Changeset 230273 in webkit

Timestamp:

Apr 4, 2018 1:29:43 PM (6 years ago)

Author:

fpizlo@apple.com

Message:

Remove poisoning of typed array vector
​https://bugs.webkit.org/show_bug.cgi?id=184313

Reviewed by Saam Barati.

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::checkArray):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):

• ftl/FTLAbstractHeapRepository.h:
• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):

• jit/IntrinsicEmitter.cpp:

(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter64.asm:
• offlineasm/arm64.rb:
• offlineasm/x86.rb:
• runtime/CagedBarrierPtr.h:
• runtime/JSArrayBufferView.cpp:

(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::neuter):

• runtime/JSArrayBufferView.h:

(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::offsetOfVector):
(JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
(JSC::JSArrayBufferView::poisonFor): Deleted.
(JSC::JSArrayBufferView::Poison::key): Deleted.

• runtime/JSCPoison.cpp:

(JSC::initializePoison):

• runtime/JSCPoison.h:
• runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):

• runtime/JSObject.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• dfg/DFGSpeculativeJIT.cpp (modified) (8 diffs)
• ftl/FTLAbstractHeapRepository.h (modified) (2 diffs)
• ftl/FTLLowerDFGToB3.cpp (modified) (5 diffs)
• jit/IntrinsicEmitter.cpp (modified) (2 diffs)
• jit/JITPropertyAccess.cpp (modified) (14 diffs)
• llint/LowLevelInterpreter.asm (modified) (1 diff)
• llint/LowLevelInterpreter64.asm (modified) (9 diffs)
• offlineasm/arm64.rb (modified) (1 diff)
• offlineasm/x86.rb (modified) (2 diffs)
• runtime/CagedBarrierPtr.h (modified) (5 diffs)
• runtime/JSArrayBufferView.cpp (modified) (4 diffs)
• runtime/JSArrayBufferView.h (modified) (6 diffs)
• runtime/JSCPoison.cpp (modified) (3 diffs)
• runtime/JSCPoison.h (modified) (1 diff)
• runtime/JSGenericTypedArrayViewInlines.h (modified) (4 diffs)
• runtime/JSObject.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-04-04  Filip Pizlo  <fpizlo@apple.com>
+
+        Remove poisoning of typed array vector
+        https://bugs.webkit.org/show_bug.cgi?id=184313
+
+        Reviewed by Saam Barati.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::checkArray):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
+        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
+        * ftl/FTLAbstractHeapRepository.h:
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+        (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
+        * jit/IntrinsicEmitter.cpp:
+        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitIntTypedArrayGetByVal):
+        (JSC::JIT::emitFloatTypedArrayGetByVal):
+        (JSC::JIT::emitIntTypedArrayPutByVal):
+        (JSC::JIT::emitFloatTypedArrayPutByVal):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * offlineasm/arm64.rb:
+        * offlineasm/x86.rb:
+        * runtime/CagedBarrierPtr.h:
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::JSArrayBufferView):
+        (JSC::JSArrayBufferView::finalize):
+        (JSC::JSArrayBufferView::neuter):
+        * runtime/JSArrayBufferView.h:
+        (JSC::JSArrayBufferView::vector const):
+        (JSC::JSArrayBufferView::offsetOfVector):
+        (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
+        (JSC::JSArrayBufferView::poisonFor): Deleted.
+        (JSC::JSArrayBufferView::Poison::key): Deleted.
+        * runtime/JSCPoison.cpp:
+        (JSC::initializePoison):
+        * runtime/JSCPoison.h:
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
+        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
+        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
+        * runtime/JSObject.h:
+
 2018-04-03  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -2888 +2888 @@
         }
         
-        ASSERT(arrayMode.type() == Array::String || arrayMode.typedArrayType() != NotTypedArray);
         return m_insertionSet.insertNode(
             m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -2826 +2826 @@
             JITCompiler::Jump hasNullVector = m_jit.branchTestPtr(
                 MacroAssembler::Zero,
-                MacroAssembler::Address(base, JSArrayBufferView::offsetOfPoisonedVector()));
+                MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector()));
             speculationCheck(Uncountable, JSValueSource(), node, hasNullVector);
             notWasteful.link(&m_jit);
@@ -6427 +6427 @@
         ASSERT_UNUSED(typedArrayType, isTypedView(typedArrayType));
 
