Changeset 246139 in webkit

Timestamp:

Jun 5, 2019 8:14:47 PM (5 years ago)

Author:

Justin Michaud

Message:

[WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
​https://bugs.webkit.org/show_bug.cgi?id=198398

Reviewed by Saam Barati.

JSTests:

• wasm/references/anyref_table.js: Added.

(string_appeared_here.doGCSet):
(doGCTest):
(doGCSet.doGCTest.let.count.0.doBarrierSet):

• wasm/references/anyref_table_import.js: Added.

(makeImport):
(string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
(string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):

• wasm/references/is_null_error.js: Removed.
• wasm/references/validation.js: Added.

(assert.throws.new.WebAssembly.Module.bin):
(assert.throws):

• wasm/wasm.json:

Source/JavaScriptCore:

Create a new table subtype called FuncRefTable (note: Anyfunc was renamed to Funcref in the references spec).
Table now write-barriers and visits its children's wrapper objects. FuncRefTable caches some extra data to
support calling from wasm. A JSWebAssemblyTable is required to set an anyref element, but this is only because
we need to write barrier it (so it should not restrict how we implement threads). This patch does, however,
restrict the implementation of function references to require every Ref.func to have an associated wrapper. This
can be done statically, so this too should not restrict our threads implementation.

• wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::addTableGet):
(JSC::Wasm::AirIRGenerator::addTableSet):
(JSC::Wasm::AirIRGenerator::addCallIndirect):

• wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::addLocal):
(JSC::Wasm::B3IRGenerator::addTableGet):
(JSC::Wasm::B3IRGenerator::addTableSet):
(JSC::Wasm::B3IRGenerator::addCallIndirect):

• wasm/WasmFormat.h:

(JSC::Wasm::TableInformation::TableInformation):
(JSC::Wasm::TableInformation::type const):

• wasm/WasmFunctionParser.h:

(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

• wasm/WasmSectionParser.cpp:

(JSC::Wasm::SectionParser::parseTableHelper):

• wasm/WasmTable.cpp:

(JSC::Wasm::Table::Table):
(JSC::Wasm::Table::tryCreate):
(JSC::Wasm::Table::grow):
(JSC::Wasm::Table::clear):
(JSC::Wasm::Table::set):
(JSC::Wasm::Table::get):
(JSC::Wasm::Table::visitChildren):
(JSC::Wasm::FuncRefTable::FuncRefTable):
(JSC::Wasm::FuncRefTable::setFunction):
(JSC::Wasm::Table::~Table): Deleted.
(JSC::Wasm::Table::clearFunction): Deleted.
(JSC::Wasm::Table::setFunction): Deleted.

• wasm/WasmTable.h:

(JSC::Wasm::Table::length const):
(JSC::Wasm::Table::type const):
(JSC::Wasm::Table::setOwner):
(JSC::Wasm::FuncRefTable::offsetOfFunctions):
(JSC::Wasm::FuncRefTable::offsetOfInstances):
(JSC::Wasm::Table::offsetOfFunctions): Deleted.
(JSC::Wasm::Table::offsetOfInstances): Deleted.

• wasm/WasmValidate.cpp:

(JSC::Wasm::Validate::addTableGet):
(JSC::Wasm::Validate::addTableSet):
(JSC::Wasm::Validate::addCallIndirect):

• wasm/js/JSWebAssemblyTable.cpp:

(JSC::JSWebAssemblyTable::JSWebAssemblyTable):
(JSC::JSWebAssemblyTable::finishCreation):
(JSC::JSWebAssemblyTable::visitChildren):
(JSC::JSWebAssemblyTable::grow):
(JSC::JSWebAssemblyTable::get):
(JSC::JSWebAssemblyTable::set):
(JSC::JSWebAssemblyTable::clear):
(JSC::JSWebAssemblyTable::getFunction): Deleted.
(JSC::JSWebAssemblyTable::clearFunction): Deleted.
(JSC::JSWebAssemblyTable::setFunction): Deleted.

• wasm/js/JSWebAssemblyTable.h:
• wasm/js/WebAssemblyModuleRecord.cpp:

(JSC::WebAssemblyModuleRecord::link):
(JSC::WebAssemblyModuleRecord::evaluate):

• wasm/js/WebAssemblyTableConstructor.cpp:

(JSC::constructJSWebAssemblyTable):

• wasm/js/WebAssemblyTablePrototype.cpp:

(JSC::webAssemblyTableProtoFuncGet):
(JSC::webAssemblyTableProtoFuncSet):

• wasm/wasm.json:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm/js-api/table.js (modified) (1 diff)
• JSTests/wasm/references/anyref_table.js (added)
• JSTests/wasm/references/anyref_table_import.js (added)
• JSTests/wasm/references/is_null_error.js (deleted)
• JSTests/wasm/references/validation.js (added)
• JSTests/wasm/wasm.json (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp (modified) (4 diffs)
• Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/WasmFormat.h (modified) (4 diffs)
• Source/JavaScriptCore/wasm/WasmFunctionParser.h (modified) (3 diffs)
• Source/JavaScriptCore/wasm/WasmSectionParser.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmTable.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/WasmTable.h (modified) (3 diffs)
• Source/JavaScriptCore/wasm/WasmValidate.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp (modified) (4 diffs)
• Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp (modified) (4 diffs)
• Source/JavaScriptCore/wasm/js/WebAssemblyTableConstructor.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/js/WebAssemblyTablePrototype.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/wasm.json (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-06-05  Justin Michaud  <justin_michaud@apple.com>
+
+        [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
+        https://bugs.webkit.org/show_bug.cgi?id=198398
+
+        Reviewed by Saam Barati.
+
+        * wasm/references/anyref_table.js: Added.
+        (string_appeared_here.doGCSet):
+        (doGCTest):
+        (doGCSet.doGCTest.let.count.0.doBarrierSet):
+        * wasm/references/anyref_table_import.js: Added.
+        (makeImport):
+        (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl.makeImport):
+        (string_appeared_here.fullGC.assert.eq.1.exports.get_tbl):
+        * wasm/references/is_null_error.js: Removed.
+        * wasm/references/validation.js: Added.
+        (assert.throws.new.WebAssembly.Module.bin):
+        (assert.throws):
+        * wasm/wasm.json:
+
 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
 

trunk/JSTests/wasm/js-api/table.js

@@ -133 +133 @@
     let badDescriptions = [
         [{initial: 10, element: "i32"},
-         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc, got -1 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
-         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc, got -1 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
+         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc or anyref, got -1 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
+         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc or anyref, got -1 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
         [{initial: 10, element: "f32"},
-         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc, got -3 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
-         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc, got -3 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
+         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc or anyref, got -3 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
+         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc or anyref, got -3 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
         [{initial: 10, element: "f64"},
-         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc, got -4 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
-         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc, got -4 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
+         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc or anyref, got -4 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
+         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc or anyref, got -4 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
         [{initial: 10, element: "i64"},
-         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc, got -2 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
-         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc, got -2 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
+         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc or anyref, got -2 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
+         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc or anyref, got -2 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
         [{initial: 10, maximum: 20, element: "i32"},
-         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc, got -1 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
-         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc, got -1 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
+         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc or anyref, got -1 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
+         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc or anyref, got -1 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
         [{initial: 10, maximum: 20, element: "f32"},
-         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc, got -3 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
-         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc, got -3 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
+         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc or anyref, got -3 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
+         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc or anyref, got -3 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
         [{initial: 10, maximum: 20, element: "f64"},
-         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc, got -4 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
-         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc, got -4 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
+         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc or anyref, got -4 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
+         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc or anyref, got -4 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
         [{initial: 10, maximum: 20, element: "i64"},
-         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc, got -2 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
-         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc, got -2 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
+         "WebAssembly.Module doesn't parse at byte 18: Table type should be anyfunc or anyref, got -2 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')",
+         "WebAssembly.Module doesn't parse at byte 26: Table type should be anyfunc or anyref, got -2 (evaluating 'new WebAssembly.Module(builder.WebAssembly().get())')"],
 
         [{initial: 10, maximum: 9, element: "anyfunc"},

trunk/JSTests/wasm/wasm.json

@@ -19 +19 @@
     "value_type": ["i32", "i64", "f32", "f64", "anyref"],
     "block_type": ["i32", "i64", "f32", "f64", "void", "anyref"],
-    "elem_type": ["anyfunc"],
+    "elem_type": ["anyfunc","anyref"],
     "external_kind": {
         "Function": { "type": "uint8", "value": 0 },
@@ -67 +67 @@
         "get_global":          { "category": "special",    "value":  35, "return": ["any"],      "parameter": [],                       "immediate": [{"name": "global_index",   "type": "varuint32"}],                                            "description": "read a global variable" },
         "set_global":          { "category": "special",    "value":  36, "return": [],           "parameter": ["any"],                  "immediate": [{"name": "global_index",   "type": "varuint32"}],                                            "description": "write a global variable" },
+        "table.get":           { "category": "special",    "value":  37, "return": ["anyref"],   "parameter": ["i32"],                  "immediate": [],                                                                                           "description": "get a table value" },
+        "table.set":           { "category": "special",    "value":  38, "return": [],           "parameter": ["i32", "anyref"],        "immediate": [],                                                                                           "description": "set a table value" },
         "call":                { "category": "call",       "value":  16, "return": ["call"],     "parameter": ["call"],                 "immediate": [{"name": "function_index", "type": "varuint32"}],                                            "description": "call a function by its index" },
         "call_indirect":       { "category": "call",       "value":  17, "return": ["call"],     "parameter": ["call"],                 "immediate": [{"name": "type_index",     "type": "varuint32"}, {"name": "reserved", "type": "varuint1"}],  "description": "call a function indirect with an expected signature" },

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-06-05  Justin Michaud  <justin_michaud@apple.com>
+
+        [WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
+        https://bugs.webkit.org/show_bug.cgi?id=198398
+
+        Reviewed by Saam Barati.
+
+        Create a new table subtype called FuncRefTable (note: Anyfunc was renamed to Funcref in the references spec).
+        Table now write-barriers and visits its children's wrapper objects. FuncRefTable caches some extra data to
+        support calling from wasm. A JSWebAssemblyTable is required to set an anyref element, but this is only because
+        we need to write barrier it (so it should not restrict how we implement threads). This patch does, however,
+        restrict the implementation of function references to require every Ref.func to have an associated wrapper. This
+        can be done statically, so this too should not restrict our threads implementation. 
+
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::addTableGet):
+        (JSC::Wasm::AirIRGenerator::addTableSet):
+        (JSC::Wasm::AirIRGenerator::addCallIndirect):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::addLocal):
+        (JSC::Wasm::B3IRGenerator::addTableGet):
+        (JSC::Wasm::B3IRGenerator::addTableSet):
+        (JSC::Wasm::B3IRGenerator::addCallIndirect):
+        * wasm/WasmFormat.h:
+        (JSC::Wasm::TableInformation::TableInformation):
+        (JSC::Wasm::TableInformation::type const):
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseExpression):
+        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
+        * wasm/WasmSectionParser.cpp:
+        (JSC::Wasm::SectionParser::parseTableHelper):
+        * wasm/WasmTable.cpp:
+        (JSC::Wasm::Table::Table):
+        (JSC::Wasm::Table::tryCreate):
+        (JSC::Wasm::Table::grow):
+        (JSC::Wasm::Table::clear):
+        (JSC::Wasm::Table::set):
+        (JSC::Wasm::Table::get):
+        (JSC::Wasm::Table::visitChildren):
+        (JSC::Wasm::FuncRefTable::FuncRefTable):
+        (JSC::Wasm::FuncRefTable::setFunction):
+        (JSC::Wasm::Table::~Table): Deleted.
+        (JSC::Wasm::Table::clearFunction): Deleted.
+        (JSC::Wasm::Table::setFunction): Deleted.
+        * wasm/WasmTable.h:
+        (JSC::Wasm::Table::length const):
+        (JSC::Wasm::Table::type const):
+        (JSC::Wasm::Table::setOwner):
+        (JSC::Wasm::FuncRefTable::offsetOfFunctions):
+        (JSC::Wasm::FuncRefTable::offsetOfInstances):
+        (JSC::Wasm::Table::offsetOfFunctions): Deleted.
+        (JSC::Wasm::Table::offsetOfInstances): Deleted.
+        * wasm/WasmValidate.cpp:
+        (JSC::Wasm::Validate::addTableGet):
+        (JSC::Wasm::Validate::addTableSet):
+        (JSC::Wasm::Validate::addCallIndirect):
+        * wasm/js/JSWebAssemblyTable.cpp:
+        (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
+        (JSC::JSWebAssemblyTable::finishCreation):
+        (JSC::JSWebAssemblyTable::visitChildren):
+        (JSC::JSWebAssemblyTable::grow):
+        (JSC::JSWebAssemblyTable::get):
+        (JSC::JSWebAssemblyTable::set):
+        (JSC::JSWebAssemblyTable::clear):
+        (JSC::JSWebAssemblyTable::getFunction): Deleted.
+        (JSC::JSWebAssemblyTable::clearFunction): Deleted.
+        (JSC::JSWebAssemblyTable::setFunction): Deleted.
+        * wasm/js/JSWebAssemblyTable.h:
+        * wasm/js/WebAssemblyModuleRecord.cpp:
+        (JSC::WebAssemblyModuleRecord::link):
+        (JSC::WebAssemblyModuleRecord::evaluate):
+        * wasm/js/WebAssemblyTableConstructor.cpp:
+        (JSC::constructJSWebAssemblyTable):
+        * wasm/js/WebAssemblyTablePrototype.cpp:
+        (JSC::webAssemblyTableProtoFuncGet):
+        (JSC::webAssemblyTableProtoFuncSet):
+        * wasm/wasm.json:
+
 2019-06-05  Justin Michaud  <justin_michaud@apple.com>
 

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -233 +233 @@
     ExpressionType addConstant(BasicBlock*, Type, uint64_t);
 
+    // References
     PartialResult WARN_UNUSED_RETURN addRefIsNull(ExpressionType& value, ExpressionType& result);
+
+    // Tables
+    PartialResult WARN_UNUSED_RETURN addTableGet(ExpressionType& idx, ExpressionType& result);
+    PartialResult WARN_UNUSED_RETURN addTableSet(ExpressionType& idx, ExpressionType& value);
 
     // Locals
@@ -950 +955 @@
 }
 
+auto AirIRGenerator::addTableGet(ExpressionType& idx, ExpressionType& result) -> PartialResult
+{
+    // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
+    ASSERT(idx.tmp());
+    ASSERT(idx.type() == Type::I32);
+    result = tmpForType(Type::Anyref);
+
+    uint64_t (*doGet)(Instance*, int32_t) = [] (Instance* instance, int32_t idx) -> uint64_t {
+        return JSValue::encode(instance->table()->get(idx));
+    };
+
+    emitCCall(doGet, result, instanceValue(), idx);
+
+    return { };
+}
+
+auto AirIRGenerator::addTableSet(ExpressionType& idx, ExpressionType& value) -> PartialResult
+{
+    // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
+    ASSERT(idx.tmp());
+    ASSERT(idx.type() == Type::I32);
+    ASSERT(value.tmp());
+
+    void (*doSet)(Instance*, int32_t, uint64_t value) = [] (Instance* instance, int32_t idx, uint64_t value) -> void {
+        // FIXME: We need to box wasm Funcrefs once they are supported here.
+        // <https://bugs.webkit.org/show_bug.cgi?id=198157>
+        instance->table()->set(idx, JSValue::decode(value));
+    };
+
+    emitCCall(doSet, TypedTmp(), instanceValue(), idx, value);
+
+    return { };
+}
+
 auto AirIRGenerator::getLocal(uint32_t index, ExpressionType& result) -> PartialResult
 {
@@ -1842 +1881 @@
     ExpressionType calleeIndex = args.takeLast();
     ASSERT(signature.argumentCount() == args.size());
+    ASSERT(m_info.tableInformation.type() == TableElementType::Funcref);
 
     m_makesCalls = true;
@@ -1857 +1897 @@
     {
         RELEASE_ASSERT(Arg::isValidAddrForm(Instance::offsetOfTable(), B3::Width64));
-        RELEASE_ASSERT(Arg::isValidAddrForm(Table::offsetOfFunctions(), B3::Width64));
-        RELEASE_ASSERT(Arg::isValidAddrForm(Table::offsetOfInstances(), B3::Width64));
-        RELEASE_ASSERT(Arg::isValidAddrForm(Table::offsetOfLength(), B3::Width64));
+        RELEASE_ASSERT(Arg::isValidAddrForm(FuncRefTable::offsetOfFunctions(), B3::Width64));
+        RELEASE_ASSERT(Arg::isValidAddrForm(FuncRefTable::offsetOfInstances(), B3::Width64));
+        RELEASE_ASSERT(Arg::isValidAddrForm(FuncRefTable::offsetOfLength(), B3::Width64));
 
         append(Move, Arg::addr(instanceValue(), Instance::offsetOfTable()), callableFunctionBufferLength);
-        append(Move, Arg::addr(callableFunctionBufferLength, Table::offsetOfFunctions()), callableFunctionBuffer);
-        append(Move, Arg::addr(callableFunctionBufferLength, Table::offsetOfInstances()), instancesBuffer);
+        append(Move, Arg::addr(callableFunctionBufferLength, FuncRefTable::offsetOfFunctions()), callableFunctionBuffer);
+        append(Move, Arg::addr(callableFunctionBufferLength, FuncRefTable::offsetOfInstances()), instancesBuffer);
         append(Move32, Arg::addr(callableFunctionBufferLength, Table::offsetOfLength()), callableFunctionBufferLength);
     }

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -186 +186 @@
     ExpressionType addConstant(Type, uint64_t);
 
+    // References
     PartialResult WARN_UNUSED_RETURN addRefIsNull(ExpressionType& value, ExpressionType& result);
+
+    // Tables
+    PartialResult WARN_UNUSED_RETURN addTableGet(ExpressionType& idx, ExpressionType& result);
+    PartialResult WARN_UNUSED_RETURN addTableSet(ExpressionType& idx, ExpressionType& value);
 
     // Locals
@@ -562 +567 @@
 }
 
+auto B3IRGenerator::addTableGet(ExpressionType& idx, ExpressionType& result) -> PartialResult
+{
+    // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
+    uint64_t (*doGet)(Instance*, int32_t) = [] (Instance* instance, int32_t idx) -> uint64_t {
+        return JSValue::encode(instance->table()->get(idx));
+    };
+
+    result = m_currentBlock->appendNew<CCallValue>(m_proc, toB3Type(Anyref), origin(),
+        m_currentBlock->appendNew<ConstPtrValue>(m_proc, origin(), tagCFunctionPtr<void*>(doGet, B3CCallPtrTag)),
+        instanceValue(), idx);
+
+    return { };
+}
+
+auto B3IRGenerator::addTableSet(ExpressionType& idx, ExpressionType& value) -> PartialResult
+{
+    // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
+    void (*doSet)(Instance*, int32_t, uint64_t value) = [] (Instance* instance, int32_t idx, uint64_t value) -> void {
+        // FIXME: We need to box wasm Funcrefs once they are supported here.
+        // <https://bugs.webkit.org/show_bug.cgi?id=198157>
+        instance->table()->set(idx, JSValue::decode(value));
+    };
+
+    m_currentBlock->appendNew<CCallValue>(m_proc, B3::Void, origin(),
+        m_currentBlock->appendNew<ConstPtrValue>(m_proc, origin(), tagCFunctionPtr<void*>(doSet, B3CCallPtrTag)),
+        instanceValue(), idx, value);
+
+    return { };
+}
+
 auto B3IRGenerator::getLocal(uint32_t index, ExpressionType& result) -> PartialResult
 {
@@ -1264 +1299 @@
             instanceValue(), safeCast<int32_t>(Instance::offsetOfTable()));
         callableFunctionBuffer = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, pointerType(), origin(),
-            table, safeCast<int32_t>(Table::offsetOfFunctions()));
+            table, safeCast<int32_t>(FuncRefTable::offsetOfFunctions()));
         instancesBuffer = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, pointerType(), origin(),
-            table, safeCast<int32_t>(Table::offsetOfInstances()));
+            table, safeCast<int32_t>(FuncRefTable::offsetOfInstances()));
         callableFunctionBufferLength = m_currentBlock->appendNew<MemoryValue>(m_proc, Load, Int32, origin(),
             table, safeCast<int32_t>(Table::offsetOfLength()));

trunk/Source/JavaScriptCore/wasm/WasmFormat.h

@@ -55 +55 @@
 struct ModuleInformation;
 
+enum class TableElementType : uint8_t {
+    Anyref,
+    Funcref
+};
+
 inline bool isValueType(Type type)
 {
@@ -215 +220 @@
     }
 
-    TableInformation(uint32_t initial, Optional<uint32_t> maximum, bool isImport)
+    TableInformation(uint32_t initial, Optional<uint32_t> maximum, bool isImport, TableElementType type)
         : m_initial(initial)
         , m_maximum(maximum)
         , m_isImport(isImport)
         , m_isValid(true)
+        , m_type(type)
     {
         ASSERT(*this);
@@ -228 +234 @@
     uint32_t initial() const { return m_initial; }
     Optional<uint32_t> maximum() const { return m_maximum; }
+    TableElementType type() const { return m_type; }
 
 private:
@@ -234 +241 @@
     bool m_isImport { false };
     bool m_isValid { false };
+    TableElementType m_type;
 };
     

trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

@@ -282 +282 @@
     }
 
+    case TableGet: {
+        WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
+        ExpressionType result, idx;
+        WASM_TRY_POP_EXPRESSION_STACK_INTO(idx, "table.get");
+        WASM_TRY_ADD_TO_CONTEXT(addTableGet(idx, result));
+        m_expressionStack.append(result);
+        return { };
+    }
+
+    case TableSet: {
+        WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
+        ExpressionType val, idx;
+        WASM_TRY_POP_EXPRESSION_STACK_INTO(val, "table.set");
+        WASM_TRY_POP_EXPRESSION_STACK_INTO(idx, "table.set");
+        WASM_TRY_ADD_TO_CONTEXT(addTableSet(idx, val));
+        return { };
+    }
+
     case RefNull: {
         WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
@@ -374 +392 @@
         WASM_PARSER_FAIL_IF(reserved, "call_indirect's 'reserved' varuint1 must be 0x0");
         WASM_PARSER_FAIL_IF(m_info.usedSignatures.size() <= signatureIndex, "call_indirect's signature index ", signatureIndex, " exceeds known signatures ", m_info.usedSignatures.size());
+        WASM_PARSER_FAIL_IF(m_info.tableInformation.type() != TableElementType::Funcref, "call_indirect is only valid when a table has type anyfunc");
 
         const Signature& calleeSignature = m_info.usedSignatures[signatureIndex].get();
@@ -655 +674 @@
     }
 
+    case TableGet:
+    case TableSet:
+    case RefIsNull:
     case RefNull: {
-        WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
-        return { };
-    }
-
-    case RefIsNull: {
         WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
         return { };

trunk/Source/JavaScriptCore/wasm/WasmSectionParser.cpp

@@ -197 +197 @@
     int8_t type;
     WASM_PARSER_FAIL_IF(!parseInt7(type), "can't parse Table type");
-    WASM_PARSER_FAIL_IF(type != Wasm::Anyfunc, "Table type should be anyfunc, got ", type);
+    WASM_PARSER_FAIL_IF(type != Wasm::Anyfunc && type != Wasm::Anyref, "Table type should be anyfunc or anyref, got ", type);
 
     uint32_t initial;
@@ -208 +208 @@
     ASSERT(!maximum || *maximum >= initial);
 
-    m_info->tableInformation = TableInformation(initial, maximum, isImport);
+    TableElementType tableType = type == Wasm::Anyfunc ? TableElementType::Funcref : TableElementType::Anyref;
+    m_info->tableInformation = TableInformation(initial, maximum, isImport, tableType);
 
     return { };

trunk/Source/JavaScriptCore/wasm/WasmTable.cpp

@@ -48 +48 @@
 }
 
-RefPtr<Table> Table::tryCreate(uint32_t initial, Optional<uint32_t> maximum)
-{
-    if (!isValidLength(initial))
-        return nullptr;
-    return adoptRef(new (NotNull, fastMalloc(sizeof(Table))) Table(initial, maximum));
-}
-
-Table::~Table()
-{
-}
-
-Table::Table(uint32_t initial, Optional<uint32_t> maximum)
+Table::Table(uint32_t initial, Optional<uint32_t> maximum, TableElementType type)
+    : m_type(type)
+    , m_maximum(maximum)
+    , m_owner(nullptr)
 {
     setLength(initial);
-    m_maximum = maximum;
     ASSERT(!m_maximum || *m_maximum >= m_length);
 
     // FIXME: It might be worth trying to pre-allocate maximum here. The spec recommends doing so.
     // But for now, we're not doing that.
-    m_importableFunctions = MallocPtr<WasmToWasmImportableFunction>::malloc((sizeof(WasmToWasmImportableFunction) * Checked<size_t>(allocatedLength(m_length))).unsafeGet());
     // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
-    m_instances = MallocPtr<Instance*>::malloc((sizeof(Instance*) * Checked<size_t>(allocatedLength(m_length))).unsafeGet());
+    m_jsValues = MallocPtr<WriteBarrier<Unknown>>::malloc((sizeof(WriteBarrier<Unknown>) * Checked<size_t>(allocatedLength(m_length))).unsafeGet());
     for (uint32_t i = 0; i < allocatedLength(m_length); ++i) {
-        new (&m_importableFunctions.get()[i]) WasmToWasmImportableFunction();
-        ASSERT(m_importableFunctions.get()[i].signatureIndex == Wasm::Signature::invalidIndex); // We rely on this in compiled code.
-        m_instances.get()[i] = nullptr;
+        new (&m_jsValues.get()[i]) WriteBarrier<Unknown>();
+        m_jsValues.get()[i].setStartingValue(jsNull());
+    }
+}
+
+RefPtr<Table> Table::tryCreate(uint32_t initial, Optional<uint32_t> maximum, TableElementType type)
+{
+    if (!isValidLength(initial))
+        return nullptr;
+    switch (type) {
+    case TableElementType::Funcref:
+        return adoptRef(new FuncRefTable(initial, maximum));
+    case TableElementType::Anyref:
+        return adoptRef(new Table(initial, maximum));
     }
 }
@@ -79 +80 @@
 Optional<uint32_t> Table::grow(uint32_t delta)
 {
+    RELEASE_ASSERT(m_owner);
     if (delta == 0)
         return length();
+
+    auto locker = holdLock(m_owner->cellLock());
 
     using Checked = Checked<uint32_t, RecordOverflow>;
@@ -109 +113 @@
     };
 
-    if (!checkedGrow(m_importableFunctions))
-        return WTF::nullopt;
-    if (!checkedGrow(m_instances))
+    if (auto* funcRefTable = asFuncrefTable()) {
+        if (!checkedGrow(funcRefTable->m_importableFunctions))
+            return WTF::nullopt;
+        if (!checkedGrow(funcRefTable->m_instances))
+            return WTF::nullopt;
+    }
+
+    if (!checkedGrow(m_jsValues))
         return WTF::nullopt;
 
     setLength(newLength);
-
     return newLength;
 }
 
-void Table::clearFunction(uint32_t index)
+void Table::clear(uint32_t index)
 {
     RELEASE_ASSERT(index < length());
-    m_importableFunctions.get()[index & m_mask] = WasmToWasmImportableFunction();
-    ASSERT(m_importableFunctions.get()[index & m_mask].signatureIndex == Wasm::Signature::invalidIndex); // We rely on this in compiled code.
-    m_instances.get()[index & m_mask] = nullptr;
+    RELEASE_ASSERT(m_owner);
+    if (auto* funcRefTable = asFuncrefTable()) {
+        funcRefTable->m_importableFunctions.get()[index & m_mask] = WasmToWasmImportableFunction();
+        ASSERT(funcRefTable->m_importableFunctions.get()[index & m_mask].signatureIndex == Wasm::Signature::invalidIndex); // We rely on this in compiled code.
+        funcRefTable->m_instances.get()[index & m_mask] = nullptr;
+    }
+    m_jsValues.get()[index & m_mask].setStartingValue(jsNull());
 }
 
-void Table::setFunction(uint32_t index, WasmToWasmImportableFunction function, Instance* instance)
+void Table::set(uint32_t index, JSValue value)
 {
     RELEASE_ASSERT(index < length());
+    RELEASE_ASSERT(isAnyrefTable());
+    RELEASE_ASSERT(m_owner);
+    clear(index);
+    m_jsValues.get()[index & m_mask].set(*m_owner->vm(), m_owner, value);
+}
+
+JSValue Table::get(uint32_t index) const
+{
+    RELEASE_ASSERT(index < length());
+    RELEASE_ASSERT(m_owner);
+    return m_jsValues.get()[index & m_mask].get();
+}
+
+void Table::visitChildren(SlotVisitor& visitor)
+{
+    RELEASE_ASSERT(m_owner);
+    auto locker = holdLock(m_owner->cellLock());
+    for (unsigned i = 0; i < m_length; ++i)
+        visitor.append(m_jsValues.get()[i]);
+}
+
+FuncRefTable* Table::asFuncrefTable()
+{
+    return m_type == TableElementType::Funcref ? static_cast<FuncRefTable*>(this) : nullptr;
+}
+
+FuncRefTable::FuncRefTable(uint32_t initial, Optional<uint32_t> maximum)
+    : Table(initial, maximum, TableElementType::Funcref)
+{
+    // FIXME: It might be worth trying to pre-allocate maximum here. The spec recommends doing so.
+    // But for now, we're not doing that.
+    m_importableFunctions = MallocPtr<WasmToWasmImportableFunction>::malloc((sizeof(WasmToWasmImportableFunction) * Checked<size_t>(allocatedLength(m_length))).unsafeGet());
+    // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
+    m_instances = MallocPtr<Instance*>::malloc((sizeof(Instance*) * Checked<size_t>(allocatedLength(m_length))).unsafeGet());
+    for (uint32_t i = 0; i < allocatedLength(m_length); ++i) {
+        new (&m_importableFunctions.get()[i]) WasmToWasmImportableFunction();
+        ASSERT(m_importableFunctions.get()[i].signatureIndex == Wasm::Signature::invalidIndex); // We rely on this in compiled code.
+        m_instances.get()[i] = nullptr;
+    }
+}
+
+void FuncRefTable::setFunction(uint32_t index, JSObject* optionalWrapper, WasmToWasmImportableFunction function, Instance* instance)
+{
+    RELEASE_ASSERT(index < length());
+    RELEASE_ASSERT(m_owner);
+    clear(index);
+    if (optionalWrapper)
+        m_jsValues.get()[index & m_mask].set(*m_owner->vm(), m_owner, optionalWrapper);
     m_importableFunctions.get()[index & m_mask] = function;
     m_instances.get()[index & m_mask] = instance;

trunk/Source/JavaScriptCore/wasm/WasmTable.h

@@ -30 +30 @@
 #include "WasmFormat.h"
 #include "WasmLimits.h"
+#include "WriteBarrier.h"
 #include <wtf/MallocPtr.h>
 #include <wtf/Optional.h>
@@ -38 +39 @@
 
 class Instance;
+class FuncRefTable;
 
 class Table : public ThreadSafeRefCounted<Table> {
+    WTF_MAKE_NONCOPYABLE(Table);
+    WTF_MAKE_FAST_ALLOCATED(Table);
 public:
-    static RefPtr<Table> tryCreate(uint32_t initial, Optional<uint32_t> maximum);
+    static RefPtr<Table> tryCreate(uint32_t initial, Optional<uint32_t> maximum, TableElementType);
 
-    JS_EXPORT_PRIVATE ~Table();
+    JS_EXPORT_PRIVATE ~Table() = default;
 
     Optional<uint32_t> maximum() const { return m_maximum; }
     uint32_t length() const { return m_length; }
-    Optional<uint32_t> grow(uint32_t delta) WARN_UNUSED_RETURN;
-    void clearFunction(uint32_t);
-    void setFunction(uint32_t, WasmToWasmImportableFunction, Instance*);
 
-    static ptrdiff_t offsetOfFunctions() { return OBJECT_OFFSETOF(Table, m_importableFunctions); }
-    static ptrdiff_t offsetOfInstances() { return OBJECT_OFFSETOF(Table, m_instances); }
     static ptrdiff_t offsetOfLength() { return OBJECT_OFFSETOF(Table, m_length); }
     static ptrdiff_t offsetOfMask() { return OBJECT_OFFSETOF(Table, m_mask); }
@@ -58 +57 @@
     static uint32_t allocatedLength(uint32_t length);
     uint32_t mask() const { return m_mask; }
+
+    void setOwner(JSObject* owner)
+    {
+        ASSERT(!m_owner);
+        ASSERT(owner);
+        m_owner = owner;
+    }
+
+    TableElementType type() const { return m_type; }
+    bool isAnyrefTable() const { return m_type == TableElementType::Anyref; }
+    FuncRefTable* asFuncrefTable();
+
     static bool isValidLength(uint32_t length) { return length < maxTableEntries; }
 
-private:
-    Table(uint32_t initial, Optional<uint32_t> maximum);
+    void clear(uint32_t);
+    void set(uint32_t, JSValue);
+    JSValue get(uint32_t) const;
+
+    Optional<uint32_t> grow(uint32_t delta);
+
+    void visitChildren(SlotVisitor&);
+
+protected:
+    Table(uint32_t initial, Optional<uint32_t> maximum, TableElementType = TableElementType::Anyref);
 
     void setLength(uint32_t);
+
+    uint32_t m_length;
+    uint32_t m_mask;
+    const TableElementType m_type;
+    const Optional<uint32_t> m_maximum;
+
+    MallocPtr<WriteBarrier<Unknown>> m_jsValues;
+    JSObject* m_owner;
+};
+
+class FuncRefTable : public Table {
+public:
+    JS_EXPORT_PRIVATE ~FuncRefTable() = default;
+
+    void setFunction(uint32_t, JSObject*, WasmToWasmImportableFunction, Instance*);
+
+    static ptrdiff_t offsetOfFunctions() { return OBJECT_OFFSETOF(FuncRefTable, m_importableFunctions); }
+    static ptrdiff_t offsetOfInstances() { return OBJECT_OFFSETOF(FuncRefTable, m_instances); }
+
+private:
+    FuncRefTable(uint32_t initial, Optional<uint32_t> maximum);
 
     MallocPtr<WasmToWasmImportableFunction> m_importableFunctions;
     // call_indirect needs to do an Instance check to potentially context switch when calling a function to another instance. We can hold raw pointers to Instance here because the embedder ensures that Table keeps all the instances alive. We couldn't hold a Ref here because it would cause cycles.
     MallocPtr<Instance*> m_instances;
-    uint32_t m_length;
-    uint32_t m_mask;
-    Optional<uint32_t> m_maximum;
+
+    friend class Table;
 };
 

trunk/Source/JavaScriptCore/wasm/WasmValidate.cpp

@@ -101 +101 @@
     ExpressionType addConstant(Type type, uint64_t) { return type; }
 
+    // References
     Result WARN_UNUSED_RETURN addRefIsNull(ExpressionType& value, ExpressionType& result);
+
+    // Tables
+    Result WARN_UNUSED_RETURN addTableGet(ExpressionType& idx, ExpressionType& result);
+    Result WARN_UNUSED_RETURN addTableSet(ExpressionType& idx, ExpressionType& value);
 
     // Locals
@@ -172 +177 @@
 }
 
+auto Validate::addTableGet(ExpressionType& idx, ExpressionType& result) -> Result
+{
+    result = Type::Anyref;
+    WASM_VALIDATOR_FAIL_IF(Type::I32 != idx, "table.get index to type ", idx, " expected ", Type::I32);
+    WASM_VALIDATOR_FAIL_IF(TableElementType::Anyref != m_module.tableInformation.type(), "table.get expects the table to have type ", Type::Anyref);
+
+    return { };
+}
+
+auto Validate::addTableSet(ExpressionType& idx, ExpressionType& value) -> Result
+{
+    WASM_VALIDATOR_FAIL_IF(Type::I32 != idx, "table.set index to type ", idx, " expected ", Type::I32);
+    WASM_VALIDATOR_FAIL_IF(Type::Anyref != value, "table.set value to type ", value, " expected ", Type::Anyref);
+    WASM_VALIDATOR_FAIL_IF(TableElementType::Anyref != m_module.tableInformation.type(), "table.set expects the table to have type ", Type::Anyref);
+
+    return { };
+}
+
 auto Validate::addRefIsNull(ExpressionType& value, ExpressionType& result) -> Result
 {
@@ -347 +370 @@
 auto Validate::addCallIndirect(const Signature& signature, const Vector<ExpressionType>& args, ExpressionType& result) -> Result
 {
+    WASM_VALIDATOR_FAIL_IF(m_module.tableInformation.type() != TableElementType::Funcref, "Table must have type Anyfunc to call");
     const auto argumentCount = signature.argumentCount();
     WASM_VALIDATOR_FAIL_IF(argumentCount != args.size() - 1, "arity mismatch in call_indirect, got ", args.size() - 1, " arguments, expected ", argumentCount);

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.cpp

@@ -48 +48 @@
 
     auto* instance = new (NotNull, allocateCell<JSWebAssemblyTable>(vm.heap)) JSWebAssemblyTable(vm, structure, WTFMove(table));
+    instance->table()->setOwner(instance);
     instance->finishCreation(vm);
     return instance;
@@ -61 +62 @@
     , m_table(WTFMove(table))
 {
-    // FIXME: It might be worth trying to pre-allocate maximum here. The spec recommends doing so.
-    // But for now, we're not doing that.
-    // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
-    m_jsFunctions = MallocPtr<WriteBarrier<JSObject>>::malloc((sizeof(WriteBarrier<JSObject>) * Checked<size_t>(allocatedLength())).unsafeGet());
-    for (uint32_t i = 0; i < allocatedLength(); ++i)
-        new(&m_jsFunctions.get()[i]) WriteBarrier<JSObject>();
 }
 
@@ -86 +81 @@
 
     Base::visitChildren(thisObject, visitor);
-
-    for (unsigned i = 0; i < thisObject->length(); ++i)
-        visitor.append(thisObject->m_jsFunctions.get()[i]);
+    thisObject->table()->visitChildren(visitor);
 }
 
@@ -95 +88 @@
     if (delta == 0)
         return true;
-
-    size_t oldLength = length();
-
-    auto grew = m_table->grow(delta);
-    if (!grew)
-        return false;
-
-    size_t newLength = grew.value();
-    if (newLength > m_table->allocatedLength(oldLength))
-        // FIXME this over-allocates and could be smarter about not committing all of that memory https://bugs.webkit.org/show_bug.cgi?id=181425
-        m_jsFunctions.realloc((sizeof(WriteBarrier<JSObject>) * Checked<size_t>(m_table->allocatedLength(newLength))).unsafeGet());
-
-    for (size_t i = oldLength; i < m_table->allocatedLength(newLength); ++i)
-        new (&m_jsFunctions.get()[i]) WriteBarrier<JSObject>();
-
-    return true;
+    return !!m_table->grow(delta);
 }
 
-JSObject* JSWebAssemblyTable::getFunction(uint32_t index)
+JSValue JSWebAssemblyTable::get(uint32_t index)
 {
     RELEASE_ASSERT(index < length());
-    return m_jsFunctions.get()[index & m_table->mask()].get();
+    return m_table->get(index);
 }
 
-void JSWebAssemblyTable::clearFunction(uint32_t index)
+void JSWebAssemblyTable::set(uint32_t index, JSValue value)
 {
-    m_table->clearFunction(index);
-    m_jsFunctions.get()[index & m_table->mask()] = WriteBarrier<JSObject>();
+    RELEASE_ASSERT(index < length());
+    RELEASE_ASSERT(m_table->isAnyrefTable());
+    m_table->set(index, value);
 }
 
-void JSWebAssemblyTable::setFunction(VM& vm, uint32_t index, WebAssemblyFunction* function)
+void JSWebAssemblyTable::set(uint32_t index, WebAssemblyFunction* function)
 {
-    m_table->setFunction(index, function->importableFunction(), &function->instance()->instance());
-    m_jsFunctions.get()[index & m_table->mask()].set(vm, this, function);
+    RELEASE_ASSERT(index < length());
+    RELEASE_ASSERT(m_table->asFuncrefTable());
+    auto& subThis = *static_cast<Wasm::FuncRefTable*>(&m_table.get());
+    subThis.setFunction(index, function, function->importableFunction(), &function->instance()->instance());
 }
 
-void JSWebAssemblyTable::setFunction(VM& vm, uint32_t index, WebAssemblyWrapperFunction* function)
+void JSWebAssemblyTable::set(uint32_t index, WebAssemblyWrapperFunction* function)
 {
-    m_table->setFunction(index, function->importableFunction(), &function->instance()->instance());
-    m_jsFunctions.get()[index & m_table->mask()].set(vm, this, function);
+    RELEASE_ASSERT(index < length());
+    RELEASE_ASSERT(m_table->asFuncrefTable());
+    auto& subThis = *static_cast<Wasm::FuncRefTable*>(&m_table.get());
+    subThis.setFunction(index, function, function->importableFunction(), &function->instance()->instance());
+}
+
+void JSWebAssemblyTable::clear(uint32_t index)
+{
+    RELEASE_ASSERT(index < length());
+    m_table->clear(index);
 }
 

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h

@@ -53 +53 @@
     uint32_t allocatedLength() const { return m_table->allocatedLength(length()); }
     bool grow(uint32_t delta) WARN_UNUSED_RETURN;
-    JSObject* getFunction(uint32_t);
-    void clearFunction(uint32_t);
-    void setFunction(VM&, uint32_t, WebAssemblyFunction*);
-    void setFunction(VM&, uint32_t, WebAssemblyWrapperFunction*);
+    JSValue get(uint32_t);
+    void set(uint32_t, WebAssemblyFunction*);
+    void set(uint32_t, WebAssemblyWrapperFunction*);
+    void set(uint32_t, JSValue);
+    void clear(uint32_t);
 
     Wasm::Table* table() { return m_table.ptr(); }
@@ -67 +68 @@
 
     Ref<Wasm::Table> m_table;
-    MallocPtr<WriteBarrier<JSObject>> m_jsFunctions;
 };
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp

@@ -281 +281 @@
             }
 
+            auto expectedType = moduleInformation.tableInformation.type();
+            auto actualType = table->table()->type();
+            if (expectedType != actualType)
+                return exception(createJSWebAssemblyLinkError(exec, vm, importFailMessage(import, "Table import", "provided a 'type' that is wrong")));
+
             // ii. Append v to tables.
             // iii. Append v.[[Table]] to imports.
@@ -302 +307 @@
             RELEASE_ASSERT(!moduleInformation.tableInformation.isImport());
             // We create a Table when it's a Table definition.
-            RefPtr<Wasm::Table> wasmTable = Wasm::Table::tryCreate(moduleInformation.tableInformation.initial(), moduleInformation.tableInformation.maximum());
+            RefPtr<Wasm::Table> wasmTable = Wasm::Table::tryCreate(moduleInformation.tableInformation.initial(), moduleInformation.tableInformation.maximum(), moduleInformation.tableInformation.type());
             if (!wasmTable)
                 return exception(createJSWebAssemblyLinkError(exec, vm, "couldn't create Table"));
@@ -537 +542 @@
                     // the only type this could be is WebAssemblyFunction.
                     RELEASE_ASSERT(wasmFunction);
-                    table->setFunction(vm, tableIndex, wasmFunction);
+                    table->set(tableIndex, wasmFunction);
                     ++tableIndex;
                     continue;
                 }
 
