Changeset 246322 in webkit


Ignore:
Timestamp:
Jun 11, 2019 10:18:47 AM (5 years ago)
Author:
sbarati@apple.com
Message:

Roll out PAC cage
https://bugs.webkit.org/show_bug.cgi?id=198726

Reviewed by Keith Miller.

Source/bmalloc:

  • bmalloc/Gigacage.h:

(Gigacage::isEnabled):
(Gigacage::caged):
(Gigacage::cagedMayBeNull): Deleted.

Source/JavaScriptCore:

This patch rolls out: r245064, r245145, r245168, r245313, r245432, r245622.

The resulting state we're in is we have Gigacage enabled on arm64.
There is no more PAC caging.

We're doing this because there are performance issues with PAC caging
that we haven't resolved yet.

  • assembler/CPU.h:

(JSC::isARM64E): Deleted.

  • assembler/MacroAssemblerARM64E.h:

(JSC::MacroAssemblerARM64E::tagArrayPtr): Deleted.
(JSC::MacroAssemblerARM64E::untagArrayPtr): Deleted.
(JSC::MacroAssemblerARM64E::removeArrayPtrTag): Deleted.

  • b3/B3LowerToAir.cpp:
  • b3/B3PatchpointSpecial.cpp:

(JSC::B3::PatchpointSpecial::admitsStack):

  • b3/B3StackmapSpecial.cpp:

(JSC::B3::StackmapSpecial::forEachArgImpl):
(JSC::B3::StackmapSpecial::isArgValidForRep):

  • b3/B3Validate.cpp:
  • b3/B3ValueRep.cpp:

(JSC::B3::ValueRep::addUsedRegistersTo const):
(JSC::B3::ValueRep::dump const):
(WTF::printInternal):

  • b3/B3ValueRep.h:

(JSC::B3::ValueRep::ValueRep):
(JSC::B3::ValueRep::isReg const):

  • dfg/DFGOperations.cpp:

(JSC::DFG::newTypedArrayWithSize):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):

  • dfg/DFGSpeculativeJIT.h:
  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
(JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
(JSC::FTL::DFG::LowerDFGToB3::caged):
(JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
(JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag): Deleted.

  • heap/ConservativeRoots.cpp:

(JSC::ConservativeRoots::genericAddPointer):

  • jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::cageConditionally):

  • jit/IntrinsicEmitter.cpp:

(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitDirectArgumentsGetByVal):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

  • jit/PolymorphicCallStubRoutine.cpp:

(JSC::PolymorphicCallNode::clearCallLinkInfo):

  • jit/RegisterSet.h:
  • llint/LowLevelInterpreter64.asm:
  • runtime/ArrayBuffer.cpp:

(JSC::SharedArrayBufferContents::SharedArrayBufferContents):
(JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
(JSC::ArrayBufferContents::ArrayBufferContents):
(JSC::ArrayBufferContents::destroy):
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::makeShared):
(JSC::ArrayBufferContents::copyTo):

  • runtime/ArrayBuffer.h:

(JSC::SharedArrayBufferContents::data const):
(JSC::ArrayBufferContents::data const):
(JSC::ArrayBuffer::data):
(JSC::ArrayBuffer::data const):
(JSC::ArrayBuffer::byteLength const):

  • runtime/ArrayBufferView.cpp:

(JSC::ArrayBufferView::ArrayBufferView):

  • runtime/ArrayBufferView.h:

(JSC::ArrayBufferView::baseAddress const):
(JSC::ArrayBufferView::setRangeImpl):
(JSC::ArrayBufferView::getRangeImpl):
(JSC::ArrayBufferView::byteLength const): Deleted.

  • runtime/CachedTypes.cpp:

(JSC::CachedScopedArgumentsTable::encode):
(JSC::CachedScopedArgumentsTable::decode const):

  • runtime/CagedBarrierPtr.h:

(JSC::CagedBarrierPtr::CagedBarrierPtr):
(JSC::CagedBarrierPtr::set):
(JSC::CagedBarrierPtr::get const):
(JSC::CagedBarrierPtr::getMayBeNull const):
(JSC::CagedBarrierPtr::operator== const):
(JSC::CagedBarrierPtr::operator!= const):
(JSC::CagedBarrierPtr::operator bool const):
(JSC::CagedBarrierPtr::setWithoutBarrier):
(JSC::CagedBarrierPtr::operator* const):
(JSC::CagedBarrierPtr::operator-> const):
(JSC::CagedBarrierPtr::operator[] const):
(JSC::CagedBarrierPtr::getUnsafe const): Deleted.
(JSC::CagedBarrierPtr::at const): Deleted.

  • runtime/DataView.cpp:

(JSC::DataView::DataView):

  • runtime/DataView.h:

(JSC::DataView::get):
(JSC::DataView::set):

  • runtime/DirectArguments.cpp:

(JSC::DirectArguments::visitChildren):
(JSC::DirectArguments::overrideThings):
(JSC::DirectArguments::unmapArgument):

  • runtime/DirectArguments.h:
  • runtime/GenericArguments.h:
  • runtime/GenericArgumentsInlines.h:

(JSC::GenericArguments<Type>::visitChildren):
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
(JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
(JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):

  • runtime/GenericTypedArrayView.h:
  • runtime/GenericTypedArrayViewInlines.h:

(JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):

  • runtime/JSArrayBufferView.cpp:

(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::slowDownAndWasteMemory):

  • runtime/JSArrayBufferView.h:

(JSC::JSArrayBufferView::ConstructionContext::vector const):
(JSC::JSArrayBufferView::isNeutered):
(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::hasVector const): Deleted.

  • runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):

  • runtime/Options.h:
  • runtime/ScopedArgumentsTable.cpp:

(JSC::ScopedArgumentsTable::clone):
(JSC::ScopedArgumentsTable::setLength):

  • runtime/ScopedArgumentsTable.h:
  • runtime/SymbolTable.h:
  • wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::AirIRGenerator::addCallIndirect):

  • wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCallIndirect):

  • wasm/WasmBBQPlan.cpp:

(JSC::Wasm::BBQPlan::complete):

  • wasm/WasmBinding.cpp:

(JSC::Wasm::wasmToWasm):

  • wasm/WasmInstance.h:

(JSC::Wasm::Instance::cachedMemory const):
(JSC::Wasm::Instance::updateCachedMemory):

  • wasm/WasmMemory.cpp:

(JSC::Wasm::Memory::Memory):
(JSC::Wasm::Memory::~Memory):
(JSC::Wasm::Memory::grow):
(JSC::Wasm::Memory::dump const):

  • wasm/WasmMemory.h:

(JSC::Wasm::Memory::memory const):

  • wasm/js/JSToWasm.cpp:

(JSC::Wasm::createJSToWasmWrapper):

  • wasm/js/WebAssemblyFunction.cpp:

(JSC::WebAssemblyFunction::jsCallEntrypointSlow):

Source/WTF:

  • WTF.xcodeproj/project.pbxproj:
  • wtf/CMakeLists.txt:
  • wtf/CagedPtr.h:

(WTF::CagedPtr::CagedPtr):
(WTF::CagedPtr::get const):
(WTF::CagedPtr::getMayBeNull const):
(WTF::CagedPtr::operator=):
(WTF::CagedPtr::operator== const):
(WTF::CagedPtr::operator!= const):
(WTF::CagedPtr::operator bool const):
(WTF::CagedPtr::operator* const):
(WTF::CagedPtr::operator-> const):
(WTF::CagedPtr::operator[] const):
(WTF::CagedPtr::getUnsafe const): Deleted.
(WTF::CagedPtr::at const): Deleted.
(WTF::CagedPtr::recage): Deleted.

  • wtf/CagedUniquePtr.h:

(WTF::CagedUniquePtr::CagedUniquePtr):
(WTF::CagedUniquePtr::create):
(WTF::CagedUniquePtr::operator=):
(WTF::CagedUniquePtr::~CagedUniquePtr):
(WTF::CagedUniquePtr::destroy):

  • wtf/Gigacage.h:

(Gigacage::caged):
(Gigacage::cagedMayBeNull): Deleted.

  • wtf/PtrTag.h:

(WTF::tagArrayPtr): Deleted.
(WTF::untagArrayPtr): Deleted.
(WTF::removeArrayPtrTag): Deleted.
(WTF::retagArrayPtr): Deleted.

  • wtf/TaggedArrayStoragePtr.h:

(WTF::TaggedArrayStoragePtr::TaggedArrayStoragePtr): Deleted.
(WTF::TaggedArrayStoragePtr::get const): Deleted.
(WTF::TaggedArrayStoragePtr::getUnsafe const): Deleted.
(WTF::TaggedArrayStoragePtr::resize): Deleted.
(WTF::TaggedArrayStoragePtr::operator bool const): Deleted.

Location:
trunk/Source
Files:
1 deleted
60 edited

Legend:

