Changeset 256665 in webkit

Timestamp:

Feb 14, 2020 6:57:49 PM (4 years ago)

Author:

Tadeu Zagallo

Message:

[WASM] Wasm interpreter's calling convention doesn't match Wasm JIT's convention.
​https://bugs.webkit.org/show_bug.cgi?id=207727

JSTests:

Reviewed by Mark Lam.

• wasm/regress/llint-callee-saves-with-fast-memory.js: Added.
• wasm/regress/llint-callee-saves-without-fast-memory.js: Added.

Source/JavaScriptCore:

Reviewed by Mark Lam.

The Wasm JIT has unusual calling conventions, which were further complicated by the addition
of the interpreter, and the interpreter did not correctly follow these conventions (by incorrectly
saving and restoring the callee save registers used for the memory base and size). Here's a summary
of the calling convention:

• When entering Wasm from JS, the wrapper must:
  • Preserve the base and size when entering LLInt regardless of the mode. (Prior to this patch we only preserved the base in Signaling mode)
  • Preserve the memory base in either mode, and the size for BoundsChecking.
• Both tiers must preserve every *other* register they use. e.g. the LLInt must preserve PB and wasmInstance, but must *not* preserve memoryBase and memorySize.
• Changes to memoryBase and memorySize are visible to the caller. This means that:
  • Intra-module calls can assume these registers are up-to-date even if the memory was resized. The only exception here is if the LLInt calls a signaling JIT, in which case the JIT will not update the size register, since it won't be using it.
  • Inter-module and JS calls require the caller to reload these registers. These calls may result in memory changes (e.g. the callee may call memory.grow).
  • A Signaling JIT caller must be aware that the LLInt may trash the size register, since it always bounds checks.

• llint/WebAssembly.asm:
• wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::addCall):

• wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::addCall):

• wasm/WasmCallee.cpp:

(JSC::Wasm::LLIntCallee::calleeSaveRegisters):

• wasm/WasmCallingConvention.h:
• wasm/WasmLLIntPlan.cpp:

(JSC::Wasm::LLIntPlan::didCompleteCompilation):

• wasm/WasmMemoryInformation.cpp:

(JSC::Wasm::PinnedRegisterInfo::get):
(JSC::Wasm::getPinnedRegisters): Deleted.

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/wasm/regress/llint-callee-saves-with-fast-memory.js (added)
• JSTests/wasm/regress/llint-callee-saves-without-fast-memory.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/llint/WebAssembly.asm (modified) (2 diffs)
• Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmCallee.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmCallingConvention.h (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp (modified) (1 diff)
• Source/JavaScriptCore/wasm/WasmMemoryInformation.cpp (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-02-14  Tadeu Zagallo  <tzagallo@apple.com>
+
+        [WASM] Wasm interpreter's calling convention doesn't match Wasm JIT's convention.
+        https://bugs.webkit.org/show_bug.cgi?id=207727
+
+        Reviewed by Mark Lam.
+
+        * wasm/regress/llint-callee-saves-with-fast-memory.js: Added.
+        * wasm/regress/llint-callee-saves-without-fast-memory.js: Added.
+
 2020-02-13  Caio Lima  <ticaiolima@gmail.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-02-14  Tadeu Zagallo  <tzagallo@apple.com> and Michael Saboff  <msaboff@apple.com>
+
+        [WASM] Wasm interpreter's calling convention doesn't match Wasm JIT's convention.
+        https://bugs.webkit.org/show_bug.cgi?id=207727
+
+        Reviewed by Mark Lam.
+
+        The Wasm JIT has unusual calling conventions, which were further complicated by the addition
+        of the interpreter, and the interpreter did not correctly follow these conventions (by incorrectly
+        saving and restoring the callee save registers used for the memory base and size). Here's a summary
+        of the calling convention:
+
+        - When entering Wasm from JS, the wrapper must:
+            - Preserve the base and size when entering LLInt regardless of the mode. (Prior to this
+              patch we only preserved the base in Signaling mode)
+            - Preserve the memory base in either mode, and the size for BoundsChecking.
+        - Both tiers must preserve every *other* register they use. e.g. the LLInt must preserve PB
+          and wasmInstance, but must *not* preserve memoryBase and memorySize.
+        - Changes to memoryBase and memorySize are visible to the caller. This means that:
+            - Intra-module calls can assume these registers are up-to-date even if the memory was
+              resized. The only exception here is if the LLInt calls a signaling JIT, in which case
+              the JIT will not update the size register, since it won't be using it.
+            - Inter-module and JS calls require the caller to reload these registers. These calls may
+              result in memory changes (e.g. the callee may call memory.grow).
+            - A Signaling JIT caller must be aware that the LLInt may trash the size register, since
+              it always bounds checks.
+
+        * llint/WebAssembly.asm:
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::addCall):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::addCall):
+        * wasm/WasmCallee.cpp:
+        (JSC::Wasm::LLIntCallee::calleeSaveRegisters):
+        * wasm/WasmCallingConvention.h:
+        * wasm/WasmLLIntPlan.cpp:
+        (JSC::Wasm::LLIntPlan::didCompleteCompilation):
+        * wasm/WasmMemoryInformation.cpp:
+        (JSC::Wasm::PinnedRegisterInfo::get):
+        (JSC::Wasm::getPinnedRegisters): Deleted.
+
 2020-02-13  Stephan Szabo  <stephan.szabo@sony.com>
 

