Changeset 223113 in webkit

Timestamp:

Oct 9, 2017 6:40:53 PM (7 years ago)

Author:

fpizlo@apple.com

Message:

Enable gigacage on iOS
​https://bugs.webkit.org/show_bug.cgi?id=177586

Reviewed by JF Bastien.
JSTests:

Add tests for when Gigacage gets runtime disabled.

• stress/disable-gigacage-arrays.js: Added.

(foo):

• stress/disable-gigacage-strings.js: Added.

(foo):

• stress/disable-gigacage-typed-arrays.js: Added.

(foo):

Source/bmalloc:

Introduce the ability to disable gigacage at runtime if allocation fails. If any step of gigacage
allocation fails, we free all of the gigacages and turn off gigacage support.

Reland this after confirming that the 20% Kraken regression was a one-bot fluke. Local testing on the
same kind of system did not show the regression. Saam and I both tried independently.

• CMakeLists.txt:
• bmalloc.xcodeproj/project.pbxproj:
• bmalloc/Cache.cpp:

(bmalloc::Cache::scavenge):

• bmalloc/Cache.h:

(bmalloc::Cache::tryAllocate):
(bmalloc::Cache::allocate):
(bmalloc::Cache::deallocate):
(bmalloc::Cache::reallocate):

• bmalloc/Gigacage.cpp:

(Gigacage::ensureGigacage):
(Gigacage::runway):
(Gigacage::totalSize):
(Gigacage::shouldBeEnabled):
(): Deleted.
(Gigacage::Callback::Callback): Deleted.
(Gigacage::Callback::function): Deleted.
(Gigacage::PrimitiveDisableCallbacks::PrimitiveDisableCallbacks): Deleted.

• bmalloc/Gigacage.h:

(Gigacage::wasEnabled):
(Gigacage::isEnabled):
(Gigacage::runway): Deleted.
(Gigacage::totalSize): Deleted.

• bmalloc/HeapKind.cpp: Added.

(bmalloc::isActiveHeapKind):
(bmalloc::mapToActiveHeapKind):

• bmalloc/HeapKind.h:

(bmalloc::isActiveHeapKindAfterEnsuringGigacage):
(bmalloc::mapToActiveHeapKindAfterEnsuringGigacage):

• bmalloc/Scavenger.cpp:

(bmalloc::Scavenger::scavenge):

• bmalloc/bmalloc.h:

(bmalloc::api::tryLargeMemalignVirtual):
(bmalloc::api::freeLargeVirtual):
(bmalloc::api::isEnabled):

Source/JavaScriptCore:

The hardest part of enabling Gigacage on iOS is that it requires loading global variables while
executing JS, so the LLInt needs to know how to load from global variables on all platforms that
have Gigacage. So, this teaches ARM64 how to load from global variables.

Also, this makes the code handle disabling the gigacage a bit better.

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::caged):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::cage):
(JSC::AssemblyHelpers::cageConditionally):

• offlineasm/arm64.rb:
• offlineasm/asm.rb:
• offlineasm/instructions.rb:

Tools:

Add a mode to test disabling Gigacage.

