Changeset 224564 in webkit


Ignore:
Timestamp:
Nov 7, 2017, 10:29:31 PM (8 years ago)
Author:
sbarati@apple.com
Message:

Only cage double butterfly accesses
https://bugs.webkit.org/show_bug.cgi?id=179202

Reviewed by Mark Lam.

This patch removes caging from all butterfly accesses except double loads/stores.
This is a performance vs security tradeoff. Double loads/stores are the only butterfly
loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
by caging. The other load/stores we are no longer caging to get back performance on
various benchmarks.

  • bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

  • bytecode/InlineAccess.cpp:

(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):

  • dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCreateRest):
(JSC::DFG::SpeculativeJIT::compileSpread):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):

  • llint/LowLevelInterpreter64.asm:
  • runtime/AuxiliaryBarrier.h:

(JSC::AuxiliaryBarrier::operator-> const):

  • runtime/Butterfly.h:

(JSC::Butterfly::caged):
(JSC::Butterfly::contiguousDouble):

  • runtime/JSArray.cpp:

(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):

  • runtime/JSArrayInlines.h:

(JSC::JSArray::pushInline):

  • runtime/JSObject.cpp:

(JSC::JSObject::heapSnapshot):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):
(JSC::JSObject::allocateMoreOutOfLineStorage):

  • runtime/JSObject.h:

(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly const):
(JSC::JSObject::canSetIndexQuickly):
(JSC::JSObject::butterfly const):
(JSC::JSObject::butterfly):

Location:
trunk/Source/JavaScriptCore
Files:
16 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r224550 r224564  
     12017-11-07  Saam Barati  <sbarati@apple.com>
     2
     3        Only cage double butterfly accesses
     4        https://bugs.webkit.org/show_bug.cgi?id=179202
     5
     6        Reviewed by Mark Lam.
     7
     8        This patch removes caging from all butterfly accesses except double loads/stores.
     9        This is a performance vs security tradeoff. Double loads/stores are the only butterfly
     10        loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
     11        by caging. The other load/stores we are no longer caging to get back performance on
     12        various benchmarks.
     13
     14        * bytecode/AccessCase.cpp:
     15        (JSC::AccessCase::generateImpl):
     16        * bytecode/InlineAccess.cpp:
     17        (JSC::InlineAccess::dumpCacheSizesAndCrash):
     18        (JSC::InlineAccess::generateSelfPropertyAccess):
     19        (JSC::InlineAccess::generateSelfPropertyReplace):
     20        (JSC::InlineAccess::generateArrayLength):
     21        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
     22        * dfg/DFGSpeculativeJIT.cpp:
     23        (JSC::DFG::SpeculativeJIT::compileCreateRest):
     24        (JSC::DFG::SpeculativeJIT::compileSpread):
     25        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
     26        * dfg/DFGSpeculativeJIT64.cpp:
     27        (JSC::DFG::SpeculativeJIT::compile):
     28        * ftl/FTLLowerDFGToB3.cpp:
     29        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
     30        * jit/JITPropertyAccess.cpp:
     31        (JSC::JIT::emitContiguousLoad):
     32        (JSC::JIT::emitArrayStorageLoad):
     33        (JSC::JIT::emitGenericContiguousPutByVal):
     34        (JSC::JIT::emitArrayStoragePutByVal):
     35        (JSC::JIT::emit_op_get_from_scope):
     36        (JSC::JIT::emit_op_put_to_scope):
     37        * llint/LowLevelInterpreter64.asm:
     38        * runtime/AuxiliaryBarrier.h:
     39        (JSC::AuxiliaryBarrier::operator-> const):
     40        * runtime/Butterfly.h:
     41        (JSC::Butterfly::caged):
     42        (JSC::Butterfly::contiguousDouble):
     43        * runtime/JSArray.cpp:
     44        (JSC::JSArray::setLength):
     45        (JSC::JSArray::pop):
     46        (JSC::JSArray::shiftCountWithAnyIndexingType):
     47        (JSC::JSArray::unshiftCountWithAnyIndexingType):
     48        (JSC::JSArray::fillArgList):
     49        (JSC::JSArray::copyToArguments):
     50        * runtime/JSArrayInlines.h:
     51        (JSC::JSArray::pushInline):
     52        * runtime/JSObject.cpp:
     53        (JSC::JSObject::heapSnapshot):
     54        (JSC::JSObject::createInitialIndexedStorage):
     55        (JSC::JSObject::createArrayStorage):
     56        (JSC::JSObject::convertUndecidedToInt32):
     57        (JSC::JSObject::ensureLengthSlow):
     58        (JSC::JSObject::reallocateAndShrinkButterfly):
     59        (JSC::JSObject::allocateMoreOutOfLineStorage):
     60        * runtime/JSObject.h:
     61        (JSC::JSObject::canGetIndexQuickly):
     62        (JSC::JSObject::getIndexQuickly):
     63        (JSC::JSObject::tryGetIndexQuickly const):
     64        (JSC::JSObject::canSetIndexQuickly):
     65        (JSC::JSObject::butterfly const):
     66        (JSC::JSObject::butterfly):
     67
    1682017-11-07  Mark Lam  <mark.lam@apple.com>
    269

  • trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

    r224539 r224564  
    625625                    CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
    626626                    loadedValueGPR);
    627                 jit.cage(Gigacage::JSValue, loadedValueGPR);
    628627                storageGPR = loadedValueGPR;
    629628            }
     
    976975
    977976                    jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
    978                     jit.cage(Gigacage::JSValue, scratchGPR3);
    979977
    980978                    // We have scratchGPR = new storage, scratchGPR3 = old storage,
     
    10571055                    offsetInInlineStorage(m_offset) * sizeof(JSValue)));
    10581056        } else {
    1059             if (!allocating) {
     1057            if (!allocating)
    10601058                jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
    1061                 jit.cage(Gigacage::JSValue, scratchGPR);
    1062             }
    10631059            jit.storeValue(
    10641060                valueRegs,
     
    10961092    case ArrayLength: {
    10971093        jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
    1098         jit.cage(Gigacage::JSValue, scratchGPR);
    10991094        jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
    11001095        state.failAndIgnore.append(

  • trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp

    r224258 r224564  
    5858            CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
    5959        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
    60         jit.cage(Gigacage::JSValue, value);
    6160        jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
    6261        jit.boxInt32(scratchGPR, regs);
     
    7574            CCallHelpers::Address(base, JSObject::butterflyOffset()),
    7675            value);
    77         jit.cage(Gigacage::JSValue, value);
    7876        GPRReg storageGPR = value;
    7977        jit.loadValue(
     
    119117
    120118        jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
    121         jit.cage(Gigacage::JSValue, value);
    122119        jit.storeValue(
    123120            regs,
     
    174171    else {
    175172        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
    176         jit.cage(Gigacage::JSValue, value.payloadGPR());
    177173        storage = value.payloadGPR();
    178174    }
     
    236232        ASSERT(storage != InvalidGPRReg);
    237233        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
    238         jit.cage(Gigacage::JSValue, storage);
    239234    }
    240235
     
    275270        CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
    276271    jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
    277     jit.cage(Gigacage::JSValue, value.payloadGPR());
    278272    jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
    279273    jit.boxInt32(value.payloadGPR(), value);

  • trunk/Source/JavaScriptCore/dfg/DFGFixedButterflyAccessUncagingPhase.cpp

    r220118 r224564  
    7676                        if (!accessesOverlap(m_graph, node, Heap))
    7777                            break;
    78                    
     78                       
     79                        Node* toExclude = nullptr;
     80                        if (node->hasArrayMode() && node->arrayMode().type() != Array::Double) {
     81                            switch (node->op()) {
     82                            case ArrayPush:
     83                                toExclude = m_graph.varArgChild(node, 0).node();
     84                                break;
     85                            case ArrayIndexOf:
     86                                toExclude = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3).node();
     87                                break;
     88                            case ArrayPop:
     89                                toExclude = node->child2().node();
     90                                break;
     91                            case HasIndexedProperty:
     92                                toExclude = node->child3().node();
     93                                break;
     94                            case GetByVal:
     95                                toExclude = node->child3().node();
     96                                break;
     97                            case PutByVal:
     98                                toExclude = m_graph.varArgChild(node, 3).node();
     99                                break;
     100                            default:
     101                                break;
     102                            }
     103                        }
     104
    79105                        m_graph.doToChildren(
    80106                            node,
    81107                            [&] (Edge& edge) {
    82                                 changed |= needCaging.add(edge.node());
     108                                if (edge.node() != toExclude)
     109                                    changed |= needCaging.add(edge.node());
    83110                            });
    84111                        break;

