| blob | 7aedbed1f858a5b7e821f3cfc1e0fc076a5face7 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*-
2 * vim: set ts=8 sts=2 et sw=2 tw=80:
3 *
4 * Copyright 2021 Mozilla Foundation
5 *
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 */
19 #ifndef wasm_type_def_h
20 #define wasm_type_def_h
43 //=========================================================================
44 // Function types
46 // The FuncType class represents a WebAssembly function signature which takes a
47 // list of value types and returns an expression type. The engine uses two
48 // in-memory representations of the argument Vector's memory (when elements do
49 // not fit inline): normal malloc allocation (via SystemAllocPolicy) and
50 // allocation in a LifoAlloc (via LifoAllocPolicy). The former FuncType objects
51 // can have any lifetime since they own the memory. The latter FuncType objects
52 // must not outlive the associated LifoAlloc mark/release interval (which is
53 // currently the duration of module validation+compilation). Thus, long-lived
54 // objects like WasmModule must use malloced allocation.
57 ValTypeVector args_;
58 ValTypeVector results_;
59 // A packed structural type identifier for use in the call_indirect type
60 // check in the prologue of functions. If this function type cannot fit in
61 // this immediate, it will be NO_IMMEDIATE_TYPE_ID.
62 //
63 // This is initialized in DecodeTypeSection once we have the full recursion
64 // group around.
67 // This function type cannot be packed into an immediate for call_indirect
68 // signature checks.
71 // Entry from JS to wasm via the JIT is currently unimplemented for
72 // functions that return multiple values.
75 }
76 // Calls out from wasm to JS that return multiple values is currently
77 // unsupported.
80 }
81 // For JS->wasm jit entries, temporarily disallow certain types until the
82 // stubs generator is improved.
83 // * ref params may be nullable externrefs
84 // * ref results may not be type indices
85 // V128 types are excluded per spec but are guarded against separately.
90 }
91 }
95 }
96 }
98 }
99 // For wasm->JS jit exits, temporarily disallow certain types until
100 // the stubs generator is improved.
101 // * ref results may be nullable externrefs
102 // Unexposable types must be guarded against separately.
108 }
109 }
111 }
126 }
138 }
142 }
144 // The lsb for every immediate type id is set to distinguish an immediate type
145 // id from a type id represented by a pointer to the global hash type set.
152 }
155 }
157 }
159 // Matches two function types for isorecursive equality. See
160 // "Matching type definitions" in WasmValType.h for more background.
166 }
171 }
172 }
177 }
178 }
180 }
182 // Checks if every arg and result of the specified function types are bitwise
183 // equal. Type references must therefore point to exactly the same type
184 // definition instance.
188 }
190 // Checks if two function types are compatible in a given subtyping
191 // relationship.
194 // A subtype must have exactly as many arguments as its supertype
197 }
199 // A subtype must have exactly as many returns as its supertype
202 }
204 // Function result types are covariant
208 }
209 }
211 // Function argument types are contravariant
215 }
216 }
219 }
228 }
229 }
231 }
237 }
238 }
242 }
243 }
245 }
249 };
251 //=========================================================================
252 // Structure types
254 // The Module owns a dense array of StructType values that represent the
255 // structure types that the module knows about. It is created from the sparse
256 // array of types in the ModuleEnvironment when the Module is created.
259 StorageType type;
268 }
270 // Checks if two struct fields are compatible in a given subtyping
271 // relationship.
274 // Mutable fields are invariant w.r.t. field types
277 }
279 // Immutable fields are covariant w.r.t. field types
282 }
285 }
286 };
297 InlineTraceOffsetVector inlineTraceOffsets_;
298 OutlineTraceOffsetVector outlineTraceOffsets_;
312 }
315 }
323 }
324 }
326 }
332 }
334 }
336 // Matches two struct types for isorecursive equality. See
337 // "Matching type definitions" in WasmValType.h for more background.
342 }
350 }
351 }
353 }
355 // Checks if two struct types are compatible in a given subtyping
356 // relationship.
