/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- * * Copyright 2016 Mozilla Foundation * Copyright 2023 Moonchild Productions * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include "wasm/WasmInstance.h" #include "jit/BaselineJIT.h" #include "jit/JitCommon.h" #include "wasm/WasmModule.h" #include "jsobjinlines.h" #include "vm/ArrayBufferObject-inl.h" using namespace js; using namespace js::jit; using namespace js::wasm; using mozilla::BinarySearch; using mozilla::BitwiseCast; using mozilla::IsNaN; using mozilla::Swap; class SigIdSet { typedef HashMap Map; Map map_; public: ~SigIdSet() { MOZ_ASSERT_IF(!JSRuntime::hasLiveRuntimes(), !map_.initialized() || map_.empty()); } bool ensureInitialized(JSContext* cx) { if (!map_.initialized() && !map_.init()) { ReportOutOfMemory(cx); return false; } return true; } bool allocateSigId(JSContext* cx, const Sig& sig, const void** sigId) { Map::AddPtr p = map_.lookupForAdd(sig); if (p) { MOZ_ASSERT(p->value() > 0); p->value()++; *sigId = p->key(); return true; } UniquePtr clone = MakeUnique(); if (!clone || !clone->clone(sig) || !map_.add(p, clone.get(), 1)) { ReportOutOfMemory(cx); return false; } *sigId = clone.release(); MOZ_ASSERT(!(uintptr_t(*sigId) & SigIdDesc::ImmediateBit)); return true; } void deallocateSigId(const Sig& sig, const void* sigId) { Map::Ptr p = map_.lookup(sig); MOZ_RELEASE_ASSERT(p && p->key() == sigId && p->value() > 0); p->value()--; if (!p->value()) { js_delete(p->key()); map_.remove(p); } } }; ExclusiveData* sigIdSet = nullptr; bool js::wasm::InitInstanceStaticData() { MOZ_ASSERT(!sigIdSet); sigIdSet = js_new>(mutexid::WasmSigIdSet); return sigIdSet != nullptr; } void js::wasm::ShutDownInstanceStaticData() { MOZ_ASSERT(sigIdSet); js_delete(sigIdSet); sigIdSet = nullptr; } const void** Instance::addressOfSigId(const SigIdDesc& sigId) const { MOZ_ASSERT(sigId.globalDataOffset() >= InitialGlobalDataBytes); return (const void**)(codeSegment().globalData() + sigId.globalDataOffset()); } FuncImportTls& Instance::funcImportTls(const FuncImport& fi) { MOZ_ASSERT(fi.tlsDataOffset() >= InitialGlobalDataBytes); return *(FuncImportTls*)(codeSegment().globalData() + fi.tlsDataOffset()); } TableTls& Instance::tableTls(const TableDesc& td) const { MOZ_ASSERT(td.globalDataOffset >= InitialGlobalDataBytes); return *(TableTls*)(codeSegment().globalData() + td.globalDataOffset); } bool Instance::callImport(JSContext* cx, uint32_t funcImportIndex, unsigned argc, const uint64_t* argv, MutableHandleValue rval) { const FuncImport& fi = metadata().funcImports[funcImportIndex]; InvokeArgs args(cx); if (!args.init(cx, argc)) return false; bool hasI64Arg = false; MOZ_ASSERT(fi.sig().args().length() == argc); for (size_t i = 0; i < argc; i++) { switch (fi.sig().args()[i]) { case ValType::I32: args[i].set(Int32Value(*(int32_t*)&argv[i])); break; case ValType::F32: args[i].set(JS::CanonicalizedDoubleValue(*(float*)&argv[i])); break; case ValType::F64: args[i].set(JS::CanonicalizedDoubleValue(*(double*)&argv[i])); break; case ValType::I64: { if (!JitOptions.wasmTestMode) { JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_WASM_BAD_I64); return false; } RootedObject obj(cx, CreateI64Object(cx, *(int64_t*)&argv[i])); if (!obj) return false; args[i].set(ObjectValue(*obj)); hasI64Arg = true; break; } default: { MOZ_CRASH("unhandled type in callImport"); return false; } } } FuncImportTls& import = funcImportTls(fi); RootedFunction importFun(cx, &import.obj->as()); RootedValue fval(cx, ObjectValue(*import.obj)); RootedValue thisv(cx, UndefinedValue()); if (!Call(cx, fval, thisv, args, rval)) return false; // Throw an error if returning i64 and not in test mode. if (!JitOptions.wasmTestMode && fi.sig().ret() == ExprType::I64) { JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_WASM_BAD_I64); return false; } // Don't try to optimize if the function has at least one i64 arg or if // it returns an int64. GenerateJitExit relies on this, as does the // type inference code below in