| blob | a0d44e647b89736f820a4c6493eb0c0194a3709e |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 *
4 * Copyright 2021 Mozilla Foundation
5 *
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 */
19 #ifndef wasm_type_def_h
20 #define wasm_type_def_h
43 //=========================================================================
44 // Function types
46 // The FuncType class represents a WebAssembly function signature which takes a
47 // list of value types and returns an expression type. The engine uses two
48 // in-memory representations of the argument Vector's memory (when elements do
49 // not fit inline): normal malloc allocation (via SystemAllocPolicy) and
50 // allocation in a LifoAlloc (via LifoAllocPolicy). The former FuncType objects
51 // can have any lifetime since they own the memory. The latter FuncType objects
52 // must not outlive the associated LifoAlloc mark/release interval (which is
53 // currently the duration of module validation+compilation). Thus, long-lived
54 // objects like WasmModule must use malloced allocation.
57 ValTypeVector args_;
58 ValTypeVector results_;
59 // A packed structural type identifier for use in the call_indirect type
60 // check in the prologue of functions. If this function type cannot fit in
61 // this immediate, it will be NO_IMMEDIATE_TYPE_ID.
62 //
63 // This is initialized in DecodeTypeSection once we have the full recursion
64 // group around.
67 // This function type cannot be packed into an immediate for call_indirect
68 // signature checks.
71 // Entry from JS to wasm via the JIT is currently unimplemented for
72 // functions that return multiple values.
75 }
76 // Calls out from wasm to JS that return multiple values is currently
77 // unsupported.
80 }
81 // For JS->wasm jit entries, temporarily disallow certain types until the
82 // stubs generator is improved.
83 // * ref params may be nullable externrefs
84 // * ref results may not be type indices
85 // V128 types are excluded per spec but are guarded against separately.
90 }
91 }
95 }
96 }
98 }
99 // For wasm->JS jit exits, temporarily disallow certain types until
100 // the stubs generator is improved.
101 // * ref results may be nullable externrefs
102 // Unexposable types must be guarded against separately.
108 }
109 }
111 }
126 }
138 }
142 }
144 // The lsb for every immediate type id is set to distinguish an immediate type
145 // id from a type id represented by a pointer to the global hash type set.
152 }
155 }
157 }
159 // Matches two function types for isorecursive equality. See
160 // "Matching type definitions" in WasmValType.h for more background.
166 }
171 }
172 }
177 }
178 }
180 }
182 // Checks if every arg and result of the specified function types are bitwise
183 // equal. Type references must therefore point to exactly the same type
184 // definition instance.
188 }
190 // Checks if two function types are compatible in a given subtyping
191 // relationship.
194 // A subtype must have exactly as many arguments as its supertype
197 }
199 // A subtype must have exactly as many returns as its supertype
202 }
204 // Function result types are covariant
208 }
209 }
211 // Function argument types are contravariant
215 }
216 }
219 }
228 }
229 }
231 }
237 }
238 }
242 }
243 }
245 }
249 };
251 //=========================================================================
252 // Structure types
254 // The Module owns a dense array of StructType values that represent the
255 // structure types that the module knows about. It is created from the sparse
256 // array of types in the ModuleEnvironment when the Module is created.
259 StorageType type;
268 }
270 // Checks if two struct fields are compatible in a given subtyping
271 // relationship.
274 // Mutable fields are invariant w.r.t. field types
277 }
279 // Immutable fields are covariant w.r.t. field types
282 }
285 }
286 };
297 InlineTraceOffsetVector inlineTraceOffsets_;
298 OutlineTraceOffsetVector outlineTraceOffsets_;
312 }
315 }
323 }
324 }
326 }
332 }
334 }
336 // Matches two struct types for isorecursive equality. See
337 // "Matching type definitions" in WasmValType.h for more background.
342 }
350 }
351 }
353 }
355 // Checks if two struct types are compatible in a given subtyping
356 // relationship.