-        m_jit.loadPtr(JITCompiler::Address(baseReg, JSArrayBufferView::offsetOfPoisonedVector()), storageReg);
-#if ENABLE(POISON)
-        m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSArrayBufferView::poisonFor(typedArrayType)), storageReg);
-#endif
+        m_jit.loadPtr(JITCompiler::Address(baseReg, JSArrayBufferView::offsetOfVector()), storageReg);
         cageTypedArrayStorage(storageReg);
         break;
@@ -6451 +6448 @@
     ASSERT(vectorGPR != dataGPR);
 
-#if ENABLE(POISON)
-    GPRTemporary poison(this);
-    GPRTemporary index(this);
-    GPRReg poisonGPR = poison.gpr();
-    GPRReg indexGPR = index.gpr();
-    GPRReg arrayBufferGPR = poisonGPR;
-#else
     GPRReg arrayBufferGPR = dataGPR;
-#endif
 
     JITCompiler::Jump emptyByteOffset = m_jit.branch32(
@@ -6466 +6455 @@
         TrustedImm32(WastefulTypedArray));
 
-    m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfPoisonedVector()), vectorGPR);
+    m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), vectorGPR);
     JITCompiler::Jump nullVector = m_jit.branchTestPtr(JITCompiler::Zero, vectorGPR);
 
@@ -6472 +6461 @@
     m_jit.cage(Gigacage::JSValue, dataGPR);
 
-#if ENABLE(POISON)
-    m_jit.load8(JITCompiler::Address(baseGPR, JSCell::typeInfoTypeOffset()), indexGPR);
-    m_jit.move(JITCompiler::TrustedImmPtr(&g_typedArrayPoisons), poisonGPR);
-    m_jit.sub32(JITCompiler::TrustedImm32(FirstTypedArrayType), indexGPR);
-    m_jit.and32(JITCompiler::TrustedImm32(TypedArrayPoisonIndexMask), indexGPR);
-    m_jit.loadPtr(JITCompiler::BaseIndex(poisonGPR, indexGPR, JITCompiler::timesPtr()), poisonGPR);
-    m_jit.xorPtr(poisonGPR, vectorGPR);
-#endif
     cageTypedArrayStorage(vectorGPR);
 
@@ -9314 +9295 @@
         storageGPR, m_jit.vm()->primitiveGigacageAuxiliarySpace, scratchGPR, scratchGPR,
         scratchGPR2, slowCases);
-
+    
+    MacroAssembler::Jump done = m_jit.branchTest32(MacroAssembler::Zero, sizeGPR);
     m_jit.move(sizeGPR, scratchGPR);
     if (elementSize(typedArrayType) != 4) {
@@ -9332 +9314 @@
         MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesFour));
     m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit);
+    done.link(&m_jit);
 
     auto butterfly = TrustedImmPtr(nullptr);
@@ -9338 +9321 @@
         slowCases);
 
-#if ENABLE(POISON)
-    m_jit.move(storageGPR, scratchGPR);
-    m_jit.xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(typedArrayType)), scratchGPR);
-    m_jit.storePtr(
-        scratchGPR,
-        MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfPoisonedVector()));
-#else
     m_jit.storePtr(
         storageGPR,
-        MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfPoisonedVector()));
-#endif
+        MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfVector()));
     m_jit.store32(
         sizeGPR,

trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h

@@ -61 +61 @@
     macro(JSArrayBufferView_length, JSArrayBufferView::offsetOfLength()) \
     macro(JSArrayBufferView_mode, JSArrayBufferView::offsetOfMode()) \
-    macro(JSArrayBufferView_poisonedVector, JSArrayBufferView::offsetOfPoisonedVector()) \
+    macro(JSArrayBufferView_vector, JSArrayBufferView::offsetOfVector()) \
     macro(JSCell_cellState, JSCell::cellStateOffset()) \
     macro(JSCell_header, 0) \
@@ -150 +150 @@
     macro(HasOwnPropertyCache, 0, sizeof(HasOwnPropertyCache::Entry)) \
     macro(JSFixedArray_buffer, JSFixedArray::offsetOfData(), sizeof(EncodedJSValue)) \
-    macro(TypedArrayPoisons, 0, sizeof(uintptr_t)) \
-
+    
 #define FOR_EACH_NUMBERED_ABSTRACT_HEAP(macro) \
     macro(properties)