Unmodified
Added
Removed
  • trunk/Source/JavaScriptCore/ChangeLog

    r246299 r246322  
     12019-06-11  Saam Barati  <sbarati@apple.com>
     2
     3        Roll out PAC cage
     4        https://bugs.webkit.org/show_bug.cgi?id=198726
     5
     6        Reviewed by Keith Miller.
     7
     8        This patch rolls out: r245064, r245145, r245168, r245313, r245432, r245622.
     9       
     10        The resulting state we're in is we have Gigacage enabled on arm64.
     11        There is no more PAC caging.
     12
     13        We're doing this because there are performance issues with PAC caging
     14        that we haven't resolved yet.
     15
     16        * assembler/CPU.h:
     17        (JSC::isARM64E): Deleted.
     18        * assembler/MacroAssemblerARM64E.h:
     19        (JSC::MacroAssemblerARM64E::tagArrayPtr): Deleted.
     20        (JSC::MacroAssemblerARM64E::untagArrayPtr): Deleted.
     21        (JSC::MacroAssemblerARM64E::removeArrayPtrTag): Deleted.
     22        * b3/B3LowerToAir.cpp:
     23        * b3/B3PatchpointSpecial.cpp:
     24        (JSC::B3::PatchpointSpecial::admitsStack):
     25        * b3/B3StackmapSpecial.cpp:
     26        (JSC::B3::StackmapSpecial::forEachArgImpl):
     27        (JSC::B3::StackmapSpecial::isArgValidForRep):
     28        * b3/B3Validate.cpp:
     29        * b3/B3ValueRep.cpp:
     30        (JSC::B3::ValueRep::addUsedRegistersTo const):
     31        (JSC::B3::ValueRep::dump const):
     32        (WTF::printInternal):
     33        * b3/B3ValueRep.h:
     34        (JSC::B3::ValueRep::ValueRep):
     35        (JSC::B3::ValueRep::isReg const):
     36        * dfg/DFGOperations.cpp:
     37        (JSC::DFG::newTypedArrayWithSize):
     38        * dfg/DFGSpeculativeJIT.cpp:
     39        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
     40        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
     41        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
     42        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
     43        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
     44        * dfg/DFGSpeculativeJIT.h:
     45        * dfg/DFGSpeculativeJIT64.cpp:
     46        (JSC::DFG::SpeculativeJIT::compile):
     47        * ftl/FTLLowerDFGToB3.cpp:
     48        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
     49        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
     50        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
     51        (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet):
     52        (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet):
     53        (JSC::FTL::DFG::LowerDFGToB3::caged):
     54        (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
     55        (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): Deleted.
     56        (JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag): Deleted.
     57        * heap/ConservativeRoots.cpp:
     58        (JSC::ConservativeRoots::genericAddPointer):
     59        * jit/AssemblyHelpers.h:
     60        (JSC::AssemblyHelpers::cageConditionally):
     61        * jit/IntrinsicEmitter.cpp:
     62        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
     63        * jit/JITPropertyAccess.cpp:
     64        (JSC::JIT::emitDirectArgumentsGetByVal):
     65        (JSC::JIT::emitIntTypedArrayGetByVal):
     66        (JSC::JIT::emitFloatTypedArrayGetByVal):
     67        (JSC::JIT::emitIntTypedArrayPutByVal):
     68        (JSC::JIT::emitFloatTypedArrayPutByVal):
     69        * jit/PolymorphicCallStubRoutine.cpp:
     70        (JSC::PolymorphicCallNode::clearCallLinkInfo):
     71        * jit/RegisterSet.h:
     72        * llint/LowLevelInterpreter64.asm:
     73        * runtime/ArrayBuffer.cpp:
     74        (JSC::SharedArrayBufferContents::SharedArrayBufferContents):
     75        (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
     76        (JSC::ArrayBufferContents::ArrayBufferContents):
     77        (JSC::ArrayBufferContents::destroy):
     78        (JSC::ArrayBufferContents::tryAllocate):
     79        (JSC::ArrayBufferContents::makeShared):
     80        (JSC::ArrayBufferContents::copyTo):
     81        * runtime/ArrayBuffer.h:
     82        (JSC::SharedArrayBufferContents::data const):
     83        (JSC::ArrayBufferContents::data const):
     84        (JSC::ArrayBuffer::data):
     85        (JSC::ArrayBuffer::data const):
     86        (JSC::ArrayBuffer::byteLength const):
     87        * runtime/ArrayBufferView.cpp:
     88        (JSC::ArrayBufferView::ArrayBufferView):
     89        * runtime/ArrayBufferView.h:
     90        (JSC::ArrayBufferView::baseAddress const):
     91        (JSC::ArrayBufferView::setRangeImpl):
     92        (JSC::ArrayBufferView::getRangeImpl):
     93        (JSC::ArrayBufferView::byteLength const): Deleted.
     94        * runtime/CachedTypes.cpp:
     95        (JSC::CachedScopedArgumentsTable::encode):
     96        (JSC::CachedScopedArgumentsTable::decode const):
     97        * runtime/CagedBarrierPtr.h:
     98        (JSC::CagedBarrierPtr::CagedBarrierPtr):
     99        (JSC::CagedBarrierPtr::set):
     100        (JSC::CagedBarrierPtr::get const):
     101        (JSC::CagedBarrierPtr::getMayBeNull const):
     102        (JSC::CagedBarrierPtr::operator== const):
     103        (JSC::CagedBarrierPtr::operator!= const):
     104        (JSC::CagedBarrierPtr::operator bool const):
     105        (JSC::CagedBarrierPtr::setWithoutBarrier):
     106        (JSC::CagedBarrierPtr::operator* const):
     107        (JSC::CagedBarrierPtr::operator-> const):
     108        (JSC::CagedBarrierPtr::operator[] const):
     109        (JSC::CagedBarrierPtr::getUnsafe const): Deleted.
     110        (JSC::CagedBarrierPtr::at const): Deleted.
     111        * runtime/DataView.cpp:
     112        (JSC::DataView::DataView):
     113        * runtime/DataView.h:
     114        (JSC::DataView::get):
     115        (JSC::DataView::set):
     116        * runtime/DirectArguments.cpp:
     117        (JSC::DirectArguments::visitChildren):
     118        (JSC::DirectArguments::overrideThings):
     119        (JSC::DirectArguments::unmapArgument):
     120        * runtime/DirectArguments.h:
     121        * runtime/GenericArguments.h:
     122        * runtime/GenericArgumentsInlines.h:
     123        (JSC::GenericArguments<Type>::visitChildren):
     124        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
     125        (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
     126        (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
     127        * runtime/GenericTypedArrayView.h:
     128        * runtime/GenericTypedArrayViewInlines.h:
     129        (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):
     130        * runtime/JSArrayBufferView.cpp:
     131        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
     132        (JSC::JSArrayBufferView::JSArrayBufferView):
     133        (JSC::JSArrayBufferView::finalize):
     134        (JSC::JSArrayBufferView::slowDownAndWasteMemory):
     135        * runtime/JSArrayBufferView.h:
     136        (JSC::JSArrayBufferView::ConstructionContext::vector const):
     137        (JSC::JSArrayBufferView::isNeutered):
     138        (JSC::JSArrayBufferView::vector const):
     139        (JSC::JSArrayBufferView::hasVector const): Deleted.
     140        * runtime/JSGenericTypedArrayViewInlines.h:
     141        (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized):
     142        (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
     143        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
     144        * runtime/Options.h:
     145        * runtime/ScopedArgumentsTable.cpp:
     146        (JSC::ScopedArgumentsTable::clone):
     147        (JSC::ScopedArgumentsTable::setLength):
     148        * runtime/ScopedArgumentsTable.h:
     149        * runtime/SymbolTable.h:
     150        * wasm/WasmAirIRGenerator.cpp:
     151        (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
     152        (JSC::Wasm::AirIRGenerator::addCallIndirect):
     153        * wasm/WasmB3IRGenerator.cpp:
     154        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
     155        (JSC::Wasm::B3IRGenerator::addCallIndirect):
     156        * wasm/WasmBBQPlan.cpp:
     157        (JSC::Wasm::BBQPlan::complete):
     158        * wasm/WasmBinding.cpp:
     159        (JSC::Wasm::wasmToWasm):
     160        * wasm/WasmInstance.h:
     161        (JSC::Wasm::Instance::cachedMemory const):
     162        (JSC::Wasm::Instance::updateCachedMemory):
     163        * wasm/WasmMemory.cpp:
     164        (JSC::Wasm::Memory::Memory):
     165        (JSC::Wasm::Memory::~Memory):
     166        (JSC::Wasm::Memory::grow):
     167        (JSC::Wasm::Memory::dump const):
     168        * wasm/WasmMemory.h:
     169        (JSC::Wasm::Memory::memory const):
     170        * wasm/js/JSToWasm.cpp:
     171        (JSC::Wasm::createJSToWasmWrapper):
     172        * wasm/js/WebAssemblyFunction.cpp:
     173        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
     174
    11752019-06-10  Basuke Suzuki  <Basuke.Suzuki@sony.com>
    2176
  • trunk/Source/JavaScriptCore/assembler/CPU.h

    r245432 r246322  
    5151{
    5252#if CPU(ARM64)
    53     return true;
    54 #else
    55     return false;
    56 #endif
    57 }
    58 
    59 constexpr bool isARM64E()
    60 {
    61 #if CPU(ARM64E)
    6253    return true;
    6354#else
  • trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h

    r246240 r246322  
    8383    }
    8484
    85     ALWAYS_INLINE void tagArrayPtr(RegisterID length, RegisterID target)
    86     {
    87         m_assembler.pacdb(target, length);
    88     }
    89 
    90     ALWAYS_INLINE void untagArrayPtr(RegisterID length, RegisterID target)
    91     {
    92         m_assembler.autdb(target, length);
    93     }
    94 
    95     ALWAYS_INLINE void untagArrayPtr(Address length, RegisterID target)
    96     {
    97         auto lengthGPR = getCachedDataTempRegisterIDAndInvalidate();
    98         load32(length, lengthGPR);
    99         m_assembler.autdb(target, lengthGPR);
    100     }
    101 
    102     ALWAYS_INLINE void removeArrayPtrTag(RegisterID target)
    103     {
    104         m_assembler.xpacd(target);
    105     }
    106 
    10785    static const RegisterID InvalidGPR  = static_cast<RegisterID>(-1);
    10886
  • trunk/Source/JavaScriptCore/b3/B3LowerToAir.cpp

    r245064 r246322  
    12751275                break;
    12761276            case ValueRep::SomeRegister:
    1277             case ValueRep::SomeLateRegister:
    12781277                arg = tmp(value.value());
    12791278                break;
  • trunk/Source/JavaScriptCore/b3/B3PatchpointSpecial.cpp

    r245064 r246322  
    121121        case ValueRep::SomeRegisterWithClobber:
    122122        case ValueRep::SomeEarlyRegister:
    123         case ValueRep::SomeLateRegister:
    124123        case ValueRep::Register:
    125124        case ValueRep::LateRegister:
  • trunk/Source/JavaScriptCore/b3/B3StackmapSpecial.cpp

    r245064 r246322  
    114114                role = Arg::UseDef;
    115115                break;
    116             case ValueRep::SomeLateRegister:
    117116            case ValueRep::LateRegister:
    118117                role = Arg::LateUse;
     
    256255    case ValueRep::SomeRegisterWithClobber:
    257256    case ValueRep::SomeEarlyRegister:
    258     case ValueRep::SomeLateRegister:
    259257        return arg.isTmp();
    260258    case ValueRep::LateRegister:
  • trunk/Source/JavaScriptCore/b3/B3Validate.cpp

    r245064 r246322  
    581581        case ValueRep::Register:
    582582        case ValueRep::LateRegister:
    583         case ValueRep::SomeLateRegister:
    584583            if (value.rep().kind() == ValueRep::LateRegister)
    585584                VALIDATE(role == ConstraintRole::Use, ("At ", *context, ": ", value));
  • trunk/Source/JavaScriptCore/b3/B3ValueRep.cpp

    r245064 r246322  
    4343    case SomeRegisterWithClobber:
    4444    case SomeEarlyRegister:
    45     case SomeLateRegister:
    4645    case Constant:
    4746        return;
     
    7675    case SomeRegisterWithClobber:
    7776    case SomeEarlyRegister:
    78     case SomeLateRegister:
    7977        return;
    8078    case LateRegister:
     
    186184        out.print("SomeEarlyRegister");
    187185        return;
    188     case ValueRep::SomeLateRegister:
    189         out.print("SomeLateRegister");
    190         return;
    191186    case ValueRep::Register:
    192187        out.print("Register");
  • trunk/Source/JavaScriptCore/b3/B3ValueRep.h

    r245064 r246322  
    7575        // the result constraint of a Patchpoint.
    7676        SomeEarlyRegister,
    77 
    78         // As an input representation, this tells us that B3 should pick some register, but implies
    79         // the use happens after any defs. This is only works for patchpoints.
    80         SomeLateRegister,
    81 
     77       
    8278        // As an input representation, this forces a particular register. As an output
    8379        // representation, this tells us what register B3 picked.
     
