[wasm] Increase maximum number of canonicalized types

jakobkummerow · V8 LUCI CQ · commit 2b431212d6e8 · 2024-06-11T11:49:18.000Z
By no longer encoding canonicalized types in {ValueType}s, we can support more of them. Change-Id: I0bdb0a3319e422dad76d7a0bbd03001d25346690 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5615591 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Clemens Backes <clemensb@chromium.org> Cr-Commit-Position: refs/heads/main@{#94368}
diff --git a/src/builtins/wasm.tq b/src/builtins/wasm.tq
@@ -76,7 +76,7 @@ extern runtime WasmStringViewWtf8Slice(Context, ByteArray, Number, Number):
 extern runtime WasmStringFromCodePoint(Context, Number): String;
 extern runtime WasmStringHash(NoContext, String): Smi;
 extern runtime WasmSubstring(Context, String, Smi, Smi): String;
-extern runtime WasmJSToWasmObject(Context, JSAny, Smi): JSAny;
+extern runtime WasmJSToWasmObject(Context, JSAny, Smi, Smi): JSAny;
 
 extern runtime PropagateException(NoContext): JSAny;
 }
@@ -1492,7 +1492,7 @@ builtin WasmAnyConvertExtern(externObject: JSAny): JSAny {
   const context = LoadContextFromInstanceData(trustedData);
 
   tail runtime::WasmJSToWasmObject(
-      context, externObject, SmiConstant(kAnyType));
+      context, externObject, SmiConstant(kAnyType), SmiConstant(0));
 }
 
 extern macro CallOrConstructBuiltinsAssembler::GetCompatibleReceiver(
diff --git a/src/compiler/wasm-compiler.cc b/src/compiler/wasm-compiler.cc
@@ -7360,20 +7360,22 @@ class WasmWrapperGraphBuilder : public WasmGraphBuilder {
             // Make sure ValueType fits in a Smi.
             static_assert(wasm::ValueType::kLastUsedBit + 1 <= kSmiValueSize);
 
+            uint32_t canonical_index = wasm::kInvalidCanonicalIndex;
             if (type.has_index()) {
               DCHECK_NOT_NULL(module);
-              uint32_t canonical_index =
+              canonical_index =
                   module->isorecursive_canonical_type_ids[type.ref_index()];
-              type = wasm::ValueType::RefMaybeNull(canonical_index,
-                                                   type.nullability());
+              DCHECK_LE(canonical_index, kSmiMaxValue);
             }
 
-            Node* inputs[] = {
-                input, mcgraph()->IntPtrConstant(
-                           IntToSmi(static_cast<int>(type.raw_bit_field())))};
+            Node* inputs[] = {input,
+                              mcgraph()->IntPtrConstant(IntToSmi(
+                                  static_cast<int>(type.raw_bit_field()))),
+                              mcgraph()->IntPtrConstant(
+                                  IntToSmi(static_cast<int>(canonical_index)))};
 
             return BuildCallToRuntimeWithContext(Runtime::kWasmJSToWasmObject,
-                                                 js_context, inputs, 2);
+                                                 js_context, inputs, 3);
           }
         }
       }
diff --git a/src/runtime/runtime-wasm.cc b/src/runtime/runtime-wasm.cc
@@ -162,46 +162,49 @@ RUNTIME_FUNCTION(Runtime_WasmGenericJSToWasmObject) {
   int raw_type = args.smi_value_at(2);
 
   wasm::ValueType type = wasm::ValueType::FromRawBitField(raw_type);
+  uint32_t canonical_index = wasm::kInvalidCanonicalIndex;
   if (type.has_index()) {
     DirectHandle<WasmTrustedInstanceData> trusted_instance_data(
         WasmTrustedInstanceData::cast(args[0]), isolate);
     const wasm::WasmModule* module = trusted_instance_data->module();
     DCHECK_NOT_NULL(module);
-    uint32_t canonical_index =
-        module->isorecursive_canonical_type_ids[type.ref_index()];
-    type = wasm::ValueType::RefMaybeNull(canonical_index, type.nullability());
+    canonical_index = module->isorecursive_canonical_type_ids[type.ref_index()];
   }
   const char* error_message;
   Handle<Object> result;
-  if (!JSToWasmObject(isolate, value, type, &error_message).ToHandle(&result)) {
+  if (!JSToWasmObject(isolate, value, type, canonical_index, &error_message)
+           .ToHandle(&result)) {
     return isolate->Throw(*isolate->factory()->NewTypeError(
         MessageTemplate::kWasmTrapJSTypeError));
   }
   return *result;
 }
 