359 // A subtype must have at least as many fields as its supertype
362 }
364 // Every field that is in both superType and subType must be compatible
369 }
370 }
372 }
376 };
380 // Utility for computing field offset and alignments, and total size for
381 // structs and tags. This is complicated by fact that a WasmStructObject has
382 // an inline area, which is used first, and if that fills up an optional
383 // C++-heap-allocated outline area is used. We need to be careful not to
384 // split any data item across the boundary. This is ensured as follows:
385 //
386 // (1) the possible field sizes are 1, 2, 4, 8 and 16 only.
387 // (2) each field is "naturally aligned" -- aligned to its size.
388 // (3) MaxInlineBytes (the size of the inline area) % 16 == 0.
389 //
390 // From (1) and (2), it follows that all fields are placed so that their first
391 // and last bytes fall within the same 16-byte chunk. That is,
392 // offset_of_first_byte_of_field / 16 == offset_of_last_byte_of_field / 16.
393 //
394 // Given that, it follows from (3) that all fields fall completely within
395 // either the inline or outline areas; no field crosses the boundary.
401 // The field adders return the offset of the the field.
404 // The close method rounds up the structure size to the appropriate
405 // alignment and returns that size.
407 };
409 //=========================================================================
410 // Array types
414 // The kind of value stored in this array
415 StorageType elementType_;
416 // Whether this array is mutable or not
434 }
443 }
445 // Matches two array types for isorecursive equality. See
446 // "Matching type definitions" in WasmValType.h for more background.
452 }
454 // Checks if two arrays are compatible in a given subtyping relationship.
457 // Mutable fields are invariant w.r.t. field types
460 }
462 // Immutable fields are covariant w.r.t. field types
466 }
469 }
472 };
478 //=========================================================================
479 // SuperTypeVector
481 // [SMDOC] Super type vector
482 //
483 // A super type vector is a vector representation of the linked list of super
484 // types that a type definition has. Every element is a raw pointer to another
485 // super type vector - they are one-to-one with type definitions, so they are
486 // functionally equivalent. It is possible to form a vector here because
487 // subtypes in wasm form trees, not DAGs, with every type having at most one
488 // super type.
489 //
490 // The first element in the vector is the 'root' type definition without a
491 // super type. The last element is to the type definition itself.
492 //
493 // ## Subtype checking
494 //
495 // The only purpose of a super type vector is to support constant time
496 // subtyping checks. This is not free, it comes at the cost of worst case N^2
497 // metadata size growth. We limit the max subtyping depth to counter this.
498 //
499 // To perform a subtype check we rely on the following:
500 // (1) a type A is a subtype (<:) of type B iff:
501 // type A == type B OR
502 // type B is reachable by following declared super types of type A
503 // (2) we order super type vectors from least to most derived types
504 // (3) the 'subtyping depth' of all type definitions is statically known
505 //
506 // With the above, we know that if type B is a super type of type A, that it
507 // must be in A's super type vector at type B's subtyping depth. We can
508 // therefore just do an index and comparison to determine if that's the case.
509 //
510 // ## Example
511 //
512 // For the following type section:
513 // ..
514 // 12: (type (struct))
515 // ..
516 // 34: (type (sub 12 (struct)))
517 // ..
518 // 56: (type (sub 34 (struct)))
519 // ..
520 // 78: (type (sub 56 (struct)))
521 // ..
522 //
523 // (type 12) would have the following super type vector:
524 // [(type 12)]
525 //
526 // (type 78) would have the following super type vector:
527 // [(type 12), (type 34), (type 56), (type 78)]
528 //
529 // Checking that (type 78) <: (type 12) can use the fact that (type 12) will
530 // always be present at depth 0 of any super type vector it is in, and
531 // therefore check the vector at that index.
532 //
533 // ## Minimum sizing
534 //
535 // As a further optimization to avoid bounds checking, we guarantee that all
536 // super type vectors are at least `MinSuperTypeVectorLength`. All checks
537 // against indices that we know statically are at/below that can skip bounds
538 // checking. Extra entries added to reach the minimum size are initialized to
539 // null.