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r224280 r224564  
    72707270
    72717271        m_jit.loadPtr(MacroAssembler::Address(arrayResultGPR, JSObject::butterflyOffset()), butterflyGPR);
    7272         m_jit.cage(Gigacage::JSValue, butterflyGPR);
    72737272
    72747273        CCallHelpers::Jump skipLoop = m_jit.branch32(MacroAssembler::Equal, arrayLengthGPR, TrustedImm32(0));
     
    73407339
    73417340        m_jit.loadPtr(MacroAssembler::Address(argument, JSObject::butterflyOffset()), lengthGPR);
    7342         m_jit.cage(Gigacage::JSValue, lengthGPR);
     7341        m_jit.cage(Gigacage::JSValue, lengthGPR); // We may do a double memcpy loop below, so we conservatively cage.
    73437342        m_jit.load32(MacroAssembler::Address(lengthGPR, Butterfly::offsetOfPublicLength()), lengthGPR);
    73447343        static_assert(sizeof(JSValue) == 8 && 1 << 3 == 8, "This is strongly assumed in the code below.");
     
    73517350
    73527351        m_jit.loadPtr(MacroAssembler::Address(argument, JSObject::butterflyOffset()), scratch1GPR);
    7353         m_jit.cage(Gigacage::JSValue, scratch1GPR);
     7352        m_jit.cage(Gigacage::JSValue, scratch1GPR); // We may do a double memcpy loop below, so we conservatively cage.
    73547353
    73557354        MacroAssembler::JumpList done;
     
    73747373        isDoubleArray.link(&m_jit);
    73757374        {
    7376 
    73777375            done.append(m_jit.branchTest32(MacroAssembler::Zero, lengthGPR));
    73787376            auto loopStart = m_jit.label();
     
    74617459        m_jit.move(TrustedImm32(0), indexGPR);
    74627460        m_jit.loadPtr(MacroAssembler::Address(resultGPR, JSObject::butterflyOffset()), storageGPR);
    7463         m_jit.cage(Gigacage::JSValue, storageGPR);
    74647461
    74657462        for (unsigned i = 0; i < node->numChildren(); ++i) {

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

    r224302 r224564  
    57845784        outOfLineAccess.link(&m_jit);
    57855785        m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratch2GPR);
    5786         m_jit.cage(Gigacage::JSValue, scratch2GPR);
    57875786        m_jit.move(indexGPR, scratch1GPR);
    57885787        m_jit.sub32(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), scratch1GPR);

  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r224302 r224564  
    93509350        int32_t offsetOfFirstProperty = static_cast<int32_t>(offsetInButterfly(firstOutOfLineOffset)) * sizeof(EncodedJSValue);
    93519351        ValueFromBlock outOfLineResult = m_out.anchor(
    9352             m_out.load64(m_out.baseIndex(m_heaps.properties.atAnyNumber(), caged(Gigacage::JSValue, storage), realIndex, ScaleEight, offsetOfFirstProperty)));
     9352            m_out.load64(m_out.baseIndex(m_heaps.properties.atAnyNumber(), storage, realIndex, ScaleEight, offsetOfFirstProperty)));
    93539353        m_out.jump(continuation);
    93549354

  • trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

    r223824 r224564  
    188188    badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape));
    189189    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
    190     cage(Gigacage::JSValue, regT2);
    191190    slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
    192191    load64(BaseIndex(regT2, regT1, TimesEight), regT0);
     
    204203
    205204    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
    206     cage(Gigacage::JSValue, regT2);
    207205    slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
    208206
     