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -3496 +3496 @@
 
         DFG_ASSERT(m_graph, m_node, isTypedView(m_node->arrayMode().typedArrayType()), m_node->arrayMode().typedArrayType());
-        LValue poisonedVector = m_out.loadPtr(cell, m_heaps.JSArrayBufferView_poisonedVector);
-#if ENABLE(POISON)
-        auto typedArrayType = m_node->arrayMode().typedArrayType();
-        LValue vector = m_out.bitXor(m_out.constIntPtr(JSArrayBufferView::poisonFor(typedArrayType)), poisonedVector);
-#else
-        LValue vector = poisonedVector;
-#endif
+        LValue vector = m_out.loadPtr(cell, m_heaps.JSArrayBufferView_vector);
         setStorage(caged(Gigacage::Primitive, vector));
     }
@@ -3541 +3535 @@
         m_out.appendTo(wastefulCase, notNull);
 
-        LValue poisonedVector = m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_poisonedVector);
-        ValueFromBlock nullVectorOut = m_out.anchor(poisonedVector);
-        m_out.branch(poisonedVector, unsure(notNull), unsure(continuation));
+        LValue vector = m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_vector);
+        ValueFromBlock nullVectorOut = m_out.anchor(vector);
+        m_out.branch(vector, unsure(notNull), unsure(continuation));
 
         m_out.appendTo(notNull, continuation);
@@ -3550 +3544 @@
         LValue arrayBufferPtr = m_out.loadPtr(butterflyPtr, m_heaps.Butterfly_arrayBuffer);
 
-#if ENABLE(POISON)
-        LValue jsType = m_out.load8ZeroExt32(basePtr, m_heaps.JSCell_typeInfoType);
-        LValue typeIndex = m_out.sub(jsType, m_out.constInt32(FirstTypedArrayType));
-        LValue maskedTypeIndex = m_out.zeroExtPtr(m_out.bitAnd(typeIndex, m_out.constInt32(TypedArrayPoisonIndexMask)));
-        LValue poisonsBasePtr = m_out.constIntPtr(&g_typedArrayPoisons);
-        LValue poison = m_out.loadPtr(m_out.baseIndex(m_heaps.TypedArrayPoisons, poisonsBasePtr, maskedTypeIndex));
-        poisonedVector = m_out.bitXor(poisonedVector, poison);
-#endif
-        LValue vectorPtr = caged(Gigacage::Primitive, poisonedVector);
+        LValue vectorPtr = caged(Gigacage::Primitive, vector);
 
         // FIXME: This needs caging.
@@ -5926 +5912 @@
                 allocateObject<JSArrayBufferView>(structure, m_out.intPtrZero, slowCase);
 
-#if ENABLE(POISON)
-            storage = m_out.bitXor(m_out.constIntPtr(JSArrayBufferView::poisonFor(typedArrayType)), storage);
-#endif
-            m_out.storePtr(storage, fastResultValue, m_heaps.JSArrayBufferView_poisonedVector);
+            m_out.storePtr(storage, fastResultValue, m_heaps.JSArrayBufferView_vector);
             m_out.store32(size, fastResultValue, m_heaps.JSArrayBufferView_length);
             m_out.store32(m_out.constInt32(FastTypedArray), fastResultValue, m_heaps.JSArrayBufferView_mode);
@@ -15426 +15409 @@
 
         LBasicBlock lastNext = m_out.appendTo(isWasteful, continuation);
-        LValue vector = m_out.loadPtr(base, m_heaps.JSArrayBufferView_poisonedVector);
+        LValue vector = m_out.loadPtr(base, m_heaps.JSArrayBufferView_vector);
         speculate(Uncountable, jsValueValue(vector), m_node, m_out.isZero64(vector));
         m_out.jump(continuation);

trunk/Source/JavaScriptCore/jit/IntrinsicEmitter.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -108 +108 @@
         GPRReg scratchGPR = state.scratchGPR;
 