359 // A subtype must have at least as many fields as its supertype
362 }
364 // Every field that is in both superType and subType must be compatible
369 }
370 }
372 }
378 };
382 // Utility for computing field offset and alignments, and total size for
383 // structs and tags. This is complicated by fact that a WasmStructObject has
384 // an inline area, which is used first, and if that fills up an optional
385 // C++-heap-allocated outline area is used. We need to be careful not to
386 // split any data item across the boundary. This is ensured as follows:
387 //
388 // (1) the possible field sizes are 1, 2, 4, 8 and 16 only.
389 // (2) each field is "naturally aligned" -- aligned to its size.
390 // (3) MaxInlineBytes (the size of the inline area) % 16 == 0.
391 //
392 // From (1) and (2), it follows that all fields are placed so that their first
393 // and last bytes fall within the same 16-byte chunk. That is,
394 // offset_of_first_byte_of_field / 16 == offset_of_last_byte_of_field / 16.
395 //
396 // Given that, it follows from (3) that all fields fall completely within
397 // either the inline or outline areas; no field crosses the boundary.
403 // The field adders return the offset of the the field.
406 // The close method rounds up the structure size to the appropriate
407 // alignment and returns that size.
409 };
411 //=========================================================================
412 // Array types
416 // The kind of value stored in this array
417 StorageType elementType_;
418 // Whether this array is mutable or not
436 }
445 }
447 // Matches two array types for isorecursive equality. See
448 // "Matching type definitions" in WasmValType.h for more background.
454 }
456 // Checks if two arrays are compatible in a given subtyping relationship.
459 // Mutable fields are invariant w.r.t. field types
462 }
464 // Immutable fields are covariant w.r.t. field types
468 }
471 }
474 };
480 //=========================================================================
481 // SuperTypeVector
483 // [SMDOC] Super type vector
484 //
485 // A super type vector is a vector representation of the linked list of super
486 // types that a type definition has. Every element is a raw pointer to another
487 // super type vector - they are one-to-one with type definitions, so they are
488 // functionally equivalent. It is possible to form a vector here because
489 // subtypes in wasm form trees, not DAGs, with every type having at most one
490 // super type.
491 //
492 // The first element in the vector is the 'root' type definition without a
493 // super type. The last element is to the type definition itself.
494 //
495 // ## Subtype checking
496 //
497 // The only purpose of a super type vector is to support constant time
498 // subtyping checks. This is not free, it comes at the cost of worst case N^2
499 // metadata size growth. We limit the max subtyping depth to counter this.
500 //
501 // To perform a subtype check we rely on the following:
502 // (1) a type A is a subtype (<:) of type B iff:
503 // type A == type B OR
504 // type B is reachable by following declared super types of type A
505 // (2) we order super type vectors from least to most derived types
506 // (3) the 'subtyping depth' of all type definitions is statically known
507 //
508 // With the above, we know that if type B is a super type of type A, that it
509 // must be in A's super type vector at type B's subtyping depth. We can
510 // therefore just do an index and comparison to determine if that's the case.
511 //
512 // ## Example
513 //
514 // For the following type section:
515 // ..
516 // 12: (type (struct))
517 // ..
518 // 34: (type (sub 12 (struct)))
519 // ..
520 // 56: (type (sub 34 (struct)))
521 // ..
522 // 78: (type (sub 56 (struct)))
523 // ..
524 //
525 // (type 12) would have the following super type vector:
526 // [(type 12)]
527 //
528 // (type 78) would have the following super type vector:
529 // [(type 12), (type 34), (type 56), (type 78)]
530 //
531 // Checking that (type 78) <: (type 12) can use the fact that (type 12) will
532 // always be present at depth 0 of any super type vector it is in, and
533 // therefore check the vector at that index.
534 //
535 // ## Minimum sizing
536 //
537 // As a further optimization to avoid bounds checking, we guarantee that all
538 // super type vectors are at least `MinSuperTypeVectorLength`. All checks
539 // against indices that we know statically are at/below that can skip bounds
540 // checking. Extra entries added to reach the minimum size are initialized to
541 // null.