    346344   
    347345    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
    348     cage(Gigacage::JSValue, regT2);
     346    if (indexingShape == DoubleShape)
     347        cage(Gigacage::JSValue, regT2);
    349348    Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()));
    350349
     
    402401    badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
    403402    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
    404     cage(Gigacage::JSValue, regT2);
    405403    slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
    406404
     
    878876            }
    879877            loadPtr(Address(base, JSObject::butterflyOffset()), scratch);
    880             cage(Gigacage::JSValue, scratch);
    881878            neg32(offset);
    882879            signExtend32ToPtr(offset, offset);
     
    998995           
    999996            loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
    1000             cage(Gigacage::JSValue, regT0);
    1001997            loadPtr(operandSlot, regT1);
    1002998            negPtr(regT1);

  • trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

    r224487 r224564  
    12251225macro loadPropertyAtVariableOffset(propertyOffsetAsInt, objectAndStorage, value)
    12261226    bilt propertyOffsetAsInt, firstOutOfLineOffset, .isInline
    1227     loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr JSVALUE_GIGACAGE_MASK, JSObject::m_butterfly[objectAndStorage], objectAndStorage, value)
     1227    loadp JSObject::m_butterfly[objectAndStorage], objectAndStorage
    12281228    negi propertyOffsetAsInt
    12291229    sxi2q propertyOffsetAsInt, propertyOffsetAsInt
     
    12361236
    12371237
    1238 macro storePropertyAtVariableOffset(propertyOffsetAsInt, objectAndStorage, value, scratch)
     1238macro storePropertyAtVariableOffset(propertyOffsetAsInt, objectAndStorage, value)
    12391239    bilt propertyOffsetAsInt, firstOutOfLineOffset, .isInline
    1240     loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr JSVALUE_GIGACAGE_MASK, JSObject::m_butterfly[objectAndStorage], objectAndStorage, scratch)
     1240    loadp JSObject::m_butterfly[objectAndStorage], objectAndStorage
    12411241    negi propertyOffsetAsInt
    12421242    sxi2q propertyOffsetAsInt, propertyOffsetAsInt
     
    14611461    loadConstantOrVariable(t1, t2)
    14621462    loadisFromInstruction(5, t1)
    1463     storePropertyAtVariableOffset(t1, t0, t2, t3)
     1463    storePropertyAtVariableOffset(t1, t0, t2)
    14641464    writeBarrierOnOperands(1, 3)
    14651465    dispatch(constexpr op_put_by_id_length)
     
    23222322    loadConstantOrVariable(t1, t2)
    23232323    loadisFromInstruction(6, t1)
    2324     storePropertyAtVariableOffset(t1, t0, t2, t3)
     2324    storePropertyAtVariableOffset(t1, t0, t2)
    23252325end
    23262326

  • trunk/Source/JavaScriptCore/runtime/AuxiliaryBarrier.h

    r220352 r224564  
    5757    template<typename U>
    5858    void setWithoutBarrier(U&& value) { m_value = std::forward<U>(value); }
     59
     60    T operator->() const { return get(); }
    5961   
    6062private:

  • trunk/Source/JavaScriptCore/runtime/Butterfly.h

    r218794 r224564  
    2828#include "IndexingHeader.h"
    2929#include "PropertyStorage.h"
     30#include <wtf/Gigacage.h>
    3031#include <wtf/Noncopyable.h>
    3132
     
    103104   
    104105    char* pointer() { return reinterpret_cast<char*>(this); }
     106    Butterfly* caged() { return Gigacage::caged(Gigacage::JSValue, this); }
    105107   
    106108    static ptrdiff_t offsetOfIndexingHeader() { return IndexingHeader::offsetOfIndexingHeader(); }
     
    130132    ContiguousJSValues contiguousInt32() { return ContiguousJSValues(indexingPayload<WriteBarrier<Unknown>>(), vectorLength()); }
    131133
    132     ContiguousDoubles contiguousDouble() { return ContiguousDoubles(indexingPayload<double>(), vectorLength()); }
     134    ContiguousDoubles contiguousDouble() { return ContiguousDoubles(caged()->indexingPayload<double>(), vectorLength()); }
    133135    ContiguousJSValues contiguous() { return ContiguousJSValues(indexingPayload<WriteBarrier<Unknown>>(), vectorLength()); }
    134136   

