[JSC] Do not check Cell / WebAssemblyGCObject types when incoming static type proves it

https://bugs.webkit.org/show_bug.cgi?id=297638
rdar://158734753

Reviewed by Justin Michaud.

Now input types are propagated well, and we can easily remove
unnecessary cell checks / WebAssemblyGCObject checks based on the proven
types of the input value. This patch adds definitelyIsCellOrNull and
definitelyIsWasmGCObjectOrNull, and using them to remove unnecessary
checks in wasm RefTest / RefCast.

* Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp:
(JSC::Wasm::BBQJITImpl::BBQJIT::emitRefTestOrCast):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::emitRefTestOrCast):
* Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp:
(JSC::Wasm::Type::definitelyIsCellOrNull const):
(JSC::Wasm::Type::definitelyIsWasmGCObjectOrNull const):
* Source/JavaScriptCore/wasm/generateWasmOpsHeader.py:

Canonical link: https://commits.webkit.org/298961@main

Author: Constellation

Source/JavaScriptCore/wasm/WasmBBQJIT64.cpp

@@ -2404,8 +2404,10 @@ void BBQJIT::emitRefTestOrCast(const TypedExpression& typedValue, GPRReg valueGP
             doneCases.append(m_jit.jump());
 
             checkObjectCase.link(m_jit);
-            failureCases.append(m_jit.branchIfNotCell(valueGPR, DoNotHaveTagRegisters));
-            failureCases.append(m_jit.branchIfNotType(valueGPR, JSType::WebAssemblyGCObjectType));
+            if (!typedValue.type().definitelyIsCellOrNull())
+                failureCases.append(m_jit.branchIfNotCell(valueGPR, DoNotHaveTagRegisters));
+            if (!typedValue.type().definitelyIsWasmGCObjectOrNull())
+                failureCases.append(m_jit.branchIfNotType(valueGPR, JSType::WebAssemblyGCObjectType));
             break;
         }
         case Wasm::TypeKind::I31ref: {
@@ -2416,8 +2418,10 @@ void BBQJIT::emitRefTestOrCast(const TypedExpression& typedValue, GPRReg valueGP
         }
         case Wasm::TypeKind::Arrayref:
         case Wasm::TypeKind::Structref: {
-            failureCases.append(m_jit.branchIfNotCell(valueGPR, DoNotHaveTagRegisters));
-            failureCases.append(m_jit.branchIfNotType(valueGPR, JSType::WebAssemblyGCObjectType));
+            if (!typedValue.type().definitelyIsCellOrNull())
+                failureCases.append(m_jit.branchIfNotCell(valueGPR, DoNotHaveTagRegisters));
+            if (!typedValue.type().definitelyIsWasmGCObjectOrNull())
+                failureCases.append(m_jit.branchIfNotType(valueGPR, JSType::WebAssemblyGCObjectType));
             m_jit.emitLoadStructure(valueGPR, wasmScratchGPR);
             m_jit.loadPtr(Address(wasmScratchGPR, WebAssemblyGCStructure::offsetOfRTT()), wasmScratchGPR);
             failureCases.append(m_jit.branch8(CCallHelpers::NotEqual, Address(wasmScratchGPR, RTT::offsetOfKind()), TrustedImm32(static_cast<int32_t>(static_cast<TypeKind>(toHeapType) == Wasm::TypeKind::Arrayref ? RTTKind::Array : RTTKind::Struct))));
@@ -2432,9 +2436,10 @@ void BBQJIT::emitRefTestOrCast(const TypedExpression& typedValue, GPRReg valueGP
             m_jit.loadPtr(Address(valueGPR, WebAssemblyFunctionBase::offsetOfRTT()), wasmScratchGPR);
         else {
             // The cell check is only needed for non-functions, as the typechecker does not allow non-Cell values for funcref casts.
-            // FIXME: We only need this check if reference has a type that could include non-cells.
-            failureCases.append(m_jit.branchIfNotCell(valueGPR, DoNotHaveTagRegisters));
-            failureCases.append(m_jit.branchIfNotType(valueGPR, JSType::WebAssemblyGCObjectType));
+            if (!typedValue.type().definitelyIsCellOrNull())
+                failureCases.append(m_jit.branchIfNotCell(valueGPR, DoNotHaveTagRegisters));
+            if (!typedValue.type().definitelyIsWasmGCObjectOrNull())
+                failureCases.append(m_jit.branchIfNotType(valueGPR, JSType::WebAssemblyGCObjectType));
             m_jit.emitLoadStructure(valueGPR, wasmScratchGPR);
             m_jit.loadPtr(Address(wasmScratchGPR, WebAssemblyGCStructure::offsetOfRTT()), wasmScratchGPR);
         }

Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp

@@ -3697,9 +3697,12 @@ void OMGIRGenerator::emitRefTestOrCast(CastKind castKind, TypedExpression refere
             endBlock->addPredecessor(m_currentBlock);
 