• Scripts/run-jsc-stress-tests:
• Scripts/webkitruby/jsc-stress-test-writer-default.rb:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/disable-gigacage-arrays.js (added)
• JSTests/stress/disable-gigacage-strings.js (added)
• JSTests/stress/disable-gigacage-typed-arrays.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/AssemblyHelpers.h (modified) (2 diffs)
• Source/JavaScriptCore/offlineasm/arm64.rb (modified) (3 diffs)
• Source/JavaScriptCore/offlineasm/asm.rb (modified) (2 diffs)
• Source/JavaScriptCore/offlineasm/instructions.rb (modified) (1 diff)
• Source/bmalloc/CMakeLists.txt (modified) (1 diff)
• Source/bmalloc/ChangeLog (modified) (1 diff)
• Source/bmalloc/bmalloc.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/bmalloc/bmalloc/Cache.cpp (modified) (2 diffs)
• Source/bmalloc/bmalloc/Cache.h (modified) (6 diffs)
• Source/bmalloc/bmalloc/Gigacage.cpp (modified) (7 diffs)
• Source/bmalloc/bmalloc/Gigacage.h (modified) (5 diffs)
• Source/bmalloc/bmalloc/Heap.cpp (modified) (6 diffs)
• Source/bmalloc/bmalloc/HeapKind.cpp (added)
• Source/bmalloc/bmalloc/HeapKind.h (modified) (1 diff)
• Source/bmalloc/bmalloc/Scavenger.cpp (modified) (1 diff)
• Source/bmalloc/bmalloc/bmalloc.h (modified) (3 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/Scripts/run-jsc-stress-tests (modified) (3 diffs)
• Tools/Scripts/webkitruby/jsc-stress-test-writer-default.rb (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-09-29  Filip Pizlo  <fpizlo@apple.com>
+
+        Enable gigacage on iOS
+        https://bugs.webkit.org/show_bug.cgi?id=177586
+
+        Reviewed by JF Bastien.
+        
+        Add tests for when Gigacage gets runtime disabled.
+
+        * stress/disable-gigacage-arrays.js: Added.
+        (foo):
+        * stress/disable-gigacage-strings.js: Added.
+        (foo):
+        * stress/disable-gigacage-typed-arrays.js: Added.
+        (foo):
+
 2017-10-09  Michael Saboff  <msaboff@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-09-29  Filip Pizlo  <fpizlo@apple.com>
+
+        Enable gigacage on iOS
+        https://bugs.webkit.org/show_bug.cgi?id=177586
+
+        Reviewed by JF Bastien.
+
+        The hardest part of enabling Gigacage on iOS is that it requires loading global variables while
+        executing JS, so the LLInt needs to know how to load from global variables on all platforms that
+        have Gigacage. So, this teaches ARM64 how to load from global variables.
+        
+        Also, this makes the code handle disabling the gigacage a bit better.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::caged):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::cage):
+        (JSC::AssemblyHelpers::cageConditionally):
+        * offlineasm/arm64.rb:
+        * offlineasm/asm.rb:
+        * offlineasm/instructions.rb:
+
 2017-10-09  Robin Morisset  <rmorisset@apple.com>
 

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -11995 +11995 @@
     LValue caged(Gigacage::Kind kind, LValue ptr)
     {
-        if (!Gigacage::shouldBeEnabled())
+        if (!Gigacage::isEnabled(kind))
             return ptr;
         

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1315 +1315 @@
     {
 #if GIGACAGE_ENABLED
-        if (!Gigacage::shouldBeEnabled())
+        if (!Gigacage::isEnabled(kind))
             return;
         
@@ -1329 +1329 @@
     {
 #if GIGACAGE_ENABLED
-        if (!Gigacage::shouldBeEnabled())
+        if (!Gigacage::isEnabled(kind))
             return;
         

trunk/Source/JavaScriptCore/offlineasm/arm64.rb

@@ -261 +261 @@
 end
 
+def arm64LowerLabelReferences(list)
+    newList = []
+    list.each {
+        | node |
+        if node.is_a? Instruction
+            case node.opcode
+            when "loadi", "loadis", "loadp", "loadq", "loadb", "loadbs", "loadh", "loadhs"
+                labelRef = node.operands[0]
+                if labelRef.is_a? LabelReference
+                    tmp = Tmp.new(node.codeOrigin, :gpr)
+                    newList << Instruction.new(codeOrigin, "globaladdr", [LabelReference.new(node.codeOrigin, labelRef.label), tmp])
+                    newList << Instruction.new(codeOrigin, node.opcode, [Address.new(node.codeOrigin, tmp, Immediate.new(node.codeOrigin, labelRef.offset)), node.operands[1]])
+                else
+                    newList << node
+                end
+            else
+                newList << node
+            end
+        else
+            newList << node
+        end
+    }
+    newList
+end
+
 # Workaround for Cortex-A53 erratum (835769)
 def arm64CortexA53Fix835769(list)
@@ -297 +322 @@
         result = riscLowerShiftOps(result)
         result = arm64LowerMalformedLoadStoreAddresses(result)
+        result = arm64LowerLabelReferences(result)
         result = riscLowerMalformedAddresses(result) {
             | node, address |
@@ -905 +931 @@
             $asm.puts "nop"
             $asm.putStr("#endif")
+        when "globaladdr"
+            uid = $asm.newUID
+            $asm.puts "L_offlineasm_loh_adrp_#{uid}:"
+            $asm.puts "adrp #{operands[1].arm64Operand(:ptr)}, #{operands[0].asmLabel}@GOTPAGE"
+            $asm.puts "L_offlineasm_loh_ldr_#{uid}:"
+            $asm.puts "ldr #{operands[1].arm64Operand(:ptr)}, [#{operands[1].arm64Operand(:ptr)}, #{operands[0].asmLabel}@GOTPAGEOFF]"
+            $asm.deferAction {
+                $asm.puts ".loh AdrpLdrGot L_offlineasm_loh_adrp_#{uid}, L_offlineasm_loh_ldr_#{uid}"
+            }
         else
             lowerDefault

trunk/Source/JavaScriptCore/offlineasm/asm.rb

@@ -47 +47 @@
         @numLocalLabels = 0
         @numGlobalLabels = 0
+        @deferredActions = []
+        @count = 0
 