545 // The TypeDef for which this is the supertype vector. That TypeDef should
546 // point back to this SuperTypeVector.
549 // A cached copy of subTypingDepth from TypeDef.
552 // The length of types stored inline below.
556 // Raw pointers to the super types of this type definition. Ordered from
557 // least-derived to most-derived. Do not add any fields after this point.
560 // Batch allocate super type vectors for all the types in a recursion group.
561 // Returns a pointer to the first super type vector, which can be used to
562 // free all vectors.
573 }
575 // The length of a super type vector for a specific type def.
577 // The byte size of a super type vector for a specific type def.
582 }
586 };
588 };
590 // Ensure it is safe to use `sizeof(SuperTypeVector)` to find the offset of
591 // `types_[0]`.
594 //=========================================================================
595 // TypeDef and supporting types
597 // A tagged container for the various types that can be present in a wasm
598 // module's type section.
602 Func,
603 Struct,
604 Array,
605 };
610 // The supertype vector for this TypeDef. That SuperTypeVector should point
611 // back to this TypeDef.
617 TypeDefKind kind_;
619 FuncType funcType_;
620 StructType structType_;
621 ArrayType arrayType_;
622 };
630 }
641 }
656 }
657 }
664 }
671 }
678 }
684 }
690 }
694 }
706 }
721 }
726 }
731 }
736 }
741 }
746 }
748 // Get a value that can be used for matching type definitions across
749 // different recursion groups.
769 }
771 }
773 // Matches two type definitions for isorecursive equality. See
774 // "Matching type definitions" in WasmValType.h for more background.
778 }
781 }
785 }
798 }
800 }
802 // Checks if two type definitions are compatible in a given subtyping
803 // relationship.
807 }
809 // A subtype can't declare a final super type.
812 }
826 }
828 }
833 }
837 // Checks if `subTypeDef` is a declared sub type of `superTypeDef`.
840 // Fast path for when the types are equal
843 }
846 // During construction of a recursion group, the super type vector may not
847 // have been computed yet, in which case we need to fall back to a linear
848 // search.
853 }
855 }
857 }
859 // The supertype vector does exist. So check it points back here.
862 // We need to check if `superTypeDef` is one of `subTypeDef`s super types
863 // by checking in `subTypeDef`s super type vector. We can use the static
864 // information of the depth of `superTypeDef` to index directly into the
865 // vector.
869 }
876 }
880 };
890 SystemAllocPolicy>;
892 //=========================================================================
893 // RecGroup
895 // A recursion group is a set of type definitions that may refer to each other
896 // or to type definitions in another recursion group. There is an ordering
897 // restriction on type references such that references across recursion groups
898 // must be acyclic.
899 //
900 // Type definitions are stored inline in their containing recursion group, and
901 // have an offset to their containing recursion group. Recursion groups are
902 // atomically refcounted and hold strong references to other recursion groups
903 // they depend on.
904 //
905 // Type equality is structural in WebAssembly, and we canonicalize recursion
906 // groups while building them so that pointer equality of types implies
907 // equality of types. There is a global hash set of weak pointers to recursion
908 // groups that holds the current canonical instance of a recursion group.
910 // Whether this recursion group has been finished and acquired strong
911 // references to external recursion groups.
913 // The number of types stored in this recursion group.
915 // The batch allocated super type vectors for all type definitions in this
916 // recursion group.
918 // The first type definition stored inline in this recursion group.
926 // Compute the size in bytes of a recursion group with the specified amount
927 // of types.
931 }
933 // Allocate a recursion group with the specified amount of types. The type
934 // definitions will be ready to be filled in. Users must call `finish` once
935 // type definitions are initialized so that strong references to external
936 // recursion groups are taken.
938 // Allocate the recursion group with the correct size
942 }
944 // Construct the recursion group and types that are stored inline
948 }
950 }
952 // Finish initialization by acquiring strong references to groups referenced
953 // by type definitions.
