Changeset 220628 in webkit


Timestamp:
Aug 12, 2017 6:59:16 PM (7 years ago)
Author:
fpizlo@apple.com
Message:

FTL's compileGetTypedArrayByteOffset needs to do caging
https://bugs.webkit.org/show_bug.cgi?id=175366

Reviewed by Saam Barati.

While implementing caging in the DFG, I noticed that there was some missing caging in the FTL. This
fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):

  • runtime/ArrayBuffer.h:
  • runtime/ArrayBufferView.h:
  • runtime/JSArrayBufferView.h:
Location:
trunk/Source/JavaScriptCore
Files:
6 edited

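--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,21 @@
+2017-08-12  Filip Pizlo  <fpizlo@apple.com>
+
+        FTL's compileGetTypedArrayByteOffset needs to do caging
+        https://bugs.webkit.org/show_bug.cgi?id=175366
+
+        Reviewed by Saam Barati.
+
+        While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
+        fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
+        (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
+        * runtime/ArrayBuffer.h:
+        * runtime/ArrayBufferView.h:
+        * runtime/JSArrayBufferView.h:
+
 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
 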
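--- a/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -6199,4 +6199,6 @@
     nullVector.link(&m_jit);
     m_jit.loadPtr(MacroAssembler::Address(dataGPR, Butterfly::offsetOfArrayBuffer()), dataGPR);
+    // FIXME: This needs caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175515
     m_jit.loadPtr(MacroAssembler::Address(dataGPR, ArrayBuffer::offsetOfData()), dataGPR);
     m_jit.subPtr(dataGPR, vectorGPR);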
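--- a/trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+++ b/trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -3310,9 +3310,11 @@
         m_out.appendTo(wastefulCase, continuation);
 
-        // FIXME: This needs to do caging.
-        // https://bugs.webkit.org/show_bug.cgi?id=175366
-        LValue vectorPtr = m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_vector);
-        LValue butterflyPtr = m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly);
+        LValue vectorPtr = cagedMayBeNull(
+            Gigacage::Primitive,
+            m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_vector));
+        LValue butterflyPtr = caged(Gigacage::JSValue, m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly));
         LValue arrayBufferPtr = m_out.loadPtr(butterflyPtr, m_heaps.Butterfly_arrayBuffer);
+        // FIXME: This needs caging.
+        // https://bugs.webkit.org/show_bug.cgi?id=175515
         LValue dataPtr = m_out.loadPtr(arrayBufferPtr, m_heaps.ArrayBuffer_data);
 
@@ -11642,4 +11644,22 @@
         // https://bugs.webkit.org/show_bug.cgi?id=175493
         return m_out.opaque(result);
+    }
+
+    LValue cagedMayBeNull(Gigacage::Kind kind, LValue ptr)
+    {
+        LBasicBlock notNull = m_out.newBlock();
+        LBasicBlock continuation = m_out.newBlock();
+
+        LBasicBlock lastNext = m_out.insertNewBlocksBefore(notNull);
+
+        ValueFromBlock nullResult = m_out.anchor(ptr);
+        m_out.branch(ptr, unsure(notNull), unsure(continuation));
+
+        m_out.appendTo(notNull, continuation);
+        ValueFromBlock notNullResult = m_out.anchor(caged(kind, ptr));
+        m_out.jump(continuation);
+
+        m_out.appendTo(continuation, lastNext);
+        return m_out.phi(pointerType(), nullResult, notNullResult);
     }
 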
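Review bot: `cagedMayBeNull` has no comment saying why a null pointer must bypass `caged()` rather than flow through it, and that null branch is the only thing separating it from `caged`, so a later cleanup could fold the two together and silently change what a null vector lowers to. A one-line header above the declaration would pin it down: `// Like caged(), but passes nullptr through untouched (presumably because caging rebases the pointer into the cage and would turn null into a non-null in-cage address); use for fields that may legitimately be null.` — the parenthetical should be confirmed against caged() before landing it as fact. In compileGetTypedArrayByteOffset the same asymmetry is visible but unexplained: the vector goes through `cagedMayBeNull` while the butterfly goes through plain `caged`, so a note such as `// The vector may be null on the wasteful path; the butterfly is assumed non-null here.` next to those two loads would tell a reader which assumption each call encodes. The FIXME left on the `dataPtr` load is the right call, but until 175515 lands the byte offset this function produces is computed from an uncaged `ArrayBuffer::m_data` and should not be treated by callers as a trusted, in-cage quantity. compileGetTypedArrayByteOffset starts before this hunk, and the method preceding cagedMayBeNull in the second hunk is cut off at its top.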
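--- a/trunk/Source/JavaScriptCore/runtime/ArrayBuffer.h
+++ b/trunk/Source/JavaScriptCore/runtime/ArrayBuffer.h
@@ -51,4 +51,6 @@
 
 private:
+    // FIXME: This should be CagedPtr<>.
+    // https://bugs.webkit.org/show_bug.cgi?id=175515
     void* m_data;
     ArrayBufferDestructorFunction m_destructor;
@@ -96,4 +98,6 @@
     ArrayBufferDestructorFunction m_destructor;
     RefPtr<SharedArrayBufferContents> m_shared;
+    // FIXME: This should be CagedPtr<>.
+    // https://bugs.webkit.org/show_bug.cgi?id=175515
     void* m_data;
     unsigned m_sizeInBytes;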
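--- a/trunk/Source/JavaScriptCore/runtime/ArrayBufferView.h
+++ b/trunk/Source/JavaScriptCore/runtime/ArrayBufferView.h
@@ -148,4 +148,6 @@
 
     // This is the address of the ArrayBuffer's storage, plus the byte offset.
+    // FIXME: This should be CagedPtr<>.
+    // https://bugs.webkit.org/show_bug.cgi?id=175515
     void* m_baseAddress;
 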
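--- a/trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h
@@ -141,4 +141,6 @@
     private:
         Structure* m_structure;
+        // FIXME: This should be CagedPtr<>.
+        // https://bugs.webkit.org/show_bug.cgi?id=175515
         void* m_vector;
         uint32_t m_length;
@@ -191,4 +193,6 @@
     static String toStringName(const JSObject*, ExecState*);
 
+    // FIXME: This should be CagedBarrierPtr<>.
+    // https://bugs.webkit.org/show_bug.cgi?id=175515
     AuxiliaryBarrier<void*> m_vector;
     uint32_t m_length;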