-// Takes a JS object and a wasm type as Smi. Type checks the object against the
-// type; if the check succeeds, returns the object in its wasm representation;
-// otherwise throws a type error.
+// Parameters:
+// args[0]: the object, any JS value.
+// args[1]: the expected ValueType, Smi-tagged.
+// args[2]: the expected canonical type index, Smi-tagged, if the type is
+//          an indexed reftype.
+// Type checks the object against the type; if the check succeeds, returns the
+// object in its wasm representation; otherwise throws a type error.
 RUNTIME_FUNCTION(Runtime_WasmJSToWasmObject) {
   // TODO(manoskouk): Use {SaveAndClearThreadInWasmFlag} in runtime-internal.cc
   // and runtime-strings.cc.
   bool thread_in_wasm = trap_handler::IsThreadInWasm();
   if (thread_in_wasm) trap_handler::ClearThreadInWasm();
   HandleScope scope(isolate);
-  DCHECK_EQ(2, args.length());
-  // 'raw_instance' can be either a WasmInstanceObject or undefined.
+  DCHECK_EQ(3, args.length());
   Handle<Object> value(args[0], isolate);
   // Make sure ValueType fits properly in a Smi.
   static_assert(wasm::ValueType::kLastUsedBit + 1 <= kSmiValueSize);
   int raw_type = args.smi_value_at(1);
+  int canonical_index = args.smi_value_at(2);
 
-  wasm::ValueType expected_canonical =
-      wasm::ValueType::FromRawBitField(raw_type);
+  wasm::ValueType expected = wasm::ValueType::FromRawBitField(raw_type);
   const char* error_message;
   Handle<Object> result;
   bool success =
-      JSToWasmObject(isolate, value, expected_canonical, &error_message)
+      JSToWasmObject(isolate, value, expected, canonical_index, &error_message)
           .ToHandle(&result);
   Tagged<Object> ret = success
                            ? *result
diff --git a/src/runtime/runtime.h b/src/runtime/runtime.h
@@ -652,7 +652,7 @@ namespace internal {
   F(WasmTableCopy, 6, 1)                      \
   F(WasmTableGrow, 3, 1)                      \
   F(WasmTableFill, 5, 1)                      \
-  F(WasmJSToWasmObject, 2, 1)                 \
+  F(WasmJSToWasmObject, 3, 1)                 \
   F(WasmGenericJSToWasmObject, 3, 1)          \
   F(WasmGenericWasmToJSObject, 1, 1)          \
   F(WasmCompileLazy, 2, 1)                    \
diff --git a/src/wasm/canonical-types.cc b/src/wasm/canonical-types.cc
@@ -22,12 +22,15 @@ TypeCanonicalizer::TypeCanonicalizer() {
   AddPredefinedArrayType(kPredefinedArrayI16Index, kWasmI16);
 }
 
-// We currently store canonical indices in {ValueType} instances, so they
-// must fit into the range of valid module-relative (non-canonical) type
-// indices.
-// TODO(jkummerow): Raise this limit, to make long-lived WasmEngines scale
-// better. Plan: stop constructing ValueTypes from canonical type indices.
-static constexpr size_t kMaxCanonicalTypes = kV8MaxWasmTypes;
+// For convenience, limit canonicalized type indices to Smi range.
+// We could squeeze out a few more bits if necessary by passing them
+// from compiled wrappers to runtime functions as Smi-tagged unsigned ints.
+// That would give us "uint31" range on 32-bit platforms, and allow
+// uint32_t (or even more) on 64-bit platforms. But we probably don't want
+// to store that many types in the TypeCanonicalizer anyway.
+static constexpr size_t kMaxCanonicalTypes = kSmiMaxValue;
+static_assert(kMaxCanonicalTypes >= kV8MaxWasmTypes);
+static_assert(kInvalidCanonicalIndex > kMaxCanonicalTypes);
 