-        CCallHelpers::Jump notEmptyByteOffset = jit.branch32(
-            MacroAssembler::Equal,
+        CCallHelpers::Jump emptyByteOffset = jit.branch32(
+            MacroAssembler::NotEqual,
             MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfMode()),
             TrustedImm32(WastefulTypedArray));
 
-        jit.move(TrustedImmPtr(nullptr), valueGPR);
-        CCallHelpers::Jump done = jit.jump();
-
-        notEmptyByteOffset.link(&jit);
-
-        // We need to load the butterfly before the vector because baseGPR and valueGPR
-        // can be the same register.
         jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
-        jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfPoisonedVector()), valueGPR);
-        CCallHelpers::Jump nullVector = jit.branchTestPtr(MacroAssembler::Zero, valueGPR);
-
-#if ENABLE(POISON)
-        auto typedArrayType = structure()->classInfo()->typedArrayStorageType;
-        jit.xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(typedArrayType)), valueGPR);
-#endif
+        jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), valueGPR);
         jit.loadPtr(MacroAssembler::Address(scratchGPR, Butterfly::offsetOfArrayBuffer()), scratchGPR);
         jit.loadPtr(MacroAssembler::Address(scratchGPR, ArrayBuffer::offsetOfData()), scratchGPR);
         jit.subPtr(scratchGPR, valueGPR);
 
-        nullVector.link(&jit);
+        CCallHelpers::Jump done = jit.jump();
+        
+        emptyByteOffset.link(&jit);
+        jit.move(TrustedImmPtr(nullptr), valueGPR);
+        
         done.link(&jit);
         

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1461 +1461 @@
 }
 
-JIT::JumpList JIT::emitIntTypedArrayGetByVal(Instruction*, PatchableJump& badType, TypedArrayType typeArrayType)
-{
-    ASSERT(isInt(typeArrayType));
+JIT::JumpList JIT::emitIntTypedArrayGetByVal(Instruction*, PatchableJump& badType, TypedArrayType type)
+{
+    ASSERT(isInt(type));
     
     // The best way to test the array type is to use the classInfo. We need to do so without
@@ -1484 +1484 @@
     
     JumpList slowCases;
-    JSType jsType = typeForTypedArrayType(typeArrayType);
-
+    
     load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
-    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(jsType));
+    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
-    loadPtr(Address(base, JSArrayBufferView::offsetOfPoisonedVector()), scratch);
-#if ENABLE(POISON)
-    xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(jsType)), scratch);
-#endif
+    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
     cageConditionally(Gigacage::Primitive, scratch, scratch2);
 
-    switch (elementSize(typeArrayType)) {
+    switch (elementSize(type)) {
     case 1:
-        if (JSC::isSigned(typeArrayType))
+        if (JSC::isSigned(type))
             load8SignedExtendTo32(BaseIndex(scratch, property, TimesOne), resultPayload);
         else
@@ -1503 +1499 @@
         break;
     case 2:
-        if (JSC::isSigned(typeArrayType))
+        if (JSC::isSigned(type))
             load16SignedExtendTo32(BaseIndex(scratch, property, TimesTwo), resultPayload);
         else
@@ -1516 +1512 @@
     
     Jump done;
-    if (typeArrayType == TypeUint32) {
+    if (type == TypeUint32) {
         Jump canBeInt = branch32(GreaterThanOrEqual, resultPayload, TrustedImm32(0));
         
@@ -1542 +1538 @@
 }
 
-JIT::JumpList JIT::emitFloatTypedArrayGetByVal(Instruction*, PatchableJump& badType, TypedArrayType typeArrayType)
-{
-    ASSERT(isFloat(typeArrayType));
+JIT::JumpList JIT::emitFloatTypedArrayGetByVal(Instruction*, PatchableJump& badType, TypedArrayType type)
+{
+    ASSERT(isFloat(type));
     