         @newlineSpacerState = :none
@@ -74 +76 @@
         end
         putsLastComment
+        @deferredActions.each {
+            | action |
+            action.call()
+        }
         @outp.puts "OFFLINE_ASM_END" if !$emitWinAsm
         @state = :cpp
+    end
+    
+    def deferAction(&proc)
+        @deferredActions << proc
+    end
+    
+    def newUID
+        @count += 1
+        @count
     end
     

trunk/Source/JavaScriptCore/offlineasm/instructions.rb

@@ -268 +268 @@
     [
      "pcrtoaddr",   # Address from PC relative offset - adr instruction
-     "nopFixCortexA53Err835769" # nop on Cortex-A53 (nothing otherwise)
+     "nopFixCortexA53Err835769", # nop on Cortex-A53 (nothing otherwise)
+     "globaladdr"
     ]
 

trunk/Source/bmalloc/CMakeLists.txt

@@ -14 +14 @@
     bmalloc/Gigacage.cpp
     bmalloc/Heap.cpp
+    bmalloc/HeapKind.cpp
     bmalloc/LargeMap.cpp
     bmalloc/Logging.cpp

trunk/Source/bmalloc/ChangeLog

@@ +1 @@
+2017-09-29  Filip Pizlo  <fpizlo@apple.com>
+
+        Enable gigacage on iOS
+        https://bugs.webkit.org/show_bug.cgi?id=177586
+
+        Reviewed by JF Bastien.
+        
+        Introduce the ability to disable gigacage at runtime if allocation fails. If any step of gigacage
+        allocation fails, we free all of the gigacages and turn off gigacage support.
+        
+        Reland this after confirming that the 20% Kraken regression was a one-bot fluke. Local testing on the
+        same kind of system did not show the regression. Saam and I both tried independently.
+
+        * CMakeLists.txt:
+        * bmalloc.xcodeproj/project.pbxproj:
+        * bmalloc/Cache.cpp:
+        (bmalloc::Cache::scavenge):
+        * bmalloc/Cache.h:
+        (bmalloc::Cache::tryAllocate):
+        (bmalloc::Cache::allocate):
+        (bmalloc::Cache::deallocate):
+        (bmalloc::Cache::reallocate):
+        * bmalloc/Gigacage.cpp:
+        (Gigacage::ensureGigacage):
+        (Gigacage::runway):
+        (Gigacage::totalSize):
+        (Gigacage::shouldBeEnabled):
+        (): Deleted.
+        (Gigacage::Callback::Callback): Deleted.
+        (Gigacage::Callback::function): Deleted.
+        (Gigacage::PrimitiveDisableCallbacks::PrimitiveDisableCallbacks): Deleted.
+        * bmalloc/Gigacage.h:
+        (Gigacage::wasEnabled):
+        (Gigacage::isEnabled):
+        (Gigacage::runway): Deleted.
+        (Gigacage::totalSize): Deleted.
+        * bmalloc/HeapKind.cpp: Added.
+        (bmalloc::isActiveHeapKind):
+        (bmalloc::mapToActiveHeapKind):
+        * bmalloc/HeapKind.h:
+        (bmalloc::isActiveHeapKindAfterEnsuringGigacage):
+        (bmalloc::mapToActiveHeapKindAfterEnsuringGigacage):
+        * bmalloc/Scavenger.cpp:
+        (bmalloc::Scavenger::scavenge):
+        * bmalloc/bmalloc.h:
+        (bmalloc::api::tryLargeMemalignVirtual):
+        (bmalloc::api::freeLargeVirtual):
+        (bmalloc::api::isEnabled):
+
 2017-10-09  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/bmalloc/bmalloc.xcodeproj/project.pbxproj