 void TypeCanonicalizer::CheckMaxCanonicalIndex() const {
   if (canonical_supertypes_.size() > kMaxCanonicalTypes) {
@@ -154,6 +157,7 @@ uint32_t TypeCanonicalizer::AddRecursiveGroup(const FunctionSig* sig) {
   group.type.is_relative_supertype = false;
   int canonical_index = FindCanonicalGroup(group);
   if (canonical_index >= 0) return canonical_index;
+  static_assert(kMaxCanonicalTypes <= kMaxInt);
   canonical_index = static_cast<int>(canonical_supertypes_.size());
   // We need to copy the signature in the local zone, or else we risk
   // storing a dangling pointer in the future.
@@ -303,6 +307,7 @@ int TypeCanonicalizer::FindCanonicalGroup(const CanonicalGroup& group) const {
 int TypeCanonicalizer::FindCanonicalGroup(
     const CanonicalSingletonGroup& group) const {
   auto it = canonical_singleton_groups_.find(group);
+  static_assert(kMaxCanonicalTypes <= kMaxInt);
   return it == canonical_singleton_groups_.end() ? -1 : it->second;
 }
 
diff --git a/src/wasm/constant-expression-interface.cc b/src/wasm/constant-expression-interface.cc
@@ -56,7 +56,7 @@ void ConstantExpressionInterface::UnOp(FullDecoder* decoder, WasmOpcode opcode,
     case kExprAnyConvertExtern: {
       const char* error_message = nullptr;
       result->runtime_value = WasmValue(
-          JSToWasmObject(isolate_, input.runtime_value.to_ref(), kWasmAnyRef,
+          JSToWasmObject(isolate_, input.runtime_value.to_ref(), kWasmAnyRef, 0,
                          &error_message)
               .ToHandleChecked(),
           ValueType::RefMaybeNull(HeapType::kAny, input.type.nullability()));
diff --git a/src/wasm/wasm-constants.h b/src/wasm/wasm-constants.h
@@ -171,6 +171,13 @@ constexpr uint32_t kExceptionAttribute = 0;
 
 constexpr int kAnonymousFuncIndex = -1;
 
+// This needs to survive round-tripping through a Smi without changing
+// its value.
+constexpr uint32_t kInvalidCanonicalIndex = static_cast<uint32_t>(-1);
+static_assert(static_cast<uint32_t>(Internals::SmiValue(Internals::IntToSmi(
+                  static_cast<int>(kInvalidCanonicalIndex)))) ==
+              kInvalidCanonicalIndex);
+
 // The number of calls to an exported Wasm function that will be handled
 // by the generic wrapper. Once the budget is exhausted, a specific wrapper
 // is to be compiled for the function's signature.
diff --git a/src/wasm/wasm-js.cc b/src/wasm/wasm-js.cc
@@ -1763,8 +1763,9 @@ void WebAssemblyGlobalImpl(const v8::FunctionCallbackInfo<v8::Value>& info) {
         // no way to specify such types in `new WebAssembly.Global(...)`.
         // TODO(14034): Fix this if that changes.
         DCHECK(!type.has_index());
+        uint32_t unused_canonical_index = 0;
         if (!i::wasm::JSToWasmObject(i_isolate, value_handle, type,
-                                     &error_message)
+                                     unused_canonical_index, &error_message)
                  .ToHandle(&value_handle)) {
           thrower.TypeError("%s", error_message);
           break;
@@ -1974,21 +1975,19 @@ void EncodeExceptionValues(
       case i::wasm::kRefNull: {
         const char* error_message;
         i::Handle<i::Object> value_handle = Utils::OpenHandle(*value);
-
+        uint32_t canonical_index = i::wasm::kInvalidCanonicalIndex;
         if (type.has_index()) {
           // Canonicalize the type using the tag's original module.
           i::Tagged<i::HeapObject> maybe_instance = tag_object->instance();
-          CHECK(!i::IsUndefined(maybe_instance));
+          // Indexed types are guaranteed to come from an instance.
+          CHECK(i::IsWasmInstanceObject(maybe_instance));
           auto instance = i::WasmInstanceObject::cast(maybe_instance);
           const i::wasm::WasmModule* module = instance->module();
-          uint32_t canonical_index =
+          canonical_index =
               module->isorecursive_canonical_type_ids[type.ref_index()];
-          type = i::wasm::ValueType::RefMaybeNull(canonical_index,
-                                                  type.nullability());
         }
-
-        if (!internal::wasm::JSToWasmObject(i_isolate, value_handle, type,
-                                            &error_message)
+        if (!i::wasm::JSToWasmObject(i_isolate, value_handle, type,
+                                     canonical_index, &error_message)
                  .ToHandle(&value_handle)) {
           thrower->TypeError("%s", error_message);
           return;
diff --git a/src/wasm/wasm-objects.cc b/src/wasm/wasm-objects.cc
@@ -2580,11 +2580,11 @@ Handle<Object> CanonicalizeSmi(Handle<Object> smi, Isolate* isolate) {
 
