Changeset 220368 in webkit


Ignore:
Timestamp:
Aug 7, 2017 4:30:15 PM (7 years ago)
Author:
fpizlo@apple.com
Message:

Baseline JIT should do caging
https://bugs.webkit.org/show_bug.cgi?id=175037

Reviewed by Mark Lam.
Source/bmalloc:


This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
and WebProcess.

This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
checks on each typed array access.

  • bmalloc/Gigacage.cpp:

(Gigacage::primitiveGigacageDisabled):
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):

  • bmalloc/Gigacage.h:

(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

Source/JavaScriptCore:


Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

Also modifies FTL caging to be more defensive when caging is disabled.

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::caged):

  • jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::cage):
(JSC::AssemblyHelpers::cageConditionally):

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

  • jsc.cpp:

(jscmain):
(primitiveGigacageDisabled): Deleted.

Source/WebKit:


Use a better API to disable disabling the primitive gigacage.

  • WebProcess/WebProcess.cpp:

(WebKit::m_webSQLiteDatabaseTracker):
(WebKit::primitiveGigacageDisabled): Deleted.

Source/WTF:

  • wtf/Gigacage.h:

(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

Location:
trunk/Source
Files:
14 edited

Legend:

Unmodified
Added
Removed
  • trunk/Source/JavaScriptCore/ChangeLog

    r220352 r220368  
     12017-08-07  Filip Pizlo  <fpizlo@apple.com>
     2
     3        Baseline JIT should do caging
     4        https://bugs.webkit.org/show_bug.cgi?id=175037
     5
     6        Reviewed by Mark Lam.
     7       
     8        Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
     9       
     10        Also modifies FTL caging to be more defensive when caging is disabled.
     11
     12        * ftl/FTLLowerDFGToB3.cpp:
     13        (JSC::FTL::DFG::LowerDFGToB3::caged):
     14        * jit/AssemblyHelpers.h:
     15        (JSC::AssemblyHelpers::cage):
     16        (JSC::AssemblyHelpers::cageConditionally):
     17        * jit/JITPropertyAccess.cpp:
     18        (JSC::JIT::emitDoubleLoad):
     19        (JSC::JIT::emitContiguousLoad):
     20        (JSC::JIT::emitArrayStorageLoad):
     21        (JSC::JIT::emitGenericContiguousPutByVal):
     22        (JSC::JIT::emitArrayStoragePutByVal):
     23        (JSC::JIT::emit_op_get_from_scope):
     24        (JSC::JIT::emit_op_put_to_scope):
     25        (JSC::JIT::emitIntTypedArrayGetByVal):
     26        (JSC::JIT::emitFloatTypedArrayGetByVal):
     27        (JSC::JIT::emitIntTypedArrayPutByVal):
     28        (JSC::JIT::emitFloatTypedArrayPutByVal):
     29        * jsc.cpp:
     30        (jscmain):
     31        (primitiveGigacageDisabled): Deleted.
     32
    1332017-08-06  Filip Pizlo  <fpizlo@apple.com>
    234
  • trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

    r220352 r220368  
    528528                    CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
    529529                    loadedValueGPR);
     530                // FIXME: Do caging!
     531                // https://bugs.webkit.org/show_bug.cgi?id=175295
    530532                storageGPR = loadedValueGPR;
    531533            }
     
    878880
    879881                    jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
     882                    // FIXME: Do caging!
     883                    // https://bugs.webkit.org/show_bug.cgi?id=175295
    880884
    881885                    // We have scratchGPR = new storage, scratchGPR3 = old storage,
     
    956960                    offsetInInlineStorage(m_offset) * sizeof(JSValue)));
    957961        } else {
    958             if (!allocating)
     962            if (!allocating) {
    959963                jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
     964                // FIXME: Do caging!
     965                // https://bugs.webkit.org/show_bug.cgi?id=175295
     966            }
    960967            jit.storeValue(
    961968                valueRegs,
     
    9931000    case ArrayLength: {
    9941001        jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
     1002        // FIXME: Do caging!
     1003        // https://bugs.webkit.org/show_bug.cgi?id=175295
    9951004        jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
    9961005        state.failAndIgnore.append(
  • trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp

    r214531 r220368  
    5858            CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
    5959        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
     60        // FIXME: Do caging!
     61        // https://bugs.webkit.org/show_bug.cgi?id=175295
    6062        jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
    6163        jit.boxInt32(scratchGPR, regs);
     
    7476            CCallHelpers::Address(base, JSObject::butterflyOffset()),
    7577            value);
     78        // FIXME: Do caging!
     79        // https://bugs.webkit.org/show_bug.cgi?id=175295
    7680        GPRReg storageGPR = value;
    7781        jit.loadValue(
     