 #if USE(JSVALUE64)
@@ -1562 +1558 @@
     
     JumpList slowCases;
-    JSType jsType = typeForTypedArrayType(typeArrayType);
 
     load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
-    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(jsType));
+    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
-    loadPtr(Address(base, JSArrayBufferView::offsetOfPoisonedVector()), scratch);
-#if ENABLE(POISON)
-    xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(jsType)), scratch);
-#endif
+    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
     cageConditionally(Gigacage::Primitive, scratch, scratch2);
     
-    switch (elementSize(typeArrayType)) {
+    switch (elementSize(type)) {
     case 4:
         loadFloat(BaseIndex(scratch, property, TimesFour), fpRegT0);
@@ -1600 +1592 @@
 }
 
-JIT::JumpList JIT::emitIntTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType typeArrayType)
+JIT::JumpList JIT::emitIntTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType type)
 {
     ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
-    ASSERT(isInt(typeArrayType));
+    ASSERT(isInt(type));
     
     int value = currentInstruction[3].u.operand;
@@ -1622 +1614 @@
     
     JumpList slowCases;
-    JSType jsType = typeForTypedArrayType(typeArrayType);
-
+    
     load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch);
-    badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(jsType));
+    badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
     Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength()));
     emitArrayProfileOutOfBoundsSpecialCase(profile);
@@ -1641 +1632 @@
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
-    loadPtr(Address(base, JSArrayBufferView::offsetOfPoisonedVector()), lateScratch);
-#if ENABLE(POISON)
-    xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(jsType)), lateScratch);
-#endif
+    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
     cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
     
-    if (isClamped(typeArrayType)) {
-        ASSERT(elementSize(typeArrayType) == 1);
-        ASSERT(!JSC::isSigned(typeArrayType));
+    if (isClamped(type)) {
+        ASSERT(elementSize(type) == 1);
+        ASSERT(!JSC::isSigned(type));
         Jump inBounds = branch32(BelowOrEqual, earlyScratch, TrustedImm32(0xff));
         Jump tooBig = branch32(GreaterThan, earlyScratch, TrustedImm32(0xff));
@@ -1660 +1648 @@
     }
     
-    switch (elementSize(typeArrayType)) {
+    switch (elementSize(type)) {
     case 1:
         store8(earlyScratch, BaseIndex(lateScratch, property, TimesOne));
@@ -1677 +1665 @@
 }
 
-JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType typeArrayType)
+JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType type)
 {
     ArrayProfile* profile = currentInstruction[4].u.arrayProfile;
-    ASSERT(isFloat(typeArrayType));
+    ASSERT(isFloat(type));
     
     int value = currentInstruction[3].u.operand;
@@ -1699 +1687 @@
     
     JumpList slowCases;
-    JSType jsType = typeForTypedArrayType(typeArrayType);
-
+    
     load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch);
-    badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(jsType));
+    badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
     Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength()));
     emitArrayProfileOutOfBoundsSpecialCase(profile);
@@ -1731 +1718 @@
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
-    loadPtr(Address(base, JSArrayBufferView::offsetOfPoisonedVector()), lateScratch);
-#if ENABLE(POISON)
-    xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(jsType)), lateScratch);
-#endif
+    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
     cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
     
-    switch (elementSize(typeArrayType)) {
+    switch (elementSize(type)) {
     case 4:
         convertDoubleToFloat(fpRegT0, fpRegT0);

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -404 +404 @@
 const FirstTypedArrayType = constexpr FirstTypedArrayType
 const NumberOfTypedArrayTypesExcludingDataView = constexpr NumberOfTypedArrayTypesExcludingDataView
-const TypedArrayPoisonIndexMask = constexpr TypedArrayPoisonIndexMask
 
 # Type flags constants.

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -392 +392 @@
 end
 
-macro loadTypedArrayCaged(basePtr, mask, source, typeIndex, dest, scratch)
-    if POISON
-        leap _g_typedArrayPoisons, dest
-        loadp (typeIndex - FirstTypedArrayType) * 8[dest], dest
-        loadp source, scratch
-        xorp scratch, dest
-    else
-        loadp source, dest
-    end
-    uncage(basePtr, mask, dest, scratch)
-end
-
 macro loadVariable(operand, value)
     loadisFromInstruction(operand, value)
@@ -1637 +1625 @@
 