this function. if (hasI64Arg || fi.sig().ret() == ExprType::I64) return true; // The import may already have become optimized. void* jitExitCode = codeBase() + fi.jitExitCodeOffset(); if (import.code == jitExitCode) return true; // Test if the function is JIT compiled. if (!importFun->hasScript()) return true; JSScript* script = importFun->nonLazyScript(); if (!script->hasBaselineScript()) { MOZ_ASSERT(!script->hasIonScript()); return true; } // Don't enable jit entry when we have a pending ion builder. // Take the interpreter path which will link it and enable // the fast path on the next call. if (script->baselineScript()->hasPendingIonBuilder()) return true; // Currently we can't rectify arguments. Therefore disable if argc is too low. if (importFun->nargs() > fi.sig().args().length()) return true; // Ensure the argument types are included in the argument TypeSets stored in // the TypeScript. This is necessary for Ion, because the import will use // the skip-arg-checks entry point. // // Note that the TypeScript is never discarded while the script has a // BaselineScript, so if those checks hold now they must hold at least until // the BaselineScript is discarded and when that happens the import is // patched back. if (!TypeScript::ThisTypes(script)->hasType(TypeSet::UndefinedType())) return true; for (uint32_t i = 0; i < importFun->nargs(); i++) { TypeSet::Type type = TypeSet::UnknownType(); switch (fi.sig().args()[i]) { case ValType::I32: type = TypeSet::Int32Type(); break; case ValType::I64: MOZ_CRASH("can't happen because of above guard"); case ValType::F32: type = TypeSet::DoubleType(); break; case ValType::F64: type = TypeSet::DoubleType(); break; } if (!TypeScript::ArgTypes(script, i)->hasType(type)) return true; } // Let's optimize it! if (!script->baselineScript()->addDependentWasmImport(cx, *this, funcImportIndex)) return false; import.code = jitExitCode; import.baselineScript = script->baselineScript(); return true; } /* static */ int32_t Instance::callImport_void(Instance* instance, int32_t funcImportIndex, int32_t argc, uint64_t* argv) { JSContext* cx = instance->cx(); RootedValue rval(cx); return instance->callImport(cx, funcImportIndex, argc, argv, &rval); } /* static */ int32_t Instance::callImport_i32(Instance* instance, int32_t funcImportIndex, int32_t argc, uint64_t* argv) { JSContext* cx = instance->cx(); RootedValue rval(cx); if (!instance->callImport(cx, funcImportIndex, argc, argv, &rval)) return false; return ToInt32(cx, rval, (int32_t*)argv); } /* static */ int32_t Instance::callImport_i64(Instance* instance, int32_t funcImportIndex, int32_t argc, uint64_t* argv) { JSContext* cx = instance->cx(); RootedValue rval(cx); if (!instance->callImport(cx, funcImportIndex, argc, argv, &rval)) return false; return ReadI64Object(cx, rval, (int64_t*)argv); } /* static */ int32_t Instance::callImport_f64(Instance* instance, int32_t funcImportIndex, int32_t argc, uint64_t* argv) { JSContext* cx = instance->cx(); RootedValue rval(cx); if (!instance->callImport(cx, funcImportIndex, argc, argv, &rval)) return false; return ToNumber(cx, rval, (double*)argv); } /* static */ uint32_t Instance::growMemory_i32(Instance* instance, uint32_t delta) { MOZ_ASSERT(!instance->isAsmJS()); JSContext* cx = instance->cx(); RootedWasmMemoryObject memory(cx, instance->memory_); uint32_t ret = WasmMemoryObject::grow(memory, delta, cx); // If there has been a moving grow, this Instance should have been notified. MOZ_RELEASE_ASSERT(instance->tlsData_.memoryBase == instance->memory_->buffer().dataPointerEither()); return ret; } /* static */ uint32_t Instance::currentMemory_i32(Instance* instance) { uint32_t byteLength = instance->memoryLength(); MOZ_ASSERT(byteLength % wasm::PageSize == 0); return byteLength / wasm::PageSize; } Instance::Instance(JSContext* cx, Handle object, UniqueCode code, HandleWasmMemoryObject memory, SharedTableVector&& tables, Handle funcImports, const