[webkit-changes] [WebKit/WebKit] bf18b5: [JSC] Use signal handling for null check in wasm

Fri, 19 Sep 2025 14:01:32 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: bf18b5b709f304bc51a760be984b1292df47475c
      
https://github.com/WebKit/WebKit/commit/bf18b5b709f304bc51a760be984b1292df47475c
  Author: Yusuke Suzuki <[email protected]>
  Date:   2025-09-19 (Fri, 19 Sep 2025)

  Changed paths:
    M JSTests/wasm/gc/arrays.js
    M JSTests/wasm/gc/bug252299.js
    M JSTests/wasm/gc/packed-arrays.js
    M JSTests/wasm/gc/structs.js
    M Source/JavaScriptCore/llint/InPlaceInterpreter.asm
    M Source/JavaScriptCore/llint/InPlaceInterpreter64.asm
    M Source/JavaScriptCore/wasm/WasmBBQJIT.h
    M Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp
    M Source/JavaScriptCore/wasm/WasmBBQPlan.cpp
    M Source/JavaScriptCore/wasm/WasmExceptionType.h
    M Source/JavaScriptCore/wasm/WasmFaultSignalHandler.cpp
    M Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h
    M Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp
    M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp
    M Source/JavaScriptCore/wasm/WasmOMGPlan.cpp
    M Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h

  Log Message:
  -----------
  [JSC] Use signal handling for null check in wasm
https://bugs.webkit.org/show_bug.cgi?id=299154
rdar://160915405

Reviewed by Yijia Huang.

This is commonly used optimizations in many engines. When accessing null
(jsNull) as wasm GC object, we are emitting null check to throw an
exception. But since null is just 0x2, these accesses can be handled via
wasm fault signal handler. This patch leverages this,

When offset is within the allowed size (0 <-> lowestAccessibleAddress),
we do not emit null check. And let the access to cause a fault and wasm
fault handler will extract this information and throw an error.

* JSTests/wasm/gc/arrays.js:
(testArrayGet):
* JSTests/wasm/gc/bug252299.js:
(arrayGetUninitializedLocal):
* JSTests/wasm/gc/packed-arrays.js:
* JSTests/wasm/gc/structs.js:
* Source/JavaScriptCore/llint/InPlaceInterpreter.asm:
* Source/JavaScriptCore/llint/InPlaceInterpreter64.asm:
* Source/JavaScriptCore/wasm/WasmBBQJIT.h:
* Source/JavaScriptCore/wasm/WasmBBQJIT32_64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayGet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArraySet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayLen):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructGet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructSet):
* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayGet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArraySet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addArrayLen):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructGet):
(JSC::Wasm::BBQJITImpl::BBQJIT::addStructSet):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitRefTestOrCast):
(JSC::Wasm::BBQJITImpl::BBQJIT::addRefCast):
(JSC::Wasm::BBQJITImpl::BBQJIT::addRefTest):
(JSC::Wasm::BBQJITImpl::BBQJIT::emitThrowOnNullReferenceBeforeAccess):
(JSC::Wasm::BBQJITImpl::BBQJIT::addCallRef):
* Source/JavaScriptCore/wasm/WasmBBQPlan.cpp:
(JSC::Wasm::BBQPlan::BBQPlan):
* Source/JavaScriptCore/wasm/WasmExceptionType.h:
(JSC::Wasm::isTypeErrorExceptionType):
* Source/JavaScriptCore/wasm/WasmFaultSignalHandler.cpp:
(JSC::Wasm::trapHandler):
(JSC::Wasm::maxAcceptableOffsetForNullReference):
* Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h:
* Source/JavaScriptCore/wasm/WasmIPIntSlowPaths.cpp:
(JSC::IPInt::WASM_IPINT_EXTERN_CPP_DECL):
(JSC::IPInt::slow_path_wasm_throw_exception):
(JSC::IPInt::slow_path_wasm_unwind_exception):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::emitStructSet):
(JSC::Wasm::OMGIRGenerator::addArrayGet):
(JSC::Wasm::OMGIRGenerator::emitNullCheckBeforeAccess):
(JSC::Wasm::OMGIRGenerator::addArraySet):
(JSC::Wasm::OMGIRGenerator::addArrayLen):
(JSC::Wasm::OMGIRGenerator::addStructNew):
(JSC::Wasm::OMGIRGenerator::addStructNewDefault):
(JSC::Wasm::OMGIRGenerator::addStructGet):
(JSC::Wasm::OMGIRGenerator::addStructSet):
(JSC::Wasm::OMGIRGenerator::emitRefTestOrCast):
(JSC::Wasm::OMGIRGenerator::addCallRef):
(JSC::Wasm::OMGIRGenerator::emitLoadRTTFromFuncref): Deleted.
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator32_64.cpp:
(JSC::Wasm::OMGIRGenerator::addArrayGet):
(JSC::Wasm::OMGIRGenerator::addArraySet):
(JSC::Wasm::OMGIRGenerator::addArrayLen):
(JSC::Wasm::OMGIRGenerator::addStructGet):
(JSC::Wasm::OMGIRGenerator::addStructSet):
* Source/JavaScriptCore/wasm/WasmOMGPlan.cpp:
(JSC::Wasm::OMGPlan::OMGPlan):
* Source/JavaScriptCore/wasm/WasmOSREntryPlan.cpp:
(JSC::Wasm::OSREntryPlan::OSREntryPlan):
* Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h:

Canonical link: https://commits.webkit.org/300258@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to