     # We have Int8ArrayType.
-    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Int8ArrayType, t3, t2)
+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
     loadbs [t3, t1], t0
     finishIntGetByVal(t0, t1)
@@ -1645 +1633 @@
 
     # We have Uint8ArrayType.
-    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint8ArrayType, t3, t2)
+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
     loadb [t3, t1], t0
     finishIntGetByVal(t0, t1)
@@ -1651 +1639 @@
 .opGetByValUint8ClampedArray:
     # We have Uint8ClampedArrayType.
-    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint8ClampedArrayType, t3, t2)
+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
     loadb [t3, t1], t0
     finishIntGetByVal(t0, t1)
@@ -1660 +1648 @@
 
     # We have Int16ArrayType.
-    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Int16ArrayType, t3, t2)
+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
     loadhs [t3, t1, 2], t0
     finishIntGetByVal(t0, t1)
@@ -1666 +1654 @@
 .opGetByValUint16Array:
     # We have Uint16ArrayType.
-    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint16ArrayType, t3, t2)
+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
     loadh [t3, t1, 2], t0
     finishIntGetByVal(t0, t1)
@@ -1678 +1666 @@
 
     # We have Int32ArrayType.
-    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Int32ArrayType, t3, t2)
+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
     loadi [t3, t1, 4], t0
     finishIntGetByVal(t0, t1)
@@ -1684 +1672 @@
 .opGetByValUint32Array:
     # We have Uint32ArrayType.
-    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint32ArrayType, t3, t2)
+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
     # This is the hardest part because of large unsigned values.
     loadi [t3, t1, 4], t0
@@ -1696 +1684 @@
 
     # We have Float64ArrayType.
-    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Float64ArrayType, t3, t2)
+    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
     loadd [t3, t1, 8], ft0
     bdnequn ft0, ft0, .opGetByValSlow

trunk/Source/JavaScriptCore/offlineasm/arm64.rb

@@ -273 +273 @@
                     newList << Instruction.new(codeOrigin, "globaladdr", [LabelReference.new(node.codeOrigin, labelRef.label), tmp])
                     newList << Instruction.new(codeOrigin, node.opcode, [Address.new(node.codeOrigin, tmp, Immediate.new(node.codeOrigin, labelRef.offset)), node.operands[1]])
-                else
-                    newList << node
-                end
-            when "leai", "leap", "leaq"
-                labelRef = node.operands[0]
-                if labelRef.is_a? LabelReference
-                    newList << Instruction.new(codeOrigin, "globaladdr", [LabelReference.new(node.codeOrigin, labelRef.label), node.operands[1]])
                 else
                     newList << node

trunk/Source/JavaScriptCore/offlineasm/x86.rb

@@ -468 +468 @@
         $asm.puts "movq #{asmLabel}@GOTPCREL(%rip), #{dst.x86Operand(:ptr)}"
         "#{offset}(#{dst.x86Operand(kind)})"
-    end
-    def x86AddressOperand(addressKind)
-        # FIXME: Implement this on platforms that aren't Mach-O.
-        # https://bugs.webkit.org/show_bug.cgi?id=175104
-        "#{asmLabel}@GOTPCREL(%rip)"
     end
 end
@@ -1552 +1547 @@
             $asm.puts "jnz #{operands[0].asmLabel}"
         when "leai"
-            emitX86Lea(operands[0], operands[1], :int)
+            $asm.puts "lea#{x86Suffix(:int)} #{orderOperands(operands[0].x86AddressOperand(:int), operands[1].x86Operand(:int))}"
         when "leap"
-            emitX86Lea(operands[0], operands[1], :ptr)
+            $asm.puts "lea#{x86Suffix(:ptr)} #{orderOperands(operands[0].x86AddressOperand(:ptr), operands[1].x86Operand(:ptr))}"
         when "memfence"
             sp = RegisterID.new(nil, "sp")

trunk/Source/JavaScriptCore/runtime/CagedBarrierPtr.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 
 #include "AuxiliaryBarrier.h"
-#include <type_traits>
 #include <wtf/CagedPtr.h>
-
-namespace WTF {
-
-template<typename Poison, typename T> struct PoisonedPtrTraits;
-
-} // namespace WTF
 
 namespace JSC {
@@ -43 +36 @@
 // This is a convenient combo of AuxiliaryBarrier and CagedPtr.
 