trunk/Source/JavaScriptCore/llint/WebAssembly.asm

@@ -179 +179 @@
 
 macro preserveCalleeSavesUsedByWasm()
+    # NOTE: We intentionally don't save memoryBase and memorySize here. See the comment
+    # in restoreCalleeSavesUsedByWasm() below for why.
     subp CalleeSaveSpaceStackAligned, sp
     if ARM64 or ARM64E
-        emit "stp x23, x26, [x29, #-16]"
-        emit "stp x19, x22, [x29, #-32]"
+        emit "stp x19, x26, [x29, #-16]"
     elsif X86_64
-        storep memorySize, -0x08[cfr]
-        storep memoryBase, -0x10[cfr]
-        storep PB, -0x18[cfr]
-        storep wasmInstance, -0x20[cfr]
+        storep PB, -0x8[cfr]
+        storep wasmInstance, -0x10[cfr]
     else
         error
@@ -194 +193 @@
 
 macro restoreCalleeSavesUsedByWasm()
+    # NOTE: We intentionally don't restore memoryBase and memorySize here. These are saved
+    # and restored when entering Wasm by the JSToWasm wrapper and changes to them are meant
+    # to be observable within the same Wasm module.
     if ARM64 or ARM64E
-        emit "ldp x23, x26, [x29, #-16]"
-        emit "ldp x19, x22, [x29, #-32]"
+        emit "ldp x19, x26, [x29, #-16]"
     elsif X86_64
-        loadp -0x08[cfr], memorySize
-        loadp -0x10[cfr], memoryBase
-        loadp -0x18[cfr], PB
-        loadp -0x20[cfr], wasmInstance
+        loadp -0x8[cfr], PB
+        loadp -0x10[cfr], wasmInstance
     else
         error

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -2174 +2174 @@
     } else {
         auto* patchpoint = emitCallPatchpoint(m_currentBlock, signature, results, args);
+        // We need to clobber the size register since the LLInt always bounds checks
+        if (m_mode == MemoryMode::Signaling)
+            patchpoint->clobberLate(RegisterSet { PinnedRegisterInfo::get().sizeRegister });
         patchpoint->setGenerator([unlinkedWasmToWasmCalls, functionIndex] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
             AllowMacroScratchRegisterUsage allowScratch(jit);

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -1727 +1727 @@
                 patchpoint->effects.readsPinned = true;
 
+                // We need to clobber the size register since the LLInt always bounds checks
+                if (m_mode == MemoryMode::Signaling)
+                    patchpoint->clobberLate(RegisterSet { PinnedRegisterInfo::get().sizeRegister });
                 patchpoint->setGenerator([unlinkedWasmToWasmCalls, functionIndex] (CCallHelpers& jit, const B3::StackmapGenerationParams&) {
                     AllowMacroScratchRegisterUsage allowScratch(jit);

trunk/Source/JavaScriptCore/wasm/WasmCallee.cpp

@@ -95 +95 @@
 #error Unsupported architecture.
 #endif
-        registers.set(GPRInfo::regCS3); // Memory base
-        registers.set(GPRInfo::regCS4); // Memory size
         ASSERT(registers.numberOfSetRegisters() == numberOfLLIntCalleeSaveRegisters);
         calleeSaveRegisters.construct(WTFMove(registers));

trunk/Source/JavaScriptCore/wasm/WasmCallingConvention.h

@@ -47 +47 @@
 namespace JSC { namespace Wasm {
 
-constexpr unsigned numberOfLLIntCalleeSaveRegisters = 4;
+constexpr unsigned numberOfLLIntCalleeSaveRegisters = 2;
 
 using ArgumentLocation = B3::ValueRep;

trunk/Source/JavaScriptCore/wasm/WasmLLIntPlan.cpp

@@ -147 +147 @@
             const Signature& signature = SignatureInformation::get(signatureIndex);
             CCallHelpers jit;
-            std::unique_ptr<InternalFunction> function = createJSToWasmWrapper(jit, signature, &m_unlinkedWasmToWasmCalls[functionIndex], m_moduleInformation.get(), m_mode, functionIndex);
+            // The LLInt always bounds checks
+            MemoryMode mode = MemoryMode::BoundsChecking;
+            std::unique_ptr<InternalFunction> function = createJSToWasmWrapper(jit, signature, &m_unlinkedWasmToWasmCalls[functionIndex], m_moduleInformation.get(), mode, functionIndex);
 
             LinkBuffer linkBuffer(jit, nullptr, JITCompilationCanFail);

trunk/Source/JavaScriptCore/wasm/WasmMemoryInformation.cpp

@@ -36 +36 @@
 namespace JSC { namespace Wasm {
 
-static Vector<GPRReg> getPinnedRegisters(unsigned remainingPinnedRegisters)
-{
-    Vector<GPRReg> registers;
-    jsCallingConvention().calleeSaveRegisters.forEach([&] (Reg reg) {
-        if (!reg.isGPR())
-            return;
-        GPRReg gpr = reg.gpr();
-        if (!remainingPinnedRegisters || RegisterSet::stackRegisters().get(reg))
-            return;
-        if (RegisterSet::runtimeTagRegisters().get(reg)) {
-            // Since we don't need to, we currently don't pick from the tag registers to allow
-            // JS->Wasm stubs to freely use these registers.
-            return;
-        }
-        --remainingPinnedRegisters;
-        registers.append(gpr);
-    });
-    return registers;
-}
-
 const PinnedRegisterInfo& PinnedRegisterInfo::get()
 {
@@ -64 +44 @@
         if (!Context::useFastTLS())
             ++numberOfPinnedRegisters;
-        Vector<GPRReg> pinnedRegs = getPinnedRegisters(numberOfPinnedRegisters);
-
         GPRReg baseMemoryPointer = GPRInfo::regCS3;
         GPRReg sizeRegister = GPRInfo::regCS4;