    116112        : m_kind(kind)
    117113    {
    118         ASSERT(kind == WarmAny || kind == ColdAny || kind == LateColdAny || kind == SomeRegister || kind == SomeRegisterWithClobber || kind == SomeEarlyRegister || kind == SomeLateRegister);
     114        ASSERT(kind == WarmAny || kind == ColdAny || kind == LateColdAny || kind == SomeRegister || kind == SomeRegisterWithClobber || kind == SomeEarlyRegister);
    119115    }
    120116
     
    190186    bool isAny() const { return kind() == WarmAny || kind() == ColdAny || kind() == LateColdAny; }
    191187
    192     bool isReg() const { return kind() == Register || kind() == LateRegister || kind() == SomeLateRegister; }
     188    bool isReg() const { return kind() == Register || kind() == LateRegister; }
    193189   
    194190    Reg reg() const
  • trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

    r246041 r246322  
    199199   
    200200    if (vector)
    201         return bitwise_cast<char*>(ViewClass::createWithFastVector(exec, structure, size, untagArrayPtr(vector, size)));
     201        return bitwise_cast<char*>(ViewClass::createWithFastVector(exec, structure, size, vector));
    202202
    203203    RELEASE_AND_RETURN(scope, bitwise_cast<char*>(ViewClass::create(exec, structure, size)));
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r246240 r246322  
    4141#include "DFGSnippetParams.h"
    4242#include "DirectArguments.h"
    43 #include "DisallowMacroScratchRegisterUsage.h"
    4443#include "JITAddGenerator.h"
    4544#include "JITBitAndGenerator.h"
     
    28732872                TrustedImm32(WastefulTypedArray));
    28742873
    2875             JITCompiler::Jump hasNullVector;
    2876 #if !GIGACAGE_ENABLED && CPU(ARM64E)
    2877             {
    2878                 GPRReg scratch = m_jit.scratchRegister();
    2879                 DisallowMacroScratchRegisterUsage disallowScratch(m_jit);
    2880 
    2881                 m_jit.loadPtr(MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector()), scratch);
    2882                 m_jit.removeArrayPtrTag(scratch);
    2883                 hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch);
    2884             }
    2885 #else // !GIGACAGE_ENABLED && CPU(ARM64E)
    2886             hasNullVector = m_jit.branchTestPtr(
     2874            JITCompiler::Jump hasNullVector = m_jit.branchTestPtr(
    28872875                MacroAssembler::Zero,
    28882876                MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector()));
    2889 #endif
    28902877            speculationCheck(Uncountable, JSValueSource(), node, hasNullVector);
    28912878            notWasteful.link(&m_jit);
     
    67596746}
    67606747
    6761 void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg)
     6748void SpeculativeJIT::cageTypedArrayStorage(GPRReg storageReg)
    67626749{
    67636750#if GIGACAGE_ENABLED
    6764     UNUSED_PARAM(baseReg);
    67656751    if (!Gigacage::shouldBeEnabled())
    67666752        return;
     
    67746760   
    67756761    m_jit.cage(Gigacage::Primitive, storageReg);
    6776 #elif CPU(ARM64E)
    6777     m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);
    67786762#else
    6779     UNUSED_PARAM(baseReg);
    67806763    UNUSED_PARAM(storageReg);
    67816764#endif
     
    68016784        m_jit.loadPtr(MacroAssembler::Address(storageReg, StringImpl::dataOffset()), storageReg);
    68026785        break;
    6803 
    6804     default: {
     6786       
     6787    default:
    68056788        auto typedArrayType = node->arrayMode().typedArrayType();
    68066789        ASSERT_UNUSED(typedArrayType, isTypedView(typedArrayType));
    68076790
    68086791        m_jit.loadPtr(JITCompiler::Address(baseReg, JSArrayBufferView::offsetOfVector()), storageReg);
    6809         cageTypedArrayStorage(baseReg, storageReg);
    6810         break;
    6811     }
    6812     }
    6813 
     6792        cageTypedArrayStorage(storageReg);
     6793        break;
     6794    }
     6795   
    68146796    storageResult(storageReg, node);
    68156797}
     
    68366818
    68376819    m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), vectorGPR);
    6838 
    6839     // FIXME: This should mask the PAC bits
    6840     // https://bugs.webkit.org/show_bug.cgi?id=197701
    68416820    JITCompiler::Jump nullVector = m_jit.branchTestPtr(JITCompiler::Zero, vectorGPR);
    68426821
     
    68446823    m_jit.cage(Gigacage::JSValue, dataGPR);
    68456824
    6846     cageTypedArrayStorage(baseGPR, vectorGPR);
     6825    cageTypedArrayStorage(vectorGPR);
    68476826
    68486827    m_jit.loadPtr(MacroAssembler::Address(dataGPR, Butterfly::offsetOfArrayBuffer()), arrayBufferGPR);
     
    68506829    // https://bugs.webkit.org/show_bug.cgi?id=175515
    68516830    m_jit.loadPtr(MacroAssembler::Address(arrayBufferGPR, ArrayBuffer::offsetOfData()), dataGPR);
    6852 #if CPU(ARM64E)
    6853     m_jit.removeArrayPtrTag(dataGPR);
    6854 #endif
    6855 
    68566831    m_jit.subPtr(dataGPR, vectorGPR);
    68576832   
     
    98469821    m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit);
    98479822    done.link(&m_jit);
    9848 #if !GIGACAGE_ENABLED && CPU(ARM64E)
    9849     // sizeGPR is still boxed as a number and there is no 32-bit variant of the PAC instructions.
    9850     m_jit.zeroExtend32ToPtr(sizeGPR, scratchGPR);
    9851     m_jit.tagArrayPtr(scratchGPR, storageGPR);
    9852 #endif
    98539823
    98549824    auto butterfly = TrustedImmPtr(nullptr);
     
    98729842        slowCases, this, operationNewTypedArrayWithSizeForType(typedArrayType),
    98739843        resultGPR, structure, sizeGPR, storageGPR));
    9874 
     9844   
    98759845    cellResult(resultGPR, node);
    98769846}
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

    r246041 r246322  
    16531653    GPRReg fillSpeculateInt32Internal(Edge, DataFormat& returnFormat);
    16541654   
    1655     void cageTypedArrayStorage(GPRReg, GPRReg);
     1655    void cageTypedArrayStorage(GPRReg);
    16561656   
    16571657    void recordSetLocal(
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

    r246041 r246322  
    46834683
    46844684        m_jit.loadPtr(JITCompiler::Address(dataViewGPR, JSArrayBufferView::offsetOfVector()), t2);
    4685         cageTypedArrayStorage(dataViewGPR, t2);
     4685        cageTypedArrayStorage(t2);
    46864686
    46874687        m_jit.zeroExtend32ToPtr(indexGPR, t1);
     
    48794879
    48804880        m_jit.loadPtr(JITCompiler::Address(dataViewGPR, JSArrayBufferView::offsetOfVector()), t2);
    4881         cageTypedArrayStorage(dataViewGPR, t2);
     4881        cageTypedArrayStorage(t2);
    48824882
    48834883        m_jit.zeroExtend32ToPtr(indexGPR, t1);
  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r246240 r246322  
    38843884        DFG_ASSERT(m_graph, m_node, isTypedView(m_node->arrayMode().typedArrayType()), m_node->arrayMode().typedArrayType());
    38853885        LValue vector = m_out.loadPtr(cell, m_heaps.JSArrayBufferView_vector);
    3886         setStorage(caged(Gigacage::Primitive, vector, cell));
     3886        setStorage(caged(Gigacage::Primitive, vector));
    38873887    }
    38883888   
     
    39283928        m_out.appendTo(notNull, continuation);
    39293929
    3930         LValue butterflyPtr = caged(Gigacage::JSValue, m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly), basePtr);
     3930        LValue butterflyPtr = caged(Gigacage::JSValue, m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly));
    39313931        LValue arrayBufferPtr = m_out.loadPtr(butterflyPtr, m_heaps.Butterfly_arrayBuffer);
    39323932
    3933         LValue vectorPtr = caged(Gigacage::Primitive, vector, basePtr);
     3933        LValue vectorPtr = caged(Gigacage::Primitive, vector);
    39343934
    39353935        // FIXME: This needs caging.
    39363936        // https://bugs.webkit.org/show_bug.cgi?id=175515
    39373937        LValue dataPtr = m_out.loadPtr(arrayBufferPtr, m_heaps.ArrayBuffer_data);
    3938         dataPtr = removeArrayPtrTag(dataPtr);
    39393938
    39403939        ValueFromBlock wastefulOut = m_out.anchor(m_out.sub(vectorPtr, dataPtr));
     
    64856484                m_out.int64Zero,
    64866485                m_heaps.typedArrayProperties);
    6487 
    6488 #if !GIGACAGE_ENABLED && CPU(ARM64E)
    6489             {
    6490                 LValue sizePtr = m_out.zeroExtPtr(size);
    6491                 PatchpointValue* authenticate = m_out.patchpoint(pointerType());
    6492                 authenticate->appendSomeRegister(storage);
    6493                 authenticate->append(sizePtr, B3::ValueRep(B3::ValueRep::SomeLateRegister));
    6494                 authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
    6495                     jit.move(params[1].gpr(), params[0].gpr());
    6496                     jit.tagArrayPtr(params[2].gpr(), params[0].gpr());
    6497                 });
    6498                 storage = authenticate;
    6499             }
    6500 #endif
    65016486
    65026487            ValueFromBlock haveStorage = m_out.anchor(storage);
     
    1271812703        speculate(OutOfBounds, noValue(), nullptr, m_out.aboveOrEqual(indexToCheck, length));
    1271912704
    12720         LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector), dataView);
     12705        LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector));
    1272112706
    1272212707        TypedPointer pointer(m_heaps.typedArrayProperties, m_out.add(vector, m_out.zeroExtPtr(index)));
     
    1287712862        }
    1287812863
    12879         LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector), dataView);
     12864        LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector));
    1288012865        TypedPointer pointer(m_heaps.typedArrayProperties, m_out.add(vector, m_out.zeroExtPtr(index)));
    1288112866
     
    1412414109        }
    1412514110    }
    14126 
    14127     LValue untagArrayPtr(LValue ptr, LValue size)
    14128     {
    14129 #if CPU(ARM64E)
    14130         PatchpointValue* authenticate = m_out.patchpoint(pointerType());
    14131         authenticate->appendSomeRegister(ptr);
    14132         authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister));
    14133         authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
    14134             jit.move(params[1].gpr(), params[0].gpr());
    14135             jit.untagArrayPtr(params[2].gpr(), params[0].gpr());
    14136         });
    14137         return authenticate;
    14138 #else
    14139         UNUSED_PARAM(size);
    14140         return ptr;
    14141 #endif
    14142     }
    14143 
    14144     LValue removeArrayPtrTag(LValue ptr)
    14145     {
    14146 #if CPU(ARM64E)
    14147         PatchpointValue* authenticate = m_out.patchpoint(pointerType());
    14148         authenticate->appendSomeRegister(ptr);
    14149         authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
    14150             jit.move(params[1].gpr(), params[0].gpr());
    14151             jit.removeArrayPtrTag(params[0].gpr());
    14152         });
    14153         return authenticate;
    14154 #endif
    14155         return ptr;
    14156     }
    14157 
    14158     LValue caged(Gigacage::Kind kind, LValue ptr, LValue base)
     14111   
     14112    LValue caged(Gigacage::Kind kind, LValue ptr)
    1415914113    {
    1416014114#if GIGACAGE_ENABLED
    14161         UNUSED_PARAM(base);
    1416214115        if (!Gigacage::isEnabled(kind))
    1416314116            return ptr;
     
    1418814141        // https://bugs.webkit.org/show_bug.cgi?id=175493
    1418914142        return m_out.opaque(result);
    14190 #elif CPU(ARM64E)
    14191         if (kind == Gigacage::Primitive) {
    14192             LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);
    14193             return untagArrayPtr(ptr, size);
    14194         }
    14195 
    14196         return ptr;
    1419714143#else
    1419814144        UNUSED_PARAM(kind);
    14199         UNUSED_PARAM(base);
    1420014145        return ptr;
    1420114146#endif
     
