fprReg);
-            jit.purifyNaN(fprReg);
-            jit.storeDouble(fprReg, calleeFrame.withOffset(calleeFrameOffset));
-            calleeFrameOffset += sizeof(Register);
-            ++marshalledFPRs;
-            break;
+        case I32:
+        case F32:
+        case F64:
+            continue;
         }
-        case F64: {
-            FPRReg fprReg;
-            if (marshalledFPRs < wasmCC.m_fprArgs.size())
-                fprReg = wasmCC.m_fprArgs[marshalledFPRs].fpr();
-            else {
-                // We've already spilled all arguments, these registers are available as scratch.
-                fprReg = FPRInfo::argumentFPR0;
-                jit.loadDouble(JIT::Address(GPRInfo::callFrameRegister, frOffset), fprReg);
-                frOffset += sizeof(Register);
-            }
-            jit.purifyNaN(fprReg);
-            jit.storeDouble(fprReg, calleeFrame.withOffset(calleeFrameOffset));
-            calleeFrameOffset += sizeof(Register);
-            ++marshalledFPRs;
-            break;
+    }
+
+    // FIXME make these loops which switch on Signature if there are many arguments on the stack. It'll otherwise be huge for huge signatures. https://bugs.webkit.org/show_bug.cgi?id=165547
+    
+    // First go through the integer parameters, freeing up their register for use afterwards.
+    {
+        unsigned marshalledGPRs = 0;
+        unsigned marshalledFPRs = 0;
+        unsigned calleeFrameOffset = CallFrameSlot::firstArgument * static_cast<int>(sizeof(Register));
+        unsigned frOffset = CallFrameSlot::firstArgument * static_cast<int>(sizeof(Register));
+        for (unsigned argNum = 0; argNum < argCount; ++argNum) {
+            Type argType = signature->argument(argNum);
+            switch (argType) {
+            case Void:
+            case Func:
+            case Anyfunc:
+            case I64:
+                RELEASE_ASSERT_NOT_REACHED(); // Handled above.
+            case I32: {
+                GPRReg gprReg;
+                if (marshalledGPRs < wasmCC.m_gprArgs.size())
+                    gprReg = wasmCC.m_gprArgs[marshalledGPRs].gpr();
+                else {
+                    // We've already spilled all arguments, these registers are available as scratch.
+                    gprReg = GPRInfo::argumentGPR0;
+                    jit.load64(JIT::Address(GPRInfo::callFrameRegister, frOffset), gprReg);
+                    frOffset += sizeof(Register);
+                }
+                ++marshalledGPRs;
+                jit.boxInt32(gprReg, JSValueRegs(gprReg), DoNotHaveTagRegisters);
+                jit.store64(gprReg, calleeFrame.withOffset(calleeFrameOffset));
+                calleeFrameOffset += sizeof(Register);
+                break;
+            }
+            case F32:
+            case F64:
+                // Skipped: handled below.
+                if (marshalledFPRs >= wasmCC.m_fprArgs.size())
+                    frOffset += sizeof(Register);
+                ++marshalledFPRs;
+                calleeFrameOffset += sizeof(Register);
+                break;
+            }
         }
+    }
+    
+    {
+        // Integer registers have already been spilled, these are now available.
+        GPRReg doubleEncodeOffsetGPRReg = GPRInfo::argumentGPR0;
+        GPRReg scratch = GPRInfo::argumentGPR1;
+        bool hasMaterializedDoubleEncodeOffset = false;
+        auto materializeDoubleEncodeOffset = [&hasMaterializedDoubleEncodeOffset, &jit] (GPRReg dest) {
+            if (!hasMaterializedDoubleEncodeOffset) {
+                static_assert(DoubleEncodeOffset == 1ll << 48, "codegen assumes this below");
+                jit.move(JIT::TrustedImm32(1), dest);
+                jit.lshift64(JIT::TrustedImm32(48), dest);
+                hasMaterializedDoubleEncodeOffset = true;
+            }
+        };
+
+        unsigned marshalledGPRs = 0;
+        unsigned marshalledFPRs = 0;