@@ -16 +16 @@
                 0F5BF1531F22E1570029D91D /* Scavenger.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5BF1511F22E1570029D91D /* Scavenger.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F5BF1731F23C5710029D91D /* BExport.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5BF1721F23C5710029D91D /* BExport.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0FD557331F7EDB7B00B1F0A3 /* HeapKind.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FD557321F7EDB7B00B1F0A3 /* HeapKind.cpp */; };
                 1400274918F89C1300115C97 /* Heap.h in Headers */ = {isa = PBXBuildFile; fileRef = 14DA320C18875B09007269E0 /* Heap.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 1400274A18F89C2300115C97 /* VMHeap.h in Headers */ = {isa = PBXBuildFile; fileRef = 144F7BFC18BFC517003537F3 /* VMHeap.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -91 +92 @@
                 0F5BF1511F22E1570029D91D /* Scavenger.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = Scavenger.h; path = bmalloc/Scavenger.h; sourceTree = "<group>"; };
                 0F5BF1721F23C5710029D91D /* BExport.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = BExport.h; path = bmalloc/BExport.h; sourceTree = "<group>"; };
+                0FD557321F7EDB7B00B1F0A3 /* HeapKind.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = HeapKind.cpp; path = bmalloc/HeapKind.cpp; sourceTree = "<group>"; };
                 140FA00219CE429C00FFD3C8 /* BumpRange.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = BumpRange.h; path = bmalloc/BumpRange.h; sourceTree = "<group>"; };
                 140FA00419CE4B6800FFD3C8 /* LineMetadata.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LineMetadata.h; path = bmalloc/LineMetadata.h; sourceTree = "<group>"; };
@@ -288 +290 @@
                                 14C919C818FCC59F0028DB43 /* BPlatform.h */,
                                 14D9DB4517F2447100EAAB79 /* FixedVector.h */,
+                                0FD557321F7EDB7B00B1F0A3 /* HeapKind.cpp */,
                                 0F5BF1461F22A8B10029D91D /* HeapKind.h */,
                                 141D9AFF1C8E51C0000ABBA0 /* List.h */,
@@ -457 +460 @@
                         files = (
                                 0F5BF1521F22E1570029D91D /* Scavenger.cpp in Sources */,
+                                0FD557331F7EDB7B00B1F0A3 /* HeapKind.cpp in Sources */,
                                 14F271C318EA3978008C152F /* Allocator.cpp in Sources */,
                                 6599C5CC1EC3F15900A2F7BB /* AvailableMemory.cpp in Sources */,

trunk/Source/bmalloc/bmalloc/Cache.cpp

@@ -36 +36 @@
     if (!caches)
         return;
+    if (!isActiveHeapKind(heapKind))
+        return;
 
     caches->at(heapKind).allocator().scavenge();
@@ -49 +51 @@
 BNO_INLINE void* Cache::tryAllocateSlowCaseNullCache(HeapKind heapKind, size_t size)
 {
-    return PerThread<PerHeapKind<Cache>>::getSlowCase()->at(heapKind).allocator().tryAllocate(size);
+    return PerThread<PerHeapKind<Cache>>::getSlowCase()->at(mapToActiveHeapKind(heapKind)).allocator().tryAllocate(size);
 }
 
 BNO_INLINE void* Cache::allocateSlowCaseNullCache(HeapKind heapKind, size_t size)
 {
-    return PerThread<PerHeapKind<Cache>>::getSlowCase()->at(heapKind).allocator().allocate(size);
+    return PerThread<PerHeapKind<Cache>>::getSlowCase()->at(mapToActiveHeapKind(heapKind)).allocator().allocate(size);
 }
 
 BNO_INLINE void* Cache::allocateSlowCaseNullCache(HeapKind heapKind, size_t alignment, size_t size)
 {
-    return PerThread<PerHeapKind<Cache>>::getSlowCase()->at(heapKind).allocator().allocate(alignment, size);
+    return PerThread<PerHeapKind<Cache>>::getSlowCase()->at(mapToActiveHeapKind(heapKind)).allocator().allocate(alignment, size);
 }
 
 BNO_INLINE void Cache::deallocateSlowCaseNullCache(HeapKind heapKind, void* object)
 {
-    PerThread<PerHeapKind<Cache>>::getSlowCase()->at(heapKind).deallocator().deallocate(object);
+    PerThread<PerHeapKind<Cache>>::getSlowCase()->at(mapToActiveHeapKind(heapKind)).deallocator().deallocate(object);
 }
 