-template<Gigacage::Kind passedKind, typename T, typename PtrTraits = WTF::DumbPtrTraits<T>>
+template<Gigacage::Kind passedKind, typename T>
 class CagedBarrierPtr {
 public:
@@ -93 +86 @@
     
 private:
-    AuxiliaryBarrier<CagedPtr<kind, T, PtrTraits>> m_barrier;
+    AuxiliaryBarrier<CagedPtr<kind, T>> m_barrier;
 };
 
-template<Gigacage::Kind passedKind, typename PtrTraits>
-class CagedBarrierPtr<passedKind, void, PtrTraits> {
+template<Gigacage::Kind passedKind>
+class CagedBarrierPtr<passedKind, void> {
 public:
     static constexpr Gigacage::Kind kind = passedKind;
@@ -140 +133 @@
     
 private:
-    AuxiliaryBarrier<CagedPtr<kind, void, PtrTraits>> m_barrier;
+    AuxiliaryBarrier<CagedPtr<kind, void>> m_barrier;
 };
 
-template<typename Poison, Gigacage::Kind passedKind, typename T>
-using PoisonedCagedBarrierPtr = CagedBarrierPtr<passedKind, T, WTF::PoisonedPtrTraits<Poison, T>>;
-
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -133 +133 @@
 {
     setButterfly(vm, context.butterfly());
-    m_poisonedVector.setWithoutBarrier(context.vector());
+    m_vector.setWithoutBarrier(context.vector());
 }
 
@@ -195 +195 @@
     ASSERT(thisObject->m_mode == OversizeTypedArray || thisObject->m_mode == WastefulTypedArray);
     if (thisObject->m_mode == OversizeTypedArray)
-        Gigacage::free(Gigacage::Primitive, thisObject->m_poisonedVector.get());
+        Gigacage::free(Gigacage::Primitive, thisObject->m_vector.get());
 }
 
@@ -213 +213 @@
     RELEASE_ASSERT(!isShared());
     m_length = 0;
-    m_poisonedVector.clear();
+    m_vector.clear();
 }
 

trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 
 #include "AuxiliaryBarrier.h"
-#include "CagedBarrierPtr.h"
-#include "JSCPoison.h"
 #include "JSObject.h"
-#include "TypedArrayType.h"
-#include <wtf/MathExtras.h>
 
 namespace JSC {
 
 class LLIntOffsetsExtractor;
-
-// Since we'll be indexing into the g_typedArrayPoisons array based on the TypedArray type,
-// we'll index mask the index value and round up to the array size to the next power of 2 to
-// ensure that we'll never be able to access beyond the bounds of this array.
-static constexpr uint32_t NumberOfTypedArrayPoisons = WTF::roundUpToPowerOfTwo(NumberOfTypedArrayTypes);
-static constexpr uint32_t TypedArrayPoisonIndexMask = NumberOfTypedArrayPoisons - 1;
 
 // This class serves two purposes:
@@ -178 +168 @@
     void neuter();
     
-    void* vector() const { return m_poisonedVector.getMayBeNull(); }
+    void* vector() const { return m_vector.getMayBeNull(); }
     
     unsigned byteOffset();
@@ -185 +175 @@
     DECLARE_EXPORT_INFO;
     
-    static ptrdiff_t offsetOfPoisonedVector() { return OBJECT_OFFSETOF(JSArrayBufferView, m_poisonedVector); }
+    static ptrdiff_t offsetOfVector() { return OBJECT_OFFSETOF(JSArrayBufferView, m_vector); }
     static ptrdiff_t offsetOfLength() { return OBJECT_OFFSETOF(JSArrayBufferView, m_length); }
     static ptrdiff_t offsetOfMode() { return OBJECT_OFFSETOF(JSArrayBufferView, m_mode); }
@@ -191 +181 @@
     static RefPtr<ArrayBufferView> toWrapped(VM&, JSValue);
 