543 // The TypeDef for which this is the supertype vector. That TypeDef should
544 // point back to this SuperTypeVector.
547 // A cached copy of subTypingDepth from TypeDef.
550 // The length of types stored inline below.
554 // Raw pointers to the super types of this type definition. Ordered from
555 // least-derived to most-derived. Do not add any fields after this point.
558 // Batch allocate super type vectors for all the types in a recursion group.
559 // Returns a pointer to the first super type vector, which can be used to
560 // free all vectors.
571 }
573 // The length of a super type vector for a specific type def.
575 // The byte size of a super type vector for a specific type def.
580 }
584 };
586 };
588 // Ensure it is safe to use `sizeof(SuperTypeVector)` to find the offset of
589 // `types_[0]`.
592 //=========================================================================
593 // TypeDef and supporting types
595 // A tagged container for the various types that can be present in a wasm
596 // module's type section.
600 Func,
601 Struct,
602 Array,
603 };
608 // The supertype vector for this TypeDef. That SuperTypeVector should point
609 // back to this TypeDef.
615 TypeDefKind kind_;
617 FuncType funcType_;
618 StructType structType_;
619 ArrayType arrayType_;
620 };
628 }
639 }
654 }
655 }
662 }
669 }
676 }
682 }
688 }
692 }
704 }
719 }
724 }
729 }
734 }
739 }
744 }
746 // Get a value that can be used for matching type definitions across
747 // different recursion groups.
767 }
769 }
771 // Matches two type definitions for isorecursive equality. See
772 // "Matching type definitions" in WasmValType.h for more background.
776 }
779 }
783 }
796 }
798 }
800 // Checks if two type definitions are compatible in a given subtyping
801 // relationship.
805 }
807 // A subtype can't declare a final super type.
810 }
824 }
826 }
831 }
835 // Checks if `subTypeDef` is a declared sub type of `superTypeDef`.
838 // Fast path for when the types are equal
841 }
844 // During construction of a recursion group, the super type vector may not
845 // have been computed yet, in which case we need to fall back to a linear
846 // search.
851 }
853 }
855 }
857 // The supertype vector does exist. So check it points back here.
860 // We need to check if `superTypeDef` is one of `subTypeDef`s super types
861 // by checking in `subTypeDef`s super type vector. We can use the static
862 // information of the depth of `superTypeDef` to index directly into the
863 // vector.
867 }
874 }
878 };
888 SystemAllocPolicy>;
890 //=========================================================================
891 // RecGroup
893 // A recursion group is a set of type definitions that may refer to each other
894 // or to type definitions in another recursion group. There is an ordering
895 // restriction on type references such that references across recursion groups
896 // must be acyclic.
897 //
898 // Type definitions are stored inline in their containing recursion group, and
899 // have an offset to their containing recursion group. Recursion groups are
900 // atomically refcounted and hold strong references to other recursion groups
901 // they depend on.
902 //
903 // Type equality is structural in WebAssembly, and we canonicalize recursion
904 // groups while building them so that pointer equality of types implies
905 // equality of types. There is a global hash set of weak pointers to recursion
906 // groups that holds the current canonical instance of a recursion group.
908 // Whether this recursion group has been finished and acquired strong
909 // references to external recursion groups.
911 // The number of types stored in this recursion group.
913 // The batch allocated super type vectors for all type definitions in this
914 // recursion group.
916 // The first type definition stored inline in this recursion group.
924 // Compute the size in bytes of a recursion group with the specified amount
925 // of types.
929 }
931 // Allocate a recursion group with the specified amount of types. The type
932 // definitions will be ready to be filled in. Users must call `finish` once
933 // type definitions are initialized so that strong references to external
934 // recursion groups are taken.
936 // Allocate the recursion group with the correct size
940 }
942 // Construct the recursion group and types that are stored inline
946 }
948 }
950 // Finish initialization by acquiring strong references to groups referenced
951 // by type definitions.