 BNO_INLINE void* Cache::reallocateSlowCaseNullCache(HeapKind heapKind, void* object, size_t newSize)
 {
-    return PerThread<PerHeapKind<Cache>>::getSlowCase()->at(heapKind).allocator().reallocate(object, newSize);
+    return PerThread<PerHeapKind<Cache>>::getSlowCase()->at(mapToActiveHeapKind(heapKind)).allocator().reallocate(object, newSize);
 }
 

trunk/Source/bmalloc/bmalloc/Cache.h

@@ -69 +69 @@
     if (!caches)
         return tryAllocateSlowCaseNullCache(heapKind, size);
-    return caches->at(heapKind).allocator().tryAllocate(size);
+    return caches->at(mapToActiveHeapKindAfterEnsuringGigacage(heapKind)).allocator().tryAllocate(size);
 }
 
@@ -77 +77 @@
     if (!caches)
         return allocateSlowCaseNullCache(heapKind, size);
-    return caches->at(heapKind).allocator().allocate(size);
+    return caches->at(mapToActiveHeapKindAfterEnsuringGigacage(heapKind)).allocator().allocate(size);
 }
 
@@ -85 +85 @@
     if (!caches)
         return allocateSlowCaseNullCache(heapKind, alignment, size);
-    return caches->at(heapKind).allocator().tryAllocate(alignment, size);
+    return caches->at(mapToActiveHeapKindAfterEnsuringGigacage(heapKind)).allocator().tryAllocate(alignment, size);
 }
 
@@ -93 +93 @@
     if (!caches)
         return allocateSlowCaseNullCache(heapKind, alignment, size);
-    return caches->at(heapKind).allocator().allocate(alignment, size);
+    return caches->at(mapToActiveHeapKindAfterEnsuringGigacage(heapKind)).allocator().allocate(alignment, size);
 }
 
@@ -101 +101 @@
     if (!caches)
         return deallocateSlowCaseNullCache(heapKind, object);
-    return caches->at(heapKind).deallocator().deallocate(object);
+    return caches->at(mapToActiveHeapKindAfterEnsuringGigacage(heapKind)).deallocator().deallocate(object);
 }
 
@@ -109 +109 @@
     if (!caches)
         return reallocateSlowCaseNullCache(heapKind, object, newSize);
-    return caches->at(heapKind).allocator().reallocate(object, newSize);
+    return caches->at(mapToActiveHeapKindAfterEnsuringGigacage(heapKind)).allocator().reallocate(object, newSize);
 }
 

trunk/Source/bmalloc/bmalloc/Gigacage.cpp

@@ -34 +34 @@
 #include <mutex>
 
+#if BCPU(ARM64)
+// FIXME: There is no good reason for ARM64 to be special.
+// https://bugs.webkit.org/show_bug.cgi?id=177605
+#define PRIMITIVE_GIGACAGE_RUNWAY 0
+#else
+// FIXME: Consider making this 32GB, in case unsigned 32-bit indices find their way into indexed accesses.
+// https://bugs.webkit.org/show_bug.cgi?id=175062
+#define PRIMITIVE_GIGACAGE_RUNWAY (16llu * 1024 * 1024 * 1024)
+#endif
+
+// FIXME: Reconsider this.
+// https://bugs.webkit.org/show_bug.cgi?id=175921
+#define JSVALUE_GIGACAGE_RUNWAY 0
+#define STRING_GIGACAGE_RUNWAY 0
+
 char g_gigacageBasePtrs[GIGACAGE_BASE_PTRS_SIZE] __attribute__((aligned(GIGACAGE_BASE_PTRS_SIZE)));
 
@@ -39 +54 @@
 
 namespace Gigacage {
+
+bool g_wasEnabled;
 
 namespace {
@@ -70 +87 @@
 };
 
-} // anonymous namespce
-
 struct Callback {
     Callback() { }
@@ -90 +105 @@
     Vector<Callback> callbacks;
 };
+
+} // anonymous namespace
 
 void ensureGigacage()
@@ -101 +118 @@
                 return;
             
+            bool ok = true;
+            
             forEachKind(
                 [&] (Kind kind) {
+                    if (!ok)
+                        return;
                     // FIXME: Randomize where this goes.
                     // https://bugs.webkit.org/show_bug.cgi?id=175245
                     basePtr(kind) = tryVMAllocate(alignment(kind), totalSize(kind));
                     if (!basePtr(kind)) {
+                        if (GIGACAGE_ALLOCATION_CAN_FAIL) {
+                            ok = false;
+                            return;
+                        }
                         fprintf(stderr, "FATAL: Could not allocate %s gigacage.\n", name(kind));
                         BCRASH();
@@ -114 +139 @@
                 });
             
