Changeset 221439 in webkit

Timestamp:

Aug 31, 2017 1:46:58 PM (7 years ago)

Author:

fpizlo@apple.com

Message:

All of the different ArrayBuffer::data's should be CagedPtr<>
​https://bugs.webkit.org/show_bug.cgi?id=175515

Reviewed by Michael Saboff.

Source/JavaScriptCore:

This straightforwardly implements what the title says.

• runtime/ArrayBuffer.cpp:

(JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
(JSC::ArrayBufferContents::destroy):
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::makeShared):
(JSC::ArrayBufferContents::copyTo):
(JSC::ArrayBuffer::createFromBytes):
(JSC::ArrayBuffer::transferTo):

• runtime/ArrayBuffer.h:

(JSC::SharedArrayBufferContents::data const):
(JSC::ArrayBufferContents::data const):
(JSC::ArrayBuffer::data):
(JSC::ArrayBuffer::data const):

• runtime/ArrayBufferView.h:

(JSC::ArrayBufferView::baseAddress const):

• runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
• runtime/DataView.h:

(JSC::DataView::get):
(JSC::DataView::set):

• runtime/JSArrayBufferView.cpp:

(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):

• runtime/JSArrayBufferView.h:

(JSC::JSArrayBufferView::ConstructionContext::vector const):
(JSC::JSArrayBufferView::vector const):

• runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):

Source/WTF:

Added a specialization so that CagedPtr<void> is valid.

• wtf/CagedPtr.h:

Location:

trunk

Files:

• JSTests/stress/dont-reserve-huge-capacity-lexer.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/ArrayBuffer.cpp (modified) (7 diffs)
• Source/JavaScriptCore/runtime/ArrayBuffer.h (modified) (6 diffs)
• Source/JavaScriptCore/runtime/ArrayBufferView.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/CagedBarrierPtr.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/DataView.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSArrayBufferView.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSArrayBufferView.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h (modified) (1 diff)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/CagedPtr.h (modified) (1 diff)

trunk/JSTests/stress/dont-reserve-huge-capacity-lexer.js

@@ -1 @@
-//@ skip if ($architecture != "x86-64") or $memoryLimited
+//@ if ($architecture != "x86-64") or $memoryLimited then skip else runDefault end
 
 var fe="f";                                                                         

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-08-31  Filip Pizlo  <fpizlo@apple.com>
+
+        All of the different ArrayBuffer::data's should be CagedPtr<>
+        https://bugs.webkit.org/show_bug.cgi?id=175515
+
+        Reviewed by Michael Saboff.
+        
+        This straightforwardly implements what the title says.
+
+        * runtime/ArrayBuffer.cpp:
+        (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
+        (JSC::ArrayBufferContents::destroy):
+        (JSC::ArrayBufferContents::tryAllocate):
+        (JSC::ArrayBufferContents::makeShared):
+        (JSC::ArrayBufferContents::copyTo):
+        (JSC::ArrayBuffer::createFromBytes):
+        (JSC::ArrayBuffer::transferTo):
+        * runtime/ArrayBuffer.h:
+        (JSC::SharedArrayBufferContents::data const):
+        (JSC::ArrayBufferContents::data const):
+        (JSC::ArrayBuffer::data):
+        (JSC::ArrayBuffer::data const):
+        * runtime/ArrayBufferView.h:
+        (JSC::ArrayBufferView::baseAddress const):
+        * runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
+        * runtime/DataView.h:
+        (JSC::DataView::get):
+        (JSC::DataView::set):
+        * runtime/JSArrayBufferView.cpp:
+        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+        * runtime/JSArrayBufferView.h:
+        (JSC::JSArrayBufferView::ConstructionContext::vector const):
+        (JSC::JSArrayBufferView::vector const):
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
+
 2017-08-22  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/runtime/ArrayBuffer.cpp

@@ -42 +42 @@
 SharedArrayBufferContents::~SharedArrayBufferContents()
 {
-    m_destructor(m_data);
+    m_destructor(m_data.getMayBeNull());
 }
 
@@ -82 +82 @@
 void ArrayBufferContents::destroy()
 {
-    m_destructor(m_data);
+    m_destructor(m_data.getMayBeNull());
 }
 