954 // Super type vectors are only needed for GC and have a size/time impact
955 // that we don't want to encur until we're ready for it. Only use them when
956 // GC is built into the binary.
960 }
964 }
966 // Visit every external recursion group that is referenced by the types in
967 // this recursion group.
973 }
974 };
978 }
979 };
987 }
994 }
997 }
999 }
1004 }
1006 }
1011 }
1014 }
1015 }
1016 }
1017 }
1021 // Release the referenced recursion groups if we acquired references to
1022 // them. Do this before the type definitions are destroyed below.
1027 }
1032 }
1034 // Call destructors on all the type definitions.
1037 }
1038 }
1040 // Recursion groups cannot be copied or moved
1044 // Get the type definition at the group type index (not module type index).
1046 // We cannot mutate type definitions after we've finalized them
1049 }
1052 }
1054 // The number of types stored in this recursion group.
1057 // Get the index of a type definition that's in this recursion group.
1063 }
1069 }
1071 }
1073 // Matches two recursion groups for isorecursive equality. See
1074 // "Matching type definitions" in WasmValType.h for more background.
1078 }
1082 }
1083 }
1085 }
1086 };
1088 // Remove all types from the canonical type set that are not referenced from
1089 // outside the type set.
1096 //=========================================================================
1097 // TypeContext
1099 // A type context holds the recursion groups and corresponding type definitions
1100 // defined in a module.
1102 FeatureArgs features_;
1103 // The pending recursion group that is currently being constructed
1104 MutableRecGroup pendingRecGroup_;
1105 // An in-order list of all the recursion groups defined in this module
1106 SharedRecGroupVector recGroups_;
1107 // An in-order list of the type definitions in the module. Each type is
1108 // stored in a recursion group.
1109 TypeDefPtrVector types_;
1110 // A map from type definition to the original module index.
1111 TypeDefPtrToIndexMap moduleIndices_;
1123 }
1125 // Disallow copy, allow move initialization
1131 // Begin creating a recursion group with the specified number of types.
1132 // Returns a recursion group to be filled in with type definitions. This must
1133 // be paired with `endGroup`.
1135 // We must not have a pending group
1138 // Create the group and add it to the list of groups
1142 }
1144 // Store this group for later use in endRecGroup
1147 }
1149 // Finish creation of a recursion group after type definitions have been
1150 // initialized. This must be paired with `startGroup`.
1152 // We must have started a recursion group
1157 // Finalize the type definitions in the recursion group
1160 }
1162 // Canonicalize the recursion group
1166 }
1168 // Nothing left to do if this group became the canonical group
1171 }
1173 // Store the canonical group into the list
1176 // Overwrite all the entries we stored into the index space maps when we
1177 // started this group.
1180 groupTypeIndex++) {
1188 // Ensure there is an module index entry pointing to the canonical type
1189 // definition. Don't overwrite it if it already exists, serialization
1190 // relies on the module index map pointing to the first occurrence of a
1191 // type definition to avoid creating forward references that didn't exist
1192 // in the original module.
1197 }
1198 }
1201 }
1203 // Finish creation of a recursion group after type definitions have been
1204 // initialized. This must be paired with `startGroup`.
1206 // We must not have a pending group
1209 // Add it to the list of groups
1212 }
1214 // Store the types of the group into our index space maps. These may get
1215 // overwritten if this group is being added by `startRecGroup` and we
1216 // overwrite it with a canonical group in `endRecGroup`. We need to do
1217 // this before finishing though, because these entries will be used by
1218 // decoding and error printing.
1220 groupTypeIndex++) {
1225 }
1226 }
1228 }
1235 }
1238 }
1248 // Map from type definition to index
1254 }
1255 };
1260 //=========================================================================
1261 // TypeHandle
1263 // An unambiguous strong reference to a type definition in a specific type
1264 // context.
1267 SharedTypeContext context_;
1274 }
1284 };
1286 //=========================================================================
1287 // misc
1289 /* static */
1292 // TypeDef is aligned sufficiently to allow a tag to distinguish a local type
1293 // reference (index) from a non-local type reference (pointer).