+            if (!ok) {
+                forEachKind(
+                    [&] (Kind kind) {
+                        if (!basePtr(kind))
+                            return;
+                        
+                        vmDeallocate(basePtr(kind), totalSize(kind));
+                        
+                        basePtr(kind) = nullptr;
+                    });
+                return;
+            }
+            
             protectGigacageBasePtrs();
+            g_wasEnabled = true;
         });
 #endif // GIGACAGE_ENABLED
+}
+
+size_t runway(Kind kind)
+{
+    switch (kind) {
+    case Primitive:
+        return static_cast<size_t>(PRIMITIVE_GIGACAGE_RUNWAY);
+    case JSValue:
+        return static_cast<size_t>(JSVALUE_GIGACAGE_RUNWAY);
+    case String:
+        return static_cast<size_t>(STRING_GIGACAGE_RUNWAY);
+    }
+    BCRASH();
+    return 0;
+}
+
+size_t totalSize(Kind kind)
+{
+    return size(kind) + runway(kind);
 }
 
@@ -188 +246 @@
 bool shouldBeEnabled()
 {
-    return GIGACAGE_ENABLED && !PerProcess<Environment>::get()->isDebugHeapEnabled();
+    static std::once_flag onceFlag;
+    static bool cached;
+    std::call_once(
+        onceFlag,
+        [] {
+            bool result = GIGACAGE_ENABLED && !PerProcess<Environment>::get()->isDebugHeapEnabled();
+            if (!result)
+                return;
+            
+            if (char* gigacageEnabled = getenv("GIGACAGE_ENABLED")) {
+                if (!strcasecmp(gigacageEnabled, "no") || !strcasecmp(gigacageEnabled, "false") || !strcasecmp(gigacageEnabled, "0")) {
+                    fprintf(stderr, "Warning: disabling gigacage because GIGACAGE_ENABLED=%s!\n", gigacageEnabled);
+                    return;
+                } else if (strcasecmp(gigacageEnabled, "yes") && strcasecmp(gigacageEnabled, "true") && strcasecmp(gigacageEnabled, "1"))
+                    fprintf(stderr, "Warning: invalid argument to GIGACAGE_ENABLED: %s\n", gigacageEnabled);
+            }
+            
+            cached = true;
+        });
+    
+    return cached;
 }
 

trunk/Source/bmalloc/bmalloc/Gigacage.h

@@ -33 +33 @@
 #include <inttypes.h>
 
+#if BCPU(ARM64)
+// FIXME: This can probably be a lot bigger on iOS. I just haven't tried to make it bigger yet.
+// https://bugs.webkit.org/show_bug.cgi?id=177605
+#define PRIMITIVE_GIGACAGE_SIZE 0x40000000llu
+#define JSVALUE_GIGACAGE_SIZE 0x40000000llu
+#define STRING_GIGACAGE_SIZE 0x40000000llu
+#define GIGACAGE_ALLOCATION_CAN_FAIL 1
+#else
 #define PRIMITIVE_GIGACAGE_SIZE 0x800000000llu
 #define JSVALUE_GIGACAGE_SIZE 0x400000000llu
 #define STRING_GIGACAGE_SIZE 0x400000000llu
+#define GIGACAGE_ALLOCATION_CAN_FAIL 0
+#endif
 
 #define GIGACAGE_SIZE_TO_MASK(size) ((size) - 1)
@@ -43 +53 @@
 #define STRING_GIGACAGE_MASK GIGACAGE_SIZE_TO_MASK(STRING_GIGACAGE_SIZE)
 
-// FIXME: Consider making this 32GB, in case unsigned 32-bit indices find their way into indexed accesses.
-// https://bugs.webkit.org/show_bug.cgi?id=175062
-#define PRIMITIVE_GIGACAGE_RUNWAY (16llu * 1024 * 1024 * 1024)
-
-// FIXME: Reconsider this.
-// https://bugs.webkit.org/show_bug.cgi?id=175921
-#define JSVALUE_GIGACAGE_RUNWAY 0
-#define STRING_GIGACAGE_RUNWAY 0
-
-#if (BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64)
+#if (BOS(DARWIN) && (BCPU(ARM64) || BCPU(X86_64))) || (BOS(LINUX) && BCPU(X86_64))
 #define GIGACAGE_ENABLED 1
 #else
@@ -58 +59 @@
 #endif
 