956 // Super type vectors are only needed for GC and have a size/time impact
957 // that we don't want to encur until we're ready for it. Only use them when
958 // GC is built into the binary.
962 }
966 }
968 // Visit every external recursion group that is referenced by the types in
969 // this recursion group.
975 }
976 };
980 }
981 };
989 }
996 }
999 }
1001 }
1006 }
1008 }
1013 }
1016 }
1017 }
1018 }
1019 }
1023 // Release the referenced recursion groups if we acquired references to
1024 // them. Do this before the type definitions are destroyed below.
1029 }
1034 }
1036 // Call destructors on all the type definitions.
1039 }
1040 }
1042 // Recursion groups cannot be copied or moved
1046 // Get the type definition at the group type index (not module type index).
1048 // We cannot mutate type definitions after we've finalized them
1051 }
1054 }
1056 // The number of types stored in this recursion group.
1059 // Get the index of a type definition that's in this recursion group.
1065 }
1071 }
1073 }
1075 // Matches two recursion groups for isorecursive equality. See
1076 // "Matching type definitions" in WasmValType.h for more background.
1080 }
1084 }
1085 }
1087 }
1088 };
1090 // Remove all types from the canonical type set that are not referenced from
1091 // outside the type set.
1098 //=========================================================================
1099 // TypeContext
1101 // A type context holds the recursion groups and corresponding type definitions
1102 // defined in a module.
1104 FeatureArgs features_;
1105 // The pending recursion group that is currently being constructed
1106 MutableRecGroup pendingRecGroup_;
1107 // An in-order list of all the recursion groups defined in this module
1108 SharedRecGroupVector recGroups_;
1109 // An in-order list of the type definitions in the module. Each type is
1110 // stored in a recursion group.
1111 TypeDefPtrVector types_;
1112 // A map from type definition to the original module index.
1113 TypeDefPtrToIndexMap moduleIndices_;
1125 }
1127 // Disallow copy, allow move initialization
1133 // Begin creating a recursion group with the specified number of types.
1134 // Returns a recursion group to be filled in with type definitions. This must
1135 // be paired with `endGroup`.
1137 // We must not have a pending group
1140 // Create the group and add it to the list of groups
1144 }
1146 // Store this group for later use in endRecGroup
1149 }
1151 // Finish creation of a recursion group after type definitions have been
1152 // initialized. This must be paired with `startGroup`.
1154 // We must have started a recursion group
1159 // Finalize the type definitions in the recursion group
1162 }
1164 // Canonicalize the recursion group
1168 }
1170 // Nothing left to do if this group became the canonical group
1173 }
1175 // Store the canonical group into the list
1178 // Overwrite all the entries we stored into the index space maps when we
1179 // started this group.
1182 groupTypeIndex++) {
1190 // Ensure there is an module index entry pointing to the canonical type
1191 // definition. Don't overwrite it if it already exists, serialization
1192 // relies on the module index map pointing to the first occurrence of a
1193 // type definition to avoid creating forward references that didn't exist
1194 // in the original module.
1199 }
1200 }
1203 }
1205 // Finish creation of a recursion group after type definitions have been
1206 // initialized. This must be paired with `startGroup`.
1208 // We must not have a pending group
1211 // Add it to the list of groups
1214 }
1216 // Store the types of the group into our index space maps. These may get
1217 // overwritten if this group is being added by `startRecGroup` and we
1218 // overwrite it with a canonical group in `endRecGroup`. We need to do
1219 // this before finishing though, because these entries will be used by
1220 // decoding and error printing.
1222 groupTypeIndex++) {
1227 }
1228 }
1230 }
1237 }
1241 }
1243 }
1253 // Map from type definition to index
1259 }
1260 };
1265 //=========================================================================
1266 // TypeHandle
1268 // An unambiguous strong reference to a type definition in a specific type
1269 // context.
1272 SharedTypeContext context_;
1279 }
1289 };
1291 //=========================================================================
1292 // misc
1294 /* static */
1297 // TypeDef is aligned sufficiently to allow a tag to distinguish a local type
1298 // reference (index) from a non-local type reference (pointer).