  • trunk/Source/JavaScriptCore/runtime/ButterflyInlines.h

    r220352 r224564  
    108108        return create(vm, intendedOwner, 0, newPropertyCapacity, false, IndexingHeader(), 0);
    109109
     110    oldButterfly = oldButterfly->caged();
     111
    110112    size_t preCapacity = oldButterfly->indexingHeader()->preCapacity(structure);
    111113    size_t indexingPayloadSizeInBytes = oldButterfly->indexingHeader()->indexingPayloadSizeInBytes(structure);

  • trunk/Source/JavaScriptCore/runtime/JSArray.cpp

    r223746 r224564  
    559559    auto scope = DECLARE_THROW_SCOPE(vm);
    560560
    561     Butterfly* butterfly = m_butterfly.getMayBeNull();
     561    Butterfly* butterfly = this->butterfly();
    562562    switch (indexingType()) {
    563563    case ArrayClass:
     
    629629    auto scope = DECLARE_THROW_SCOPE(vm);
    630630
    631     Butterfly* butterfly = m_butterfly.getMayBeNull();
     631    Butterfly* butterfly = this->butterfly();
    632632   
    633633    switch (indexingType()) {
     
    880880    RELEASE_ASSERT(count > 0);
    881881
    882     Butterfly* butterfly = m_butterfly.getMayBeNull();
     882    Butterfly* butterfly = this->butterfly();
    883883   
    884884    switch (indexingType()) {
     
    10361036    auto scope = DECLARE_THROW_SCOPE(vm);
    10371037
    1038     Butterfly* butterfly = m_butterfly.getMayBeNull();
     1038    Butterfly* butterfly = this->butterfly();
    10391039   
    10401040    switch (indexingType()) {
     
    10591059            return false;
    10601060        }
    1061         butterfly = m_butterfly.getMayBeNull();
     1061        butterfly = this->butterfly();
    10621062
    10631063        // We have to check for holes before we start moving things around so that we don't get halfway
     
    11031103            return false;
    11041104        }
    1105         butterfly = m_butterfly.getMayBeNull();
     1105        butterfly = this->butterfly();
    11061106       
    11071107        // We have to check for holes before we start moving things around so that we don't get halfway
     
    11461146    WriteBarrier<Unknown>* vector;
    11471147
    1148     Butterfly* butterfly = m_butterfly.getMayBeNull();
     1148    Butterfly* butterfly = this->butterfly();
    11491149   
    11501150    switch (indexingType()) {
     
    12191219    ASSERT(length == this->length());
    12201220
    1221     Butterfly* butterfly = m_butterfly.getMayBeNull();
     1221    Butterfly* butterfly = this->butterfly();
    12221222    switch (indexingType()) {
    12231223    case ArrayClass:

  • trunk/Source/JavaScriptCore/runtime/JSArrayInlines.h

    r222827 r224564  
    8989    auto scope = DECLARE_THROW_SCOPE(vm);
    9090
    91     Butterfly* butterfly = m_butterfly.getMayBeNull();
     91    Butterfly* butterfly = this->butterfly();
    9292
    9393    switch (indexingType()) {

  • trunk/Source/JavaScriptCore/runtime/JSObject.cpp

    r224416 r224564  
    463463    }
    464464
    465     Butterfly* butterfly = thisObject->m_butterfly.getMayBeNull();
     465    Butterfly* butterfly = thisObject->butterfly();
    466466    if (butterfly) {
    467467        WriteBarrier<Unknown>* data = nullptr;
     
    10271027    unsigned vectorLength = Butterfly::optimalContiguousVectorLength(propertyCapacity, length);
    10281028    Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(
    1029         m_butterfly.getMayBeNull(), vm, this, structure, propertyCapacity, false, 0,
     1029        butterfly(), vm, this, structure, propertyCapacity, false, 0,
    10301030        sizeof(EncodedJSValue) * vectorLength);
    10311031    newButterfly->setPublicLength(length);
     
