Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 29ac32293df6aedf716001999056f180b7145eaa
      
https://github.com/WebKit/WebKit/commit/29ac32293df6aedf716001999056f180b7145eaa
  Author: Keith Miller <[email protected]>
  Date:   2026-05-16 (Sat, 16 May 2026)

  Changed paths:
    M Source/JavaScriptCore/SaferCPPExpectations/MemoryUnsafeCastCheckerExpectations
    M Source/JavaScriptCore/SaferCPPExpectations/UncountedCallArgsCheckerExpectations
    M Source/JavaScriptCore/SaferCPPExpectations/UncountedLocalVarsCheckerExpectations
    M Source/JavaScriptCore/runtime/NativeCallee.h
    M Source/JavaScriptCore/wasm/WasmCalleeGroup.cpp
    M Source/JavaScriptCore/wasm/WasmCalleeGroup.h
    M Source/JavaScriptCore/wasm/WasmConstExprGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmFunctionParser.h
    M Source/JavaScriptCore/wasm/WasmIPIntPlan.cpp
    M Source/JavaScriptCore/wasm/WasmIPIntPlan.h
    M Source/JavaScriptCore/wasm/WasmModuleInformation.h
    M Source/JavaScriptCore/wasm/WasmOperationsInlines.h
    M Source/JavaScriptCore/wasm/WasmSectionParser.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.cpp
    M Source/JavaScriptCore/wasm/js/JSWebAssemblyInstance.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
    M Source/JavaScriptCore/wasm/js/WebAssemblyFunction.h
    M Source/JavaScriptCore/wasm/js/WebAssemblyModuleRecord.cpp

  Log Message:
  -----------
  [Wasm] Build JS Wrappers and JSToWasmCallees Lazily
https://bugs.webkit.org/show_bug.cgi?id=314910
rdar://177187656

Reviewed by Yusuke Suzuki.

Wasm instantiation eagerly built two things that are commonly unused:

1. A WebAssemblyFunction (or WebAssemblyWrapperFunction) wrapper for every
function listed in ModuleInformation::referencedFunctions() — the union of
exports, ref.func targets, and element-segment entries. Many modules never
expose most of those functions to JS.

2. A Wasm::JSToWasmCallee for every defined Wasm function, built inside
IPIntPlan and stored in CalleeGroup::m_jsToWasmCallees. Most internal
functions are never called from JS, so the thunk and frame-size
computation were wasted.

This patch makes both lazy. The resulting eagerness matrix is:

| Function kind                      | Wrapper                      | JS->Wasm callee |
|------------------------------------|------------------------------|-----------------|
| Exported                           | eager (instantiation)        | eager-on-create |
| In an active element segment       | eager (table-init at link)   | eager-on-create |
| Only via passive/dec element seg   | lazy (table.init/table.copy) | eager-on-create |
| Only via ref.func                  | lazy (ref.func execution)    | eager-on-create |
| Host import                        | lazy                         | n/a             |

Wrappers for non-exports are now materialized on demand by the new
JSWebAssemblyInstance::ensureFunctionWrapper(FunctionSpaceIndex), which
folds in the previous makeFunctionWrapper lambda from
WebAssemblyModuleRecord. The eager loop over referencedFunctions() is
replaced with a smaller exports-only loop in WebAssemblyModuleRecord.
Active element segments still create wrappers at instantiation, but only
for the functions they actually contain (via the table-init code path),
not the precomputed union of all referenced functions. ref.func, table
init/copy, const-expr evaluation, and the start-function path all now
route through ensureFunctionWrapper.

JSToWasmCallee construction is removed from IPIntPlan
(takeJSToWasmCallees, ensureEntrypoint, m_entrypoints, m_jsToWasmCallees
are gone). CalleeGroup::ensureJSToWasmCallee(const ModuleInformation&,
FunctionSpaceIndex) creates and caches the JSToWasmCallee on first
demand, guarded by a dedicated m_jsToWasmCalleesLock so it does not
contend with the rest of CalleeGroup::m_lock. WebAssemblyFunction owns a
RefPtr to the boxed callee and exposes ensureJSToWasmCallee, which is
called from WebAssemblyFunction::create so the LLInt and JIT JS->Wasm
entry trampolines (which read m_boxedJSToWasmCallee and m_frameSize
directly via fixed offsets, bypassing callWebAssemblyFunction) always
observe a populated value. WebAssemblyFunction is single-threaded so no
extra locking is needed there.

Also, remove the ModuleInformation::referencedFunctions() function and
related BitVector. The referencedFunctions list was only used to
determine which functions to create wrappers for.

No new tests, no behavior change. Covered by existing tests.

Canonical link: https://commits.webkit.org/313362@main