Changeset 220441 in webkit

Timestamp:

Aug 8, 2017 8:48:44 PM (7 years ago)

Author:

fpizlo@apple.com

Message:

ICs should do caging
​https://bugs.webkit.org/show_bug.cgi?id=175295

Reviewed by Saam Barati.

Adds the appropriate cage() calls in our inline caches.

• bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

• bytecode/InlineAccess.cpp:

(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/AccessCase.cpp (modified) (4 diffs)
• bytecode/InlineAccess.cpp (modified) (6 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-08-08  Filip Pizlo  <fpizlo@apple.com>
+
+        ICs should do caging
+        https://bugs.webkit.org/show_bug.cgi?id=175295
+
+        Reviewed by Saam Barati.
+        
+        Adds the appropriate cage() calls in our inline caches.
+
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateImpl):
+        * bytecode/InlineAccess.cpp:
+        (JSC::InlineAccess::dumpCacheSizesAndCrash):
+        (JSC::InlineAccess::generateSelfPropertyAccess):
+        (JSC::InlineAccess::generateSelfPropertyReplace):
+        (JSC::InlineAccess::generateArrayLength):
+
 2017-08-08  Devin Rousso  <drousso@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

@@ -528 +528 @@
                     CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
                     loadedValueGPR);
-                // FIXME: Do caging!
-                // https://bugs.webkit.org/show_bug.cgi?id=175295
+                jit.cage(Gigacage::JSValue, loadedValueGPR);
                 storageGPR = loadedValueGPR;
             }
@@ -880 +879 @@
 
                     jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
-                    // FIXME: Do caging!
-                    // https://bugs.webkit.org/show_bug.cgi?id=175295
+                    jit.cage(Gigacage::JSValue, scratchGPR3);
 
                     // We have scratchGPR = new storage, scratchGPR3 = old storage,
@@ -962 +960 @@
             if (!allocating) {
                 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
-                // FIXME: Do caging!
-                // https://bugs.webkit.org/show_bug.cgi?id=175295
+                jit.cage(Gigacage::JSValue, scratchGPR);
             }
             jit.storeValue(
@@ -1000 +997 @@
     case ArrayLength: {
         jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, scratchGPR);
         jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
         state.failAndIgnore.append(

trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp

@@ -58 +58 @@
             CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value);
         jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
         jit.boxInt32(scratchGPR, regs);
@@ -76 +75 @@
             CCallHelpers::Address(base, JSObject::butterflyOffset()),
             value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value);
         GPRReg storageGPR = value;
         jit.loadValue(
@@ -121 +119 @@
 
         jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value);
         jit.storeValue(
             regs,
@@ -177 +174 @@
     else {
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value.payloadGPR());
         storage = value.payloadGPR();
     }
@@ -240 +236 @@
         ASSERT(storage != InvalidGPRReg);
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, storage);
     }
 
@@ -280 +275 @@
         CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
     jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
-    // FIXME: Do caging!
-    // https://bugs.webkit.org/show_bug.cgi?id=175295
+    jit.cage(Gigacage::JSValue, value.payloadGPR());
     jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
     jit.boxInt32(value.payloadGPR(), value);