Changeset 220404 in webkit
- Timestamp:
- Aug 8, 2017 9:00:06 AM (7 years ago)
- Location:
- trunk/Source
- Files:
-
- 14 edited
trunk/Source/JavaScriptCore/ChangeLog
r220403 r220404 1 2017-08-08 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r220368. 4 5 This change caused WK1 tests to exit early with crashes. 6 7 Reverted changeset: 8 9 "Baseline JIT should do caging" 10 https://bugs.webkit.org/show_bug.cgi?id=175037 11 http://trac.webkit.org/changeset/220368 12 1 13 2017-08-08 Michael Catanzaro <mcatanzaro@igalia.com> 2 14 -
trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp
r220368 r220404 528 528 CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()), 529 529 loadedValueGPR); 530 // FIXME: Do caging!531 // https://bugs.webkit.org/show_bug.cgi?id=175295532 530 storageGPR = loadedValueGPR; 533 531 } … … 880 878 881 879 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3); 882 // FIXME: Do caging!883 // https://bugs.webkit.org/show_bug.cgi?id=175295884 880 885 881 // We have scratchGPR = new storage, scratchGPR3 = old storage, … … 960 956 offsetInInlineStorage(m_offset) * sizeof(JSValue))); 961 957 } else { 962 if (!allocating) {958 if (!allocating) 963 959 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR); 964 // FIXME: Do caging!965 // https://bugs.webkit.org/show_bug.cgi?id=175295966 }967 960 jit.storeValue( 968 961 valueRegs, … … 1000 993 case ArrayLength: { 1001 994 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR); 1002 // FIXME: Do caging!1003 // https://bugs.webkit.org/show_bug.cgi?id=1752951004 995 jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR); 1005 996 state.failAndIgnore.append( -
trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp
r220368 r220404 58 58 CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape)); 59 59 jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value); 60 // FIXME: Do caging!61 // https://bugs.webkit.org/show_bug.cgi?id=17529562 60 jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value); 63 61 jit.boxInt32(scratchGPR, regs); … … 76 74 CCallHelpers::Address(base, JSObject::butterflyOffset()), 77 75 value); 78 // FIXME: Do caging!79 // https://bugs.webkit.org/show_bug.cgi?id=17529580 76 GPRReg storageGPR = value; 81 77 jit.loadValue( … … 121 117 122 118 jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value); 123 // FIXME: Do caging!124 // https://bugs.webkit.org/show_bug.cgi?id=175295125 119 jit.storeValue( 126 120 regs, … … 177 171 else { 178 172 jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR()); 179 // FIXME: Do caging!180 // https://bugs.webkit.org/show_bug.cgi?id=175295181 173 storage = value.payloadGPR(); 182 174 } … … 240 232 ASSERT(storage != InvalidGPRReg); 241 233 jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage); 242 // FIXME: Do caging!243 // https://bugs.webkit.org/show_bug.cgi?id=175295244 234 } 245 235 … … 280 270 CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType())); 281 271 jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR()); 282 // FIXME: Do caging!283 // https://bugs.webkit.org/show_bug.cgi?id=175295284 272 jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR()); 285 273 jit.boxInt32(value.payloadGPR(), value); -
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r220368 r220404 11617 11617 LValue caged(Gigacage::Kind kind, LValue ptr) 11618 11618 { 11619 if (!Gigacage::shouldBeEnabled()) 11620 return ptr; 11621 11622 if (kind == Gigacage::Primitive && Gigacage::canPrimitiveGigacageBeDisabled()) { 11619 if (kind == Gigacage::Primitive) { 11623 11620 if (vm().primitiveGigacageEnabled().isStillValid()) 11624 11621 m_graph.watchpoints().addLazily(vm().primitiveGigacageEnabled()); -
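Review bot: With the `if (!Gigacage::shouldBeEnabled()) return ptr;` guard gone, `caged()` now runs its body for every call regardless of the runtime enable state, and whether the caging arithmetic it emits (outside this hunk) is harmless when the cage is off is no longer visible at the call site. If that only holds because the base/mask values collapse to an identity when the cage is disabled, a one-line comment at the top of the function would save the next reader the detour: `// Safe to call with the Gigacage disabled; the emitted arithmetic must reduce to an identity in that case.` The remaining `Primitive` branch still only registers the `primitiveGigacageEnabled()` watchpoint while it `isStillValid()`, which is unchanged. The enclosing function continues past the end of the hunk.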
trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h
r220368 r220404 1310 1310 storeFence(); 1311 1311 ok.link(this); 1312 }1313 1314 void cage(Gigacage::Kind kind, GPRReg storage)1315 {1316 #if GIGACAGE_ENABLED1317 if (!Gigacage::shouldBeEnabled())1318 return;1319 1320 andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);1321 addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);1322 #else1323 UNUSED_PARAM(kind);1324 UNUSED_PARAM(storage);1325 #endif1326 }1327 1328 void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratch)1329 {1330 #if GIGACAGE_ENABLED1331 if (!Gigacage::shouldBeEnabled())1332 return;1333 1334 if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled())1335 return cage(kind, storage);1336 1337 loadPtr(Gigacage::basePtr(kind), scratch);1338 Jump done = branchTestPtr(Zero, scratch);1339 andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);1340 addPtr(scratch, storage);1341 done.link(this);1342 #else1343 UNUSED_PARAM(kind);1344 UNUSED_PARAM(storage);1345 UNUSED_PARAM(scratch);1346 #endif1347 1312 } 1348 1313 -
trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
r220368 r220404 173 173 174 174 badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape)); 175 // FIXME: Should do caging. 176 // https://bugs.webkit.org/show_bug.cgi?id=175037 175 177 loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2); 176 cage(Gigacage::JSValue, regT2);177 178 slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()))); 178 179 loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0); … … 187 188 188 189 badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape)); 190 // FIXME: Should do caging. 191 // https://bugs.webkit.org/show_bug.cgi?id=175037 189 192 loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2); 190 cage(Gigacage::JSValue, regT2);191 193 slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()))); 192 194 load64(BaseIndex(regT2, regT1, TimesEight), regT0); … … 203 205 badType = patchableBranch32(Above, regT3, TrustedImm32(SlowPutArrayStorageShape - ArrayStorageShape)); 204 206 207 // FIXME: Should do caging. 208 // https://bugs.webkit.org/show_bug.cgi?id=175037 205 209 loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2); 206 cage(Gigacage::JSValue, regT2);207 210 slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset()))); 208 211 … … 351 354 badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape)); 352 355 356 // FIXME: Should do caging. 357 // https://bugs.webkit.org/show_bug.cgi?id=175037 353 358 loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2); 354 cage(Gigacage::JSValue, regT2);355 359 Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())); 356 360 … … 407 411 408 412 badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape)); 413 // FIXME: Should do caging. 
414 // https://bugs.webkit.org/show_bug.cgi?id=175037 409 415 loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2); 410 cage(Gigacage::JSValue, regT2);411 416 slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset()))); 412 417 … … 919 924 isOutOfLine.link(this); 920 925 } 926 // FIXME: Should do caging. 927 // https://bugs.webkit.org/show_bug.cgi?id=175037 921 928 loadPtr(Address(base, JSObject::butterflyOffset()), scratch); 922 cage(Gigacage::JSValue, scratch);923 929 neg32(offset); 924 930 signExtend32ToPtr(offset, offset); … … 1061 1067 emitGetVirtualRegister(value, regT2); 1062 1068 1069 // FIXME: Should do caging. 1070 // https://bugs.webkit.org/show_bug.cgi?id=175037 1063 1071 loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0); 1064 cage(Gigacage::JSValue, regT0);1065 1072 loadPtr(operandSlot, regT1); 1066 1073 negPtr(regT1); … … 1570 1577 RegisterID resultPayload = regT0; 1571 1578 RegisterID scratch = regT3; 1572 RegisterID scratch2 = regT4;1573 1579 #else 1574 1580 RegisterID base = regT0; … … 1577 1583 RegisterID resultTag = regT1; 1578 1584 RegisterID scratch = regT3; 1579 RegisterID scratch2 = regT4;1580 1585 #endif 1581 1586 … … 1585 1590 badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type))); 1586 1591 slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength()))); 1592 // FIXME: Should do caging. 
1593 // https://bugs.webkit.org/show_bug.cgi?id=175037 1587 1594 loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); 1588 cageConditionally(Gigacage::Primitive, scratch, scratch2);1589 1595 1590 1596 switch (elementSize(type)) { … … 1644 1650 RegisterID resultPayload = regT0; 1645 1651 RegisterID scratch = regT3; 1646 RegisterID scratch2 = regT4;1647 1652 #else 1648 1653 RegisterID base = regT0; … … 1651 1656 RegisterID resultTag = regT1; 1652 1657 RegisterID scratch = regT3; 1653 RegisterID scratch2 = regT4;1654 1658 #endif 1655 1659 … … 1659 1663 badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type))); 1660 1664 slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength()))); 1665 // FIXME: Should do caging. 1666 // https://bugs.webkit.org/show_bug.cgi?id=175037 1661 1667 loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); 1662 cageConditionally(Gigacage::Primitive, scratch, scratch2);1663 1668 1664 1669 switch (elementSize(type)) { … … 1701 1706 RegisterID earlyScratch = regT3; 1702 1707 RegisterID lateScratch = regT2; 1703 RegisterID lateScratch2 = regT4;1704 1708 #else 1705 1709 RegisterID base = regT0; … … 1707 1711 RegisterID earlyScratch = regT3; 1708 1712 RegisterID lateScratch = regT1; 1709 RegisterID lateScratch2 = regT4;1710 1713 #endif 1711 1714 … … 1729 1732 // We would be loading this into base as in get_by_val, except that the slow 1730 1733 // path expects the base to be unclobbered. 1734 // FIXME: Should do caging. 
1735 // https://bugs.webkit.org/show_bug.cgi?id=175037 1731 1736 loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch); 1732 cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);1733 1737 1734 1738 if (isClamped(type)) { … … 1774 1778 RegisterID earlyScratch = regT3; 1775 1779 RegisterID lateScratch = regT2; 1776 RegisterID lateScratch2 = regT4;1777 1780 #else 1778 1781 RegisterID base = regT0; … … 1780 1783 RegisterID earlyScratch = regT3; 1781 1784 RegisterID lateScratch = regT1; 1782 RegisterID lateScratch2 = regT4;1783 1785 #endif 1784 1786 … … 1815 1817 // We would be loading this into base as in get_by_val, except that the slow 1816 1818 // path expects the base to be unclobbered. 1819 // FIXME: Should do caging. 1820 // https://bugs.webkit.org/show_bug.cgi?id=175037 1817 1821 loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch); 1818 cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);1819 1822 1820 1823 switch (elementSize(type)) { -
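Review bot: The reinstated `// FIXME: Should do caging.` comments (first above `loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);` in the DoubleShape path, then at every other butterfly and `offsetOfVector()` load in this file) cite bug 175037 but not why the caging is absent again, so a trunk reader sees the same FIXME that predates r220368 with no hint that a caged version existed and crashed. Recording the rollout in the comment keeps that history where the next implementer will look: `// FIXME: Should do caging. r220368 did this but was rolled out in r220404 (WK1 test crashes).` followed by the existing bug URL. Until a re-land, the baseline JIT's butterfly and typed-array vector loads run un-caged while FTL's `caged()` helper survives this changeset, so the mitigation's coverage is now tier-dependent, which is worth stating in the bug as well as the ChangeLog. The functions these hunks touch all begin and end outside the hunks.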
trunk/Source/JavaScriptCore/jsc.cpp
r220368 r220404 3803 3803 } 3804 3804 3805 static void primitiveGigacageDisabled(void*) 3806 { 3807 dataLog("Primitive gigacage disabled! Aborting.\n"); 3808 UNREACHABLE_FOR_PLATFORM(); 3809 } 3810 3805 3811 int jscmain(int argc, char** argv) 3806 3812 { … … 3821 3827 JSC::Wasm::enableFastMemory(); 3822 3828 #endif 3823 Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled(); 3829 if (Gigacage::shouldBeEnabled()) 3830 Gigacage::addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr); 3824 3831 3825 3832 int result; -
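Review bot: `primitiveGigacageDisabled` is added without a comment saying why the shell treats a disabled primitive Gigacage as fatal, and since `UNREACHABLE_FOR_PLATFORM()` is a release assertion in WTF this is a deliberate process abort, not a debug-only check. A short header above the function would make the intent explicit: `// jsc requires the primitive Gigacage to stay enabled for the lifetime of the process; if anything disables it, abort rather than continue with the mitigation off.` The registration in `jscmain` is gated on `Gigacage::shouldBeEnabled()`, which reads correctly. The same callback shape is added in WebProcess.cpp and the comment applies there too.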
trunk/Source/WTF/ChangeLog
r220403 r220404 1 2017-08-08 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r220368. 4 5 This change caused WK1 tests to exit early with crashes. 6 7 Reverted changeset: 8 9 "Baseline JIT should do caging" 10 https://bugs.webkit.org/show_bug.cgi?id=175037 11 http://trac.webkit.org/changeset/220368 12 1 13 2017-08-08 Michael Catanzaro <mcatanzaro@igalia.com> 2 14 -
trunk/Source/WTF/wtf/Gigacage.h
r220368 r220404 50 50 inline void removePrimitiveDisableCallback(void (*)(void*), void*) { } 51 51 52 inline void disableDisablingPrimitiveGigacageIfShouldBeEnabled() { }53 54 inline bool isDisablingPrimitiveGigacageDisabled() { return false; }55 inline bool isPrimitiveGigacagePermanentlyEnabled() { return false; }56 inline bool canPrimitiveGigacageBeDisabled() { return true; }57 58 52 ALWAYS_INLINE const char* name(Kind kind) 59 53 { -
trunk/Source/WebKit/ChangeLog
r220403 r220404 1 2017-08-08 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r220368. 4 5 This change caused WK1 tests to exit early with crashes. 6 7 Reverted changeset: 8 9 "Baseline JIT should do caging" 10 https://bugs.webkit.org/show_bug.cgi?id=175037 11 http://trac.webkit.org/changeset/220368 12 1 13 2017-08-08 Michael Catanzaro <mcatanzaro@igalia.com> 2 14 -
trunk/Source/WebKit/WebProcess/WebProcess.cpp
r220368 r220404 147 147 namespace WebKit { 148 148 149 static void primitiveGigacageDisabled(void*) 150 { 151 UNREACHABLE_FOR_PLATFORM(); 152 } 153 149 154 WebProcess& WebProcess::singleton() 150 155 { … … 198 203 }); 199 204 200 Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled(); 205 if (Gigacage::shouldBeEnabled()) 206 Gigacage::addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr); 201 207 } 202 208 -
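Review bot: Unlike its jsc.cpp counterpart, `primitiveGigacageDisabled` here reaches `UNREACHABLE_FOR_PLATFORM()` without emitting any diagnostic, so a WebProcess crash on this path can be attributed to the Gigacage only from the stack. A line before the assert, e.g. `WTFLogAlways("Primitive Gigacage was disabled in the WebProcess; aborting.");`, would make the crash self-describing in logs and crash reports. The registration below is correctly gated on `Gigacage::shouldBeEnabled()`, matching jsc.cpp. The enclosing initialization function begins and ends outside the hunk.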
trunk/Source/bmalloc/ChangeLog
r220368 r220404 1 2017-08-08 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r220368. 4 5 This change caused WK1 tests to exit early with crashes. 6 7 Reverted changeset: 8 9 "Baseline JIT should do caging" 10 https://bugs.webkit.org/show_bug.cgi?id=175037 11 http://trac.webkit.org/changeset/220368 12 1 13 2017-08-07 Filip Pizlo <fpizlo@apple.com> 2 14 -
trunk/Source/bmalloc/bmalloc/Gigacage.cpp
r220368 r220404 41 41 42 42 namespace Gigacage { 43 44 static bool s_isDisablingPrimitiveGigacageDisabled;45 43 46 44 struct Callback { … … 134 132 } 135 133 136 static bool False;137 138 static void primitiveGigacageDisabled(void*)139 {140 fprintf(stderr, "FATAL: Primitive gigacage disabled, but we don't want that in this process\n");141 if (!False)142 BCRASH();143 }144 145 void disableDisablingPrimitiveGigacageIfShouldBeEnabled()146 {147 if (shouldBeEnabled()) {148 addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);149 s_isDisablingPrimitiveGigacageDisabled = true;150 }151 }152 153 bool isDisablingPrimitiveGigacageDisabled()154 {155 return s_isDisablingPrimitiveGigacageDisabled;156 }157 158 134 bool shouldBeEnabled() 159 135 { -
trunk/Source/bmalloc/bmalloc/Gigacage.h
r220368 r220404 64 64 BEXPORT void removePrimitiveDisableCallback(void (*)(void*), void*); 65 65 66 BEXPORT void disableDisablingPrimitiveGigacageIfShouldBeEnabled();67 68 BEXPORT bool isDisablingPrimitiveGigacageDisabled();69 inline bool isPrimitiveGigacagePermanentlyEnabled() { return isDisablingPrimitiveGigacageDisabled(); }70 inline bool canPrimitiveGigacageBeDisabled() { return !isDisablingPrimitiveGigacageDisabled(); }71 72 66 BINLINE const char* name(Kind kind) 73 67 {