-    static uintptr_t poisonFor(JSType type)
-    {
-        return g_typedArrayPoisons[(type - FirstTypedArrayType) & TypedArrayPoisonIndexMask];
-    }
-
-    static uintptr_t poisonFor(TypedArrayType typedArrayType)
-    {
-        ASSERT(isTypedView(typedArrayType));
-        return poisonFor(typeForTypedArrayType(typedArrayType));
-    }
-
 private:
     static void finalize(JSCell*);
@@ -212 +191 @@
     static String toStringName(const JSObject*, ExecState*);
 
-    class Poison {
-    public:
-        template<typename PoisonedType>
-        inline static uintptr_t key(const PoisonedType* poisonedPtr)
-        {
-            uintptr_t poisonedVectorAddress = bitwise_cast<uintptr_t>(poisonedPtr);
-            uintptr_t baseAddress = poisonedVectorAddress - OBJECT_OFFSETOF(JSArrayBufferView, m_poisonedVector);
-            JSArrayBufferView* thisObject = bitwise_cast<JSArrayBufferView*>(baseAddress);
-            return poisonFor(thisObject->type());
-        }
-    };
-
-    PoisonedCagedBarrierPtr<Poison, Gigacage::Primitive, void> m_poisonedVector;
+    CagedBarrierPtr<Gigacage::Primitive, void> m_vector;
     uint32_t m_length;
     TypedArrayMode m_mode;

trunk/Source/JavaScriptCore/runtime/JSCPoison.cpp

@@ -27 +27 @@
 #include "JSCPoison.h"
 
-#include "JSArrayBufferView.h"
 #include "Options.h"
 #include <mutex>
@@ -37 +36 @@
     uintptr_t POISON_KEY_NAME(poisonID);
 FOR_EACH_JSC_POISON(DEFINE_POISON)
-
-uintptr_t g_typedArrayPoisons[NumberOfTypedArrayPoisons];
 
 void initializePoison()
@@ -51 +48 @@
 
         FOR_EACH_JSC_POISON(INITIALIZE_POISON)
-
-        for (uint32_t i = 0; i < NumberOfTypedArrayPoisons; ++i)
-            g_typedArrayPoisons[i] = makePoison();
     });
 }

trunk/Source/JavaScriptCore/runtime/JSCPoison.h

@@ -67 +67 @@
 #undef DECLARE_POISON
 
-extern "C" JS_EXPORT_PRIVATE uintptr_t g_typedArrayPoisons[];
-
 struct ClassInfo;
 

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -505 +505 @@
     if (thisObject->m_mode == OversizeTypedArray)
         return Base::estimatedSize(thisObject) + thisObject->byteSize();
-    if (thisObject->m_mode == FastTypedArray && thisObject->m_poisonedVector)
+    if (thisObject->m_mode == FastTypedArray && thisObject->m_vector)
         return Base::estimatedSize(thisObject) + thisObject->byteSize();
 
@@ -518 +518 @@
     switch (thisObject->m_mode) {
     case FastTypedArray: {
-        if (void* vector = thisObject->m_poisonedVector.getMayBeNull())
+        if (void* vector = thisObject->m_vector.getMayBeNull())
             visitor.markAuxiliary(vector);
         break;
@@ -585 +585 @@
 
     thisObject->butterfly()->indexingHeader()->setArrayBuffer(buffer.get());
-    thisObject->m_poisonedVector.setWithoutBarrier(buffer->data());
+    thisObject->m_vector.setWithoutBarrier(buffer->data());
     WTF::storeStoreFence();
     thisObject->m_mode = WastefulTypedArray;

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -25 +25 @@
 #include "ArrayConventions.h"
 #include "ArrayStorage.h"
-#include "AuxiliaryBarrier.h"
 #include "Butterfly.h"
 #include "CPU.h"
+#include "CagedBarrierPtr.h"
 #include "CallFrame.h"
 #include "ClassInfo.h"