    1661116556        LBasicBlock lastNext = m_out.appendTo(isWasteful, continuation);
    1661216557        LValue vector = m_out.loadPtr(base, m_heaps.JSArrayBufferView_vector);
    16613         // FIXME: We could probably make this a mask.
    16614         // https://bugs.webkit.org/show_bug.cgi?id=197701
    16615         vector = removeArrayPtrTag(vector);
    1661616558        speculate(Uncountable, jsValueValue(vector), m_node, m_out.isZero64(vector));
    1661716559        m_out.jump(continuation);
  • trunk/Source/JavaScriptCore/heap/ConservativeRoots.cpp

    r245168 r246322  
    6969inline void ConservativeRoots::genericAddPointer(void* p, HeapVersion markingVersion, HeapVersion newlyAllocatedVersion, TinyBloomFilter filter, MarkHook& markHook)
    7070{
    71     p = removeArrayPtrTag(p);
    7271    markHook.mark(p);
    7372
  • trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

    r246240 r246322  
    15701570    }
    15711571   
    1572     void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratchOrLength)
     1572    void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratch)
    15731573    {
    15741574#if GIGACAGE_ENABLED
     
    15791579            return cage(kind, storage);
    15801580       
    1581         loadPtr(&Gigacage::basePtr(kind), scratchOrLength);
    1582         Jump done = branchTestPtr(Zero, scratchOrLength);
     1581        loadPtr(&Gigacage::basePtr(kind), scratch);
     1582        Jump done = branchTestPtr(Zero, scratch);
    15831583        andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
    1584         addPtr(scratchOrLength, storage);
     1584        addPtr(scratch, storage);
    15851585        done.link(this);
    1586 #elif CPU(ARM64E)
    1587         if (kind == Gigacage::Primitive)
    1588             untagArrayPtr(scratchOrLength, storage);
    15891586#else
    15901587        UNUSED_PARAM(kind);
    15911588        UNUSED_PARAM(storage);
    1592         UNUSED_PARAM(scratchOrLength);
     1589        UNUSED_PARAM(scratch);
    15931590#endif
    15941591    }
  • trunk/Source/JavaScriptCore/jit/IntrinsicEmitter.cpp

    r245313 r246322  
    115115        jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
    116116        jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), valueGPR);
    117 #if CPU(ARM64E)
    118         jit.removeArrayPtrTag(valueGPR);
    119 #endif
    120117        jit.loadPtr(MacroAssembler::Address(scratchGPR, Butterfly::offsetOfArrayBuffer()), scratchGPR);
    121118        jit.loadPtr(MacroAssembler::Address(scratchGPR, ArrayBuffer::offsetOfData()), scratchGPR);
    122 #if CPU(ARM64E)
    123         jit.removeArrayPtrTag(scratchGPR);
    124 #endif
    125119        jit.subPtr(scratchGPR, valueGPR);
    126120
  • trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

    r246240 r246322  
    15901590    slowCases.append(branch32(AboveOrEqual, property, scratch2));
    15911591    slowCases.append(branchTestPtr(NonZero, Address(base, DirectArguments::offsetOfMappedArguments())));
    1592 
     1592   
    15931593    loadValue(BaseIndex(base, property, TimesEight, DirectArguments::storageOffset()), result);
    15941594   
     
    16701670    load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
    16711671    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
    1672     load32(Address(base, JSArrayBufferView::offsetOfLength()), scratch2);
    1673     slowCases.append(branch32(AboveOrEqual, property, scratch2));
     1672    slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
    16741673    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
    16751674    cageConditionally(Gigacage::Primitive, scratch, scratch2);
     
    17341733    load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
    17351734    badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
    1736     load32(Address(base, JSArrayBufferView::offsetOfLength()), scratch2);
    1737     slowCases.append(branch32(AboveOrEqual, property, scratch2));
     1735    slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
    17381736    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
    17391737    cageConditionally(Gigacage::Primitive, scratch, scratch2);
     
    17851783    load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch);
    17861784    badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
    1787     load32(Address(base, JSArrayBufferView::offsetOfLength()), lateScratch2);
    1788     Jump inBounds = branch32(Below, property, lateScratch2);
     1785    Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength()));
    17891786    emitArrayProfileOutOfBoundsSpecialCase(profile);
    17901787    slowCases.append(jump());
     
    18611858    load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch);
    18621859    badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
    1863     load32(Address(base, JSArrayBufferView::offsetOfLength()), lateScratch2);
    1864     Jump inBounds = branch32(Below, property, lateScratch2);
     1860    Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength()));
    18651861    emitArrayProfileOutOfBoundsSpecialCase(profile);
    18661862    slowCases.append(jump());
  • trunk/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp

    r245064 r246322  
    5858void PolymorphicCallNode::clearCallLinkInfo()
    5959{
     60    if (Options::dumpDisassembly())
     61        dataLog("Clearing call link info for polymorphic call at ", m_callLinkInfo->callReturnLocation(), ", ", m_callLinkInfo->codeOrigin(), "\n");
     62
    6063    m_callLinkInfo = nullptr;
    6164}
  • trunk/Source/JavaScriptCore/jit/RegisterSet.h

    r245432 r246322  
    8585        set(regs.payloadGPR(), value);
    8686    }
    87 
    88     void set(const RegisterSet& other, bool value = true) { value ? merge(other) : exclude(other); }
    89 
     87   
    9088    void clear(Reg reg)
    9189    {
  • trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

    r246240 r246322  
    423423end
    424424
    425 macro uncage(basePtr, mask, ptr, scratchOrLength)
    426     if GIGACAGE_ENABLED and not (C_LOOP or C_LOOP_WIN)
    427         loadp basePtr, scratchOrLength
    428         btpz scratchOrLength, .done
     425macro uncage(basePtr, mask, ptr, scratch)
     426    if GIGACAGE_ENABLED and not C_LOOP
     427        loadp basePtr, scratch
     428        btpz scratch, .done
    429429        andp mask, ptr
    430         addp scratchOrLength, ptr
    431     .done:
    432     end
    433 end
    434 
    435 macro loadCagedPrimitive(source, dest, scratchOrLength)
     430        addp scratch, ptr
     431        .done:
     432    end
     433end
     434
     435macro loadCaged(basePtr, mask, source, dest, scratch)
    436436    loadp source, dest
    437     if GIGACAGE_ENABLED
    438         uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, dest, scratchOrLength)
    439     elsif ARM64E
    440         untagArrayPtr scratchOrLength, dest
    441     end
    442 end
    443 
    444 macro loadCagedJSValue(source, dest, scratchOrLength)
    445     loadp source, dest
    446     uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, dest, scratchOrLength)
    447 end
     437    uncage(basePtr, mask, dest, scratch)
     438 end
    448439
    449440macro loadVariable(get, fieldName, valueReg)
     
    13451336    btiz t0, IsArray, .opGetByIdSlow
    13461337    btiz t0, IndexingShapeMask, .opGetByIdSlow
    1347     loadCagedJSValue(JSObject::m_butterfly[t3], t0, t1)
     1338    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t3], t0, t1)
    13481339    loadi -sizeof IndexingHeader + IndexingHeader::u.lengths.publicLength[t0], t0
    13491340    bilt t0, 0, .opGetByIdSlow
     
    14681459    sxi2q t1, t1
    14691460
    1470     loadCagedJSValue(JSObject::m_butterfly[t0], t3, tagTypeNumber)
     1461    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t0], t3, tagTypeNumber)
    14711462    move TagTypeNumber, tagTypeNumber
    14721463
     
    15121503   
    15131504    # Sweet, now we know that we have a typed array. Do some basic things now.
    1514 
    1515     if ARM64E
    1516         const scratchOrLength = t6
    1517         loadi JSArrayBufferView::m_length[t0], scratchOrLength
    1518         biaeq t1, scratchOrLength, .opGetByValSlow
    1519     else
    1520         const scratchOrLength = t0
    1521         biaeq t1, JSArrayBufferView::m_length[t0], .opGetByValSlow
    1522     end
    1523 
    1524     loadCagedPrimitive(JSArrayBufferView::m_vector[t0], t3, scratchOrLength)
     1505    biaeq t1, JSArrayBufferView::m_length[t0], .opGetByValSlow
    15251506
    15261507    # Now bisect through the various types:
     
    15441525
    15451526    # We have Int8ArrayType.
     1527    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
    15461528    loadbsi [t3, t1], t0
    15471529    finishIntGetByVal(t0, t1)
     
    15511533
    15521534    # We have Uint8ArrayType.
     1535    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
    15531536    loadb [t3, t1], t0
    15541537    finishIntGetByVal(t0, t1)
     
    15561539.opGetByValUint8ClampedArray:
    15571540    # We have Uint8ClampedArrayType.
     1541    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
    15581542    loadb [t3, t1], t0
    15591543    finishIntGetByVal(t0, t1)
     
    15641548
    15651549    # We have Int16ArrayType.
     1550    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
    15661551    loadhsi [t3, t1, 2], t0
    15671552    finishIntGetByVal(t0, t1)
     
    15691554.opGetByValUint16Array:
    15701555    # We have Uint16ArrayType.
     1556    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
    15711557    loadh [t3, t1, 2], t0
    15721558    finishIntGetByVal(t0, t1)
     
    15801566
    15811567    # We have Int32ArrayType.
     1568    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
    15821569    loadi [t3, t1, 4], t0
    15831570    finishIntGetByVal(t0, t1)
     
    15851572.opGetByValUint32Array:
    15861573    # We have Uint32ArrayType.
     1574    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
    15871575    # This is the hardest part because of large unsigned values.
    15881576    loadi [t3, t1, 4], t0
     
    15961584
    15971585    # We have Float64ArrayType.
     1586    loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2)
    15981587    loadd [t3, t1, 8], ft0
    15991588    bdnequn ft0, ft0, .opGetByValSlow
     
    16311620        loadConstantOrVariableInt32(size, t0, t3, .opPutByValSlow)
    16321621        sxi2q t3, t3
    1633         loadCagedJSValue(JSObject::m_butterfly[t1], t0, tagTypeNumber)
     1622        loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t1], t0, tagTypeNumber)
    16341623        move TagTypeNumber, tagTypeNumber
    16351624        btinz t2, CopyOnWrite, .opPutByValSlow
  • trunk/Source/JavaScriptCore/runtime/ArrayBuffer.cpp

    r245622 r246322  
    3434namespace JSC {
    3535
    36 SharedArrayBufferContents::SharedArrayBufferContents(void* data, unsigned size, ArrayBufferDestructorFunction&& destructor)
    37     : m_data(data, size)
     36SharedArrayBufferContents::SharedArrayBufferContents(void* data, ArrayBufferDestructorFunction&& destructor)
     37    : m_data(data)
    3838    , m_destructor(WTFMove(destructor))
    39     , m_sizeInBytes(size)
    4039{
    4140}
     
    4342SharedArrayBufferContents::~SharedArrayBufferContents()
    4443{
    45     // FIXME: we shouldn't use getUnsafe here https://bugs.webkit.org/show_bug.cgi?id=197698
    46     m_destructor(m_data.getUnsafe());
     44    m_destructor(m_data.getMayBeNull());
    4745}
    4846
     