+        unsigned calleeFrameOffset = CallFrameSlot::firstArgument * static_cast<int>(sizeof(Register));
+        unsigned frOffset = CallFrameSlot::firstArgument * static_cast<int>(sizeof(Register));
+        for (unsigned argNum = 0; argNum < argCount; ++argNum) {
+            Type argType = signature->argument(argNum);
+            switch (argType) {
+            case Void:
+            case Func:
+            case Anyfunc:
+            case I64:
+                RELEASE_ASSERT_NOT_REACHED(); // Handled above.
+            case I32:
+                // Skipped: handled above.
+                if (marshalledGPRs < wasmCC.m_gprArgs.size())
+                    frOffset += sizeof(Register);
+                ++marshalledGPRs;
+                calleeFrameOffset += sizeof(Register);
+                break;
+            case F32: {
+                FPRReg fprReg;
+                if (marshalledFPRs < wasmCC.m_fprArgs.size())
+                    fprReg = wasmCC.m_fprArgs[marshalledFPRs].fpr();
+                else {
+                    // We've already spilled all arguments, these registers are available as scratch.
+                    fprReg = FPRInfo::argumentFPR0;
+                    jit.loadFloat(JIT::Address(GPRInfo::callFrameRegister, frOffset), fprReg);
+                    frOffset += sizeof(Register);
+                }
+                jit.convertFloatToDouble(fprReg, fprReg);
+                jit.purifyNaN(fprReg);
+                jit.moveDoubleTo64(fprReg, scratch);
+                materializeDoubleEncodeOffset(doubleEncodeOffsetGPRReg);
+                jit.add64(doubleEncodeOffsetGPRReg, scratch);
+                jit.store64(scratch, calleeFrame.withOffset(calleeFrameOffset));
+                calleeFrameOffset += sizeof(Register);
+                ++marshalledFPRs;
+                break;
+            }
+            case F64: {
+                FPRReg fprReg;
+                if (marshalledFPRs < wasmCC.m_fprArgs.size())
+                    fprReg = wasmCC.m_fprArgs[marshalledFPRs].fpr();
+                else {
+                    // We've already spilled all arguments, these registers are available as scratch.
+                    fprReg = FPRInfo::argumentFPR0;
+                    jit.loadDouble(JIT::Address(GPRInfo::callFrameRegister, frOffset), fprReg);
+                    frOffset += sizeof(Register);
+                }
+                jit.purifyNaN(fprReg);
+                jit.moveDoubleTo64(fprReg, scratch);
+                materializeDoubleEncodeOffset(doubleEncodeOffsetGPRReg);
+                jit.add64(doubleEncodeOffsetGPRReg, scratch);
+                jit.store64(scratch, calleeFrame.withOffset(calleeFrameOffset));
+                calleeFrameOffset += sizeof(Register);
+                ++marshalledFPRs;
+                break;
+            }
+            }
         }
     }

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

@@ -57 +57 @@
     const Wasm::Signature* signature = Wasm::SignatureInformation::get(&vm, signatureIndex);
 
-    // FIXME is this the right behavior? https://bugs.webkit.org/show_bug.cgi?id=164876
-    if (exec->argumentCount() != signature->argumentCount())
-        return JSValue::encode(throwException(exec, scope, createNotEnoughArgumentsError(exec, defaultSourceAppender)));
-
     {
         // Check if we have a disallowed I64 use.
@@ -79 +75 @@
     }
 
-    // FIXME is this boxing correct? https://bugs.webkit.org/show_bug.cgi?id=164876
     Vector<JSValue> boxedArgs;
     for (unsigned argIndex = 0; argIndex < signature->argumentCount(); ++argIndex) {
-        JSValue arg = exec->uncheckedArgument(argIndex);
+        JSValue arg = exec->argument(argIndex);
         switch (signature->argument(argIndex)) {
         case Wasm::I32:
@@ -128 +123 @@
     RETURN_IF_EXCEPTION(scope, { });
 
-    // FIXME is this correct? https://bugs.webkit.org/show_bug.cgi?id=164876
     switch (signature->returnType()) {
     case Wasm::Void: