Changeset 246504 in webkit

Timestamp:

Jun 17, 2019 11:44:18 AM (5 years ago)

Author:

Justin Michaud

Message:

[WASM-References] Add support for Funcref in parameters and return types
​https://bugs.webkit.org/show_bug.cgi?id=198157

Reviewed by Yusuke Suzuki.

JSTests:

• wasm/Builder.js:

(export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):

• wasm/references/anyref_globals.js:
• wasm/references/func_ref.js: Added.

(fullGC.gc.makeExportedFunction):
(makeExportedIdent):
(makeAnyfuncIdent):
(fun):
(assert.eq.instance.exports.fix.fun):
(assert.eq.instance.exports.fix):
(string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
(string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
(GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
(GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
(GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
(assert.throws):
(assert.throws.doTest):
(let.importedFun.of):
(makeAnyfuncIdent.fun):

• wasm/references/validation.js:

(assert.throws):

• wasm/wasm.json:

Source/JavaScriptCore:

Add support for funcref in parameters, globals, and in table.get/set. When converting a JSValue to
a funcref (nee anyfunc), we first make sure it is an exported wasm function or null.

We also add support for Ref.func. Anywhere a Ref.func is used, (statically) we construct a JS wrapper
for it so that we never need to construct JSValues when handling references. This should make threads
easier to implement.

Finally, we add some missing bounds checks for table.get/set.

• wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::tmpForType):
(JSC::Wasm::AirIRGenerator::moveOpForValueType):
(JSC::Wasm::AirIRGenerator::AirIRGenerator):
(JSC::Wasm::AirIRGenerator::addLocal):
(JSC::Wasm::AirIRGenerator::addConstant):
(JSC::Wasm::AirIRGenerator::addRefFunc):
(JSC::Wasm::AirIRGenerator::addTableSet):
(JSC::Wasm::AirIRGenerator::setGlobal):
(JSC::Wasm::AirIRGenerator::addReturn):

• wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::addLocal):
(JSC::Wasm::B3IRGenerator::addTableSet):
(JSC::Wasm::B3IRGenerator::addRefFunc):
(JSC::Wasm::B3IRGenerator::setGlobal):

• wasm/WasmBBQPlan.cpp:

(JSC::Wasm::BBQPlan::compileFunctions):

• wasm/WasmCallingConvention.h:

(JSC::Wasm::CallingConventionAir::marshallArgument const):
(JSC::Wasm::CallingConventionAir::setupCall const):

• wasm/WasmExceptionType.h:
• wasm/WasmFormat.h:

(JSC::Wasm::isValueType):
(JSC::Wasm::isSubtype):

• wasm/WasmFunctionParser.h:

(JSC::Wasm::FunctionParser<Context>::parseExpression):
(JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

• wasm/WasmInstance.cpp:

(JSC::Wasm::Instance::Instance):
(JSC::Wasm::Instance::getFunctionWrapper const):
(JSC::Wasm::Instance::setFunctionWrapper):

• wasm/WasmInstance.h:
• wasm/WasmModuleInformation.h:

(JSC::Wasm::ModuleInformation::referencedFunctions const):
(JSC::Wasm::ModuleInformation::addReferencedFunction const):

• wasm/WasmSectionParser.cpp:

(JSC::Wasm::SectionParser::parseGlobal):
(JSC::Wasm::SectionParser::parseInitExpr):

• wasm/WasmValidate.cpp:

(JSC::Wasm::Validate::addTableGet):
(JSC::Wasm::Validate::addTableSet):
(JSC::Wasm::Validate::addRefIsNull):
(JSC::Wasm::Validate::addRefFunc):
(JSC::Wasm::Validate::setLocal):
(JSC::Wasm::Validate::addCall):
(JSC::Wasm::Validate::addCallIndirect):

• wasm/js/JSToWasm.cpp:

(JSC::Wasm::createJSToWasmWrapper):

• wasm/js/JSWebAssemblyHelpers.h:

(JSC::isWebAssemblyHostFunction):

• wasm/js/JSWebAssemblyInstance.cpp:

(JSC::JSWebAssemblyInstance::visitChildren):

• wasm/js/JSWebAssemblyRuntimeError.cpp:

(JSC::createJSWebAssemblyRuntimeError):

• wasm/js/JSWebAssemblyRuntimeError.h:
• wasm/js/WasmToJS.cpp:

(JSC::Wasm::handleBadI64Use):
(JSC::Wasm::wasmToJS):
(JSC::Wasm::emitWasmToJSException):

• wasm/js/WasmToJS.h:
• wasm/js/WebAssemblyFunction.cpp:

(JSC::callWebAssemblyFunction):
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):

• wasm/js/WebAssemblyModuleRecord.cpp:

(JSC::WebAssemblyModuleRecord::link):

• wasm/wasm.json:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm/Builder.js (modified) (1 diff)
• JSTests/wasm/references/anyref_globals.js (modified) (1 diff)
• JSTests/wasm/references/func_ref.js (added)
• JSTests/wasm/references/validation.js (modified) (2 diffs)
• JSTests/wasm/wasm.json (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp (modified) (9 diffs)
• Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp (modified) (4 diffs)
• Source/JavaScriptCore/wasm/WasmBBQPlan.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmCallingConvention.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmExceptionType.h (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmFormat.h (modified) (4 diffs)
• Source/JavaScriptCore/wasm/WasmFunctionParser.h (modified) (5 diffs)
• Source/JavaScriptCore/wasm/WasmInstance.cpp (modified) (3 diffs)
• Source/JavaScriptCore/wasm/WasmInstance.h (modified) (3 diffs)
• Source/JavaScriptCore/wasm/WasmModuleInformation.h (modified) (3 diffs)
• Source/JavaScriptCore/wasm/WasmSectionParser.cpp (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmValidate.cpp (modified) (6 diffs)
• Source/JavaScriptCore/wasm/js/JSToWasm.cpp (modified) (6 diffs)
• Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/JSWebAssemblyRuntimeError.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/JSWebAssemblyRuntimeError.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/WasmToJS.cpp (modified) (13 diffs)
• Source/JavaScriptCore/wasm/js/WasmToJS.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp (modified) (5 diffs)
• Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp (modified) (6 diffs)
• Source/JavaScriptCore/wasm/wasm.json (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-06-17  Justin Michaud  <justin_michaud@apple.com>
+
+        [WASM-References] Add support for Funcref in parameters and return types
+        https://bugs.webkit.org/show_bug.cgi?id=198157
+
+        Reviewed by Yusuke Suzuki.
+
+        * wasm/Builder.js:
+        (export.default.Builder.prototype._registerSectionBuilders.const.section.in.WASM.description.section.switch.section.case.string_appeared_here.this.section):
+        * wasm/references/anyref_globals.js:
+        * wasm/references/func_ref.js: Added.
+        (fullGC.gc.makeExportedFunction):
+        (makeExportedIdent):
+        (makeAnyfuncIdent):
+        (fun):
+        (assert.eq.instance.exports.fix.fun):
+        (assert.eq.instance.exports.fix):
+        (string_appeared_here.End.End.Function.End.Code.End.WebAssembly.imp.ref):
+        (string_appeared_here.End.End.Function.End.Code.End.WebAssembly):
+        (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.fun):
+        (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly.assert.throws):
+        (GetLocal.0.I32Const.0.TableSet.End.End.WebAssembly):
+        (assert.throws):
+        (assert.throws.doTest):
+        (let.importedFun.of):
+        (makeAnyfuncIdent.fun):
+        * wasm/references/validation.js:
+        (assert.throws):
+        * wasm/wasm.json:
+
 2019-06-17  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/JSTests/wasm/Builder.js

@@ -535 +535 @@
                         GetGlobal: (type, initValue, mutability) => {
                             s.data.push({ type, op: "get_global", mutability: _normalizeMutability(mutability), initValue });
+                            return _errorHandlingProxyFor(globalBuilder);
+                        },
+                        RefFunc: (type, initValue, mutability) => {
+                            s.data.push({ type, op: "ref.func", mutability: _normalizeMutability(mutability), initValue });
                             return _errorHandlingProxyFor(globalBuilder);
                         },

trunk/JSTests/wasm/references/anyref_globals.js

@@ -57 +57 @@
 const obj = { test: "hi" }
 
-$1.exports.set_glob(obj); assert.eq($1.exports.get_glob(), obj);
+assert.throws(() => $1.exports.expglob2 = null, TypeError, "Attempted to assign to readonly property.")
+
+$1.exports.set_glob(obj); assert.eq($1.exports.get_glob(), obj); assert.eq($1.exports.expglob2, "hi")
 $1.exports.set_glob(5); assert.eq($1.exports.get_glob(), 5)
 $1.exports.set_glob(null); assert.eq($1.exports.get_glob(), null)

trunk/JSTests/wasm/references/validation.js

@@ -64 +64 @@
     bin.trim();
 
-    assert.throws(() => new WebAssembly.Module(bin.get()), WebAssembly.CompileError, "WebAssembly.Module doesn't validate: table.set expects the table to have type Anyref, in function at index 0 (evaluating 'new WebAssembly.Module(bin.get())')");
+    assert.throws(() => new WebAssembly.Module(bin.get()), WebAssembly.CompileError, "WebAssembly.Module doesn't validate: table.set value to type Anyref expected Anyfunc, in function at index 0 (evaluating 'new WebAssembly.Module(bin.get())')");
 }
 
@@ -87 +87 @@
     bin.trim();
 
-    assert.throws(() => new WebAssembly.Module(bin.get()), WebAssembly.CompileError, "WebAssembly.Module doesn't validate: table.get expects the table to have type Anyref, in function at index 0 (evaluating 'new WebAssembly.Module(bin.get())')");
+    assert.throws(() => new WebAssembly.Module(bin.get()), WebAssembly.CompileError, "WebAssembly.Module doesn't validate: control flow returns with unexpected type, in function at index 0 (evaluating 'new WebAssembly.Module(bin.get())')");
 }
 

trunk/JSTests/wasm/wasm.json

@@ -12 +12 @@
         "f32":     { "type": "varint7", "value":  -3, "b3type": "B3::Float" },
         "f64":     { "type": "varint7", "value":  -4, "b3type": "B3::Double" },
-        "anyfunc": { "type": "varint7", "value": -16, "b3type": "B3::Void" },
+        "anyfunc": { "type": "varint7", "value": -16, "b3type": "B3::Int64" },
         "anyref":  { "type": "varint7", "value": -17, "b3type": "B3::Int64" },
         "func":    { "type": "varint7", "value": -32, "b3type": "B3::Void" },
         "void":    { "type": "varint7", "value": -64, "b3type": "B3::Void" }
     },
-    "value_type": ["i32", "i64", "f32", "f64", "anyref"],
-    "block_type": ["i32", "i64", "f32", "f64", "void", "anyref"],
+    "value_type": ["i32", "i64", "f32", "f64", "anyref", "anyfunc"],
+    "block_type": ["i32", "i64", "f32", "f64", "void", "anyref", "anyfunc"],
     "elem_type": ["anyfunc","anyref"],
     "external_kind": {
@@ -60 +60 @@
         "f64.const":           { "category": "special",    "value":  68, "return": ["f64"],      "parameter": [],                       "immediate": [{"name": "value",          "type": "double"}],                                               "description": "a constant value interpreted as f64" },
         "f32.const":           { "category": "special",    "value":  67, "return": ["f32"],      "parameter": [],                       "immediate": [{"name": "value",          "type": "float"}],                                                "description": "a constant value interpreted as f32" },
-        "ref.null":            { "category": "special",    "value": 208, "return": ["anyref"],   "parameter": [],                       "immediate": [],                                                                                           "description": "a constant null reference" },
+        "ref.null":            { "category": "special",    "value": 208, "return": ["anyfunc"],  "parameter": [],                       "immediate": [],                                                                                           "description": "a constant null reference" },
         "ref.is_null":         { "category": "special",    "value": 209, "return": ["i32"],      "parameter": ["anyref"],               "immediate": [],                                                                                           "description": "determine if a reference is null" },
+        "ref.func":            { "category": "special",    "value": 210, "return": ["anyfunc"],  "parameter": [],                       "immediate": [{"name": "function_index",  "type": "varuint32"}],                                           "description": "return a reference to the function at the given index" },
         "get_local":           { "category": "special",    "value":  32, "return": ["any"],      "parameter": [],                       "immediate": [{"name": "local_index",    "type": "varuint32"}],                                            "description": "read a local variable or parameter" },
         "set_local":           { "category": "special",    "value":  33, "return": [],           "parameter": ["any"],                  "immediate": [{"name": "local_index",    "type": "varuint32"}],                                            "description": "write a local variable or parameter" },

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-06-17  Justin Michaud  <justin_michaud@apple.com>
+
+        [WASM-References] Add support for Funcref in parameters and return types
+        https://bugs.webkit.org/show_bug.cgi?id=198157
+
+        Reviewed by Yusuke Suzuki.
+
+        Add support for funcref in parameters, globals, and in table.get/set. When converting a JSValue to 
+        a funcref (nee anyfunc), we first make sure it is an exported wasm function or null. 
+
+        We also add support for Ref.func. Anywhere a Ref.func is used, (statically) we construct a JS wrapper
+        for it so that we never need to construct JSValues when handling references. This should make threads
+        easier to implement.
+
+        Finally, we add some missing bounds checks for table.get/set.
+
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::tmpForType):
+        (JSC::Wasm::AirIRGenerator::moveOpForValueType):
+        (JSC::Wasm::AirIRGenerator::AirIRGenerator):
+        (JSC::Wasm::AirIRGenerator::addLocal):
+        (JSC::Wasm::AirIRGenerator::addConstant):
+        (JSC::Wasm::AirIRGenerator::addRefFunc):
+        (JSC::Wasm::AirIRGenerator::addTableSet):
+        (JSC::Wasm::AirIRGenerator::setGlobal):
+        (JSC::Wasm::AirIRGenerator::addReturn):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::addLocal):
+        (JSC::Wasm::B3IRGenerator::addTableSet):
+        (JSC::Wasm::B3IRGenerator::addRefFunc):
+        (JSC::Wasm::B3IRGenerator::setGlobal):
+        * wasm/WasmBBQPlan.cpp:
+        (JSC::Wasm::BBQPlan::compileFunctions):
+        * wasm/WasmCallingConvention.h:
+        (JSC::Wasm::CallingConventionAir::marshallArgument const):
+        (JSC::Wasm::CallingConventionAir::setupCall const):
+        * wasm/WasmExceptionType.h:
+        * wasm/WasmFormat.h:
+        (JSC::Wasm::isValueType):
+        (JSC::Wasm::isSubtype):
+        * wasm/WasmFunctionParser.h:
+        (JSC::Wasm::FunctionParser<Context>::parseExpression):
+        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
+        * wasm/WasmInstance.cpp:
+        (JSC::Wasm::Instance::Instance):
+        (JSC::Wasm::Instance::getFunctionWrapper const):
+        (JSC::Wasm::Instance::setFunctionWrapper):
+        * wasm/WasmInstance.h:
+        * wasm/WasmModuleInformation.h:
+        (JSC::Wasm::ModuleInformation::referencedFunctions const):
+        (JSC::Wasm::ModuleInformation::addReferencedFunction const):
+        * wasm/WasmSectionParser.cpp:
+        (JSC::Wasm::SectionParser::parseGlobal):
+        (JSC::Wasm::SectionParser::parseInitExpr):
+        * wasm/WasmValidate.cpp:
+        (JSC::Wasm::Validate::addTableGet):
+        (JSC::Wasm::Validate::addTableSet):
+        (JSC::Wasm::Validate::addRefIsNull):
+        (JSC::Wasm::Validate::addRefFunc):
+        (JSC::Wasm::Validate::setLocal):
+        (JSC::Wasm::Validate::addCall):
+        (JSC::Wasm::Validate::addCallIndirect):
+        * wasm/js/JSToWasm.cpp:
+        (JSC::Wasm::createJSToWasmWrapper):
+        * wasm/js/JSWebAssemblyHelpers.h:
+        (JSC::isWebAssemblyHostFunction):
+        * wasm/js/JSWebAssemblyInstance.cpp:
+        (JSC::JSWebAssemblyInstance::visitChildren):
+        * wasm/js/JSWebAssemblyRuntimeError.cpp:
+        (JSC::createJSWebAssemblyRuntimeError):
+        * wasm/js/JSWebAssemblyRuntimeError.h:
+        * wasm/js/WasmToJS.cpp:
+        (JSC::Wasm::handleBadI64Use):
+        (JSC::Wasm::wasmToJS):
+        (JSC::Wasm::emitWasmToJSException):
+        * wasm/js/WasmToJS.h:
+        * wasm/js/WebAssemblyFunction.cpp:
+        (JSC::callWebAssemblyFunction):
+        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+        * wasm/js/WebAssemblyModuleRecord.cpp:
+        (JSC::WebAssemblyModuleRecord::link):
+        * wasm/wasm.json:
+
 2019-06-16  Darin Adler  <darin@apple.com>
 

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -235 +235 @@
     // References
     PartialResult WARN_UNUSED_RETURN addRefIsNull(ExpressionType& value, ExpressionType& result);
+    PartialResult WARN_UNUSED_RETURN addRefFunc(uint32_t index, ExpressionType& result);
 
     // Tables
-    PartialResult WARN_UNUSED_RETURN addTableGet(ExpressionType& idx, ExpressionType& result);
-    PartialResult WARN_UNUSED_RETURN addTableSet(ExpressionType& idx, ExpressionType& value);
+    PartialResult WARN_UNUSED_RETURN addTableGet(ExpressionType& index, ExpressionType& result);
+    PartialResult WARN_UNUSED_RETURN addTableSet(ExpressionType& index, ExpressionType& value);
 
     // Locals
@@ -371 +372 @@
         case Type::I64:
         case Type::Anyref:
+        case Type::Anyfunc:
             return g64();
         case Type::F32:
@@ -555 +557 @@
         case Type::I64:
         case Type::Anyref:
+        case Type::Anyfunc:
             return Move;
         case Type::F32:
@@ -800 +803 @@
         case Type::I64:
         case Type::Anyref:
+        case Type::Anyfunc:
             append(Move, arg, m_locals[i]);
             break;
@@ -885 +889 @@
         switch (type) {
         case Type::Anyref:
+        case Type::Anyfunc:
             append(Move, Arg::imm(JSValue::encode(jsNull())), local);
             break;
@@ -919 +924 @@
     case Type::I64:
     case Type::Anyref:
+    case Type::Anyfunc:
         append(block, Move, Arg::bigImm(value), result);
         break;
@@ -954 +960 @@
 }
 
-auto AirIRGenerator::addTableGet(ExpressionType& idx, ExpressionType& result) -> PartialResult
+auto AirIRGenerator::addRefFunc(uint32_t index, ExpressionType& result) -> PartialResult
 {
     // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
-    ASSERT(idx.tmp());
-    ASSERT(idx.type() == Type::I32);
+    result = tmpForType(Type::Anyfunc);
+    emitCCall(&doWasmRefFunc, result, instanceValue(), addConstant(Type::I32, index));
+
+    return { };
+}
+
+auto AirIRGenerator::addTableGet(ExpressionType& index, ExpressionType& result) -> PartialResult
+{
+    // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
+    ASSERT(index.tmp());
+    ASSERT(index.type() == Type::I32);
     result = tmpForType(Type::Anyref);
 
-    uint64_t (*doGet)(Instance*, int32_t) = [] (Instance* instance, int32_t idx) -> uint64_t {
-        return JSValue::encode(instance->table()->get(idx));
-    };
-
-    emitCCall(doGet, result, instanceValue(), idx);
-
-    return { };
-}
-
-auto AirIRGenerator::addTableSet(ExpressionType& idx, ExpressionType& value) -> PartialResult
+    emitCCall(&getWasmTableElement, result, instanceValue(), index);
+    emitCheck([&] {
+        return Inst(BranchTest32, nullptr, Arg::resCond(MacroAssembler::Zero), result, result);
+    }, [=] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+        this->emitThrowException(jit, ExceptionType::OutOfBoundsTableAccess);
+    });
+
+    return { };
+}
+
+auto AirIRGenerator::addTableSet(ExpressionType& index, ExpressionType& value) -> PartialResult
 {
     // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
-    ASSERT(idx.tmp());
-    ASSERT(idx.type() == Type::I32);
+    ASSERT(index.tmp());
+    ASSERT(index.type() == Type::I32);
     ASSERT(value.tmp());
 
-    void (*doSet)(Instance*, int32_t, uint64_t value) = [] (Instance* instance, int32_t idx, uint64_t value) -> void {
-        // FIXME: We need to box wasm Funcrefs once they are supported here.
-        // <https://bugs.webkit.org/show_bug.cgi?id=198157>
-        instance->table()->set(idx, JSValue::decode(value));
-    };
-
-    emitCCall(doSet, TypedTmp(), instanceValue(), idx, value);
+    auto shouldThrow = g32();
+    emitCCall(&setWasmTableElement, shouldThrow, instanceValue(), index, value);
+
+    emitCheck([&] {
+        return Inst(BranchTest32, nullptr, Arg::resCond(MacroAssembler::Zero), shouldThrow, shouldThrow);
+    }, [=] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+        this->emitThrowException(jit, ExceptionType::OutOfBoundsTableAccess);
+    });
 
     return { };
@@ -1104 +1121 @@
     }
 
-    if (type == Anyref)
+    if (isSubtype(type, Anyref))
         emitWriteBarrierForJSWrapper();
 
@@ -1624 +1641 @@
         case Type::I64:
         case Type::Anyref:
+        case Type::Anyfunc:
             append(Move, returnValues[0], returnValueGPR);
             append(Ret64, returnValueGPR);

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -188 +188 @@
     // References
     PartialResult WARN_UNUSED_RETURN addRefIsNull(ExpressionType& value, ExpressionType& result);
+    PartialResult WARN_UNUSED_RETURN addRefFunc(uint32_t index, ExpressionType& result);
 
     // Tables
-    PartialResult WARN_UNUSED_RETURN addTableGet(ExpressionType& idx, ExpressionType& result);
-    PartialResult WARN_UNUSED_RETURN addTableSet(ExpressionType& idx, ExpressionType& value);
+    PartialResult WARN_UNUSED_RETURN addTableGet(ExpressionType& index, ExpressionType& result);
+    PartialResult WARN_UNUSED_RETURN addTableSet(ExpressionType& index, ExpressionType& value);
 
     // Locals
@@ -539 +540 @@
         Variable* local = m_proc.addVariable(toB3Type(type));
         m_locals.uncheckedAppend(local);
-        auto val = type == Anyref ? JSValue::encode(jsNull()) : 0;
+        auto val = isSubtype(type, Anyref) ? JSValue::encode(jsNull()) : 0;
         m_currentBlock->appendNew<VariableValue>(m_proc, Set, Origin(), local, constant(toB3Type(type), val, Origin()));
     }
@@ -566 +567 @@
 }
 
-auto B3IRGenerator::addTableGet(ExpressionType& idx, ExpressionType& result) -> PartialResult
+auto B3IRGenerator::addTableGet(ExpressionType& index, ExpressionType& result) -> PartialResult
 {
     // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
-    uint64_t (*doGet)(Instance*, int32_t) = [] (Instance* instance, int32_t idx) -> uint64_t {
-        return JSValue::encode(instance->table()->get(idx));
-    };
-
     result = m_currentBlock->appendNew<CCallValue>(m_proc, toB3Type(Anyref), origin(),
-        m_currentBlock->appendNew<ConstPtrValue>(m_proc, origin(), tagCFunctionPtr<void*>(doGet, B3CCallPtrTag)),
-        instanceValue(), idx);
-
-    return { };
-}
-
-auto B3IRGenerator::addTableSet(ExpressionType& idx, ExpressionType& value) -> PartialResult
+        m_currentBlock->appendNew<ConstPtrValue>(m_proc, origin(), tagCFunctionPtr<void*>(&getWasmTableElement, B3CCallPtrTag)),
+        instanceValue(), index);
+
+    {
+        CheckValue* check = m_currentBlock->appendNew<CheckValue>(m_proc, Check, origin(),
+            m_currentBlock->appendNew<Value>(m_proc, Equal, origin(), result, m_currentBlock->appendNew<Const64Value>(m_proc, origin(), 0)));
+
+        check->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+            this->emitExceptionCheck(jit, ExceptionType::OutOfBoundsTableAccess);
+        });
+    }
+
+    return { };
+}
+
+auto B3IRGenerator::addTableSet(ExpressionType& index, ExpressionType& value) -> PartialResult
 {
     // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
-    void (*doSet)(Instance*, int32_t, uint64_t value) = [] (Instance* instance, int32_t idx, uint64_t value) -> void {
-        // FIXME: We need to box wasm Funcrefs once they are supported here.
-        // <https://bugs.webkit.org/show_bug.cgi?id=198157>
-        instance->table()->set(idx, JSValue::decode(value));
-    };
-
-    m_currentBlock->appendNew<CCallValue>(m_proc, B3::Void, origin(),
-        m_currentBlock->appendNew<ConstPtrValue>(m_proc, origin(), tagCFunctionPtr<void*>(doSet, B3CCallPtrTag)),
-        instanceValue(), idx, value);
+    auto shouldThrow = m_currentBlock->appendNew<CCallValue>(m_proc, B3::Int32, origin(),
+        m_currentBlock->appendNew<ConstPtrValue>(m_proc, origin(), tagCFunctionPtr<void*>(&setWasmTableElement, B3CCallPtrTag)),
+        instanceValue(), index, value);
+
+    {
+        CheckValue* check = m_currentBlock->appendNew<CheckValue>(m_proc, Check, origin(),
+            m_currentBlock->appendNew<Value>(m_proc, Equal, origin(), shouldThrow, m_currentBlock->appendNew<Const32Value>(m_proc, origin(), 0)));
+
+        check->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
+            this->emitExceptionCheck(jit, ExceptionType::OutOfBoundsTableAccess);
+        });
+    }
+
+    return { };
+}
+
+auto B3IRGenerator::addRefFunc(uint32_t index, ExpressionType& result) -> PartialResult
+{
+    // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
+
+    result = m_currentBlock->appendNew<CCallValue>(m_proc, B3::Int64, origin(),
+        m_currentBlock->appendNew<ConstPtrValue>(m_proc, origin(), tagCFunctionPtr<void*>(&doWasmRefFunc, B3CCallPtrTag)),
+        instanceValue(), addConstant(Type::I32, index));
 
     return { };
@@ -680 +700 @@
     m_currentBlock->appendNew<MemoryValue>(m_proc, Store, origin(), value, globalsArray, safeCast<int32_t>(index * sizeof(Register)));
 
-    if (m_info.globals[index].type == Anyref)
+    if (isSubtype(m_info.globals[index].type, Anyref))
         emitWriteBarrierForJSWrapper();
 

trunk/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp

@@ -287 +287 @@
         m_wasmInternalFunctions[functionIndex] = WTFMove(*parseAndCompileResult);
 
-        if (m_exportedFunctionIndices.contains(functionIndex)) {
+        if (m_exportedFunctionIndices.contains(functionIndex) || m_moduleInformation->referencedFunctions().contains(functionIndex)) {
             auto locker = holdLock(m_lock);
             auto result = m_embedderToWasmInternalFunctions.add(functionIndex, m_createEmbedderWrapper(m_compilationContexts[functionIndex], signature, &m_unlinkedWasmToWasmCalls[functionIndex], m_moduleInformation.get(), m_mode, functionIndex));

trunk/Source/JavaScriptCore/wasm/WasmCallingConvention.h

@@ -237 +237 @@
         case Type::I64:
         case Type::Anyref:
+        case Wasm::Anyfunc:
             marshallArgumentImpl(m_gprArgs, gpArgumentCount, stackOffset, regFunc, stackFunc);
             break;
@@ -302 +303 @@
         case Type::I64:
         case Type::Anyref:
+        case Wasm::Anyfunc:
             patchpoint->resultConstraint = B3::ValueRep::reg(GPRInfo::returnValueGPR);
             break;

trunk/Source/JavaScriptCore/wasm/WasmExceptionType.h

@@ -34 +34 @@
 #define FOR_EACH_EXCEPTION(macro) \
     macro(OutOfBoundsMemoryAccess,  "Out of bounds memory access") \
+    macro(OutOfBoundsTableAccess,  "Out of bounds table access") \
     macro(OutOfBoundsCallIndirect, "Out of bounds call_indirect") \
     macro(NullTableEntry,  "call_indirect to a null table entry") \
@@ -43 +44 @@
     macro(StackOverflow, "Stack overflow") \
     macro(I64ArgumentType, "WebAssembly function with an i64 argument can't be called from JavaScript") \
-    macro(I64ReturnType, "WebAssembly function that returns i64 can't be called from JavaScript")
+    macro(I64ReturnType, "WebAssembly function that returns i64 can't be called from JavaScript") \
+    macro(FuncrefNotWasm, "Anyfunc must be an exported wasm function")
 
 enum class ExceptionType : uint32_t {

trunk/Source/JavaScriptCore/wasm/WasmFormat.h

@@ -69 +69 @@
         return true;
     case Anyref:
+    case Anyfunc:
         return Options::useWebAssemblyReferences();
     default:
@@ -74 +75 @@
     }
     return false;
+}
+
+inline bool isSubtype(Type sub, Type parent)
+{
+    if (sub == parent)
+        return true;
+    return sub == Anyfunc && parent == Anyref;
 }
     
@@ -139 +147 @@
         IsImport,
         FromGlobalImport,
+        FromRefFunc,
         FromExpression
     };
@@ -235 +244 @@
     Optional<uint32_t> maximum() const { return m_maximum; }
     TableElementType type() const { return m_type; }
+    Wasm::Type wasmType() const { return m_type == TableElementType::Funcref ? Type::Anyfunc : Type::Anyref; }
 
 private:

trunk/Source/JavaScriptCore/wasm/WasmFunctionParser.h

@@ -284 +284 @@
     case TableGet: {
         WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
-        ExpressionType result, idx;
-        WASM_TRY_POP_EXPRESSION_STACK_INTO(idx, "table.get");
-        WASM_TRY_ADD_TO_CONTEXT(addTableGet(idx, result));
+        ExpressionType result, index;
+        WASM_TRY_POP_EXPRESSION_STACK_INTO(index, "table.get");
+        WASM_TRY_ADD_TO_CONTEXT(addTableGet(index, result));
         m_expressionStack.append(result);
         return { };
@@ -293 +293 @@
     case TableSet: {
         WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
-        ExpressionType val, idx;
+        ExpressionType val, index;
         WASM_TRY_POP_EXPRESSION_STACK_INTO(val, "table.set");
-        WASM_TRY_POP_EXPRESSION_STACK_INTO(idx, "table.set");
-        WASM_TRY_ADD_TO_CONTEXT(addTableSet(idx, val));
+        WASM_TRY_POP_EXPRESSION_STACK_INTO(index, "table.set");
+        WASM_TRY_ADD_TO_CONTEXT(addTableSet(index, val));
         return { };
     }
@@ -302 +302 @@
     case RefNull: {
         WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
-        m_expressionStack.append(m_context.addConstant(Anyref, JSValue::encode(jsNull())));
+        m_expressionStack.append(m_context.addConstant(Anyfunc, JSValue::encode(jsNull())));
         return { };
     }
@@ -311 +311 @@
         WASM_TRY_POP_EXPRESSION_STACK_INTO(value, "ref.is_null");
         WASM_TRY_ADD_TO_CONTEXT(addRefIsNull(value, result));
+        m_expressionStack.append(result);
+        return { };
+    }
+
+    case RefFunc: {
+        uint32_t index;
+        ExpressionType result;
+        WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
+        WASM_PARSER_FAIL_IF(!parseVarUInt32(index), "can't get index for ref.func");
+
+        WASM_TRY_ADD_TO_CONTEXT(addRefFunc(index, result));
         m_expressionStack.append(result);
         return { };
@@ -682 +693 @@
     }
 
+    case RefFunc: {
+        uint32_t unused;
+        WASM_PARSER_FAIL_IF(!parseVarUInt32(unused), "can't get immediate for ", m_currentOpcode, " in unreachable context");
+        WASM_PARSER_FAIL_IF(!Options::useWebAssemblyReferences(), "references are not enabled");
+        return { };
+    }
+
     case GrowMemory:
     case CurrentMemory: {

trunk/Source/JavaScriptCore/wasm/WasmInstance.cpp

@@ -30 +30 @@
 
 #include "JSCInlines.h"
+#include "JSWebAssemblyHelpers.h"
 #include "JSWebAssemblyInstance.h"
 #include "Register.h"
@@ -58 +59 @@
     memset(static_cast<void*>(m_globals.get()), 0, globalMemoryByteSize(m_module.get()));
     for (unsigned i = 0; i < m_module->moduleInformation().globals.size(); ++i) {
-        if (m_module.get().moduleInformation().globals[i].type == Anyref)
+        if (isSubtype(m_module.get().moduleInformation().globals[i].type, Anyref))
             m_globalsToMark.set(i);
     }
@@ -81 +82 @@
 }
 
+JSValue Instance::getFunctionWrapper(unsigned i) const
+{
+    JSValue value = m_functionWrappers.get(i).get();
+    if (value.isEmpty())
+        return jsNull();
+    return value;
+}
+
+void Instance::setFunctionWrapper(unsigned i, JSValue value)
+{
+    ASSERT(m_owner);
+    ASSERT(value.isFunction(*owner<JSWebAssemblyInstance>()->vm()));
+    ASSERT(!m_functionWrappers.contains(i));
+    auto locker = holdLock(owner<JSWebAssemblyInstance>()->cellLock());
+    m_functionWrappers.set(i, WriteBarrier<Unknown>(*owner<JSWebAssemblyInstance>()->vm(), owner<JSWebAssemblyInstance>(), value));
+    ASSERT(getFunctionWrapper(i) == value);
+}
+
+EncodedJSValue getWasmTableElement(Instance* instance, int32_t signedIndex)
+{
+    if (signedIndex < 0)
+        return 0;
+
+    uint32_t index = signedIndex;
+    if (index >= instance->table()->length())
+        return 0;
+
+    return JSValue::encode(instance->table()->get(index));
+}
+
+bool setWasmTableElement(Instance* instance, int32_t signedIndex, EncodedJSValue encValue)
+{
+    if (signedIndex < 0)
+        return false;
+
+    uint32_t index = signedIndex;
+    if (index >= instance->table()->length())
+        return false;
+
+    JSValue value = JSValue::decode(encValue);
+    if (instance->table()->type() == Wasm::TableElementType::Anyref)
+        instance->table()->set(index, value);
+    else if (instance->table()->type() == Wasm::TableElementType::Funcref) {
+        WebAssemblyFunction* wasmFunction;
+        WebAssemblyWrapperFunction* wasmWrapperFunction;
+
+        if (isWebAssemblyHostFunction(*instance->owner<JSObject>()->vm(), value, wasmFunction, wasmWrapperFunction)) {
+            ASSERT(!!wasmFunction || !!wasmWrapperFunction);
+            if (wasmFunction)
+                instance->table()->asFuncrefTable()->setFunction(index, jsCast<JSObject*>(value), wasmFunction->importableFunction(), &wasmFunction->instance()->instance());
+            else
+                instance->table()->asFuncrefTable()->setFunction(index, jsCast<JSObject*>(value), wasmWrapperFunction->importableFunction(), &wasmWrapperFunction->instance()->instance());
+        } else if (value.isNull())
+            instance->table()->clear(index);
+        else
+            ASSERT_NOT_REACHED();
+    } else
+        ASSERT_NOT_REACHED();
+
+    return true;
+}
+
+EncodedJSValue doWasmRefFunc(Instance* instance, uint32_t index)
+{
+    JSValue value = instance->getFunctionWrapper(index);
+    ASSERT(value.isFunction(*instance->owner<JSObject>()->vm()));
+    return JSValue::encode(value);
+}
+
 } } // namespace JSC::Wasm
 

trunk/Source/JavaScriptCore/wasm/WasmInstance.h

@@ -40 +40 @@
 
 struct Context;
+class Instance;
+
+EncodedJSValue getWasmTableElement(Instance*, int32_t);
+bool setWasmTableElement(Instance*, int32_t, EncodedJSValue encValue);
+EncodedJSValue doWasmRefFunc(Instance*, uint32_t);
 
 class Instance : public ThreadSafeRefCounted<Instance>, public CanMakeWeakPtr<Instance> {
 public:
     using StoreTopCallFrameCallback = WTF::Function<void(void*)>;
+    using FunctionWrapperMap = HashMap<uint32_t, WriteBarrier<Unknown>, IntHash<uint32_t>, WTF::UnsignedWithZeroKeyHashTraits<uint32_t>>;
 
     static Ref<Instance> create(Context*, Ref<Module>&&, EntryFrame** pointerToTopEntryFrame, void** pointerToActualStackLimit, StoreTopCallFrameCallback&&);
@@ -92 +98 @@
     void setGlobal(unsigned, JSValue);
     const BitVector& globalsToMark() { return m_globalsToMark; }
+    JSValue getFunctionWrapper(unsigned) const;
+    typename FunctionWrapperMap::ValuesConstIteratorRange functionWrappers() const { return m_functionWrappers.values(); }
+    void setFunctionWrapper(unsigned, JSValue);
 
     static ptrdiff_t offsetOfMemory() { return OBJECT_OFFSETOF(Instance, m_memory); }
@@ -160 +169 @@
     };
     MallocPtr<GlobalValue> m_globals;
+    FunctionWrapperMap m_functionWrappers;
     BitVector m_globalsToMark;
     EntryFrame** m_pointerToTopEntryFrame { nullptr };

trunk/Source/JavaScriptCore/wasm/WasmModuleInformation.h

@@ -30 +30 @@
 #include "WasmFormat.h"
 
+#include <wtf/BitVector.h>
 #include <wtf/Optional.h>
 
@@ -67 +68 @@
     uint32_t tableCount() const { return tableInformation ? 1 : 0; }
 
+    const BitVector& referencedFunctions() const { return m_referencedFunctions; }
+    void addReferencedFunction(unsigned index) const { m_referencedFunctions.set(index); }
+
     Vector<Import> imports;
     Vector<SignatureIndex> importFunctionSignatureIndices;
@@ -85 +89 @@
     Vector<CustomSection> customSections;
     Ref<NameSection> nameSection;
+    
+    mutable BitVector m_referencedFunctions;
 };
 

trunk/Source/JavaScriptCore/wasm/WasmSectionParser.cpp

@@ -292 +292 @@
         if (initOpcode == GetGlobal)
             global.initializationType = Global::FromGlobalImport;
+        else if (initOpcode == RefFunc)
+            global.initializationType = Global::FromRefFunc;
         else
             global.initializationType = Global::FromExpression;
-        WASM_PARSER_FAIL_IF(typeForInitOpcode != global.type, "Global init_expr opcode of type ", typeForInitOpcode, " doesn't match global's type ", global.type);
+        WASM_PARSER_FAIL_IF(!isSubtype(typeForInitOpcode, global.type), "Global init_expr opcode of type ", typeForInitOpcode, " doesn't match global's type ", global.type);
 
         m_info->globals.uncheckedAppend(WTFMove(global));
@@ -480 +482 @@
 
     case RefNull: {
-        resultType = Anyref;
+        resultType = Anyfunc;
         bitsOrImportNumber = JSValue::encode(jsNull());
+        break;
+    }
+
+    case RefFunc: {
+        uint32_t index;
+        WASM_PARSER_FAIL_IF(!parseVarUInt32(index), "can't get ref.func index");
+        WASM_PARSER_FAIL_IF(index >= m_info->functions.size(), "ref.func index", index, " exceeds the number of functions ", m_info->functions.size());
+
+        resultType = Anyfunc;
+        bitsOrImportNumber = index;
         break;
     }

trunk/Source/JavaScriptCore/wasm/WasmValidate.cpp

@@ -104 +104 @@
     // References
     Result WARN_UNUSED_RETURN addRefIsNull(ExpressionType& value, ExpressionType& result);
+    Result WARN_UNUSED_RETURN addRefFunc(uint32_t index, ExpressionType& result);
 
     // Tables
-    Result WARN_UNUSED_RETURN addTableGet(ExpressionType& idx, ExpressionType& result);
-    Result WARN_UNUSED_RETURN addTableSet(ExpressionType& idx, ExpressionType& value);
+    Result WARN_UNUSED_RETURN addTableGet(ExpressionType& index, ExpressionType& result);
+    Result WARN_UNUSED_RETURN addTableSet(ExpressionType& index, ExpressionType& value);
 
     // Locals
@@ -178 +179 @@
 }
 
-auto Validate::addTableGet(ExpressionType& idx, ExpressionType& result) -> Result
-{
-    result = Type::Anyref;
-    WASM_VALIDATOR_FAIL_IF(Type::I32 != idx, "table.get index to type ", idx, " expected ", Type::I32);
-    WASM_VALIDATOR_FAIL_IF(TableElementType::Anyref != m_module.tableInformation.type(), "table.get expects the table to have type ", Type::Anyref);
-
-    return { };
-}
-
-auto Validate::addTableSet(ExpressionType& idx, ExpressionType& value) -> Result
-{
-    WASM_VALIDATOR_FAIL_IF(Type::I32 != idx, "table.set index to type ", idx, " expected ", Type::I32);
-    WASM_VALIDATOR_FAIL_IF(Type::Anyref != value, "table.set value to type ", value, " expected ", Type::Anyref);
-    WASM_VALIDATOR_FAIL_IF(TableElementType::Anyref != m_module.tableInformation.type(), "table.set expects the table to have type ", Type::Anyref);
+auto Validate::addTableGet(ExpressionType& index, ExpressionType& result) -> Result
+{
+    result = m_module.tableInformation.wasmType();
+    WASM_VALIDATOR_FAIL_IF(Type::I32 != index, "table.get index to type ", index, " expected ", Type::I32);
+
+    return { };
+}
+
+auto Validate::addTableSet(ExpressionType& index, ExpressionType& value) -> Result
+{
+    auto type = m_module.tableInformation.wasmType();
+    WASM_VALIDATOR_FAIL_IF(Type::I32 != index, "table.set index to type ", index, " expected ", Type::I32);
+    WASM_VALIDATOR_FAIL_IF(!isSubtype(value, type), "table.set value to type ", value, " expected ", type);
+    WASM_VALIDATOR_FAIL_IF(m_module.tableInformation.type() != TableElementType::Anyref
+        && m_module.tableInformation.type() != TableElementType::Funcref, "table.set expects the table to have type anyref or anyfunc");
 
     return { };
@@ -199 +201 @@
 {
     result = Type::I32;
-    WASM_VALIDATOR_FAIL_IF(Type::Anyref != value, "ref.is_null to type ", value, " expected ", Type::Anyref);
+    WASM_VALIDATOR_FAIL_IF(!isSubtype(value, Type::Anyref), "ref.is_null to type ", value, " expected ", Type::Anyref);
+
+    return { };
+}
+
+auto Validate::addRefFunc(uint32_t index, ExpressionType& result) -> Result
+{
+    result = Type::Anyfunc;
+    WASM_VALIDATOR_FAIL_IF(index >= m_module.functionIndexSpaceSize(), "ref.func index ", index, " is too large, max is ", m_module.functionIndexSpaceSize());
+    m_module.addReferencedFunction(index);
 
     return { };
@@ -225 +236 @@
     ExpressionType localType;
     WASM_FAIL_IF_HELPER_FAILS(getLocal(index, localType));
-    WASM_VALIDATOR_FAIL_IF(localType != value, "set_local to type ", value, " expected ", localType);
+    WASM_VALIDATOR_FAIL_IF(!isSubtype(value, localType), "set_local to type ", value, " expected ", localType);
     return { };
 }
@@ -363 +374 @@
 
     for (unsigned i = 0; i < args.size(); ++i)
-        WASM_VALIDATOR_FAIL_IF(args[i] != signature.argument(i), "argument type mismatch in call, got ", args[i], ", expected ", signature.argument(i));
+        WASM_VALIDATOR_FAIL_IF(!isSubtype(args[i], signature.argument(i)), "argument type mismatch in call, got ", args[i], ", expected ", signature.argument(i));
 
     result = signature.returnType();
@@ -376 +387 @@
 
     for (unsigned i = 0; i < argumentCount; ++i)
-        WASM_VALIDATOR_FAIL_IF(args[i] != signature.argument(i), "argument type mismatch in call_indirect, got ", args[i], ", expected ", signature.argument(i));
+        WASM_VALIDATOR_FAIL_IF(!isSubtype(args[i], signature.argument(i)), "argument type mismatch in call_indirect, got ", args[i], ", expected ", signature.argument(i));
 
     WASM_VALIDATOR_FAIL_IF(args.last() != I32, "non-i32 call_indirect index ", args.last());

trunk/Source/JavaScriptCore/wasm/js/JSToWasm.cpp

@@ -32 +32 @@
 #include "DisallowMacroScratchRegisterUsage.h"
 #include "JSCInlines.h"
+#include "JSWebAssemblyHelpers.h"
 #include "JSWebAssemblyInstance.h"
 #include "JSWebAssemblyRuntimeError.h"
@@ -84 +85 @@
         case Wasm::I32:
         case Wasm::Anyref:
+        case Wasm::Anyfunc:
             if (numGPRs >= wasmCallingConvention().m_gprArgs.size())
                 totalFrameSize += sizeof(void*);
@@ -123 +125 @@
         }
 
-        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR2, Instance::offsetOfPointerToTopEntryFrame()), GPRInfo::argumentGPR0);
-        jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0), GPRInfo::argumentGPR0);
-        jit.copyCalleeSavesToEntryFrameCalleeSavesBuffer(GPRInfo::argumentGPR0);
-        jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
-        jit.move(CCallHelpers::TrustedImm32(static_cast<int32_t>(argumentsIncludeI64 ? ExceptionType::I64ArgumentType : ExceptionType::I64ReturnType)), GPRInfo::argumentGPR1);
-
-        CCallHelpers::Call call = jit.call(OperationPtrTag);
-
-        jit.jump(GPRInfo::returnValueGPR, ExceptionHandlerPtrTag);
-        jit.breakpoint(); // We should not reach this.
-
-        jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
-            linkBuffer.link(call, FunctionPtr<OperationPtrTag>(wasmToJSException));
-        });
+        emitThrowWasmToJSException(jit, GPRInfo::argumentGPR2, argumentsIncludeI64 ? ExceptionType::I64ArgumentType : ExceptionType::I64ReturnType);
         return result;
     }
@@ -166 +155 @@
             case Wasm::I32:
             case Wasm::I64:
+            case Wasm::Anyfunc:
             case Wasm::Anyref:
                 if (numGPRs >= wasmCallingConvention().m_gprArgs.size()) {
@@ -251 +241 @@
         break;
     case Wasm::Anyref:
-        // FIXME: We need to box wasm Funcrefs once they are supported here.
+    case Wasm::Anyfunc:
         break;
     case Wasm::I32:
@@ -269 +259 @@
     case Wasm::I64:
     case Wasm::Func:
-    case Wasm::Anyfunc:
         jit.breakpoint();
         break;

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyHelpers.h

@@ -123 +123 @@
 
 
-ALWAYS_INLINE bool isWebAssemblyHostFunction(VM& vm, JSObject* object)
+ALWAYS_INLINE bool isWebAssemblyHostFunction(VM& vm, JSValue object)
 {
     WebAssemblyFunction* unused;

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp

@@ -92 +92 @@
         visitor.append(*thisObject->instance().importFunction<WriteBarrier<JSObject>>(i)); // This also keeps the functions' JSWebAssemblyInstance alive.
 
-    for (size_t i : thisObject->instance().globalsToMark()) {
-        // FIXME: We need to box wasm Funcrefs once they are supported here.
-        // <https://bugs.webkit.org/show_bug.cgi?id=198157>
+    for (size_t i : thisObject->instance().globalsToMark())
         visitor.appendUnbarriered(JSValue::decode(thisObject->instance().loadI64Global(i)));
-    }
+
+    auto locker = holdLock(cell->cellLock());
+    for (auto& wrapper : thisObject->instance().functionWrappers())
+        visitor.appendUnbarriered(wrapper.get());
 }
 

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyRuntimeError.cpp

@@ -49 +49 @@
 const ClassInfo JSWebAssemblyRuntimeError::s_info = { "WebAssembly.RuntimeError", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(JSWebAssemblyRuntimeError) };
 
+JSObject* createJSWebAssemblyRuntimeError(ExecState* exec, VM& vm, const String& message)
+{
+    ASSERT(!message.isEmpty());
+    JSGlobalObject* globalObject = exec->lexicalGlobalObject();
+    return JSWebAssemblyRuntimeError::create(exec, vm, globalObject->webAssemblyRuntimeErrorStructure(), message);
+}
     
 } // namespace JSC

trunk/Source/JavaScriptCore/wasm/js/JSWebAssemblyRuntimeError.h

@@ -44 +44 @@
 };
 
+JSObject* createJSWebAssemblyRuntimeError(ExecState*, VM&, const String&);
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/wasm/js/WasmToJS.cpp

@@ -33 +33 @@
 #include "JITExceptions.h"
 #include "JSCInlines.h"
+#include "JSWebAssemblyHelpers.h"
 #include "JSWebAssemblyInstance.h"
 #include "JSWebAssemblyRuntimeError.h"
@@ -66 +67 @@
         case Void:
         case Func:
-        case Anyfunc:
             RELEASE_ASSERT_NOT_REACHED();
 
@@ -163 +163 @@
             case Void:
             case Func:
-            case Anyfunc:
             case I64:
                 RELEASE_ASSERT_NOT_REACHED();
             case Anyref:
+            case Anyfunc:
             case I32: {
                 GPRReg gprReg;
@@ -238 +238 @@
                     case Void:
                     case Func:
-                    case Anyfunc:
                     case I64:
                         RELEASE_ASSERT_NOT_REACHED();
@@ -244 +243 @@
                         arg = jsNumber(static_cast<int32_t>(buffer[argNum]));
                         break;
+                    case Anyfunc: {
+                        arg = JSValue::decode(buffer[argNum]);
+                        ASSERT(isWebAssemblyHostFunction(*vm, arg) || arg.isNull());
+                        break;
+                    }
                     case Anyref:
-                        // FIXME: We need to box wasm Funcrefs once they are supported here.
                         arg = JSValue::decode(buffer[argNum]);
                         break;
@@ -269 +272 @@
                 switch (signature.returnType()) {
                 case Func:
-                case Anyfunc:
                 case I64:
                     RELEASE_ASSERT_NOT_REACHED();
@@ -277 +279 @@
                 case I32: {
                     realResult = static_cast<uint64_t>(static_cast<uint32_t>(result.toInt32(exec)));
+                    break;
+                }
+                case Anyfunc: {
+                    realResult = JSValue::encode(result);
+                    ASSERT(result.isFunction(*vm) || result.isNull());
                     break;
                 }
@@ -372 +379 @@
             case Void:
             case Func:
-            case Anyfunc:
             case I64:
                 RELEASE_ASSERT_NOT_REACHED(); // Handled above.
             case Anyref:
+            case Anyfunc:
             case I32: {
                 GPRReg gprReg;
@@ -391 +398 @@
                     jit.boxInt32(gprReg, JSValueRegs(gprReg), DoNotHaveTagRegisters);
                 }
-                // FIXME: We need to box wasm Funcrefs once they are supported here.
                 jit.store64(gprReg, calleeFrame.withOffset(calleeFrameOffset));
                 calleeFrameOffset += sizeof(Register);
@@ -442 +448 @@
             case Void:
             case Func:
-            case Anyfunc:
             case I64:
                 RELEASE_ASSERT_NOT_REACHED(); // Handled above.
             case Anyref:
+            case Anyfunc:
             case I32:
                 // Skipped: handled above.
@@ -520 +526 @@
         break;
     case Func:
-    case Anyfunc:
         // For the JavaScript embedding, imports with these types in their signature return are a WebAssembly.Module validation error.
         RELEASE_ASSERT_NOT_REACHED();
@@ -554 +559 @@
         break;
     }
+    case Anyfunc:
     case Anyref:
         break;
@@ -696 +702 @@
 }
 
+void emitThrowWasmToJSException(CCallHelpers& jit, GPRReg wasmInstance, Wasm::ExceptionType type)
+{
+    ASSERT(wasmInstance != GPRInfo::argumentGPR0);
+    jit.loadPtr(CCallHelpers::Address(wasmInstance, Wasm::Instance::offsetOfPointerToTopEntryFrame()), GPRInfo::argumentGPR0);
+    jit.loadPtr(CCallHelpers::Address(GPRInfo::argumentGPR0), GPRInfo::argumentGPR0);
+    jit.copyCalleeSavesToEntryFrameCalleeSavesBuffer(GPRInfo::argumentGPR0);
+    jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
+    jit.move(CCallHelpers::TrustedImm32(static_cast<int32_t>(type)), GPRInfo::argumentGPR1);
+
+    CCallHelpers::Call call = jit.call(OperationPtrTag);
+
+    jit.jump(GPRInfo::returnValueGPR, ExceptionHandlerPtrTag);
+    jit.breakpoint(); // We should not reach this.
+
+    jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
+        linkBuffer.link(call, FunctionPtr<OperationPtrTag>(Wasm::wasmToJSException));
+    });
+}
+
 } } // namespace JSC::Wasm
 

trunk/Source/JavaScriptCore/wasm/js/WasmToJS.h

@@ -46 +46 @@
 
 void* wasmToJSException(ExecState*, Wasm::ExceptionType, Instance*);
+void emitThrowWasmToJSException(CCallHelpers&, GPRReg wasmInstance, Wasm::ExceptionType);
 
 } } // namespace JSC::Wasm

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

@@ -85 +85 @@
             arg = JSValue::decode(arg.toInt32(exec));
             break;
+        case Wasm::Anyfunc: {
+            if (!isWebAssemblyHostFunction(vm, arg) && !arg.isNull())
+                return JSValue::encode(throwException(exec, scope, createJSWebAssemblyRuntimeError(exec, vm, "Anyfunc must be an exported wasm function")));
+            break;
+        }
         case Wasm::Anyref:
             break;
@@ -98 +103 @@
         case Wasm::Void:
         case Wasm::Func:
-        case Wasm::Anyfunc:
             RELEASE_ASSERT_NOT_REACHED();
         }
@@ -229 +233 @@
             break;
         case Wasm::Anyref:
+        case Wasm::Anyfunc:
         case Wasm::I32:
             if (numGPRs >= Wasm::wasmCallingConvention().m_gprArgs.size())
@@ -304 +309 @@
                 }
                 break;
+            case Wasm::Anyfunc: {
+                // FIXME: Emit this inline <https://bugs.webkit.org/show_bug.cgi?id=198506>.
+                bool (*shouldThrow)(Wasm::Instance*, JSValue) = [] (Wasm::Instance* wasmInstance, JSValue arg) -> bool {
+                    JSWebAssemblyInstance* instance = wasmInstance->owner<JSWebAssemblyInstance>();
+                    JSGlobalObject* globalObject = instance->globalObject();
+                    VM& vm = globalObject->vm();
+                    return !isWebAssemblyHostFunction(vm, arg) && !arg.isNull();
+                };
+                jit.move(CCallHelpers::TrustedImmPtr(&instance()->instance()), GPRInfo::argumentGPR0);
+                jit.load64(CCallHelpers::Address(GPRInfo::callFrameRegister, jsOffset), GPRInfo::argumentGPR1);
+                jit.setupArguments<decltype(shouldThrow)>(GPRInfo::argumentGPR0, GPRInfo::argumentGPR1);
+                auto call = jit.call(OperationPtrTag);
+
+                jit.addLinkTask([=] (LinkBuffer& linkBuffer) {
+                    linkBuffer.link(call, FunctionPtr<OperationPtrTag>(shouldThrow));
+                });
+
+                slowPath.append(jit.branchTest32(CCallHelpers::NonZero, GPRInfo::returnValueGPR));
+
+                FALLTHROUGH;
+            }
             case Wasm::Anyref: {
                 jit.load64(CCallHelpers::Address(GPRInfo::callFrameRegister, jsOffset), scratchGPR);
@@ -467 +493 @@
         break;
     }
-    case Wasm::Anyref: {
-        // FIXME: We need to box wasm Funcrefs once they are supported here.
+    case Wasm::Anyfunc:
+    case Wasm::Anyref:
         break;
-    }
     case Wasm::I64:
     case Wasm::Func:
-    case Wasm::Anyfunc:
         return nullptr;
     default:

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp

@@ -236 +236 @@
             if (moduleInformation.globals[import.kindIndex].type == Wasm::I64)
                 return exception(createJSWebAssemblyLinkError(exec, vm, importFailMessage(import, "imported global", "cannot be an i64")));
-            if (moduleInformation.globals[import.kindIndex].type != Wasm::Anyref && !value.isNumber())
+            if (!isSubtype(moduleInformation.globals[import.kindIndex].type, Wasm::Anyref) && !value.isNumber())
                 return exception(createJSWebAssemblyLinkError(exec, vm, importFailMessage(import, "imported global", "must be a number")));
             // iii. Append ToWebAssemblyValue(v) to imports.
             switch (moduleInformation.globals[import.kindIndex].type) {
+            case Wasm::Anyfunc:
+                if (!isWebAssemblyHostFunction(vm, value) && !value.isNull())
+                    return exception(createJSWebAssemblyLinkError(exec, vm, importFailMessage(import, "imported global", "must be a wasm exported function or null")));
+                m_instance->instance().setGlobal(import.kindIndex, value);
+                break;
             case Wasm::Anyref:
                 m_instance->instance().setGlobal(import.kindIndex, value);
@@ -320 +325 @@
     }
 
+    unsigned functionImportCount = codeBlock->functionImportCount();
+    auto makeFunctionWrapper = [&] (const String& field, uint32_t index) -> JSValue {
+        // If we already made a wrapper, do not make a new one.
+        JSValue wrapper = m_instance->instance().getFunctionWrapper(index);
+
+        if (!wrapper.isNull())
+            return wrapper;
+
+        // 1. If e is a closure c:
+        //   i. If there is an Exported Function Exotic Object func in funcs whose func.[[Closure]] equals c, then return func.
+        //   ii. (Note: At most one wrapper is created for any closure, so func is unique, even if there are multiple occurrances in the list. Moreover, if the item was an import that is already an Exported Function Exotic Object, then the original function object will be found. For imports that are regular JS functions, a new wrapper will be created.)
+        if (index < functionImportCount) {
+            JSObject* functionImport = m_instance->instance().importFunction<WriteBarrier<JSObject>>(index)->get();
+            if (isWebAssemblyHostFunction(vm, functionImport))
+                wrapper = functionImport;
+            else {
+                Wasm::SignatureIndex signatureIndex = module->signatureIndexFromFunctionIndexSpace(index);
+                wrapper = WebAssemblyWrapperFunction::create(vm, globalObject, globalObject->webAssemblyWrapperFunctionStructure(), functionImport, index, m_instance.get(), signatureIndex);
+            }
+        } else {
+            //   iii. Otherwise:
+            //     a. Let func be an Exported Function Exotic Object created from c.
+            //     b. Append func to funcs.
+            //     c. Return func.
+            Wasm::Callee& embedderEntrypointCallee = codeBlock->embedderEntrypointCalleeFromFunctionIndexSpace(index);
+            Wasm::WasmToWasmImportableFunction::LoadLocation entrypointLoadLocation = codeBlock->entrypointLoadLocationFromFunctionIndexSpace(index);
+            Wasm::SignatureIndex signatureIndex = module->signatureIndexFromFunctionIndexSpace(index);
+            const Wasm::Signature& signature = Wasm::SignatureInformation::get(signatureIndex);
+            WebAssemblyFunction* function = WebAssemblyFunction::create(vm, globalObject, globalObject->webAssemblyFunctionStructure(), signature.argumentCount(), field, m_instance.get(), embedderEntrypointCallee, entrypointLoadLocation, signatureIndex);
+            wrapper = function;
+        }
+
+        ASSERT(wrapper.isFunction(vm));
+        m_instance->instance().setFunctionWrapper(index, wrapper);
+
+        return wrapper;
+    };
+
+    for (auto index : moduleInformation.referencedFunctions())
+        makeFunctionWrapper("Referenced function", index);
+
     // Globals
     {
@@ -328 +374 @@
                 ASSERT(global.initialBitsOrImportNumber < moduleInformation.firstInternalGlobal);
                 m_instance->instance().setGlobal(globalIndex, m_instance->instance().loadI64Global(global.initialBitsOrImportNumber));
+            } else if (global.initializationType == Wasm::Global::FromRefFunc) {
+                ASSERT(global.initialBitsOrImportNumber < moduleInformation.functionIndexSpaceSize());
+                ASSERT(makeFunctionWrapper("Global init expr", global.initialBitsOrImportNumber).isFunction(vm));
+                m_instance->instance().setGlobal(globalIndex, JSValue::encode(makeFunctionWrapper("Global init expr", global.initialBitsOrImportNumber)));
             } else
                 m_instance->instance().setGlobal(globalIndex, global.initialBitsOrImportNumber);
@@ -334 +384 @@
 
     SymbolTable* exportSymbolTable = module->exportSymbolTable();
-    unsigned functionImportCount = codeBlock->functionImportCount();
 
     // Let exports be a list of (string, JS value) pairs that is mapped from each external value e in instance.exports as follows:
@@ -342 +391 @@
         switch (exp.kind) {
         case Wasm::ExternalKind::Function: {
-            // 1. If e is a closure c:
-            //   i. If there is an Exported Function Exotic Object func in funcs whose func.[[Closure]] equals c, then return func.
-            //   ii. (Note: At most one wrapper is created for any closure, so func is unique, even if there are multiple occurrances in the list. Moreover, if the item was an import that is already an Exported Function Exotic Object, then the original function object will be found. For imports that are regular JS functions, a new wrapper will be created.)
-            if (exp.kindIndex < functionImportCount) {
-                unsigned functionIndex = exp.kindIndex;
-                JSObject* functionImport = m_instance->instance().importFunction<WriteBarrier<JSObject>>(functionIndex)->get();
-                if (isWebAssemblyHostFunction(vm, functionImport))
-                    exportedValue = functionImport;
-                else {
-                    Wasm::SignatureIndex signatureIndex = module->signatureIndexFromFunctionIndexSpace(functionIndex);
-                    exportedValue = WebAssemblyWrapperFunction::create(vm, globalObject, globalObject->webAssemblyWrapperFunctionStructure(), functionImport, functionIndex, m_instance.get(), signatureIndex);
-                }
-            } else {
-                //   iii. Otherwise:
-                //     a. Let func be an Exported Function Exotic Object created from c.
-                //     b. Append func to funcs.
-                //     c. Return func.
-                Wasm::Callee& embedderEntrypointCallee = codeBlock->embedderEntrypointCalleeFromFunctionIndexSpace(exp.kindIndex);
-                Wasm::WasmToWasmImportableFunction::LoadLocation entrypointLoadLocation = codeBlock->entrypointLoadLocationFromFunctionIndexSpace(exp.kindIndex);
-                Wasm::SignatureIndex signatureIndex = module->signatureIndexFromFunctionIndexSpace(exp.kindIndex);
-                const Wasm::Signature& signature = Wasm::SignatureInformation::get(signatureIndex);
-                WebAssemblyFunction* function = WebAssemblyFunction::create(vm, globalObject, globalObject->webAssemblyFunctionStructure(), signature.argumentCount(), String::fromUTF8(exp.field), m_instance.get(), embedderEntrypointCallee, entrypointLoadLocation, signatureIndex);
-                exportedValue = function;
-            }
+            exportedValue = makeFunctionWrapper(String::fromUTF8(exp.field), exp.kindIndex);
+            ASSERT(exportedValue.isFunction(vm));
+            ASSERT(makeFunctionWrapper(String::fromUTF8(exp.field), exp.kindIndex) == exportedValue);
             break;
         }
@@ -389 +417 @@
             switch (global.type) {
             case Wasm::Anyref:
-                // FIXME: We need to box wasm Funcrefs once they are supported here.
-                // <https://bugs.webkit.org/show_bug.cgi?id=198157>
+            case Wasm::Anyfunc:
                 exportedValue = JSValue::decode(m_instance->instance().loadI64Global(exp.kindIndex));
                 break;

trunk/Source/JavaScriptCore/wasm/wasm.json

@@ -12 +12 @@
         "f32":     { "type": "varint7", "value":  -3, "b3type": "B3::Float" },
         "f64":     { "type": "varint7", "value":  -4, "b3type": "B3::Double" },
-        "anyfunc": { "type": "varint7", "value": -16, "b3type": "B3::Void" },
+        "anyfunc": { "type": "varint7", "value": -16, "b3type": "B3::Int64" },
         "anyref":  { "type": "varint7", "value": -17, "b3type": "B3::Int64" },
         "func":    { "type": "varint7", "value": -32, "b3type": "B3::Void" },
         "void":    { "type": "varint7", "value": -64, "b3type": "B3::Void" }
     },
-    "value_type": ["i32", "i64", "f32", "f64", "anyref"],
-    "block_type": ["i32", "i64", "f32", "f64", "void", "anyref"],
+    "value_type": ["i32", "i64", "f32", "f64", "anyref", "anyfunc"],
+    "block_type": ["i32", "i64", "f32", "f64", "void", "anyref", "anyfunc"],
     "elem_type": ["anyfunc","anyref"],
     "external_kind": {
@@ -60 +60 @@
         "f64.const":           { "category": "special",    "value":  68, "return": ["f64"],      "parameter": [],                       "immediate": [{"name": "value",          "type": "double"}],                                               "description": "a constant value interpreted as f64" },
         "f32.const":           { "category": "special",    "value":  67, "return": ["f32"],      "parameter": [],                       "immediate": [{"name": "value",          "type": "float"}],                                                "description": "a constant value interpreted as f32" },
-        "ref.null":            { "category": "special",    "value": 208, "return": ["anyref"],   "parameter": [],                       "immediate": [],                                                                                           "description": "a constant null reference" },
+        "ref.null":            { "category": "special",    "value": 208, "return": ["anyfunc"],  "parameter": [],                       "immediate": [],                                                                                           "description": "a constant null reference" },
         "ref.is_null":         { "category": "special",    "value": 209, "return": ["i32"],      "parameter": ["anyref"],               "immediate": [],                                                                                           "description": "determine if a reference is null" },
+        "ref.func":            { "category": "special",    "value": 210, "return": ["anyfunc"],  "parameter": [],                       "immediate": [{"name": "function_index", "type": "varuint32"}],                                            "description": "return a reference to the function at the given index" },
         "get_local":           { "category": "special",    "value":  32, "return": ["any"],      "parameter": [],                       "immediate": [{"name": "local_index",    "type": "varuint32"}],                                            "description": "read a local variable or parameter" },
         "set_local":           { "category": "special",    "value":  33, "return": [],           "parameter": ["any"],                  "immediate": [{"name": "local_index",    "type": "varuint32"}],                                            "description": "write a local variable or parameter" },