1302 // Return a tagged index for local type references
1305 }
1307 // Return an untagged pointer for non-local type references
1309 }
1311 /* static */
1314 MatchTypeCode mtc = {};
1319 }
1325 }
1327 }
1332 }
1334 }
1339 }
1341 }
1345 }
1347 }
1375 }
1376 }
1378 }
1388 }
1390 }
1394 }
1397 }
1400 }
1403 }
1405 /* static */
1407 // Anything is a subtype of itself.
1410 }
1412 // A subtype must have the same nullability as the supertype or the
1413 // supertype must be nullable.
1416 }
1418 // Non type-index references are subtypes if they have the same kind
1422 }
1424 // eqref is a subtype of anyref
1427 }
1429 // i31ref is a subtype of eqref
1432 }
1434 // structref/arrayref are subtypes of eqref and anyref
1438 }
1440 // Structs are subtypes of structref, eqref and anyref
1444 }
1446 // Arrays are subtypes of arrayref, eqref and anyref
1450 }
1452 // Funcs are subtypes of funcref
1456 }
1458 // Type references can be subtypes
1461 }
1463 // No func is the bottom type of the func hierarchy
1466 }
1468 // No extern is the bottom type of the extern hierarchy
1472 }
1474 // None is the bottom type of the any hierarchy
1477 }
1480 }
1482 /* static */
1484 // Nullable types always have null in common.
1487 }
1489 // At least one of the types is non-nullable, so the only common values can be
1490 // non-null. Therefore, if either type is a bottom type, common values are
1491 // impossible.
1494 }
1496 // After excluding bottom types, our type hierarchy is a tree, and after
1497 // excluding nulls, subtype relationships are sufficient to tell if the types
1498 // share any values. If neither type is a subtype of the other, then they are
1499 // on different branches of the tree and completely disjoint.
1504 }
1506 //=========================================================================
1507 // [SMDOC] Signatures and runtime types
1508 //
1509 // TypeIdDesc describes the runtime representation of a TypeDef suitable for
1510 // type equality checks. The kind of representation depends on whether the type
1511 // is a function or a GC type. This design is in flux and will evolve.
1512 //
1513 // # Function types
1514 //
1515 // For functions in the general case, a FuncType is allocated and stored in a
1516 // process-wide hash table, so that pointer equality implies structural
1517 // equality. This process does not correctly handle type references (which would
1518 // require hash-consing of infinite-trees), but that's okay while
1519 // function-references and gc-types are experimental.
1520 //
1521 // A pointer to the hash table entry is stored in the global data
1522 // area for each instance, and TypeIdDesc gives the offset to this entry.
1523 //
1524 // ## Immediate function types
1525 //
1526 // As an optimization for the 99% case where the FuncType has a small number of
1527 // parameters, the FuncType is bit-packed into a uint32 immediate value so that
1528 // integer equality implies structural equality. Both cases can be handled with
1529 // a single comparison by always setting the LSB for the immediates
1530 // (the LSB is necessarily 0 for allocated FuncType pointers due to alignment).
1531 //
1532 // # GC types
1533 //
1534 // For GC types, an entry is always created in the global data area and a
1535 // unique RttValue (see wasm/WasmGcObject.h) is stored there. This RttValue
1536 // is the value given by 'rtt.canon $t' for each type definition. As each entry
1537 // is given a unique value and no canonicalization is done (which would require
1538 // hash-consing of infinite-trees), this is not yet spec compliant.
1539 //
1540 // # wasm::Instance and the global type context
1541 //
1542 // As GC objects may outlive the module they are created in, types are
1543 // additionally transferred to a wasm::Context (which is part of JSContext) upon
1544 // instantiation. This wasm::Context contains the 'global type context' that
1545 // RTTValues refer to by type index. Types are never freed from the global type
1546 // context as that would shift the index space. In the future, this will be
1547 // fixed.