    5957
    6058ArrayBufferContents::ArrayBufferContents(void* data, unsigned sizeInBytes, ArrayBufferDestructorFunction&& destructor)
    61     : m_data(data, sizeInBytes)
     59    : m_data(data)
    6260    , m_sizeInBytes(sizeInBytes)
    6361{
     
    8583void ArrayBufferContents::destroy()
    8684{
    87     // FIXME: We shouldn't use getUnsafe here: https://bugs.webkit.org/show_bug.cgi?id=197698
    88     m_destructor(m_data.getUnsafe());
     85    m_destructor(m_data.getMayBeNull());
    8986}
    9087
     
    107104        }
    108105    }
    109     size_t sizeInBytes = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize);
    110     size_t allocationSize = sizeInBytes;
    111     if (!allocationSize)
    112         allocationSize = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered.
    113 
    114     void* data = Gigacage::tryMalloc(Gigacage::Primitive, allocationSize);
    115     m_data = DataType(data, sizeInBytes);
    116     if (!data) {
     106    size_t size = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize);
     107    if (!size)
     108        size = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered.
     109    m_data = Gigacage::tryMalloc(Gigacage::Primitive, size);
     110    if (!m_data) {
    117111        reset();
    118112        return;
     
    120114   
    121115    if (policy == ZeroInitialize)
    122         memset(data, 0, allocationSize);
    123 
    124     m_sizeInBytes = sizeInBytes;
     116        memset(m_data.get(), 0, size);
     117
     118    m_sizeInBytes = numElements * elementByteSize;
    125119    RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);
    126120    m_destructor = [] (void* p) { Gigacage::free(Gigacage::Primitive, p); };
     
    129123void ArrayBufferContents::makeShared()
    130124{
    131     m_shared = adoptRef(new SharedArrayBufferContents(data(), sizeInBytes(), WTFMove(m_destructor)));
     125    m_shared = adoptRef(new SharedArrayBufferContents(m_data.getMayBeNull(), WTFMove(m_destructor)));
    132126    m_destructor = [] (void*) { };
    133127}
     
    150144    if (!other.m_data)
    151145        return;
    152     memcpy(other.data(), data(), m_sizeInBytes);
     146    memcpy(other.m_data.get(), m_data.get(), m_sizeInBytes);
    153147    other.m_sizeInBytes = m_sizeInBytes;
    154148    RELEASE_ASSERT(other.m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE);
  • trunk/Source/JavaScriptCore/runtime/ArrayBuffer.h

    r245064 r246322  
    4949class SharedArrayBufferContents : public ThreadSafeRefCounted<SharedArrayBufferContents> {
    5050public:
    51     SharedArrayBufferContents(void* data, unsigned size, ArrayBufferDestructorFunction&&);
     51    SharedArrayBufferContents(void* data, ArrayBufferDestructorFunction&&);
    5252    ~SharedArrayBufferContents();
    5353   
    54     void* data() const { return m_data.getMayBeNull(m_sizeInBytes); }
     54    void* data() const { return m_data.getMayBeNull(); }
    5555   
    5656private:
    57     using DataType = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>;
    58     DataType m_data;
     57    CagedPtr<Gigacage::Primitive, void> m_data;
    5958    ArrayBufferDestructorFunction m_destructor;
    60     unsigned m_sizeInBytes;
    6159};
    6260
     
    7674    explicit operator bool() { return !!m_data; }
    7775   
    78     void* data() const { return m_data.getMayBeNull(sizeInBytes()); }
     76    void* data() const { return m_data.getMayBeNull(); }
    7977    unsigned sizeInBytes() const { return m_sizeInBytes; }
    8078   
     
    10199    ArrayBufferDestructorFunction m_destructor;
    102100    RefPtr<SharedArrayBufferContents> m_shared;
    103     using DataType = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>;
    104     DataType m_data;
     101    CagedPtr<Gigacage::Primitive, void> m_data;
    105102    unsigned m_sizeInBytes;
    106103};
     
    178175void* ArrayBuffer::data()
    179176{
    180     return m_contents.data();
     177    return m_contents.m_data.getMayBeNull();
    181178}
    182179
    183180const void* ArrayBuffer::data() const
    184181{
    185     return m_contents.data();
     182    return m_contents.m_data.getMayBeNull();
    186183}
    187184
    188185unsigned ArrayBuffer::byteLength() const
    189186{
    190     return m_contents.sizeInBytes();
     187    return m_contents.m_sizeInBytes;
    191188}
    192189
  • trunk/Source/JavaScriptCore/runtime/ArrayBufferView.cpp

    r245064 r246322  
    2626#include "config.h"
    2727#include "ArrayBufferView.h"
    28 #include <wtf/CheckedArithmetic.h>
    2928
    3029namespace JSC {
    3130
    3231ArrayBufferView::ArrayBufferView(
    33     RefPtr<ArrayBuffer>&& buffer, unsigned byteOffset, unsigned byteLength)
     32    RefPtr<ArrayBuffer>&& buffer,
     33    unsigned byteOffset)
    3434        : m_byteOffset(byteOffset)
    3535        , m_isNeuterable(true)
    36         , m_byteLength(byteLength)
    3736        , m_buffer(WTFMove(buffer))
    3837{
    39     Checked<unsigned, CrashOnOverflow> length(byteOffset);
    40     length += byteLength;
    41     RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(length <= m_buffer->byteLength());
    42     if (m_buffer)
    43         m_baseAddress = BaseAddress(static_cast<char*>(m_buffer->data()) + m_byteOffset, byteLength);
     38    m_baseAddress = m_buffer ? (static_cast<char*>(m_buffer->data()) + m_byteOffset) : 0;
    4439}
    4540
  • trunk/Source/JavaScriptCore/runtime/ArrayBufferView.h

    r245064 r246322  
    7272    {
    7373        if (isNeutered())
    74             return nullptr;
    75         return m_baseAddress.getMayBeNull(byteLength());
     74            return 0;
     75        return m_baseAddress.getMayBeNull();
    7676    }
    7777
     
    8585    }
    8686
    87     unsigned byteLength() const { return m_byteLength; }
     87    virtual unsigned byteLength() const = 0;
    8888
    8989    JS_EXPORT_PRIVATE void setNeuterable(bool flag);
     
    114114   
    115115protected:
    116     JS_EXPORT_PRIVATE ArrayBufferView(RefPtr<ArrayBuffer>&&, unsigned byteOffset, unsigned byteLength);
     116    JS_EXPORT_PRIVATE ArrayBufferView(RefPtr<ArrayBuffer>&&, unsigned byteOffset);
    117117
    118118    inline bool setImpl(ArrayBufferView*, unsigned byteOffset);
    119119
    120     inline bool setRangeImpl(const void* data, size_t dataByteLength, unsigned byteOffset);
    121     inline bool getRangeImpl(void* destination, size_t dataByteLength, unsigned byteOffset);
     120    // Caller passes in bufferByteLength to avoid a virtual function call.
     121    inline bool setRangeImpl(const void* data, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength);
     122    inline bool getRangeImpl(void* destination, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength);
    122123
    123124    inline bool zeroRangeImpl(unsigned byteOffset, size_t rangeByteLength);
     
    150151    unsigned m_byteOffset : 31;
    151152    bool m_isNeuterable : 1;
    152     unsigned m_byteLength;
    153 
    154     using BaseAddress = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>;
     153
    155154    // This is the address of the ArrayBuffer's storage, plus the byte offset.
    156     BaseAddress m_baseAddress;
     155    CagedPtr<Gigacage::Primitive, void> m_baseAddress;
    157156
    158157private:
     
    175174}
    176175
    177 bool ArrayBufferView::setRangeImpl(const void* data, size_t dataByteLength, unsigned byteOffset)
    178 {
    179     if (byteOffset > byteLength()
    180         || byteOffset + dataByteLength > byteLength()
     176bool ArrayBufferView::setRangeImpl(const void* data, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength)
     177{
     178    // Do not replace with RELEASE_ASSERT; we want to avoid the virtual byteLength() function call in release.
     179    ASSERT_WITH_SECURITY_IMPLICATION(bufferByteLength == byteLength());
     180    if (byteOffset > bufferByteLength
     181        || byteOffset + dataByteLength > bufferByteLength
    181182        || byteOffset + dataByteLength < byteOffset) {
    182183        // Out of range offset or overflow
     
    189190}
    190191
    191 bool ArrayBufferView::getRangeImpl(void* destination, size_t dataByteLength, unsigned byteOffset)
    192 {
    193     if (byteOffset > byteLength()
    194         || byteOffset + dataByteLength > byteLength()
     192bool ArrayBufferView::getRangeImpl(void* destination, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength)
     193{
     194    // Do not replace with RELEASE_ASSERT; we want to avoid the virtual byteLength() function call in release.
     195    ASSERT_WITH_SECURITY_IMPLICATION(bufferByteLength == byteLength());
     196    if (byteOffset > bufferByteLength
     197        || byteOffset + dataByteLength > bufferByteLength
    195198        || byteOffset + dataByteLength < byteOffset) {
    196199        // Out of range offset or overflow
  • trunk/Source/JavaScriptCore/runtime/CachedTypes.cpp

    r246272 r246322  
    10891089    {
    10901090        m_length = scopedArgumentsTable.m_length;
    1091         m_arguments.encode(encoder, scopedArgumentsTable.m_arguments.get(m_length), m_length);
     1091        m_arguments.encode(encoder, scopedArgumentsTable.m_arguments.get(), m_length);
    10921092    }
    10931093
     
    10951095    {
    10961096        ScopedArgumentsTable* scopedArgumentsTable = ScopedArgumentsTable::create(decoder.vm(), m_length);
    1097         m_arguments.decode(decoder, scopedArgumentsTable->m_arguments.get(m_length), m_length);
     1097        m_arguments.decode(decoder, scopedArgumentsTable->m_arguments.get(), m_length);
    10981098        return scopedArgumentsTable;
    10991099    }
  • trunk/Source/JavaScriptCore/runtime/CagedBarrierPtr.h

    r245064 r246322  
    3636// This is a convenient combo of AuxiliaryBarrier and CagedPtr.
    3737
    38 template<Gigacage::Kind passedKind, typename T, bool shouldTag = false>
     38template<Gigacage::Kind passedKind, typename T>
    3939class CagedBarrierPtr {
    4040public:
    4141    static constexpr Gigacage::Kind kind = passedKind;
    42     using Type = T;
    43     using CagedType = CagedPtr<kind, Type, shouldTag>;
     42    typedef T Type;
    4443   
    45     CagedBarrierPtr() = default;
     44    CagedBarrierPtr() { }
    4645   
    4746    template<typename U>
    48     CagedBarrierPtr(VM& vm, JSCell* cell, U&& value, unsigned size)
     47    CagedBarrierPtr(VM& vm, JSCell* cell, U&& value)
    4948    {
    50         m_barrier.set(vm, cell, CagedType(std::forward<U>(value), size));
     49        m_barrier.set(vm, cell, std::forward<U>(value));
    5150    }
    5251   
     
    5453   
    5554    template<typename U>
    56     void set(VM& vm, JSCell* cell, U&& value, unsigned size)
     55    void set(VM& vm, JSCell* cell, U&& value)
    5756    {
    58         m_barrier.set(vm, cell, CagedType(std::forward<U>(value), size));
     57        m_barrier.set(vm, cell, std::forward<U>(value));
    5958    }
    6059   
    61     T* get(unsigned size) const { return m_barrier.get().get(size); }
    62     T* getMayBeNull(unsigned size) const { return m_barrier.get().getMayBeNull(size); }
    63     T* getUnsafe() const { return m_barrier.get().getUnsafe(); }
    64 
    65     // We need the template here so that the type of U is deduced at usage time rather than class time. U should always be T.
    66     template<typename U = T>
    67     typename std::enable_if<!std::is_same<void, U>::value, T>::type&
    68     /* T& */ at(unsigned index, unsigned size) const { return get(size)[index]; }
    69 
     60    T* get() const { return m_barrier.get().get(); }
     61    T* getMayBeNull() const { return m_barrier.get().getMayBeNull(); }
     62   
    7063    bool operator==(const CagedBarrierPtr& other) const
    7164    {
    72         return m_barrier.get() == other.m_barrier.get();
     65        return getMayBeNull() == other.getMayBeNull();
    7366    }
    7467   
     
    8073    explicit operator bool() const
    8174    {
    82         return !!m_barrier.get();
     75        return *this != CagedBarrierPtr();
    8376    }
    8477   
    8578    template<typename U>
    86     void setWithoutBarrier(U&& value, unsigned size) { m_barrier.setWithoutBarrier(CagedType(std::forward<U>(value), size)); }
     79    void setWithoutBarrier(U&& value) { m_barrier.setWithoutBarrier(std::forward<U>(value)); }
     80   
     81    T& operator*() const { return *get(); }
     82    T* operator->() const { return get(); }
     83   
     84    template<typename IndexType>
     85    T& operator[](IndexType index) const { return get()[index]; }
    8786   
    8887private:
    89     AuxiliaryBarrier<CagedType> m_barrier;
     88    AuxiliaryBarrier<CagedPtr<kind, T>> m_barrier;
     89};
     90
     91template<Gigacage::Kind passedKind>
     92class CagedBarrierPtr<passedKind, void> {
     93public:
     94    static constexpr Gigacage::Kind kind = passedKind;
     95    typedef void Type;
     96   
     97    CagedBarrierPtr() { }
     98   
     99    template<typename U>
     100    CagedBarrierPtr(VM& vm, JSCell* cell, U&& value)
     101    {
     102        m_barrier.set(vm, cell, std::forward<U>(value));
     103    }
     104   
     105    void clear() { m_barrier.clear(); }
     106   
     107    template<typename U>
     108    void set(VM& vm, JSCell* cell, U&& value)
     109    {
     110        m_barrier.set(vm, cell, std::forward<U>(value));
     111    }
     112   
     113    void* get() const { return m_barrier.get().get(); }
     114    void* getMayBeNull() const { return m_barrier.get().getMayBeNull(); }
     115   
     116    bool operator==(const CagedBarrierPtr& other) const
     117    {
     118        return getMayBeNull() == other.getMayBeNull();
     119    }
     120   
     121    bool operator!=(const CagedBarrierPtr& other) const
     122    {
     123        return !(*this == other);
     124    }
     125   
     126    explicit operator bool() const
     127    {
     128        return *this != CagedBarrierPtr();
     129    }
     130   
     131    template<typename U>
     132    void setWithoutBarrier(U&& value) { m_barrier.setWithoutBarrier(std::forward<U>(value)); }
     133   
     134private:
     135    AuxiliaryBarrier<CagedPtr<kind, void>> m_barrier;
    90136};
    91137
  • trunk/Source/JavaScriptCore/runtime/DataView.cpp

    r245064 r246322  
    3434
    3535DataView::DataView(RefPtr<ArrayBuffer>&& buffer, unsigned byteOffset, unsigned byteLength)
    36     : ArrayBufferView(WTFMove(buffer), byteOffset, byteLength)
     36    : ArrayBufferView(WTFMove(buffer), byteOffset)
     37    , m_byteLength(byteLength)
    3738{
    3839}
  • trunk/Source/JavaScriptCore/runtime/DataView.h

    r245064 r246322  
    3939    static Ref<DataView> create(RefPtr<ArrayBuffer>&&);
    4040   
     41    unsigned byteLength() const override
     42    {
     43        return m_byteLength;
     44    }
     45   
    4146    TypedArrayType getType() const override
    4247    {
     
    5863            RELEASE_ASSERT(offset + sizeof(T) <= byteLength());
    5964        return flipBytesIfLittleEndian(
    60             *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get(byteLength())) + offset),
     65            *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get()) + offset),
    6166            littleEndian);
    6267    }
     
    8287        } else
    8388            RELEASE_ASSERT(offset + sizeof(T) <= byteLength());
    84         *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get(byteLength())) + offset) =
     89        *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get()) + offset) =
    8590            flipBytesIfLittleEndian(value, littleEndian);
    8691    }
     92
     93private:
     94    unsigned m_byteLength;
    8795};
    8896
  • trunk/Source/JavaScriptCore/runtime/DirectArguments.cpp

    r245064 r246322  
    102102
    103103    if (thisObject->m_mappedArguments)
    104         visitor.markAuxiliary(thisObject->m_mappedArguments.get(thisObject->internalLength()));
     104        visitor.markAuxiliary(thisObject->m_mappedArguments.get());
    105105    GenericArguments<DirectArguments>::visitChildren(thisCell, visitor);
    106106}
     
    121121    void* backingStore = vm.gigacageAuxiliarySpace(m_mappedArguments.kind).allocateNonVirtual(vm, mappedArgumentsSize(), nullptr, AllocationFailureMode::Assert);
    122122    bool* overrides = static_cast<bool*>(backingStore);
    123     m_mappedArguments.set(vm, this, overrides, internalLength());
    124     for (unsigned i = internalLength(); i--;)
     123    m_mappedArguments.set(vm, this, overrides);
     124    for (unsigned i = m_length; i--;)
    125125        overrides[i] = false;
    126126}
     
    135135{
    136136    overrideThingsIfNecessary(vm);
    137     m_mappedArguments.at(index, internalLength()) = true;
     137    m_mappedArguments[index] = true;
    138138}
    139139
  • trunk/Source/JavaScriptCore/runtime/DirectArguments.h

    r245064 r246322  
    8787    bool isMappedArgument(uint32_t i) const
    8888    {
    89         return i < m_length && (!m_mappedArguments || !m_mappedArguments.at(i, m_length));
     89        return i < m_length && (!m_mappedArguments || !m_mappedArguments[i]);
    9090    }
    9191
     
    183183    uint32_t m_length; // Always the actual length of captured arguments and never what was stored into the length property.
    184184    uint32_t m_minCapacity; // The max of this and length determines the capacity of this object. It may be the actual capacity, or maybe something smaller. We arrange it this way to be kind to the JITs.
    185     using MappedArguments = CagedBarrierPtr<Gigacage::Primitive, bool>;
    186     MappedArguments m_mappedArguments; // If non-null, it means that length, callee, and caller are fully materialized properties.
     185    CagedBarrierPtr<Gigacage::Primitive, bool> m_mappedArguments; // If non-null, it means that length, callee, and caller are fully materialized properties.
    187186};
    188187
  • trunk/Source/JavaScriptCore/runtime/GenericArguments.h

    r245064 r246322  
    6161
    6262    void copyToArguments(ExecState*, VirtualRegister firstElementDest, unsigned offset, unsigned length);
    63 
    64     using ModifiedArgumentsPtr = CagedBarrierPtr<Gigacage::Primitive, bool>;
    65     ModifiedArgumentsPtr m_modifiedArgumentsDescriptor;
     63   
     64    CagedBarrierPtr<Gigacage::Primitive, bool> m_modifiedArgumentsDescriptor;
    6665};
    6766
  • trunk/Source/JavaScriptCore/runtime/GenericArgumentsInlines.h

    r245064 r246322  
    3939   
    4040    if (thisObject->m_modifiedArgumentsDescriptor)
    41         visitor.markAuxiliary(thisObject->m_modifiedArgumentsDescriptor.getUnsafe());
     41        visitor.markAuxiliary(thisObject->m_modifiedArgumentsDescriptor.get());
    4242}
    4343
     
    266266        void* backingStore = vm.gigacageAuxiliarySpace(m_modifiedArgumentsDescriptor.kind).allocateNonVirtual(vm, WTF::roundUpToMultipleOf<8>(argsLength), nullptr, AllocationFailureMode::Assert);
    267267        bool* modifiedArguments = static_cast<bool*>(backingStore);
    268         m_modifiedArgumentsDescriptor.set(vm, this, modifiedArguments, argsLength);
     268        m_modifiedArgumentsDescriptor.set(vm, this, modifiedArguments);
    269269        for (unsigned i = argsLength; i--;)
    270270            modifiedArguments[i] = false;
     
    284284    initModifiedArgumentsDescriptorIfNecessary(vm, length);
    285285    if (index < length)
    286         m_modifiedArgumentsDescriptor.at(index, length) = true;
     286        m_modifiedArgumentsDescriptor[index] = true;
    287287}
    288288
     
    293293        return false;
    294294    if (index < length)
    295         return m_modifiedArgumentsDescriptor.at(index, length);
     295        return m_modifiedArgumentsDescriptor[index];
    296296    return false;
    297297}
  • trunk/Source/JavaScriptCore/runtime/GenericTypedArrayView.h

    r245093 r246322  
    5959            reinterpret_cast<const char*>(data),
    6060            count * sizeof(typename Adaptor::Type),
    61             offset * sizeof(typename Adaptor::Type));
     61            offset * sizeof(typename Adaptor::Type),
     62            internalByteLength());
    6263    }
    6364   
     
    7374        if (isNeutered())
    7475            return 0;
    75         return byteLength() / sizeof(typename Adaptor::Type);
     76        return m_length;
     77    }
     78   
     79    unsigned byteLength() const override
     80    {
     81        return internalByteLength();
    7682    }
    7783
     
    99105            reinterpret_cast<char*>(data),
    100106            count * sizeof(typename Adaptor::Type),
    101             offset * sizeof(typename Adaptor::Type));
     107            offset * sizeof(typename Adaptor::Type),
     108            internalByteLength());
    102109    }
    103110
     
    120127
    121128    JSArrayBufferView* wrap(ExecState*, JSGlobalObject*) override;
     129
     130private:
     131    unsigned internalByteLength() const
     132    {
     133        return length() * sizeof(typename Adaptor::Type);
     134    }
     135
     136    unsigned m_length;
    122137};
    123138
  • trunk/Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h

    r245064 r246322  
    3333template<typename Adaptor>
    3434GenericTypedArrayView<Adaptor>::GenericTypedArrayView(
    35 RefPtr<ArrayBuffer>&& buffer, unsigned byteOffset, unsigned length)
    36     : ArrayBufferView(WTFMove(buffer), byteOffset, length * sizeof(typename Adaptor::Type))
     35    RefPtr<ArrayBuffer>&& buffer, unsigned byteOffset, unsigned length)
     36    : ArrayBufferView(WTFMove(buffer), byteOffset)
     37    , m_length(length)
    3738{
    3839}
  • trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp

    r245064 r246322  
    11/*
    2  * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    5151    Structure* structure, uint32_t length, void* vector)
    5252    : m_structure(structure)
    53     , m_vector(vector, length)
     53    , m_vector(vector)
    5454    , m_length(length)
    5555    , m_mode(FastTypedArray)
    5656    , m_butterfly(nullptr)
    5757{
    58     ASSERT(vector == removeArrayPtrTag(vector));
    5958    RELEASE_ASSERT(length <= fastSizeLimit);
    6059}
     
    7675
    7776        m_structure = structure;
    78         m_vector = VectorType(temp, length);
     77        m_vector = temp;
    7978        m_mode = FastTypedArray;
    8079
    8180        if (mode == ZeroFill) {
    82             uint64_t* asWords = static_cast<uint64_t*>(vector());
     81            uint64_t* asWords = static_cast<uint64_t*>(m_vector.getMayBeNull());
    8382            for (unsigned i = size / sizeof(uint64_t); i--;)
    8483                asWords[i] = 0;
     
    9392   
    9493    size_t size = static_cast<size_t>(length) * static_cast<size_t>(elementSize);
    95     m_vector = VectorType(Gigacage::tryMalloc(Gigacage::Primitive, size), length);
     94    m_vector = Gigacage::tryMalloc(Gigacage::Primitive, size);
    9695    if (!m_vector)
    9796        return;
    9897    if (mode == ZeroFill)
    99         memset(vector(), 0, size);
     98        memset(m_vector.get(), 0, size);
    10099   
    101100    vm.heap.reportExtraMemoryAllocated(static_cast<size_t>(length) * elementSize);
     
    112111    , m_mode(WastefulTypedArray)
    113112{
    114     ASSERT(arrayBuffer->data() == removeArrayPtrTag(arrayBuffer->data()));
    115     m_vector = VectorType(static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset, length);
     113    m_vector = static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset;
    116114    IndexingHeader indexingHeader;
    117115    indexingHeader.setArrayBuffer(arrayBuffer.get());
     
    127125    , m_butterfly(0)
    128126{
    129     ASSERT(arrayBuffer->data() == removeArrayPtrTag(arrayBuffer->data()));
    130     m_vector = VectorType(static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset, length);
     127    m_vector = static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset;
    131128}
    132129
     
    137134{
    138135    setButterfly(vm, context.butterfly());
    139     ASSERT(context.vector() == removeArrayPtrTag(context.vector()));
    140     m_vector.setWithoutBarrier(context.vector(), m_length);
     136    m_vector.setWithoutBarrier(context.vector());
    141137}
    142138
     
    199195    ASSERT(thisObject->m_mode == OversizeTypedArray || thisObject->m_mode == WastefulTypedArray);
    200196    if (thisObject->m_mode == OversizeTypedArray)
    201         Gigacage::free(Gigacage::Primitive, thisObject->vector());
     197        Gigacage::free(Gigacage::Primitive, thisObject->m_vector.get());
    202198}
    203199
     
    288284        auto locker = holdLock(cellLock());
    289285        butterfly()->indexingHeader()->setArrayBuffer(buffer.get());
    290         m_vector.setWithoutBarrier(buffer->data(), m_length);
     286        m_vector.setWithoutBarrier(buffer->data());
    291287        WTF::storeStoreFence();
    292288        m_mode = WastefulTypedArray;
  • trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h

    r245145 r246322  
    11/*
    2  * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    2828#include "AuxiliaryBarrier.h"
    2929#include "JSObject.h"
    30 #include <wtf/TaggedArrayStoragePtr.h>
    3130
    3231namespace JSC {
     
    9897    typedef JSNonFinalObject Base;
    9998    static const unsigned fastSizeLimit = 1000;
    100     using VectorPtr = CagedBarrierPtr<Gigacage::Primitive, void, tagCagedPtr>;
    10199   
    102100    static size_t sizeOf(uint32_t length, uint32_t elementSize)
     
    136134       
    137135        Structure* structure() const { return m_structure; }
    138         void* vector() const { return m_vector.getMayBeNull(m_length); }
     136        void* vector() const { return m_vector.getMayBeNull(); }
    139137        uint32_t length() const { return m_length; }
    140138        TypedArrayMode mode() const { return m_mode; }
     
    143141    private:
    144142        Structure* m_structure;
    145         using VectorType = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>;
    146         VectorType m_vector;
     143        CagedPtr<Gigacage::Primitive, void> m_vector;
    147144        uint32_t m_length;
    148145        TypedArrayMode m_mode;
     
    168165    RefPtr<ArrayBufferView> unsharedImpl();
    169166    JS_EXPORT_PRIVATE RefPtr<ArrayBufferView> possiblySharedImpl();
    170     bool isNeutered() { return hasArrayBuffer() && !hasVector(); }
     167    bool isNeutered() { return hasArrayBuffer() && !vector(); }
    171168    void neuter();
    172 
    173     bool hasVector() const { return !!m_vector; }
    174     void* vector() const { return m_vector.getMayBeNull(length()); }
     169   
     170    void* vector() const { return m_vector.getMayBeNull(); }
    175171   
    176172    unsigned byteOffset();
     
    196192    static String toStringName(const JSObject*, ExecState*);
    197193
    198     VectorPtr m_vector;
     194    CagedBarrierPtr<Gigacage::Primitive, void> m_vector;
    199195    uint32_t m_length;
    200196    TypedArrayMode m_mode;
  • trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

    r245064 r246322  
    7878
    7979template<typename Adaptor>
    80 JSGenericTypedArrayView<Adaptor>* JSGenericTypedArrayView<Adaptor>::createUninitialized(ExecState* exec, Structure* structure, unsigned length)
     80JSGenericTypedArrayView<Adaptor>* JSGenericTypedArrayView<Adaptor>::createUninitialized(
     81    ExecState* exec, Structure* structure, unsigned length)
    8182{
    8283    VM& vm = exec->vm();
     
    507508    if (thisObject->m_mode == OversizeTypedArray)
    508509        return Base::estimatedSize(thisObject, vm) + thisObject->byteSize();
    509     if (thisObject->m_mode == FastTypedArray && thisObject->hasVector())
     510    if (thisObject->m_mode == FastTypedArray && thisObject->m_vector)
    510511        return Base::estimatedSize(thisObject, vm) + thisObject->byteSize();
    511512
     
    526527        auto locker = holdLock(thisObject->cellLock());
    527528        mode = thisObject->m_mode;
    528         vector = thisObject->vector();
     529        vector = thisObject->m_vector.getMayBeNull();
    529530        byteSize = thisObject->byteSize();
    530531    }
  • trunk/Source/JavaScriptCore/runtime/Options.h

    r246272 r246322  
    493493    v(unsigned, webAssemblyFunctionEntryDecrement, 1, Normal, "The amount the tier up countdown is decremented on each function entry.") \
    494494    \
    495     v(bool, useWebAssemblyFastMemory, true, Normal, "If true, we will try to use a 32-bit address space with a signal handler to bounds check wasm memory.") \
     495    /* FIXME: enable fast memories on iOS and pre-allocate them. https://bugs.webkit.org/show_bug.cgi?id=170774 */ \
     496    v(bool, useWebAssemblyFastMemory, !isIOS(), Normal, "If true, we will try to use a 32-bit address space with a signal handler to bounds check wasm memory.") \
    496497    v(bool, logWebAssemblyMemory, false, Normal, nullptr) \
    497498    v(unsigned, webAssemblyFastMemoryRedzonePages, 128, Normal, "WebAssembly fast memories use 4GiB virtual allocations, plus a redzone (counted as multiple of 64KiB WebAssembly pages) at the end to catch reg+imm accesses which exceed 32-bit, anything beyond the redzone is explicitly bounds-checked") \
  • trunk/Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp

    r245064 r246322  
    6969    ScopedArgumentsTable* result = create(vm, m_length);
    7070    for (unsigned i = m_length; i--;)
    71         result->at(i) = this->at(i);
     71        result->m_arguments[i] = m_arguments[i];
    7272    return result;
    7373}
     
    7676{
    7777    if (LIKELY(!m_locked)) {
    78         ArgumentsPtr newArguments = ArgumentsPtr::create(newLength, newLength);
     78        ArgumentsPtr newArguments = ArgumentsPtr::create(newLength);
    7979        for (unsigned i = std::min(m_length, newLength); i--;)
    80             newArguments.at(i, newLength) = this->at(i);
     80            newArguments[i] = m_arguments[i];
    8181        m_length = newLength;
    8282        m_arguments = WTFMove(newArguments);
     
    8686    ScopedArgumentsTable* result = create(vm, newLength);
    8787    for (unsigned i = std::min(m_length, newLength); i--;)
    88         result->at(i) = this->at(i);
     88        result->m_arguments[i] = m_arguments[i];
    8989    return result;
    9090}
    91 
    92 static_assert(std::is_trivially_destructible<ScopeOffset>::value, "");
    9391
    9492ScopedArgumentsTable* ScopedArgumentsTable::set(VM& vm, uint32_t i, ScopeOffset value)
  • trunk/Source/JavaScriptCore/runtime/ScopedArgumentsTable.h

    r245064 r246322  
    6262    ScopedArgumentsTable* setLength(VM&, uint32_t newLength);
    6363   
    64     ScopeOffset get(uint32_t i) const { return at(i); }
     64    ScopeOffset get(uint32_t i) const
     65    {
     66        return const_cast<ScopedArgumentsTable*>(this)->at(i);
     67    }
    6568   
    6669    void lock()
     
    7881    static ptrdiff_t offsetOfArguments() { return OBJECT_OFFSETOF(ScopedArgumentsTable, m_arguments); }
    7982
    80     typedef CagedUniquePtr<Gigacage::Primitive, ScopeOffset> ArgumentsPtr;
     83    typedef CagedUniquePtr<Gigacage::Primitive, ScopeOffset[]> ArgumentsPtr;
    8184
    8285private:
    83     ScopeOffset& at(uint32_t i) const
     86    ScopeOffset& at(uint32_t i)
    8487    {
    8588        ASSERT_WITH_SECURITY_IMPLICATION(i < m_length);
    86         return m_arguments.get(length())[i];
     89        return m_arguments[i];
    8790    }
    8891   
  • trunk/Source/JavaScriptCore/runtime/SymbolTable.h

    r246073 r246322  
    637637    {
    638638        if (UNLIKELY(!m_arguments))
    639             m_arguments.set(vm, this, ScopedArgumentsTable::create(vm, length));
    640         else
    641             m_arguments.set(vm, this, m_arguments->setLength(vm, length));
     639            m_arguments.set(vm, this, ScopedArgumentsTable::create(vm));
     640        m_arguments.set(vm, this, m_arguments->setLength(vm, length));
    642641    }
    643642   
  • trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

    r246240 r246322  
    837837        clobbers.set(pinnedRegs->baseMemoryPointer);
    838838        clobbers.set(pinnedRegs->sizeRegister);
    839         if (!isARM64())
    840             clobbers.set(RegisterSet::macroScratchRegisters());
    841839
    842840        auto* patchpoint = addPatchpoint(B3::Void);
     
    846844        patchpoint->effects = effects;
    847845        patchpoint->clobber(clobbers);
    848         patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
    849846
    850847        patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
    851             RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64());
    852             AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64());
    853             GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
    854             GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
    855 
    856848            jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister);
    857             jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
    858 
    859             jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
     849            jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), pinnedRegs->baseMemoryPointer);
    860850        });
    861851
     