    117121
    118122        jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
     123        // FIXME: Do caging!
     124        // https://bugs.webkit.org/show_bug.cgi?id=175295
    119125        jit.storeValue(
    120126            regs,
     
    171177    else {
    172178        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
     179        // FIXME: Do caging!
     180        // https://bugs.webkit.org/show_bug.cgi?id=175295
    173181        storage = value.payloadGPR();
    174182    }
     
    232240        ASSERT(storage != InvalidGPRReg);
    233241        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
     242        // FIXME: Do caging!
     243        // https://bugs.webkit.org/show_bug.cgi?id=175295
    234244    }
    235245
     
    270280        CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
    271281    jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
     282    // FIXME: Do caging!
     283    // https://bugs.webkit.org/show_bug.cgi?id=175295
    272284    jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
    273285    jit.boxInt32(value.payloadGPR(), value);
  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r220352 r220368  
    1161711617    LValue caged(Gigacage::Kind kind, LValue ptr)
    1161811618    {
    11619         if (kind == Gigacage::Primitive) {
     11619        if (!Gigacage::shouldBeEnabled())
     11620            return ptr;
     11621       
     11622        if (kind == Gigacage::Primitive && Gigacage::canPrimitiveGigacageBeDisabled()) {
    1162011623            if (vm().primitiveGigacageEnabled().isStillValid())
    1162111624                m_graph.watchpoints().addLazily(vm().primitiveGigacageEnabled());
  • trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

    r218794 r220368  
    13101310        storeFence();
    13111311        ok.link(this);
     1312    }
     1313   
     1314    void cage(Gigacage::Kind kind, GPRReg storage)
     1315    {
     1316#if GIGACAGE_ENABLED
     1317        if (!Gigacage::shouldBeEnabled())
     1318            return;
     1319       
     1320        andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
     1321        addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
     1322#else
     1323        UNUSED_PARAM(kind);
     1324        UNUSED_PARAM(storage);
     1325#endif
     1326    }
     1327   
     1328    void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratch)
     1329    {
     1330#if GIGACAGE_ENABLED
     1331        if (!Gigacage::shouldBeEnabled())
     1332            return;
     1333       
     1334        if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled())
     1335            return cage(kind, storage);
     1336       
     1337        loadPtr(Gigacage::basePtr(kind), scratch);
     1338        Jump done = branchTestPtr(Zero, scratch);
     1339        andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
     1340        addPtr(scratch, storage);
     1341        done.link(this);
     1342#else
     1343        UNUSED_PARAM(kind);
     1344        UNUSED_PARAM(storage);
     1345        UNUSED_PARAM(scratch);
     1346#endif
    13121347    }
    13131348   
  • trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

    r220118 r220368  
    173173   
    174174    badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape));
    175     // FIXME: Should do caging.
    176     // https://bugs.webkit.org/show_bug.cgi?id=175037
    177175    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
     176    cage(Gigacage::JSValue, regT2);
    178177    slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
    179178    loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
     
    188187   
    189188    badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape));
    190     // FIXME: Should do caging.
    191     // https://bugs.webkit.org/show_bug.cgi?id=175037
    192189    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
     190    cage(Gigacage::JSValue, regT2);
    193191    slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
    194192    load64(BaseIndex(regT2, regT1, TimesEight), regT0);
     
    205203    badType = patchableBranch32(Above, regT3, TrustedImm32(SlowPutArrayStorageShape - ArrayStorageShape));
    206204
    207     // FIXME: Should do caging.
    208     // https://bugs.webkit.org/show_bug.cgi?id=175037
    209205    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
     206    cage(Gigacage::JSValue, regT2);
    210207    slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
    211208
     
    354351    badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
    355352   
    356     // FIXME: Should do caging.
    357     // https://bugs.webkit.org/show_bug.cgi?id=175037
    358353    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
     354    cage(Gigacage::JSValue, regT2);
    359355    Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()));
    360356
     
    411407   
    412408    badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
    413     // FIXME: Should do caging.
    414     // https://bugs.webkit.org/show_bug.cgi?id=175037
    415409    loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
     410    cage(Gigacage::JSValue, regT2);
    416411    slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
    417412
     
    924919                isOutOfLine.link(this);
    925920            }
    926             // FIXME: Should do caging.
    927             // https://bugs.webkit.org/show_bug.cgi?id=175037
    928921            loadPtr(Address(base, JSObject::butterflyOffset()), scratch);
     922            cage(Gigacage::JSValue, scratch);
    929923            neg32(offset);
    930924            signExtend32ToPtr(offset, offset);
     