 namespace wasm {
 MaybeHandle<Object> JSToWasmObject(Isolate* isolate, Handle<Object> value,
-                                   ValueType expected_canonical,
+                                   ValueType expected, uint32_t canonical_index,
                                    const char** error_message) {
-  DCHECK(expected_canonical.is_object_reference());
-  if (expected_canonical.kind() == kRefNull && IsNull(*value, isolate)) {
-    switch (expected_canonical.heap_representation()) {
+  DCHECK(expected.is_object_reference());
+  if (expected.kind() == kRefNull && IsNull(*value, isolate)) {
+    switch (expected.heap_representation()) {
       case HeapType::kStringViewWtf8:
         *error_message = "stringview_wtf8 has no JS representation";
         return {};
@@ -2602,7 +2602,7 @@ MaybeHandle<Object> JSToWasmObject(Isolate* isolate, Handle<Object> value,
         return {};
       default: {
         HeapType::Representation repr =
-            expected_canonical.heap_representation_non_shared();
+            expected.heap_representation_non_shared();
         bool is_extern_subtype =
             repr == HeapType::kExtern || repr == HeapType::kNoExtern ||
             repr == HeapType::kExn || repr == HeapType::kNoExn;
@@ -2611,7 +2611,7 @@ MaybeHandle<Object> JSToWasmObject(Isolate* isolate, Handle<Object> value,
     }
   }
 
-  switch (expected_canonical.heap_representation_non_shared()) {
+  switch (expected.heap_representation_non_shared()) {
     case HeapType::kFunc: {
       if (!(WasmExternalFunction::IsWasmExternalFunction(*value) ||
             WasmCapiFunction::IsWasmCapiFunction(*value))) {
@@ -2707,24 +2707,24 @@ MaybeHandle<Object> JSToWasmObject(Isolate* isolate, Handle<Object> value,
     }
     default: {
       auto type_canonicalizer = GetWasmEngine()->type_canonicalizer();
+      DCHECK_NE(canonical_index, kInvalidCanonicalIndex);
 
       if (WasmExportedFunction::IsWasmExportedFunction(*value)) {
         Tagged<WasmExportedFunction> function =
             WasmExportedFunction::cast(*value);
         uint32_t real_type_index = function->shared()
                                        ->wasm_exported_function_data()
                                        ->canonical_type_index();
-        if (!type_canonicalizer->IsCanonicalSubtype(
-                real_type_index, expected_canonical.ref_index())) {
+        if (!type_canonicalizer->IsCanonicalSubtype(real_type_index,
+                                                    canonical_index)) {
           *error_message =
               "assigned exported function has to be a subtype of the "
               "expected type";
           return {};
         }
         return handle(WasmExternalFunction::cast(*value)->func_ref(), isolate);
       } else if (WasmJSFunction::IsWasmJSFunction(*value)) {
-        if (!WasmJSFunction::cast(*value)->MatchesSignature(
-                expected_canonical.ref_index())) {
+        if (!WasmJSFunction::cast(*value)->MatchesSignature(canonical_index)) {
           *error_message =
               "assigned WebAssembly.Function has to be a subtype of the "
               "expected type";
@@ -2733,7 +2733,7 @@ MaybeHandle<Object> JSToWasmObject(Isolate* isolate, Handle<Object> value,
         return handle(WasmExternalFunction::cast(*value)->func_ref(), isolate);
       } else if (WasmCapiFunction::IsWasmCapiFunction(*value)) {
         if (!WasmCapiFunction::cast(*value)->MatchesSignature(
-                expected_canonical.ref_index())) {
+                canonical_index)) {
           *error_message =
               "assigned C API function has to be a subtype of the expected "
               "type";
@@ -2748,8 +2748,8 @@ MaybeHandle<Object> JSToWasmObject(Isolate* isolate, Handle<Object> value,
             WasmInstanceObject::cast(type_info->instance())->module();
         uint32_t real_canonical_index =
             real_module->isorecursive_canonical_type_ids[real_idx];
-        if (!type_canonicalizer->IsCanonicalSubtype(
-                real_canonical_index, expected_canonical.ref_index())) {
+        if (!type_canonicalizer->IsCanonicalSubtype(real_canonical_index,
+                                                    canonical_index)) {
           *error_message = "object is not a subtype of expected type";
           return {};
         }
@@ -2766,14 +2766,13 @@ MaybeHandle<Object> JSToWasmObject(Isolate* isolate, Handle<Object> value,
 MaybeHandle<Object> JSToWasmObject(Isolate* isolate, const WasmModule* module,
                                    Handle<Object> value, ValueType expected,
                                    const char** error_message) {
-  ValueType expected_canonical = expected;
-  if (expected_canonical.has_index()) {
-    uint32_t canonical_index =
-        module->isorecursive_canonical_type_ids[expected_canonical.ref_index()];
-    expected_canonical = ValueType::RefMaybeNull(
-        canonical_index, expected_canonical.nullability());
-  }
-  return JSToWasmObject(isolate, value, expected_canonical, error_message);
+  uint32_t canonical_index = kInvalidCanonicalIndex;
+  if (expected.has_index()) {
+    canonical_index =
+        module->isorecursive_canonical_type_ids[expected.ref_index()];
+  }
+  return JSToWasmObject(isolate, value, expected, canonical_index,
+                        error_message);
 }
 