-                table->setFunction(vm, tableIndex,
+                table->set(tableIndex,
                     WebAssemblyWrapperFunction::create(vm, globalObject, globalObject->webAssemblyWrapperFunctionStructure(), functionImport, functionIndex, m_instance.get(), signatureIndex));
                 ++tableIndex;
@@ -558 +563 @@
                 vm, globalObject, globalObject->webAssemblyFunctionStructure(), signature.argumentCount(), String(), m_instance.get(), embedderEntrypointCallee, entrypointLoadLocation, signatureIndex);
 
-            table->setFunction(vm, tableIndex, function);
+            table->set(tableIndex, function);
             ++tableIndex;
         }

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyTableConstructor.cpp

@@ -59 +59 @@
     }
 
+    Wasm::TableElementType type;
     {
         Identifier elementIdent = Identifier::fromString(&vm, "element");
@@ -65 +66 @@
         String elementString = elementValue.toWTFString(exec);
         RETURN_IF_EXCEPTION(throwScope, encodedJSValue());
-        if (elementString != "anyfunc")
-            return JSValue::encode(throwException(exec, throwScope, createTypeError(exec, "WebAssembly.Table expects its 'element' field to be the string 'anyfunc'"_s)));
+        if (elementString == "anyfunc")
+            type = Wasm::TableElementType::Funcref;
+        else if (elementString == "anyref")
+            type = Wasm::TableElementType::Anyref;
+        else
+            return JSValue::encode(throwException(exec, throwScope, createTypeError(exec, "WebAssembly.Table expects its 'element' field to be the string 'anyfunc' or 'anyref'"_s)));
     }
 
@@ -91 +96 @@
     }
 
-    RefPtr<Wasm::Table> wasmTable = Wasm::Table::tryCreate(initial, maximum);
+    RefPtr<Wasm::Table> wasmTable = Wasm::Table::tryCreate(initial, maximum, type);
     if (!wasmTable) {
         return JSValue::encode(throwException(exec, throwScope,

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyTablePrototype.cpp

@@ -110 +110 @@
         return JSValue::encode(throwException(exec, throwScope, createRangeError(exec, "WebAssembly.Table.prototype.get expects an integer less than the length of the table"_s)));
 
-    if (JSObject* result = table->getFunction(index))
-        return JSValue::encode(result);
-    return JSValue::encode(jsNull());
+    return JSValue::encode(table->get(index));
 }
 
@@ -124 +122 @@
 
     JSValue value = exec->argument(1);
-    WebAssemblyFunction* wasmFunction;
-    WebAssemblyWrapperFunction* wasmWrapperFunction;
-    if (!value.isNull() && !isWebAssemblyHostFunction(vm, value, wasmFunction, wasmWrapperFunction))
-        return JSValue::encode(throwException(exec, throwScope, createTypeError(exec, "WebAssembly.Table.prototype.set expects the second argument to be null or an instance of WebAssembly.Function"_s)));
 
     uint32_t index = toNonWrappingUint32(exec, exec->argument(0));
@@ -135 +129 @@
         return JSValue::encode(throwException(exec, throwScope, createRangeError(exec, "WebAssembly.Table.prototype.set expects an integer less than the length of the table"_s)));
 
-    if (value.isNull())
-        table->clearFunction(index);
-    else {
-        ASSERT(value.isObject() && isWebAssemblyHostFunction(vm, jsCast<JSObject*>(value), wasmFunction, wasmWrapperFunction));
-        ASSERT(!!wasmFunction || !!wasmWrapperFunction);
-        if (wasmFunction)
-            table->setFunction(vm, index, wasmFunction);
-        else
-            table->setFunction(vm, index, wasmWrapperFunction);
-    }
+    if (table->table()->asFuncrefTable()) {
+        WebAssemblyFunction* wasmFunction;
+        WebAssemblyWrapperFunction* wasmWrapperFunction;
+        if (!value.isNull() && !isWebAssemblyHostFunction(vm, value, wasmFunction, wasmWrapperFunction))
+            return JSValue::encode(throwException(exec, throwScope, createTypeError(exec, "WebAssembly.Table.prototype.set expects the second argument to be null or an instance of WebAssembly.Function"_s)));
+
+        if (value.isNull())
+            table->clear(index);
+        else {
+            ASSERT(value.isObject() && isWebAssemblyHostFunction(vm, jsCast<JSObject*>(value), wasmFunction, wasmWrapperFunction));
+            ASSERT(!!wasmFunction || !!wasmWrapperFunction);
+            if (wasmFunction)
+                table->set(index, wasmFunction);
+            else
+                table->set(index, wasmWrapperFunction);
+        }
+    } else
+        table->set(index, value);
     
     return JSValue::encode(jsUndefined());

trunk/Source/JavaScriptCore/wasm/wasm.json

@@ -19 +19 @@
     "value_type": ["i32", "i64", "f32", "f64", "anyref"],
     "block_type": ["i32", "i64", "f32", "f64", "void", "anyref"],
-    "elem_type": ["anyfunc"],
+    "elem_type": ["anyfunc","anyref"],
     "external_kind": {
         "Function": { "type": "uint8", "value": 0 },
@@ -67 +67 @@
         "get_global":          { "category": "special",    "value":  35, "return": ["any"],      "parameter": [],                       "immediate": [{"name": "global_index",   "type": "varuint32"}],                                            "description": "read a global variable" },
         "set_global":          { "category": "special",    "value":  36, "return": [],           "parameter": ["any"],                  "immediate": [{"name": "global_index",   "type": "varuint32"}],                                            "description": "write a global variable" },
+        "table.get":           { "category": "special",    "value":  37, "return": ["anyref"],   "parameter": ["i32"],                  "immediate": [],                                                                                           "description": "get a table value" },
+        "table.set":           { "category": "special",    "value":  38, "return": [],           "parameter": ["i32", "anyref"],        "immediate": [],                                                                                           "description": "set a table value" },
         "call":                { "category": "call",       "value":  16, "return": ["call"],     "parameter": ["call"],                 "immediate": [{"name": "function_index", "type": "varuint32"}],                                            "description": "call a function by its index" },
         "call_indirect":       { "category": "call",       "value":  17, "return": ["call"],     "parameter": ["call"],                 "immediate": [{"name": "type_index",     "type": "varuint32"}, {"name": "reserved", "type": "varuint1"}],  "description": "call a function indirect with an expected signature" },