             m_currentBlock = checkObject;
-            emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, BitAnd, origin(), value, constant(pointerType(), JSValue::NotCellMask)), castFailure, falseBlock);
-            Value* jsType = m_currentBlock->appendNew<MemoryValue>(m_proc, Load8Z, Int32, origin(), value, safeCast<int32_t>(JSCell::typeInfoTypeOffset()));
-            emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, NotEqual, origin(), jsType, constant(Int32, JSType::WebAssemblyGCObjectType)), castFailure, falseBlock);
+            if (!reference.type().definitelyIsCellOrNull())
+                emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, BitAnd, origin(), value, constant(pointerType(), JSValue::NotCellMask)), castFailure, falseBlock);
+            if (!reference.type().definitelyIsWasmGCObjectOrNull()) {
+                Value* jsType = m_currentBlock->appendNew<MemoryValue>(m_proc, Load8Z, Int32, origin(), value, safeCast<int32_t>(JSCell::typeInfoTypeOffset()));
+                emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, NotEqual, origin(), jsType, constant(Int32, JSType::WebAssemblyGCObjectType)), castFailure, falseBlock);
+            }
             break;
         }
         case Wasm::TypeKind::I31ref: {
@@ -3711,9 +3714,12 @@ void OMGIRGenerator::emitRefTestOrCast(CastKind castKind, TypedExpression refere
         }
         case Wasm::TypeKind::Arrayref:
         case Wasm::TypeKind::Structref: {
-            emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, BitAnd, origin(), value, constant(pointerType(), JSValue::NotCellMask)), castFailure, falseBlock);
-            Value* jsType = m_currentBlock->appendNew<MemoryValue>(m_proc, Load8Z, Int32, origin(), value, safeCast<int32_t>(JSCell::typeInfoTypeOffset()));
-            emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, NotEqual, origin(), jsType, constant(Int32, JSType::WebAssemblyGCObjectType)), castFailure, falseBlock);
+            if (!reference.type().definitelyIsCellOrNull())
+                emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, BitAnd, origin(), value, constant(pointerType(), JSValue::NotCellMask)), castFailure, falseBlock);
+            if (!reference.type().definitelyIsWasmGCObjectOrNull()) {
+                Value* jsType = m_currentBlock->appendNew<MemoryValue>(m_proc, Load8Z, Int32, origin(), value, safeCast<int32_t>(JSCell::typeInfoTypeOffset()));
+                emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, NotEqual, origin(), jsType, constant(Int32, JSType::WebAssemblyGCObjectType)), castFailure, falseBlock);
+            }
             Value* rtt = emitLoadRTTFromObject(value);
             emitCheckOrBranchForCast(castKind, emitNotRTTKind(rtt, static_cast<TypeKind>(toHeapType) == Wasm::TypeKind::Arrayref ? RTTKind::Array : RTTKind::Struct), castFailure, falseBlock);
             break;
@@ -3730,10 +3736,12 @@ void OMGIRGenerator::emitRefTestOrCast(CastKind castKind, TypedExpression refere
             rtt = emitLoadRTTFromFuncref(value);
         else {
             // The cell check is only needed for non-functions, as the typechecker does not allow non-Cell values for funcref casts.
-            // FIXME: We only need this check if reference has a type that could include non-cells.
-            emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, BitAnd, origin(), value, constant(Int64, JSValue::NotCellMask)), castFailure, falseBlock);
-            Value* jsType = m_currentBlock->appendNew<MemoryValue>(m_proc, Load8Z, Int32, origin(), value, safeCast<int32_t>(JSCell::typeInfoTypeOffset()));
-            emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, NotEqual, origin(), jsType, constant(Int32, JSType::WebAssemblyGCObjectType)), castFailure, falseBlock);
+            if (!reference.type().definitelyIsCellOrNull())
+                emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, BitAnd, origin(), value, constant(Int64, JSValue::NotCellMask)), castFailure, falseBlock);
+            if (!reference.type().definitelyIsWasmGCObjectOrNull()) {
+                Value* jsType = m_currentBlock->appendNew<MemoryValue>(m_proc, Load8Z, Int32, origin(), value, safeCast<int32_t>(JSCell::typeInfoTypeOffset()));
+                emitCheckOrBranchForCast(castKind, m_currentBlock->appendNew<Value>(m_proc, NotEqual, origin(), jsType, constant(Int32, JSType::WebAssemblyGCObjectType)), castFailure, falseBlock);
+            }
             rtt = emitLoadRTTFromObject(value);
         }
 

Source/JavaScriptCore/wasm/WasmTypeDefinition.cpp

@@ -1176,6 +1176,48 @@ void TypeInformation::tryCleanup()
     } while (changed);
 }
 
+bool Type::definitelyIsCellOrNull() const
+{
+    if (!isRefType(*this))
+        return false;
+
+    if (typeIndexIsType(index)) {
+        switch (static_cast<TypeKind>(index)) {
+        case TypeKind::Funcref:
+        case TypeKind::Arrayref:
+        case TypeKind::Structref:
+        case TypeKind::Exn:
+            return true;
+        default:
+            return false;
+        }
+    }
+    return true;
+}
+
+bool Type::definitelyIsWasmGCObjectOrNull() const
+{
+    if (!isRefType(*this))
+        return false;
+
+    if (typeIndexIsType(index)) {
+        switch (static_cast<TypeKind>(index)) {
+        case TypeKind::Arrayref:
+        case TypeKind::Structref:
+            return true;
+        default:
+            return false;
+        }
+    }
+
+    const TypeDefinition& def = TypeInformation::get(index).expand();
+    if (def.is<Wasm::StructType>())
+        return true;
+    if (def.is<Wasm::ArrayType>())
+        return true;
+    return false;
+}
+
 } } // namespace JSC::Wasm
 
 WTF_ALLOW_UNSAFE_BUFFER_USAGE_END

Source/JavaScriptCore/wasm/generateWasmOpsHeader.py

@@ -276,6 +276,10 @@ def atomicMemoryLog2AlignmentGenerator(filter):
         return kind == TypeKind::RefNull || kind == TypeKind::Externref || kind == TypeKind::Funcref;
     }
 
+    // Saying conservatively.
+    bool definitelyIsCellOrNull() const;
+    bool definitelyIsWasmGCObjectOrNull() const;
+
     void dump(PrintStream& out) const;
     Width width() const;