ValVector& globalImports) : compartment_(cx->compartment()), object_(object), code_(Move(code)), memory_(memory), tables_(Move(tables)) { MOZ_ASSERT(funcImports.length() == metadata().funcImports.length()); MOZ_ASSERT(tables_.length() == metadata().tables.length()); tlsData_.cx = cx; tlsData_.instance = this; tlsData_.globalData = code_->segment().globalData(); tlsData_.memoryBase = memory ? memory->buffer().dataPointerEither().unwrap() : nullptr; tlsData_.stackLimit = *(void**)cx->stackLimitAddressForJitCode(StackForUntrustedScript); for (size_t i = 0; i < metadata().funcImports.length(); i++) { HandleFunction f = funcImports[i]; const FuncImport& fi = metadata().funcImports[i]; FuncImportTls& import = funcImportTls(fi); if (!isAsmJS() && IsExportedWasmFunction(f)) { WasmInstanceObject* calleeInstanceObj = ExportedFunctionToInstanceObject(f); const CodeRange& codeRange = calleeInstanceObj->getExportedFunctionCodeRange(f); Instance& calleeInstance = calleeInstanceObj->instance(); import.tls = &calleeInstance.tlsData_; import.code = calleeInstance.codeSegment().base() + codeRange.funcNonProfilingEntry(); import.baselineScript = nullptr; import.obj = calleeInstanceObj; } else { import.tls = &tlsData_; import.code = codeBase() + fi.interpExitCodeOffset(); import.baselineScript = nullptr; import.obj = f; } } for (size_t i = 0; i < tables_.length(); i++) { const TableDesc& td = metadata().tables[i]; TableTls& table = tableTls(td); table.length = tables_[i]->length(); table.base = tables_[i]->base(); } uint8_t* globalData = code_->segment().globalData(); for (size_t i = 0; i < metadata().globals.length(); i++) { const GlobalDesc& global = metadata().globals[i]; if (global.isConstant()) continue; uint8_t* globalAddr = globalData + global.offset(); switch (global.kind()) { case GlobalKind::Import: { globalImports[global.importIndex()].writePayload(globalAddr); break; } case GlobalKind::Variable: { const InitExpr& init = global.initExpr(); switch (init.kind()) { case InitExpr::Kind::Constant: { init.val().writePayload(globalAddr); break; } case InitExpr::Kind::GetGlobal: { const GlobalDesc& imported = metadata().globals[init.globalIndex()]; globalImports[imported.importIndex()].writePayload(globalAddr); break; } } break; } case GlobalKind::Constant: { MOZ_CRASH("skipped at the top"); } } } } bool Instance::init(JSContext* cx) { if (memory_ && memory_->movingGrowable() && !memory_->addMovingGrowObserver(cx, object_)) return false; for (const SharedTable& table : tables_) { if (table->movingGrowable() && !table->addMovingGrowObserver(cx, object_)) return false; } if (!metadata().sigIds.empty()) { ExclusiveData::Guard lockedSigIdSet = sigIdSet->lock(); if (!lockedSigIdSet->ensureInitialized(cx)) return false; for (const SigWithId& sig : metadata().sigIds) { const void* sigId; if (!lockedSigIdSet->allocateSigId(cx, sig, &sigId)) return false; *addressOfSigId(sig.id) = sigId; } } return true; } Instance::~Instance() { compartment_->wasm.unregisterInstance(*this); for (unsigned i = 0; i < metadata().funcImports.length(); i++) { FuncImportTls& import = funcImportTls(metadata().funcImports[i]); if (import.baselineScript) import.baselineScript->removeDependentWasmImport(*this, i); } if (!metadata().sigIds.empty()) { ExclusiveData::Guard lockedSigIdSet = sigIdSet->lock(); for (const SigWithId& sig : metadata().sigIds) { if (const void* sigId = *addressOfSigId(sig.id)) lockedSigIdSet->deallocateSigId(sig, sigId); } } } size_t Instance::memoryMappedSize() const { return memory_->buffer().wasmMappedSize(); } bool Instance::memoryAccessInGuardRegion(uint8_t* addr, unsigned numBytes) const { MOZ_ASSERT(numBytes > 0); if (!metadata().usesMemory()) return false; uint8_t* base = memoryBase().unwrap(/* comparison */); if (addr < base) return false; size_t lastByteOffset = addr - base + (numBytes - 1); return lastByteOffset >= memoryLength() && lastByteOffset < memoryMappedSize(); } void Instance::tracePrivate(JSTracer* trc) { // This method is only called from WasmInstanceObject so the only reason why // TraceEdge