1297 // Return a tagged index for local type references
1300 }
1302 // Return an untagged pointer for non-local type references
1304 }
1306 /* static */
1309 MatchTypeCode mtc = {};
1314 }
1320 }
1322 }
1327 }
1329 }
1334 }
1336 }
1340 }
1342 }
1370 }
1371 }
1373 }
1383 }
1385 }
1389 }
1392 }
1395 }
1398 }
1400 /* static */
1402 // Anything is a subtype of itself.
1405 }
1407 // A subtype must have the same nullability as the supertype or the
1408 // supertype must be nullable.
1411 }
1413 // Non type-index references are subtypes if they have the same kind
1417 }
1419 // eqref is a subtype of anyref
1422 }
1424 // i31ref is a subtype of eqref
1427 }
1429 // structref/arrayref are subtypes of eqref and anyref
1433 }
1435 // Structs are subtypes of structref, eqref and anyref
1439 }
1441 // Arrays are subtypes of arrayref, eqref and anyref
1445 }
1447 // Funcs are subtypes of funcref
1451 }
1453 // Type references can be subtypes
1456 }
1458 // No func is the bottom type of the func hierarchy
1461 }
1463 // No extern is the bottom type of the extern hierarchy
1467 }
1469 // None is the bottom type of the any hierarchy
1472 }
1475 }
1477 /* static */
1479 // Nullable types always have null in common.
1482 }
1484 // At least one of the types is non-nullable, so the only common values can be
1485 // non-null. Therefore, if either type is a bottom type, common values are
1486 // impossible.
1489 }
1491 // After excluding bottom types, our type hierarchy is a tree, and after
1492 // excluding nulls, subtype relationships are sufficient to tell if the types
1493 // share any values. If neither type is a subtype of the other, then they are
1494 // on different branches of the tree and completely disjoint.
1499 }
1501 //=========================================================================
1502 // [SMDOC] Signatures and runtime types
1503 //
1504 // TypeIdDesc describes the runtime representation of a TypeDef suitable for
1505 // type equality checks. The kind of representation depends on whether the type
1506 // is a function or a GC type. This design is in flux and will evolve.
1507 //
1508 // # Function types
1509 //
1510 // For functions in the general case, a FuncType is allocated and stored in a
1511 // process-wide hash table, so that pointer equality implies structural
1512 // equality. This process does not correctly handle type references (which would
1513 // require hash-consing of infinite-trees), but that's okay while
1514 // function-references and gc-types are experimental.
1515 //
1516 // A pointer to the hash table entry is stored in the global data
1517 // area for each instance, and TypeIdDesc gives the offset to this entry.
1518 //
1519 // ## Immediate function types
1520 //
1521 // As an optimization for the 99% case where the FuncType has a small number of
1522 // parameters, the FuncType is bit-packed into a uint32 immediate value so that
1523 // integer equality implies structural equality. Both cases can be handled with
1524 // a single comparison by always setting the LSB for the immediates
1525 // (the LSB is necessarily 0 for allocated FuncType pointers due to alignment).
1526 //
1527 // # GC types
1528 //
1529 // For GC types, an entry is always created in the global data area and a
1530 // unique RttValue (see wasm/WasmGcObject.h) is stored there. This RttValue
1531 // is the value given by 'rtt.canon $t' for each type definition. As each entry
1532 // is given a unique value and no canonicalization is done (which would require
1533 // hash-consing of infinite-trees), this is not yet spec compliant.
1534 //
1535 // # wasm::Instance and the global type context
1536 //
1537 // As GC objects may outlive the module they are created in, types are
1538 // additionally transferred to a wasm::Context (which is part of JSContext) upon
1539 // instantiation. This wasm::Context contains the 'global type context' that
1540 // RTTValues refer to by type index. Types are never freed from the global type
1541 // context as that would shift the index space. In the future, this will be
1542 // fixed.