@@ -114 +114 @@
     
     if (policy == ZeroInitialize)
-        memset(m_data, 0, size);
+        memset(m_data.get(), 0, size);
 
     m_sizeInBytes = numElements * elementByteSize;
@@ -122 +122 @@
 void ArrayBufferContents::makeShared()
 {
-    m_shared = adoptRef(new SharedArrayBufferContents(m_data, WTFMove(m_destructor)));
+    m_shared = adoptRef(new SharedArrayBufferContents(m_data.getMayBeNull(), WTFMove(m_destructor)));
     m_destructor = [] (void*) { };
 }
@@ -142 +142 @@
     if (!other.m_data)
         return;
-    memcpy(other.m_data, m_data, m_sizeInBytes);
+    memcpy(other.m_data.get(), m_data.get(), m_sizeInBytes);
     other.m_sizeInBytes = m_sizeInBytes;
 }
@@ -199 +199 @@
 Ref<ArrayBuffer> ArrayBuffer::createFromBytes(const void* data, unsigned byteLength, ArrayBufferDestructorFunction&& destructor)
 {
-    if (data && byteLength && !Gigacage::isCaged(Gigacage::Primitive, data))
+    if (data && !Gigacage::isCaged(Gigacage::Primitive, data))
         Gigacage::disablePrimitiveGigacage();
     
@@ -323 +323 @@
 
     if (!m_contents.m_data) {
-        result.m_data = 0;
+        result.m_data = nullptr;
         return false;
     }

trunk/Source/JavaScriptCore/runtime/ArrayBuffer.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2009, 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29 +29 @@
 #include "GCIncomingRefCounted.h"
 #include "Weak.h"
+#include <wtf/CagedPtr.h>
 #include <wtf/Function.h>
 #include <wtf/StdLibExtras.h>
@@ -48 +49 @@
     ~SharedArrayBufferContents();
     
-    void* data() const { return m_data; }
+    void* data() const { return m_data.getMayBeNull(); }
     
 private:
-    // FIXME: This should be CagedPtr<>.
-    // https://bugs.webkit.org/show_bug.cgi?id=175515
-    void* m_data;
+    CagedPtr<Gigacage::Primitive, void> m_data;
     ArrayBufferDestructorFunction m_destructor;
 };
@@ -71 +70 @@
     explicit operator bool() { return !!m_data; }
     
-    void* data() const { return m_data; }
+    void* data() const { return m_data.getMayBeNull(); }
     unsigned sizeInBytes() const { return m_sizeInBytes; }
     
@@ -98 +97 @@
     ArrayBufferDestructorFunction m_destructor;
     RefPtr<SharedArrayBufferContents> m_shared;
-    // FIXME: This should be CagedPtr<>.
-    // https://bugs.webkit.org/show_bug.cgi?id=175515
-    void* m_data;
+    CagedPtr<Gigacage::Primitive, void> m_data;
     unsigned m_sizeInBytes;
 };
@@ -186 +183 @@
 void* ArrayBuffer::data()
 {
-    return m_contents.m_data;
+    return m_contents.m_data.getMayBeNull();
 }
 
 const void* ArrayBuffer::data() const
 {
-    return m_contents.m_data;
+    return m_contents.m_data.getMayBeNull();
 }
 

trunk/Source/JavaScriptCore/runtime/ArrayBufferView.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2009, 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -73 +73 @@
         if (isNeutered())
             return 0;
-        return m_baseAddress;
+        return m_baseAddress.getMayBeNull();
     }
 
@@ -148 +148 @@
 
     // This is the address of the ArrayBuffer's storage, plus the byte offset.
-    // FIXME: This should be CagedPtr<>.
-    // https://bugs.webkit.org/show_bug.cgi?id=175515
-    void* m_baseAddress;
+    CagedPtr<Gigacage::Primitive, void> m_baseAddress;
 
     unsigned m_byteOffset : 31;

trunk/Source/JavaScriptCore/runtime/CagedBarrierPtr.h

@@ -89 +89 @@
 };
 
+template<Gigacage::Kind passedKind>
+class CagedBarrierPtr<passedKind, void> {
+public:
+    static constexpr Gigacage::Kind kind = passedKind;
+    typedef void Type;
+    
+    CagedBarrierPtr() { }
+    
+    template<typename U>
+    CagedBarrierPtr(VM& vm, JSCell* cell, U&& value)
+    {
+        m_barrier.set(vm, cell, std::forward<U>(value));
+    }
+    
+    void clear() { m_barrier.clear(); }
+    
+    template<typename U>
+    void set(VM& vm, JSCell* cell, U&& value)
+    {
+        m_barrier.set(vm, cell, std::forward<U>(value));
+    }
+    
+    void* get() const { return m_barrier.get().get(); }
+    void* getMayBeNull() const { return m_barrier.get().getMayBeNull(); }
+    
+    bool operator==(const CagedBarrierPtr& other) const
+    {
+        return getMayBeNull() == other.getMayBeNull();
+    }
+    
+    bool operator!=(const CagedBarrierPtr& other) const
+    {
+        return !(*this == other);
+    }
+    
+    explicit operator bool() const
+    {
+        return *this != CagedBarrierPtr();
+    }
+    
+    template<typename U>
+    void setWithoutBarrier(U&& value) { m_barrier.setWithoutBarrier(std::forward<U>(value)); }
+    
+private:
+    AuxiliaryBarrier<CagedPtr<kind, void>> m_barrier;
+};
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/DataView.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -63 +63 @@
             ASSERT_WITH_SECURITY_IMPLICATION(offset + sizeof(T) <= byteLength());
         return flipBytesIfLittleEndian(
-            *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress) + offset),
+            *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get()) + offset),
             littleEndian);
     }
@@ -87 +87 @@
         } else
             ASSERT_WITH_SECURITY_IMPLICATION(offset + sizeof(T) <= byteLength());
-        *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress) + offset) =
+        *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get()) + offset) =
             flipBytesIfLittleEndian(value, littleEndian);
     }

trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp

@@ -78 +78 @@
 
         if (mode == ZeroFill) {
-            uint64_t* asWords = static_cast<uint64_t*>(m_vector);
+            uint64_t* asWords = static_cast<uint64_t*>(m_vector.get());
             for (unsigned i = size / sizeof(uint64_t); i--;)
                 asWords[i] = 0;
@@ -95 +95 @@
         return;
     if (mode == ZeroFill)
-        memset(m_vector, 0, size);
+        memset(m_vector.get(), 0, size);
     
     vm.heap.reportExtraMemoryAllocated(static_cast<size_t>(length) * elementSize);

trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h

@@ -134 +134 @@
         
         Structure* structure() const { return m_structure; }
-        void* vector() const { return m_vector; }
+        void* vector() const { return m_vector.getMayBeNull(); }
         uint32_t length() const { return m_length; }
         TypedArrayMode mode() const { return m_mode; }
@@ -141 +141 @@
     private:
         Structure* m_structure;
-        // FIXME: This should be CagedPtr<>.
-        // https://bugs.webkit.org/show_bug.cgi?id=175515
-        void* m_vector;
+        CagedPtr<Gigacage::Primitive, void> m_vector;
         uint32_t m_length;
         TypedArrayMode m_mode;
@@ -170 +168 @@
     void neuter();
     
-    void* vector() const { return m_vector.get(); }
+    void* vector() const { return m_vector.getMayBeNull(); }
     
     unsigned byteOffset();
@@ -193 +191 @@
     static String toStringName(const JSObject*, ExecState*);
 
-    // FIXME: This should be CagedBarrierPtr<>.
-    // https://bugs.webkit.org/show_bug.cgi?id=175515
-    AuxiliaryBarrier<void*> m_vector;
+    CagedBarrierPtr<Gigacage::Primitive, void> m_vector;
     uint32_t m_length;
     TypedArrayMode m_mode;

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

@@ -518 +518 @@
     switch (thisObject->m_mode) {
     case FastTypedArray: {
-        if (void* vector = thisObject->m_vector.get())
+        if (void* vector = thisObject->m_vector.getMayBeNull())
             visitor.markAuxiliary(vector);
         break;

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2017-08-31  Filip Pizlo  <fpizlo@apple.com>
+
+        All of the different ArrayBuffer::data's should be CagedPtr<>
+        https://bugs.webkit.org/show_bug.cgi?id=175515
+
+        Reviewed by Michael Saboff.
+        
+        Added a specialization so that CagedPtr<void> is valid.
+
+        * wtf/CagedPtr.h:
+
 2017-08-31  Per Arne Vollan  <pvollan@apple.com>
 

trunk/Source/WTF/wtf/CagedPtr.h

@@ -78 +78 @@
 };
 
+template<Gigacage::Kind passedKind>
+class CagedPtr<passedKind, void> {
+public:
+    static constexpr Gigacage::Kind kind = passedKind;
+    
+    CagedPtr(void* ptr = nullptr)
+        : m_ptr(ptr)
+    {
+    }
+    
+    void* get() const
+    {
+        ASSERT(m_ptr);
+        return Gigacage::caged(kind, m_ptr);
+    }
+    
+    void* getMayBeNull() const
+    {
+        if (!m_ptr)
+            return nullptr;
+        return get();
+    }
+    
+    bool operator==(const CagedPtr& other) const
+    {
+        return getMayBeNull() == other.getMayBeNull();
+    }
+    
+    bool operator!=(const CagedPtr& other) const
+    {
+        return !(*this == other);
+    }
+    
+    explicit operator bool() const
+    {
+        return *this != CagedPtr();
+    }
+    
+protected:
+    void* m_ptr;
+};
+
 } // namespace WTF