is called is so that the pointer can be updated during a moving // GC. TraceWeakEdge may sound better, but it is less efficient given that // we know object_ is already marked. MOZ_ASSERT(!gc::IsAboutToBeFinalized(&object_)); TraceEdge(trc, &object_, "wasm instance object"); for (const FuncImport& fi : metadata().funcImports) TraceNullableEdge(trc, &funcImportTls(fi).obj, "wasm import"); for (const SharedTable& table : tables_) table->trace(trc); TraceNullableEdge(trc, &memory_, "wasm buffer"); } void Instance::trace(JSTracer* trc) { // Technically, instead of having this method, the caller could use // Instance::object() to get the owning WasmInstanceObject to mark, // but this method is simpler and more efficient. The trace hook of // WasmInstanceObject will call Instance::tracePrivate at which point we // can mark the rest of the children. TraceEdge(trc, &object_, "wasm instance object"); } SharedMem Instance::memoryBase() const { MOZ_ASSERT(metadata().usesMemory()); MOZ_ASSERT(tlsData_.memoryBase == memory_->buffer().dataPointerEither()); return memory_->buffer().dataPointerEither(); } size_t Instance::memoryLength() const { return memory_->buffer().byteLength(); } WasmInstanceObject* Instance::objectUnbarriered() const { return object_.unbarrieredGet(); } WasmInstanceObject* Instance::object() const { return object_; } bool Instance::callExport(JSContext* cx, uint32_t funcIndex, CallArgs args) { // If there has been a moving grow, this Instance should have been notified. MOZ_RELEASE_ASSERT(!memory_ || tlsData_.memoryBase == memory_->buffer().dataPointerEither()); if (!cx->compartment()->wasm.ensureProfilingState(cx)) return false; const FuncExport& func = metadata().lookupFuncExport(funcIndex); // The calling convention for an external call into wasm is to pass an // array of 16-byte values where each value contains either a coerced int32 // (in the low word), or a double value (in the low dword) value, with the // coercions specified by the wasm signature. The external entry point // unpacks this array into the system-ABI-specified registers and stack // memory and then calls into the internal entry point. The return value is // stored in the first element of the array (which, therefore, must have // length >= 1). Vector exportArgs(cx); if (!exportArgs.resize(Max(1, func.sig().args().length()))) return false; RootedValue v(cx); for (unsigned i = 0; i < func.sig().args().length(); ++i) { v = i < args.length() ? args[i] : UndefinedValue(); switch (func.sig().arg(i)) { case ValType::I32: if (!ToInt32(cx, v, (int32_t*)&exportArgs[i])) return false; break; case ValType::I64: if (!JitOptions.wasmTestMode) { JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_WASM_BAD_I64); return false; } if (!ReadI64Object(cx, v, (int64_t*)&exportArgs[i])) return false; break; case ValType::F32: if (JitOptions.wasmTestMode && v.isObject()) { if (!ReadCustomFloat32NaNObject(cx, v, (uint32_t*)&exportArgs[i])) return false; break; } if (!RoundFloat32(cx, v, (float*)&exportArgs[i])) return false; break; case ValType::F64: if (JitOptions.wasmTestMode && v.isObject()) { if (!ReadCustomDoubleNaNObject(cx, v, (uint64_t*)&exportArgs[i])) return false; break; } if (!ToNumber(cx, v, (double*)&exportArgs[i])) return false; break; } } { // Push a WasmActivation to describe the wasm frames we're about to push // when running this module. Additionally, push a JitActivation so that // the optimized wasm-to-Ion FFI call path (which we want to be very // fast) can avoid doing so. The JitActivation is marked as inactive so // stack iteration will skip over it. WasmActivation activation(cx); JitActivation jitActivation(cx, /* active */ false); // Call the per-exported-function trampoline created by GenerateEntry. auto funcPtr = JS_DATA_TO_FUNC_PTR(ExportFuncPtr, codeBase() + func.entryOffset()); if (!CALL_GENERATED_2(funcPtr, exportArgs.begin(), &tlsData_)) return false; } if (isAsmJS() && args.isConstructing()) { // By spec, when a JS function is