Changeset 220624 in webkit

Timestamp:

Aug 12, 2017 11:40:07 AM (7 years ago)

Author:

fpizlo@apple.com

Message:

ScopedArguments overflow storage needs to be in the JSValue gigacage
​https://bugs.webkit.org/show_bug.cgi?id=174923

Reviewed by Saam Barati.

ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
object into the JSValue gigacage.

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitScopedArgumentsGetByVal):

• runtime/ScopedArguments.h:

(JSC::ScopedArguments::subspaceFor):
(JSC::ScopedArguments::overflowStorage const):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• jit/JITPropertyAccess.cpp (modified) (1 diff)
• runtime/ScopedArguments.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-08-11  Filip Pizlo  <fpizlo@apple.com>
+
+        ScopedArguments overflow storage needs to be in the JSValue gigacage
+        https://bugs.webkit.org/show_bug.cgi?id=174923
+
+        Reviewed by Saam Barati.
+        
+        ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
+        object into the JSValue gigacage.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitScopedArgumentsGetByVal):
+        * runtime/ScopedArguments.h:
+        (JSC::ScopedArguments::subspaceFor):
+        (JSC::ScopedArguments::overflowStorage const):
+
 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -6326 +6326 @@
     m_jit.neg32(scratch2Reg);
     
+    m_jit.cage(Gigacage::JSValue, baseReg);
+    
     m_jit.loadValue(
         MacroAssembler::BaseIndex(

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -3566 +3566 @@
             m_out.appendTo(overflowCase, continuation);
             
-            // FIXME: I guess we need to cage overflow storage?
-            // https://bugs.webkit.org/show_bug.cgi?id=174923
             address = m_out.baseIndex(
-                m_heaps.ScopedArguments_overflowStorage, base,
+                m_heaps.ScopedArguments_overflowStorage, caged(Gigacage::JSValue, base),
                 m_out.zeroExtPtr(m_out.sub(index, namedLength)));
             LValue overflowValue = m_out.load64(address);

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -1552 +1552 @@
     sub32(property, scratch2);
     neg32(scratch2);
+    cage(Gigacage::JSValue, base);
     loadValue(BaseIndex(base, scratch2, TimesEight, ScopedArguments::overflowStorageOffset()), result);
     slowCases.append(branchIfEmpty(result));

trunk/Source/JavaScriptCore/runtime/ScopedArguments.h

@@ -43 +43 @@
 
 public:
+    template<typename CellType>
+    static Subspace* subspaceFor(VM& vm)
+    {
+        RELEASE_ASSERT(!CellType::needsDestruction);
+        return &vm.jsValueGigacageCellSpace;
+    }
+
     // Creates an arguments object but leaves it uninitialized. This is dangerous if we GC right
     // after allocation.
@@ -155 +162 @@
     {
         return bitwise_cast<WriteBarrier<Unknown>*>(
-            bitwise_cast<char*>(this) + overflowStorageOffset());
+            bitwise_cast<char*>(Gigacage::caged(Gigacage::JSValue, this)) + overflowStorageOffset());
     }
-    
     
     bool m_overrodeThings; // True if length, callee, and caller are fully materialized in the object.