Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0d872184b6e17f15c34fe5f5c8ddd50a3269a129
    https://github.com/WebKit/WebKit/commit/0d872184b6e17f15c34fe5f5c8ddd50a3269a129
Author: Asumu Takikawa <as...@igalia.com>
Date: 2022-12-15 (Thu, 15 Dec 2022)

Changed paths:
  M JSTests/wasm/gc-spec-tests/type-subtyping.wast.js
  M JSTests/wasm/gc/sub.js
  M Source/JavaScriptCore/wasm/WasmFormat.h
  M Source/JavaScriptCore/wasm/WasmSectionParser.cpp
  M Source/JavaScriptCore/wasm/WasmSectionParser.h
  M Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp
  M Source/JavaScriptCore/wasm/WasmTypeDefinition.h

Log Message:
-----------
[Wasm-GC] Fix some interactions between subtyping and recursion
https://bugs.webkit.org/show_bug.cgi?id=247536

Reviewed by Justin Michaud.

Interactions between recursive types and subtyping can be tricky, because a `sub` clause can refer to another member of the same recursion group as a supertype. How this supertype is dereferenced can affect whether subtyping/type equality holds correctly.

This patch makes a few fixes to the representation of subtypes to accommodate recursion. The supertype index of a Subtype should be a recursive placeholder when pointing to another member of the same recursion group (i.e., it should resolve to the projection). And the structural subtype check needs to be deferred until after projections are constructed.

In addition, reference subtype checking via displays is abstracted out of the Subtype and put into a new RTT data structure. Every type in the type section has a canonical RTT. This RTT is looked up to check subtyping between references. Splitting out the RTT provides a better logical separation between subtype declaration and checking, and makes Subtype construction cleaner (as RTT creation can happen after recursive references can be fully resolved). The RTT can be used in the future to implement subtype-aware runtime casts.

* JSTests/wasm/gc-spec-tests/type-subtyping.wast.js:
* JSTests/wasm/gc/sub.js:
(testSubDeclaration):
* Source/JavaScriptCore/wasm/WasmFormat.h:
(JSC::Wasm::isSubtypeIndex):
* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
(JSC::Wasm::SectionParser::parseType):
(JSC::Wasm::SectionParser::parseRecursionGroup):
(JSC::Wasm::SectionParser::checkSubtypeValidity):
(JSC::Wasm::SectionParser::parseSubtype):
* Source/JavaScriptCore/wasm/WasmSectionParser.h:
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::Projection::dump const):
(JSC::Wasm::TypeDefinition::tryCreateSubtype):
(JSC::Wasm::substituteParent):
(JSC::Wasm::TypeDefinition::replacePlaceholders const):
(JSC::Wasm::TypeDefinition::hasRecursiveReference const):
(JSC::Wasm::RTT::tryCreateRTT):
(JSC::Wasm::RTT::isSubRTT const):
(JSC::Wasm::SubtypeParameterTypes::translate):
(JSC::Wasm::TypeInformation::registerCanonicalRTTForType):
(JSC::Wasm::TypeInformation::canonicalRTTForType):
(JSC::Wasm::TypeInformation::tryCleanup):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.h:
(JSC::Wasm::RecursionGroup::getType):
(JSC::Wasm::Subtype::Subtype):
(JSC::Wasm::Subtype::underlyingType const):
(JSC::Wasm::Subtype::getUnderlyingType):
(JSC::Wasm::RTT::RTT):
(JSC::Wasm::RTT::displaySize const):
(JSC::Wasm::RTT::displayEntry const):
(JSC::Wasm::RTT::setDisplayEntry):
(JSC::Wasm::RTT::allocatedRTTSize):
(JSC::Wasm::RTT::payload):
(JSC::Wasm::TypeDefinition::allocatedSubtypeSize):
(JSC::Wasm::Subtype::displayType const): Deleted.
(JSC::Wasm::Subtype::displaySize const): Deleted.
(JSC::Wasm::Subtype::getDisplayType): Deleted.

Canonical link: https://commits.webkit.org/257945@main
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
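
The log message above moves display-based reference subtype checks into a per-type RTT. The sketch below is an added illustration of how a display check works in general; it is not WebKit's code and not part of this commit. `ToyRTT`, `makeToyRTT` and `toyIsSubRTT` are hypothetical names, and the layout (display holds ancestors root first, identity is the address of one canonical descriptor per type) is an assumption.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

// Toy stand-in for a runtime type descriptor (hypothetical; not JSC::Wasm::RTT).
struct ToyRTT {
    uint32_t typeId;                     // constructed id for the declared type
    std::vector<const ToyRTT*> display;  // ancestors, root first; excludes self
};

// Build the descriptor for a type declared with an optional supertype.
// The display is the parent's display plus the parent itself, so its
// length equals the type's depth in the declared hierarchy.
std::unique_ptr<ToyRTT> makeToyRTT(uint32_t typeId, const ToyRTT* parent)
{
    auto rtt = std::make_unique<ToyRTT>();
    rtt->typeId = typeId;
    if (parent) {
        rtt->display = parent->display;
        rtt->display.push_back(parent);
    }
    return rtt;
}

// Constant-time check: sub <: super iff they are the same canonical
// descriptor, or super sits in sub's display at index depth(super).
bool toyIsSubRTT(const ToyRTT& sub, const ToyRTT& super)
{
    if (&sub == &super)
        return true;
    size_t superDepth = super.display.size();
    // Bounds check before indexing: a candidate supertype that is at least
    // as deep as sub cannot be an ancestor, and skipping this test would
    // read past the end of the display.
    if (superDepth >= sub.display.size())
        return false;
    return sub.display[superDepth] == &super;
}
```

A cast or reference check built on this accepts a value only when `toyIsSubRTT` holds for its descriptor; siblings and deeper types fall through to `false` rather than being compared structurally.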