called as a constructor and this // function returns a primary type, which is the case for all asm.js // exported functions, the returned value is discarded and an empty // object is returned instead. PlainObject* obj = NewBuiltinClassInstance(cx); if (!obj) return false; args.rval().set(ObjectValue(*obj)); return true; } void* retAddr = &exportArgs[0]; JSObject* retObj = nullptr; switch (func.sig().ret()) { case ExprType::Void: args.rval().set(UndefinedValue()); break; case ExprType::I32: args.rval().set(Int32Value(*(int32_t*)retAddr)); break; case ExprType::I64: if (!JitOptions.wasmTestMode) { JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr, JSMSG_WASM_BAD_I64); return false; } retObj = CreateI64Object(cx, *(int64_t*)retAddr); if (!retObj) return false; break; case ExprType::F32: if (JitOptions.wasmTestMode && IsNaN(*(float*)retAddr)) { retObj = CreateCustomNaNObject(cx, (float*)retAddr); if (!retObj) return false; break; } args.rval().set(NumberValue(*(float*)retAddr)); break; case ExprType::F64: if (JitOptions.wasmTestMode && IsNaN(*(double*)retAddr)) { retObj = CreateCustomNaNObject(cx, (double*)retAddr); if (!retObj) return false; break; } args.rval().set(NumberValue(*(double*)retAddr)); break; case ExprType::Limit: MOZ_CRASH("Limit"); } if (retObj) args.rval().set(ObjectValue(*retObj)); return true; } void Instance::onMovingGrowMemory(uint8_t* prevMemoryBase) { MOZ_ASSERT(!isAsmJS()); ArrayBufferObject& buffer = memory_->buffer().as(); tlsData_.memoryBase = buffer.dataPointer(); code_->segment().onMovingGrow(prevMemoryBase, metadata(), buffer); } void Instance::onMovingGrowTable() { MOZ_ASSERT(!isAsmJS()); MOZ_ASSERT(tables_.length() == 1); TableTls& table = tableTls(metadata().tables[0]); table.length = tables_[0]->length(); table.base = tables_[0]->base(); } void Instance::deoptimizeImportExit(uint32_t funcImportIndex) { const FuncImport& fi = metadata().funcImports[funcImportIndex]; FuncImportTls& import = funcImportTls(fi); import.code = codeBase() + fi.interpExitCodeOffset(); import.baselineScript = nullptr; } static void UpdateEntry(const Code& code, bool profilingEnabled, void** entry) { const CodeRange& codeRange = *code.lookupRange(*entry); void* from = code.segment().base() + codeRange.funcNonProfilingEntry(); void* to = code.segment().base() + codeRange.funcProfilingEntry(); if (!profilingEnabled) Swap(from, to); MOZ_ASSERT(*entry == from); *entry = to; } bool Instance::ensureProfilingState(JSContext* cx, bool newProfilingEnabled) { if (code_->profilingEnabled() == newProfilingEnabled) return true; if (!code_->ensureProfilingState(cx, newProfilingEnabled)) return false; // Imported wasm functions and typed function tables point directly to // either the profiling or non-profiling prologue and must therefore be // updated when the profiling mode is toggled. for (const FuncImport& fi : metadata().funcImports) { FuncImportTls& import = funcImportTls(fi); if (import.obj && import.obj->is()) { Code& code = import.obj->as().instance().code(); UpdateEntry(code, newProfilingEnabled, &import.code); } } for (const SharedTable& table : tables_) { if (!table->isTypedFunction()) continue; // This logic will have to be generalized to match the import logic // above if wasm can create typed function tables since a single table // can contain elements from multiple instances. MOZ_ASSERT(metadata().kind == ModuleKind::AsmJS); void** array = table->internalArray(); uint32_t length = table->length(); for (size_t i = 0; i < length; i++) { if (array[i]) UpdateEntry(*code_, newProfilingEnabled, &array[i]); } } return true; } void Instance::addSizeOfMisc(MallocSizeOf mallocSizeOf, Metadata::SeenSet* seenMetadata, ShareableBytes::SeenSet* seenBytes, Table::SeenSet* seenTables, size_t* code, size_t* data) const { *data += mallocSizeOf(this); code_->addSizeOfMisc(mallocSizeOf, seenMetadata, seenBytes, code, data); for (const SharedTable& table : tables_) *data += table->sizeOfIncludingThisIfNotSeen(mallocSizeOf, seenTables); }