-#define GIGACAGE_BASE_PTRS_SIZE 8192
+#if BCPU(ARM64)
+#define GIGACAGE_BASE_PTRS_SIZE 16384
+#else
+#define GIGACAGE_BASE_PTRS_SIZE 4096
+#endif
 
 extern "C" BEXPORT char g_gigacageBasePtrs[GIGACAGE_BASE_PTRS_SIZE] __attribute__((aligned(GIGACAGE_BASE_PTRS_SIZE)));
 
 namespace Gigacage {
+
+extern BEXPORT bool g_wasEnabled;
+BINLINE bool wasEnabled() { return g_wasEnabled; }
 
 struct BasePtrs {
@@ -128 +136 @@
 }
 
+BINLINE bool isEnabled(Kind kind)
+{
+    return !!basePtr(kind);
+}
+
 BINLINE size_t size(Kind kind)
 {
@@ -152 +165 @@
 }
 
-BINLINE size_t runway(Kind kind)
-{
-    switch (kind) {
-    case Primitive:
-        return static_cast<size_t>(PRIMITIVE_GIGACAGE_RUNWAY);
-    case JSValue:
-        return static_cast<size_t>(JSVALUE_GIGACAGE_RUNWAY);
-    case String:
-        return static_cast<size_t>(STRING_GIGACAGE_RUNWAY);
-    }
-    BCRASH();
-    return 0;
-}
-
-BINLINE size_t totalSize(Kind kind)
-{
-    return size(kind) + runway(kind);
-}
+size_t runway(Kind kind);
+size_t totalSize(Kind kind);
 
 template<typename Func>

trunk/Source/bmalloc/bmalloc/Heap.cpp

@@ -178 +178 @@
 void Heap::allocateSmallChunk(std::lock_guard<StaticMutex>& lock, size_t pageClass)
 {
+    RELEASE_BASSERT(isActiveHeapKind(m_kind));
+    
     size_t pageSize = bmalloc::pageSize(pageClass);
 
@@ -222 +224 @@
 SmallPage* Heap::allocateSmallPage(std::lock_guard<StaticMutex>& lock, size_t sizeClass, LineCache& lineCache)
 {
+    RELEASE_BASSERT(isActiveHeapKind(m_kind));
+
     if (!lineCache[sizeClass].isEmpty())
         return lineCache[sizeClass].popFront();
@@ -301 +305 @@
     LineCache& lineCache)
 {
+    RELEASE_BASSERT(isActiveHeapKind(m_kind));
+
     SmallPage* page = allocateSmallPage(lock, sizeClass, lineCache);
     SmallLine* lines = page->begin();
@@ -363 +369 @@
     LineCache& lineCache)
 {
+    RELEASE_BASSERT(isActiveHeapKind(m_kind));
+
     size_t size = allocator.size();
     SmallPage* page = allocateSmallPage(lock, sizeClass, lineCache);
@@ -415 +423 @@
 LargeRange Heap::splitAndAllocate(LargeRange& range, size_t alignment, size_t size, AllocationKind allocationKind)
 {
+    RELEASE_BASSERT(isActiveHeapKind(m_kind));
+
     LargeRange prev;
     LargeRange next;
@@ -462 +472 @@
 void* Heap::tryAllocateLarge(std::lock_guard<StaticMutex>&, size_t alignment, size_t size, AllocationKind allocationKind)
 {
+    RELEASE_BASSERT(isActiveHeapKind(m_kind));
+
     BASSERT(isPowerOfTwo(alignment));
     

trunk/Source/bmalloc/bmalloc/HeapKind.h

@@ -86 +86 @@
 }
 
+BINLINE bool isActiveHeapKindAfterEnsuringGigacage(HeapKind kind)
+{
+    switch (kind) {
+    case HeapKind::PrimitiveGigacage:
+    case HeapKind::JSValueGigacage:
+    case HeapKind::StringGigacage:
+        if (Gigacage::wasEnabled())
+            return true;
+        return false;
+    default:
+        return true;
+    }
+}
+
+BEXPORT bool isActiveHeapKind(HeapKind);
+
+BINLINE HeapKind mapToActiveHeapKindAfterEnsuringGigacage(HeapKind kind)
+{
+    switch (kind) {
+    case HeapKind::PrimitiveGigacage:
+    case HeapKind::JSValueGigacage:
+    case HeapKind::StringGigacage:
+        if (Gigacage::wasEnabled())
+            return kind;
+        return HeapKind::Primary;
+    default:
+        return kind;
+    }
+}
+
+BEXPORT HeapKind mapToActiveHeapKind(HeapKind);
+
 } // namespace bmalloc
 