    10671061            emitGetVirtualRegister(value, regT2);
    10681062           
    1069             // FIXME: Should do caging.
    1070             // https://bugs.webkit.org/show_bug.cgi?id=175037
    10711063            loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
     1064            cage(Gigacage::JSValue, regT0);
    10721065            loadPtr(operandSlot, regT1);
    10731066            negPtr(regT1);
     
    15771570    RegisterID resultPayload = regT0;
    15781571    RegisterID scratch = regT3;
     1572    RegisterID scratch2 = regT4;
    15791573#else
    15801574    RegisterID base = regT0;
     
    15831577    RegisterID resultTag = regT1;
    15841578    RegisterID scratch = regT3;
     1579    RegisterID scratch2 = regT4;
    15851580#endif
    15861581   
     
    15901585    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
    15911586    slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
    1592     // FIXME: Should do caging.
    1593     // https://bugs.webkit.org/show_bug.cgi?id=175037
    15941587    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
     1588    cageConditionally(Gigacage::Primitive, scratch, scratch2);
    15951589   
    15961590    switch (elementSize(type)) {
     
    16501644    RegisterID resultPayload = regT0;
    16511645    RegisterID scratch = regT3;
     1646    RegisterID scratch2 = regT4;
    16521647#else
    16531648    RegisterID base = regT0;
     
    16561651    RegisterID resultTag = regT1;
    16571652    RegisterID scratch = regT3;
     1653    RegisterID scratch2 = regT4;
    16581654#endif
    16591655   
     
    16631659    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
    16641660    slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
    1665     // FIXME: Should do caging.
    1666     // https://bugs.webkit.org/show_bug.cgi?id=175037
    16671661    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
     1662    cageConditionally(Gigacage::Primitive, scratch, scratch2);
    16681663   
    16691664    switch (elementSize(type)) {
     
    17061701    RegisterID earlyScratch = regT3;
    17071702    RegisterID lateScratch = regT2;
     1703    RegisterID lateScratch2 = regT4;
    17081704#else
    17091705    RegisterID base = regT0;
     
    17111707    RegisterID earlyScratch = regT3;
    17121708    RegisterID lateScratch = regT1;
     1709    RegisterID lateScratch2 = regT4;
    17131710#endif
    17141711   
     
    17321729    // We would be loading this into base as in get_by_val, except that the slow
    17331730    // path expects the base to be unclobbered.
    1734     // FIXME: Should do caging.
    1735     // https://bugs.webkit.org/show_bug.cgi?id=175037
    17361731    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
     1732    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
    17371733   
    17381734    if (isClamped(type)) {
     
    17781774    RegisterID earlyScratch = regT3;
    17791775    RegisterID lateScratch = regT2;
     1776    RegisterID lateScratch2 = regT4;
    17801777#else
    17811778    RegisterID base = regT0;
     
    17831780    RegisterID earlyScratch = regT3;
    17841781    RegisterID lateScratch = regT1;
     1782    RegisterID lateScratch2 = regT4;
    17851783#endif
    17861784   
     
    18171815    // We would be loading this into base as in get_by_val, except that the slow
    18181816    // path expects the base to be unclobbered.
    1819     // FIXME: Should do caging.
    1820     // https://bugs.webkit.org/show_bug.cgi?id=175037
    18211817    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
     1818    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
    18221819   
    18231820    switch (elementSize(type)) {
  • trunk/Source/JavaScriptCore/jsc.cpp

    r220352 r220368  
    38033803}
    38043804
    3805 static void primitiveGigacageDisabled(void*)
    3806 {
    3807     dataLog("Primitive gigacage disabled! Aborting.\n");
    3808     UNREACHABLE_FOR_PLATFORM();
    3809 }
    3810 
    38113805int jscmain(int argc, char** argv)
    38123806{
     
    38273821    JSC::Wasm::enableFastMemory();
    38283822#endif
    3829     if (Gigacage::shouldBeEnabled())
    3830         Gigacage::addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
     3823    Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled();
    38313824
    38323825    int result;
  • trunk/Source/WTF/ChangeLog

    r220353 r220368  
     12017-08-07  Filip Pizlo  <fpizlo@apple.com>
     2
     3        Baseline JIT should do caging
     4        https://bugs.webkit.org/show_bug.cgi?id=175037
     5
     6        Reviewed by Mark Lam.
     7
     8        * wtf/Gigacage.h:
     9        (Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
     10        (Gigacage::isDisablingPrimitiveGigacageDisabled):
     11        (Gigacage::isPrimitiveGigacagePermanentlyEnabled):
     12        (Gigacage::canPrimitiveGigacageBeDisabled):
     13
    1142017-08-07  Filip Pizlo  <fpizlo@apple.com>
    215
  • trunk/Source/WTF/wtf/Gigacage.h

