Changeset 220404 in webkit


Timestamp:
Aug 8, 2017 9:00:06 AM (7 years ago)
Author:
Ryan Haddad
Message:

Unreviewed, rolling out r220368.

This change caused WK1 tests to exit early with crashes.

Reverted changeset:

"Baseline JIT should do caging"
https://bugs.webkit.org/show_bug.cgi?id=175037
http://trac.webkit.org/changeset/220368

Location:
trunk/Source
Files:
14 edited

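--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,14 @@
+2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
+
+        Unreviewed, rolling out r220368.
+
+        This change caused WK1 tests to exit early with crashes.
+
+        Reverted changeset:
+
+        "Baseline JIT should do caging"
+        https://bugs.webkit.org/show_bug.cgi?id=175037
+        http://trac.webkit.org/changeset/220368
+
 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
 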
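--- a/trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp
+++ b/trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp
@@ -528,6 +528,4 @@
                     CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
                     loadedValueGPR);
-                // FIXME: Do caging!
-                // https://bugs.webkit.org/show_bug.cgi?id=175295
                 storageGPR = loadedValueGPR;
             }
@@ -880,6 +878,4 @@
 
                     jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
-                    // FIXME: Do caging!
-                    // https://bugs.webkit.org/show_bug.cgi?id=175295
 
                     // We have scratchGPR = new storage, scratchGPR3 = old storage,
@@ -960,9 +956,6 @@
                     offsetInInlineStorage(m_offset) * sizeof(JSValue)));
         } else {
-            if (!allocating) {
+            if (!allocating)
                 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
-                // FIXME: Do caging!
-                // https://bugs.webkit.org/show_bug.cgi?id=175295
-            }
             jit.storeValue(
                 valueRegs,
@@ -1000,6 +993,4 @@
     case ArrayLength: {
         jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
         jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
         state.failAndIgnore.append(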
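Review bot: On the new side of all four hunks here (around lines 530, 878, 959 and 994) the butterfly pointer is loaded and dereferenced with neither a cage step nor the marker that flagged the load as uncaged, and the same holds for the six hunks in InlineAccess.cpp. Reverting the caging code is the purpose of this commit, but dropping the reminder leaves nothing in the IC emitters recording that these loads are still uncaged, while the rollback in JITPropertyAccess.cpp restores a "FIXME: Should do caging." above every equivalent butterfly load, so the two files now disagree. I would keep a one-line marker above each load in both files, e.g. `// FIXME: This butterfly load is not caged. https://bugs.webkit.org/show_bug.cgi?id=175295`, so the gap stays visible to whoever lands the next attempt. The enclosing functions start and end outside these hunks.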
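--- a/trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp
+++ b/trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp
@@ -58,6 +58,4 @@
             CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
         jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
         jit.boxInt32(scratchGPR, regs);
@@ -76,6 +74,4 @@
             CCallHelpers::Address(base, JSObject::butterflyOffset()),
             value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
         GPRReg storageGPR = value;
         jit.loadValue(
@@ -121,6 +117,4 @@
 
         jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
         jit.storeValue(
             regs,
@@ -177,6 +171,4 @@
     else {
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
         storage = value.payloadGPR();
     }
@@ -240,6 +232,4 @@
         ASSERT(storage != InvalidGPRReg);
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
     }
 
@@ -280,6 +270,4 @@
         CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
     jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
-    // FIXME: Do caging!
-    // https://bugs.webkit.org/show_bug.cgi?id=175295
     jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
     jit.boxInt32(value.payloadGPR(), value);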
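--- a/trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+++ b/trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -11617,8 +11617,5 @@
     LValue caged(Gigacage::Kind kind, LValue ptr)
     {
-        if (!Gigacage::shouldBeEnabled())
-            return ptr;
-        
-        if (kind == Gigacage::Primitive && Gigacage::canPrimitiveGigacageBeDisabled()) {
+        if (kind == Gigacage::Primitive) {
             if (vm().primitiveGigacageEnabled().isStillValid())
                 m_graph.watchpoints().addLazily(vm().primitiveGigacageEnabled());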
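Review bot: `caged` has no comment saying why the Primitive branch (new lines 11619-11621) lazily registers a watchpoint on `vm().primitiveGigacageEnabled()`, and with the `shouldBeEnabled()` early return gone the intent is even less visible; the function continues past the hunk. The jsc.cpp and WebProcess.cpp hunks in this same changeset show that the primitive gigacage can be disabled at runtime through `addPrimitiveDisableCallback`, which is presumably why compiled code that assumes the cage must be invalidated when that happens. A one-line note above the `if` would carry that: `// The primitive gigacage can be disabled at runtime; watch it so code compiled with the cage applied is invalidated if that happens.`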
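--- a/trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h
+++ b/trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h
@@ -1310,39 +1310,4 @@
         storeFence();
         ok.link(this);
-    }
-    
-    void cage(Gigacage::Kind kind, GPRReg storage)
-    {
-#if GIGACAGE_ENABLED
-        if (!Gigacage::shouldBeEnabled())
-            return;
-        
-        andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
-        addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
-#else
-        UNUSED_PARAM(kind);
-        UNUSED_PARAM(storage);
-#endif
-    }
-    
-    void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratch)
-    {
-#if GIGACAGE_ENABLED
-        if (!Gigacage::shouldBeEnabled())
-            return;
-        
-        if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled())
-            return cage(kind, storage);
-        
-        loadPtr(Gigacage::basePtr(kind), scratch);
-        Jump done = branchTestPtr(Zero, scratch);
-        andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
-        addPtr(scratch, storage);
-        done.link(this);
-#else
-        UNUSED_PARAM(kind);
-        UNUSED_PARAM(storage);
-        UNUSED_PARAM(scratch);
-#endif
     }
    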
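--- a/trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
+++ b/trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
@@ -173,6 +173,7 @@
    
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape));
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
     loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
@@ -187,6 +188,7 @@
    
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape));
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
     load64(BaseIndex(regT2, regT1, TimesEight), regT0);
@@ -203,6 +205,7 @@
     badType = patchableBranch32(Above, regT3, TrustedImm32(SlowPutArrayStorageShape - ArrayStorageShape));
 
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
@@ -351,6 +354,7 @@
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
    
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    cage(Gigacage::JSValue, regT2);
     Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()));
 
@@ -407,6 +411,7 @@
    
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
@@ -919,6 +924,7 @@
                 isOutOfLine.link(this);
             }
+            // FIXME: Should do caging.
+            // https://bugs.webkit.org/show_bug.cgi?id=175037
             loadPtr(Address(base, JSObject::butterflyOffset()), scratch);
-            cage(Gigacage::JSValue, scratch);
             neg32(offset);
             signExtend32ToPtr(offset, offset);
@@ -1061,6 +1067,7 @@
             emitGetVirtualRegister(value, regT2);
            
+            // FIXME: Should do caging.
+            // https://bugs.webkit.org/show_bug.cgi?id=175037
             loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
-            cage(Gigacage::JSValue, regT0);
             loadPtr(operandSlot, regT1);
             negPtr(regT1);
@@ -1570,5 +1577,4 @@
     RegisterID resultPayload = regT0;
     RegisterID scratch = regT3;
-    RegisterID scratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1577,5 +1583,4 @@
     RegisterID resultTag = regT1;
     RegisterID scratch = regT3;
-    RegisterID scratch2 = regT4;
 #endif
    
@@ -1585,6 +1590,7 @@
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
-    cageConditionally(Gigacage::Primitive, scratch, scratch2);
    
     switch (elementSize(type)) {
@@ -1644,5 +1650,4 @@
     RegisterID resultPayload = regT0;
     RegisterID scratch = regT3;
-    RegisterID scratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1651,5 +1656,4 @@
     RegisterID resultTag = regT1;
     RegisterID scratch = regT3;
-    RegisterID scratch2 = regT4;
 #endif
    
@@ -1659,6 +1663,7 @@
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
-    cageConditionally(Gigacage::Primitive, scratch, scratch2);
    
     switch (elementSize(type)) {
@@ -1701,5 +1706,4 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT2;
-    RegisterID lateScratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1707,5 +1711,4 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT1;
-    RegisterID lateScratch2 = regT4;
 #endif
    
@@ -1729,6 +1732,7 @@
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
-    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
    
     if (isClamped(type)) {
@@ -1774,5 +1778,4 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT2;
-    RegisterID lateScratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1780,5 +1783,4 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT1;
-    RegisterID lateScratch2 = regT4;
 #endif
    
@@ -1815,6 +1817,7 @@
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
-    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
    
     switch (elementSize(type)) {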
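Review bot: The FIXME restored above the typed-array vector loads (new lines 1592, 1665, 1734 and 1819) says only "Should do caging.", which hides what the removed lines make plain: this path used the conditional form of caging with an extra scratch register (regT4), unlike the butterfly loads earlier in the file that used the unconditional form. Recording that in the restored comment would save the next attempt from re-deriving it, e.g. `// FIXME: Should do caging. The primitive gigacage can be disabled at runtime, so this path needs a conditional cage and a spare scratch register.` The enclosing emitters start and end outside these hunks.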
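--- a/trunk/Source/JavaScriptCore/jsc.cpp
+++ b/trunk/Source/JavaScriptCore/jsc.cpp
@@ -3803,4 +3803,10 @@
 }
 
+static void primitiveGigacageDisabled(void*)
+{
+    dataLog("Primitive gigacage disabled! Aborting.\n");
+    UNREACHABLE_FOR_PLATFORM();
+}
+
 int jscmain(int argc, char** argv)
 {
@@ -3821,5 +3827,6 @@
     JSC::Wasm::enableFastMemory();
 #endif
-    Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled();
+    if (Gigacage::shouldBeEnabled())
+        Gigacage::addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
 
     int result;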
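Review bot: `primitiveGigacageDisabled` (new lines 3805-3809) relies on `UNREACHABLE_FOR_PLATFORM()` to stop the process, and whether that is a guaranteed trap or only a debug-build assertion or compiler hint depends on how WTF defines it for this build, which the hunk does not show. If it is the assert-only form, a release jsc would print the message and carry on with the primitive gigacage disabled, which is exactly the condition this callback exists to refuse; `RELEASE_ASSERT_NOT_REACHED()` or `CRASH()` would make the stop unconditional. The same applies to the callback of the same name added in WebProcess.cpp (new lines 149-152), which in addition emits no message before stopping, so a crash there leaves no indication of the cause; a `dataLog` line mirroring this one would help triage.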
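--- a/trunk/Source/WTF/ChangeLog
+++ b/trunk/Source/WTF/ChangeLog
@@ -1,2 +1,14 @@
+2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
+
+        Unreviewed, rolling out r220368.
+
+        This change caused WK1 tests to exit early with crashes.
+
+        Reverted changeset:
+
+        "Baseline JIT should do caging"
+        https://bugs.webkit.org/show_bug.cgi?id=175037
+        http://trac.webkit.org/changeset/220368
+
 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
 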
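--- a/trunk/Source/WTF/wtf/Gigacage.h
+++ b/trunk/Source/WTF/wtf/Gigacage.h
@@ -50,10 +50,4 @@
 inline void removePrimitiveDisableCallback(void (*)(void*), void*) { }
 
-inline void disableDisablingPrimitiveGigacageIfShouldBeEnabled() { }
-
-inline bool isDisablingPrimitiveGigacageDisabled() { return false; }
-inline bool isPrimitiveGigacagePermanentlyEnabled() { return false; }
-inline bool canPrimitiveGigacageBeDisabled() { return true; }
-
 ALWAYS_INLINE const char* name(Kind kind)
 {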
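--- a/trunk/Source/WebKit/ChangeLog
+++ b/trunk/Source/WebKit/ChangeLog
@@ -1,2 +1,14 @@
+2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
+
+        Unreviewed, rolling out r220368.
+
+        This change caused WK1 tests to exit early with crashes.
+
+        Reverted changeset:
+
+        "Baseline JIT should do caging"
+        https://bugs.webkit.org/show_bug.cgi?id=175037
+        http://trac.webkit.org/changeset/220368
+
 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
 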
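--- a/trunk/Source/WebKit/WebProcess/WebProcess.cpp
+++ b/trunk/Source/WebKit/WebProcess/WebProcess.cpp
@@ -147,4 +147,9 @@
 namespace WebKit {
 
+static void primitiveGigacageDisabled(void*)
+{
+    UNREACHABLE_FOR_PLATFORM();
+}
+
 WebProcess& WebProcess::singleton()
 {
@@ -198,5 +203,6 @@
     });
 
-    Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled();
+    if (Gigacage::shouldBeEnabled())
+        Gigacage::addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
 }
 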
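--- a/trunk/Source/bmalloc/ChangeLog
+++ b/trunk/Source/bmalloc/ChangeLog
@@ -1,2 +1,14 @@
+2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
+
+        Unreviewed, rolling out r220368.
+
+        This change caused WK1 tests to exit early with crashes.
+
+        Reverted changeset:
+
+        "Baseline JIT should do caging"
+        https://bugs.webkit.org/show_bug.cgi?id=175037
+        http://trac.webkit.org/changeset/220368
+
 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
 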
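--- a/trunk/Source/bmalloc/bmalloc/Gigacage.cpp
+++ b/trunk/Source/bmalloc/bmalloc/Gigacage.cpp
@@ -41,6 +41,4 @@
 
 namespace Gigacage {
-
-static bool s_isDisablingPrimitiveGigacageDisabled;
 
 struct Callback {
@@ -134,26 +132,4 @@
 }
 
-static bool False;
-
-static void primitiveGigacageDisabled(void*)
-{
-    fprintf(stderr, "FATAL: Primitive gigacage disabled, but we don't want that in this process\n");
-    if (!False)
-        BCRASH();
-}
-
-void disableDisablingPrimitiveGigacageIfShouldBeEnabled()
-{
-    if (shouldBeEnabled()) {
-        addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
-        s_isDisablingPrimitiveGigacageDisabled = true;
-    }
-}
-
-bool isDisablingPrimitiveGigacageDisabled()
-{
-    return s_isDisablingPrimitiveGigacageDisabled;
-}
-
 bool shouldBeEnabled()
 {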
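--- a/trunk/Source/bmalloc/bmalloc/Gigacage.h
+++ b/trunk/Source/bmalloc/bmalloc/Gigacage.h
@@ -64,10 +64,4 @@
 BEXPORT void removePrimitiveDisableCallback(void (*)(void*), void*);
 
-BEXPORT void disableDisablingPrimitiveGigacageIfShouldBeEnabled();
-
-BEXPORT bool isDisablingPrimitiveGigacageDisabled();
-inline bool isPrimitiveGigacagePermanentlyEnabled() { return isDisablingPrimitiveGigacageDisabled(); }
-inline bool canPrimitiveGigacageBeDisabled() { return !isDisablingPrimitiveGigacageDisabled(); }
-
 BINLINE const char* name(Kind kind)
 {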