    11151115    ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
    11161116
    1117     Butterfly* newButterfly = createArrayStorageButterfly(vm, this, oldStructure, length, vectorLength, m_butterfly.getMayBeNull());
     1117    Butterfly* newButterfly = createArrayStorageButterfly(vm, this, oldStructure, length, vectorLength, butterfly());
    11181118    ArrayStorage* result = newButterfly->arrayStorage();
    11191119    Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, suggestedArrayStorageTransition());
     
    11331133    ASSERT(hasUndecided(indexingType()));
    11341134
    1135     Butterfly* butterfly = m_butterfly.getMayBeNull();
     1135    Butterfly* butterfly = this->butterfly();
    11361136    for (unsigned i = butterfly->vectorLength(); i--;)
    11371137        butterfly->contiguousInt32()[i].setWithoutWriteBarrier(JSValue());
     
    31743174bool JSObject::ensureLengthSlow(VM& vm, unsigned length)
    31753175{
    3176     Butterfly* butterfly = m_butterfly.get();
     3176    Butterfly* butterfly = this->butterfly()->caged();
    31773177   
    31783178    ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH);
     
    32343234
    32353235    DeferGC deferGC(vm.heap);
    3236     Butterfly* newButterfly = m_butterfly->resizeArray(vm, this, structure(), 0, ArrayStorage::sizeFor(length));
     3236    Butterfly* newButterfly = butterfly()->caged()->resizeArray(vm, this, structure(), 0, ArrayStorage::sizeFor(length));
    32373237    newButterfly->setVectorLength(length);
    32383238    newButterfly->setPublicLength(length);
     
    32483248    // capacity, since we might have already mutated the structure in-place.
    32493249
    3250     return Butterfly::createOrGrowPropertyStorage(m_butterfly.getMayBeNull(), vm, this, structure(vm), oldSize, newSize);
     3250    return Butterfly::createOrGrowPropertyStorage(butterfly(), vm, this, structure(vm), oldSize, newSize);
    32513251}
    32523252

  • trunk/Source/JavaScriptCore/runtime/JSObject.h

    r223746 r224564  
    256256    bool canGetIndexQuickly(unsigned i)
    257257    {
    258         Butterfly* butterfly = m_butterfly.getMayBeNull();
     258        Butterfly* butterfly = this->butterfly();
    259259        switch (indexingType()) {
    260260        case ALL_BLANK_INDEXING_TYPES:
     
    282282    JSValue getIndexQuickly(unsigned i)
    283283    {
    284         Butterfly* butterfly = m_butterfly.get();
     284        Butterfly* butterfly = this->butterfly();
    285285        switch (indexingType()) {
    286286        case ALL_INT32_INDEXING_TYPES:
     
    300300    JSValue tryGetIndexQuickly(unsigned i) const
    301301    {
    302         Butterfly* butterfly = m_butterfly.getMayBeNull();
     302        Butterfly* butterfly = const_cast<JSObject*>(this)->butterfly();
    303303        switch (indexingType()) {
    304304        case ALL_BLANK_INDEXING_TYPES:
     
    354354    bool canSetIndexQuickly(unsigned i)
    355355    {
    356         Butterfly* butterfly = m_butterfly.getMayBeNull();
     356        Butterfly* butterfly = this->butterfly();
    357357        switch (indexingType()) {
    358358        case ALL_BLANK_INDEXING_TYPES:
     
    670670    }
    671671       
    672     const Butterfly* butterfly() const { return m_butterfly.getMayBeNull(); }
    673     Butterfly* butterfly() { return m_butterfly.getMayBeNull(); }
     672    const Butterfly* butterfly() const { return m_butterfly.get(); }
     673    Butterfly* butterfly() { return m_butterfly.get(); }
    674674   
    675675    ConstPropertyStorage outOfLineStorage() const { return m_butterfly->propertyStorage(); }
     
    10531053
    10541054protected:
    1055     CagedBarrierPtr<Gigacage::JSValue, Butterfly> m_butterfly;
     1055    AuxiliaryBarrier<Butterfly*> m_butterfly;
    10561056#if USE(JSVALUE32_64)
    10571057private:
Note: See TracChangeset for help on using the changeset viewer.