    r220353 r220368  
    5050inline void removePrimitiveDisableCallback(void (*)(void*), void*) { }
    5151
     52inline void disableDisablingPrimitiveGigacageIfShouldBeEnabled() { }
     53
     54inline bool isDisablingPrimitiveGigacageDisabled() { return false; }
     55inline bool isPrimitiveGigacagePermanentlyEnabled() { return false; }
     56inline bool canPrimitiveGigacageBeDisabled() { return true; }
     57
    5258ALWAYS_INLINE const char* name(Kind kind)
    5359{
  • trunk/Source/WebKit/ChangeLog

    r220352 r220368  
     12017-08-07  Filip Pizlo  <fpizlo@apple.com>
     2
     3        Baseline JIT should do caging
     4        https://bugs.webkit.org/show_bug.cgi?id=175037
     5
     6        Reviewed by Mark Lam.
     7       
     8        Use a better API to disable disabling the primitive gigacage.
     9
     10        * WebProcess/WebProcess.cpp:
     11        (WebKit::m_webSQLiteDatabaseTracker):
     12        (WebKit::primitiveGigacageDisabled): Deleted.
     13
    1142017-08-06  Filip Pizlo  <fpizlo@apple.com>
    215
  • trunk/Source/WebKit/WebProcess/WebProcess.cpp

    r220352 r220368  
    147147namespace WebKit {
    148148
    149 static void primitiveGigacageDisabled(void*)
    150 {
    151     UNREACHABLE_FOR_PLATFORM();
    152 }
    153 
    154149WebProcess& WebProcess::singleton()
    155150{
     
    203198    });
    204199
    205     if (Gigacage::shouldBeEnabled())
    206         Gigacage::addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
     200    Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled();
    207201}
    208202
  • trunk/Source/bmalloc/ChangeLog

    r220352 r220368  
     12017-08-07  Filip Pizlo  <fpizlo@apple.com>
     2
     3        Baseline JIT should do caging
     4        https://bugs.webkit.org/show_bug.cgi?id=175037
     5
     6        Reviewed by Mark Lam.
     7       
     8        This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
     9        and WebProcess.
     10       
     11        This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
     12        checks on each typed array access.
     13
     14        * bmalloc/Gigacage.cpp:
     15        (Gigacage::primitiveGigacageDisabled):
     16        (Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
     17        (Gigacage::isDisablingPrimitiveGigacageDisabled):
     18        * bmalloc/Gigacage.h:
     19        (Gigacage::isPrimitiveGigacagePermanentlyEnabled):
     20        (Gigacage::canPrimitiveGigacageBeDisabled):
     21
    1222017-08-06  Filip Pizlo  <fpizlo@apple.com>
    223
  • trunk/Source/bmalloc/bmalloc/Gigacage.cpp

    r220352 r220368  
    4141
    4242namespace Gigacage {
     43
     44static bool s_isDisablingPrimitiveGigacageDisabled;
    4345
    4446struct Callback {
     
    132134}
    133135
     136static bool False;
     137
     138static void primitiveGigacageDisabled(void*)
     139{
     140    fprintf(stderr, "FATAL: Primitive gigacage disabled, but we don't want that in this process\n");
     141    if (!False)
     142        BCRASH();
     143}
     144
     145void disableDisablingPrimitiveGigacageIfShouldBeEnabled()
     146{
     147    if (shouldBeEnabled()) {
     148        addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
     149        s_isDisablingPrimitiveGigacageDisabled = true;
     150    }
     151}
     152
     153bool isDisablingPrimitiveGigacageDisabled()
     154{
     155    return s_isDisablingPrimitiveGigacageDisabled;
     156}
     157
    134158bool shouldBeEnabled()
    135159{
  • trunk/Source/bmalloc/bmalloc/Gigacage.h

    r220352 r220368  
    6464BEXPORT void removePrimitiveDisableCallback(void (*)(void*), void*);
    6565
     66BEXPORT void disableDisablingPrimitiveGigacageIfShouldBeEnabled();
     67
     68BEXPORT bool isDisablingPrimitiveGigacageDisabled();
     69inline bool isPrimitiveGigacagePermanentlyEnabled() { return isDisablingPrimitiveGigacageDisabled(); }
     70inline bool canPrimitiveGigacageBeDisabled() { return !isDisablingPrimitiveGigacageDisabled(); }
     71
    6672BINLINE const char* name(Kind kind)
    6773{
Note: See TracChangeset for help on using the changeset viewer.