 Handle<Object> WasmToJSObject(Isolate* isolate, Handle<Object> value) {
diff --git a/src/wasm/wasm-objects.h b/src/wasm/wasm-objects.h
@@ -1309,7 +1309,7 @@ namespace wasm {
 // {expected}. If the typecheck succeeds, returns the wasm representation of the
 // object; otherwise, returns the empty handle.
 MaybeHandle<Object> JSToWasmObject(Isolate* isolate, Handle<Object> value,
-                                   ValueType expected_canonical,
+                                   ValueType expected, uint32_t canonical_index,
                                    const char** error_message);
 
 // Utility which canonicalizes {expected} in addition.
diff --git a/src/wasm/wrappers.cc b/src/wasm/wrappers.cc
@@ -983,17 +983,19 @@ class WasmWrapperTSGraphBuilder : public WasmGraphBuilderBase {
             // Make sure ValueType fits in a Smi.
             static_assert(wasm::ValueType::kLastUsedBit + 1 <= kSmiValueSize);
 
+            uint32_t canonical_index = kInvalidCanonicalIndex;
             if (type.has_index()) {
               DCHECK_NOT_NULL(module);
-              uint32_t canonical_index =
+              canonical_index =
                   module->isorecursive_canonical_type_ids[type.ref_index()];
-              type = wasm::ValueType::RefMaybeNull(canonical_index,
-                                                   type.nullability());
+              DCHECK_LE(canonical_index, kSmiMaxValue);
             }
 
             std::initializer_list<const OpIndex> inputs = {
-                input, __ IntPtrConstant(
-                           IntToSmi(static_cast<int>(type.raw_bit_field())))};
+                input,
+                __ IntPtrConstant(
+                    IntToSmi(static_cast<int>(type.raw_bit_field()))),
+                __ IntPtrConstant(IntToSmi(static_cast<int>(canonical_index)))};
             return CallRuntime(__ phase_zone(), Runtime::kWasmJSToWasmObject,
                                inputs, context);
           }

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ extern runtime WasmStringViewWtf8Slice(Context, ByteArray, Number, Number):`
`76`	`76`	`extern runtime WasmStringFromCodePoint(Context, Number): String;`
`77`	`77`	`extern runtime WasmStringHash(NoContext, String): Smi;`
`78`	`78`	`extern runtime WasmSubstring(Context, String, Smi, Smi): String;`
`79`		`-extern runtime WasmJSToWasmObject(Context, JSAny, Smi): JSAny;`
	`79`	`+extern runtime WasmJSToWasmObject(Context, JSAny, Smi, Smi): JSAny;`
`80`	`80`
`81`	`81`	`extern runtime PropagateException(NoContext): JSAny;`
`82`	`82`	`}`
`@@ -1492,7 +1492,7 @@ builtin WasmAnyConvertExtern(externObject: JSAny): JSAny {`
`1492`	`1492`	`const context = LoadContextFromInstanceData(trustedData);`
`1493`	`1493`
`1494`	`1494`	`tail runtime::WasmJSToWasmObject(`
`1495`		`- context, externObject, SmiConstant(kAnyType));`
	`1495`	`+ context, externObject, SmiConstant(kAnyType), SmiConstant(0));`
`1496`	`1496`	`}`
`1497`	`1497`
`1498`	`1498`	`extern macro CallOrConstructBuiltinsAssembler::GetCompatibleReceiver(`