trunk/Source/bmalloc/bmalloc/Scavenger.cpp

@@ -118 +118 @@
 {
     std::lock_guard<StaticMutex> lock(Heap::mutex());
-    for (unsigned i = numHeaps; i--;)
+    for (unsigned i = numHeaps; i--;) {
+        if (!isActiveHeapKind(static_cast<HeapKind>(i)))
+            continue;
         PerProcess<PerHeapKind<Heap>>::get()->at(i).scavenge(lock);
+    }
 }
 

trunk/Source/bmalloc/bmalloc/bmalloc.h

@@ -69 +69 @@
 inline void* tryLargeMemalignVirtual(size_t alignment, size_t size, HeapKind kind = HeapKind::Primary)
 {
+    kind = mapToActiveHeapKind(kind);
     Heap& heap = PerProcess<PerHeapKind<Heap>>::get()->at(kind);
     std::lock_guard<StaticMutex> lock(Heap::mutex());
@@ -81 +82 @@
 inline void freeLargeVirtual(void* object, HeapKind kind = HeapKind::Primary)
 {
+    kind = mapToActiveHeapKind(kind);
     Heap& heap = PerProcess<PerHeapKind<Heap>>::get()->at(kind);
     std::lock_guard<StaticMutex> lock(Heap::mutex());
@@ -101 +103 @@
 inline bool isEnabled(HeapKind kind = HeapKind::Primary)
 {
+    kind = mapToActiveHeapKind(kind);
     std::unique_lock<StaticMutex> lock(Heap::mutex());
     return !PerProcess<PerHeapKind<Heap>>::getFastCase()->at(kind).debugHeap();

trunk/Tools/ChangeLog

@@ +1 @@
+2017-09-29  Filip Pizlo  <fpizlo@apple.com>
+
+        Enable gigacage on iOS
+        https://bugs.webkit.org/show_bug.cgi?id=177586
+
+        Reviewed by JF Bastien.
+        
+        Add a mode to test disabling Gigacage.
+
+        * Scripts/run-jsc-stress-tests:
+        * Scripts/webkitruby/jsc-stress-test-writer-default.rb:
+
 2017-10-09  Commit Queue  <commit-queue@webkit.org>
 

trunk/Tools/Scripts/run-jsc-stress-tests

@@ -514 +514 @@
 end
 
-def addRunCommand(kind, command, outputHandler, errorHandler)
+def addRunCommand(kind, command, outputHandler, errorHandler, *additionalEnv)
     $didAddRunCommand = true
     name = baseOutputName(kind)
@@ -523 +523 @@
         $benchmarkDirectory, command, "#{$collectionName}/#{$benchmark}", name, outputHandler,
         errorHandler)
+    plan.additionalEnv.push(*additionalEnv)
     if $numChildProcesses > 1 and $runCommandOptions[:isSlow]
         $runlist.unshift plan
@@ -1308 +1309 @@
 end
 
+def runNoisyTestImpl(kind, options, additionalEnv)
+    addRunCommand(kind, [pathToVM.to_s] + BASE_OPTIONS + options + [$benchmark.to_s], noisyOutputHandler, noisyErrorHandler, *additionalEnv)
+end
+
 def runNoisyTest(kind, *options)
-    addRunCommand(kind, [pathToVM.to_s] + BASE_OPTIONS + options + [$benchmark.to_s], noisyOutputHandler, noisyErrorHandler)
+    runNoisyTestImpl(kind, options, [])
+end
+
+def runNoisyTestWithEnv(kind, *additionalEnv)
+    runNoisyTestImpl(kind, [], additionalEnv)
 end
 

trunk/Tools/Scripts/webkitruby/jsc-stress-test-writer-default.rb

@@ -216 +216 @@
 
 class Plan
-    attr_reader :directory, :arguments, :family, :name, :outputHandler, :errorHandler
+    attr_reader :directory, :arguments, :family, :name, :outputHandler, :errorHandler, :additionalEnv
     attr_accessor :index
     
@@ -227 +227 @@
         @errorHandler = errorHandler
         @isSlow = !!$runCommandOptions[:isSlow]
+        @additionalEnv = []
     end
     
@@ -234 +235 @@
         # have to bend over backwards to do things relative to the root.
         script = "(cd ../#{Shellwords.shellescape(@directory.to_s)} && ("
-        $envVars.each { |var| script += "export " << var << "; " }
+        ($envVars + additionalEnv).each { |var| script += "export " << var << "; " }
         script += "\"$@\" " + escapeAll(@arguments) + "))"
         return script