    19691959        patchpoint->clobber(PinnedRegisterInfo::get().toSave(MemoryMode::BoundsChecking));
    19701960        patchpoint->clobber(RegisterSet::macroScratchRegisters());
    1971         patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
    1972 
    19731961        patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
    19741962            AllowMacroScratchRegisterUsage allowScratch(jit);
     
    19841972            //   see: https://bugs.webkit.org/show_bug.cgi?id=162952
    19851973            ASSERT(pinnedRegs.sizeRegister != newContextInstance);
    1986             GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister;
    1987 
    19881974            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
    19891975            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
    1990 
    1991             jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
    19921976        });
    19931977
  • trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

    r246240 r246322  
    4848#include "B3WasmAddressValue.h"
    4949#include "B3WasmBoundsCheckValue.h"
    50 #include "DisallowMacroScratchRegisterUsage.h"
    5150#include "JSCInlines.h"
    5251#include "JSWebAssemblyInstance.h"
     
    479478        clobbers.set(pinnedRegs->baseMemoryPointer);
    480479        clobbers.set(pinnedRegs->sizeRegister);
    481         if (!isARM64())
    482             clobbers.set(RegisterSet::macroScratchRegisters());
    483480
    484481        B3::PatchpointValue* patchpoint = block->appendNew<B3::PatchpointValue>(proc, B3::Void, origin());
     
    488485        patchpoint->effects = effects;
    489486        patchpoint->clobber(clobbers);
    490         patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
    491487
    492488        patchpoint->append(instance, ValueRep::SomeRegister);
     489
    493490        patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
    494             RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64());
    495             AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64());
    496491            GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
    497             GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
    498 
    499492            jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister);
    500493            jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
    501 
    502             jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
    503494        });
    504495    }
     
    13811372        patchpoint->append(newContextInstance, ValueRep::SomeRegister);
    13821373        patchpoint->append(instanceValue(), ValueRep::SomeRegister);
    1383         patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
    1384 
    13851374        patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
    13861375            AllowMacroScratchRegisterUsage allowScratch(jit);
     
    13971386            //   see: https://bugs.webkit.org/show_bug.cgi?id=162952
    13981387            ASSERT(pinnedRegs.sizeRegister != newContextInstance);
    1399             GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister;
    1400 
    14011388            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
    14021389            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
    1403 
    1404             jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
    14051390        });
    14061391        doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation);
  • trunk/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp

    r246034 r246322  
    315315
    316316                m_wasmInternalFunctions[functionIndex]->entrypoint.compilation = std::make_unique<B3::Compilation>(
    317                     FINALIZE_CODE(linkBuffer, B3CompilationPtrTag, "WebAssembly BBQ function[%i] %s", functionIndex, signature.toString().ascii().data()),
     317                    FINALIZE_CODE(linkBuffer, B3CompilationPtrTag, "WebAssembly function[%i] %s", functionIndex, signature.toString().ascii().data()),
    318318                    WTFMove(context.wasmEntrypointByproducts));
    319319            }
  • trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp

    r246240 r246322  
    4747    JIT jit;
    4848
    49     GPRReg scratch = wasmCallingConventionAir().prologueScratch(0);
     49    GPRReg scratch = GPRInfo::nonPreservedNonArgumentGPR0;
    5050    GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
    5151    ASSERT(baseMemory != scratch);
     
    6767    // FIXME the following code assumes that all Wasm::Instance have the same pinned registers. https://bugs.webkit.org/show_bug.cgi?id=162952
    6868    // Set up the callee's baseMemory register as well as the memory size registers.
    69     {
    70         GPRReg scratchOrSize = isARM64E() ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1);
    71 
    72         jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
    73         jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*).
    74         jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
    75     }
     69    jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
     70    jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::void*.
    7671
    7772    // Tail call into the callee WebAssembly function.
  • trunk/Source/JavaScriptCore/wasm/WasmInstance.h

    r245765 r246322  
    6767    Table* table() { return m_table.get(); }
    6868
    69     void* cachedMemory() const { return m_cachedMemory.getMayBeNull(cachedMemorySize()); }
     69    void* cachedMemory() const { return m_cachedMemory; }
    7070    size_t cachedMemorySize() const { return m_cachedMemorySize; }
    7171
     
    7979    {
    8080        if (m_memory != nullptr) {
    81             m_cachedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>(memory()->memory(), memory()->size());
     81            m_cachedMemory = memory()->memory();
    8282            m_cachedMemorySize = memory()->size();
    8383        }
     
    148148    void* m_owner { nullptr }; // In a JS embedding, this is a JSWebAssemblyInstance*.
    149149    Context* m_context { nullptr };
    150     CagedPtr<Gigacage::Primitive, void, tagCagedPtr> m_cachedMemory;
     150    void* m_cachedMemory { nullptr };
    151151    size_t m_cachedMemorySize { 0 };
    152152    Ref<Module> m_module;
  • trunk/Source/JavaScriptCore/wasm/WasmMemory.cpp

    r245432 r246322  
    254254    ASSERT(m_mode == MemoryMode::BoundsChecking);
    255255    dataLogLnIf(verbose, "Memory::Memory allocating ", *this);
    256     ASSERT(!memory());
    257256}
    258257
    259258Memory::Memory(void* memory, PageCount initial, PageCount maximum, size_t mappedCapacity, MemoryMode mode, Function<void(NotifyPressure)>&& notifyMemoryPressure, Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback)
    260     : m_memory(memory, initial.bytes())
     259    : m_memory(memory)
    261260    , m_size(initial.bytes())
    262261    , m_initial(initial)
     
    340339        switch (m_mode) {
    341340        case MemoryMode::Signaling:
    342             if (mprotect(memory(), Memory::fastMappedBytes(), PROT_READ | PROT_WRITE)) {
     341            if (mprotect(m_memory, Memory::fastMappedBytes(), PROT_READ | PROT_WRITE)) {
    343342                dataLog("mprotect failed: ", strerror(errno), "\n");
    344343                RELEASE_ASSERT_NOT_REACHED();
    345344            }
    346             memoryManager().freeFastMemory(memory());
     345            memoryManager().freeFastMemory(m_memory);
    347346            break;
    348347        case MemoryMode::BoundsChecking:
    349             Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size);
     348            Gigacage::freeVirtualPages(Gigacage::Primitive, m_memory, m_size);
    350349            break;
    351350        }
     
    421420            return makeUnexpected(GrowFailReason::OutOfMemory);
    422421
    423         memcpy(newMemory, memory(), m_size);
     422        memcpy(newMemory, m_memory, m_size);
    424423        if (m_memory)
    425             Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size);
    426         m_memory = CagedMemory(newMemory, desiredSize);
     424            Gigacage::freeVirtualPages(Gigacage::Primitive, m_memory, m_size);
     425        m_memory = newMemory;
    427426        m_mappedCapacity = desiredSize;
    428427        m_size = desiredSize;
    429         ASSERT(memory() == newMemory);
    430428        return success();
    431429    }
    432430    case MemoryMode::Signaling: {
    433         RELEASE_ASSERT(memory());
     431        RELEASE_ASSERT(m_memory);
    434432        // Signaling memory must have been pre-allocated virtually.
    435         uint8_t* startAddress = static_cast<uint8_t*>(memory()) + m_size;
    436        
    437         dataLogLnIf(verbose, "Marking WebAssembly memory's ", RawPointer(memory()), " as read+write in range [", RawPointer(startAddress), ", ", RawPointer(startAddress + extraBytes), ")");
     433        uint8_t* startAddress = static_cast<uint8_t*>(m_memory) + m_size;
     434       
     435        dataLogLnIf(verbose, "Marking WebAssembly memory's ", RawPointer(m_memory), " as read+write in range [", RawPointer(startAddress), ", ", RawPointer(startAddress + extraBytes), ")");
    438436        if (mprotect(startAddress, extraBytes, PROT_READ | PROT_WRITE)) {
    439437            dataLog("mprotect failed: ", strerror(errno), "\n");
    440438            RELEASE_ASSERT_NOT_REACHED();
    441439        }
    442         m_memory.recage(m_size, desiredSize);
    443440        m_size = desiredSize;
    444441        return success();
     
    464461void Memory::dump(PrintStream& out) const
    465462{
    466     out.print("Memory at ", RawPointer(memory()), ", size ", m_size, "B capacity ", m_mappedCapacity, "B, initial ", m_initial, " maximum ", m_maximum, " mode ", makeString(m_mode));
     463    out.print("Memory at ", RawPointer(m_memory), ", size ", m_size, "B capacity ", m_mappedCapacity, "B, initial ", m_initial, " maximum ", m_maximum, " mode ", makeString(m_mode));
    467464}
    468465
  • trunk/Source/JavaScriptCore/wasm/WasmMemory.h

    r245432 r246322  
    3131#include "WasmPageCount.h"
    3232
    33 #include <wtf/CagedPtr.h>
    3433#include <wtf/Expected.h>
    3534#include <wtf/Function.h>
     
    7069    static bool addressIsInActiveFastMemory(void*);
    7170
    72     void* memory() const { ASSERT(m_memory.getMayBeNull(size()) == m_memory.getUnsafe()); return m_memory.getMayBeNull(size()); }
     71    void* memory() const { return m_memory; }
    7372    size_t size() const { return m_size; }
    7473    PageCount sizeInPages() const { return PageCount::fromBytes(m_size); }
     
    9897    Memory(PageCount initial, PageCount maximum, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
    9998
    100     using CagedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>;
    101     CagedMemory m_memory;
     99    void* m_memory { nullptr };
    102100    size_t m_size { 0 };
    103101    PageCount m_initial;
  • trunk/Source/JavaScriptCore/wasm/js/JSToWasm.cpp

    r246240 r246322  
    3030
    3131#include "CCallHelpers.h"
    32 #include "DisallowMacroScratchRegisterUsage.h"
    3332#include "JSCInlines.h"
    3433#include "JSWebAssemblyInstance.h"
     
    213212    if (!!info.memory) {
    214213        GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
    215         GPRReg scratchOrSize = wasmCallingConventionAir().prologueScratch(0);
    216214
    217215        if (Context::useFastTLS())
     
    219217
    220218        GPRReg currentInstanceGPR = Context::useFastTLS() ? baseMemory : wasmContextInstanceGPR;
    221         if (isARM64E()) {
    222             if (mode != Wasm::MemoryMode::Signaling)
    223                 scratchOrSize = pinnedRegs.sizeRegister;
    224             jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize);
    225         } else {
    226             if (mode != Wasm::MemoryMode::Signaling)
    227                 jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
    228         }
     219        if (mode != MemoryMode::Signaling)
     220            jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
    229221
    230222        jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
    231         jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
    232223    }
    233224
  • trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

    r246240 r246322  
    411411    if (!!moduleInformation.memory) {
    412412        GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
    413         GPRReg scratchOrSize = scratch2GPR;
    414         auto mode = instance()->memoryMode();
    415 
    416         if (isARM64E()) {
    417             if (mode != Wasm::MemoryMode::Signaling)
    418                 scratchOrSize = pinnedRegs.sizeRegister;
    419             jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize);
    420         } else {
    421             if (mode != Wasm::MemoryMode::Signaling)
    422                 jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
     413
     414        if (instance()->memoryMode() != Wasm::MemoryMode::Signaling) {
     415            ASSERT(pinnedRegs.sizeRegister != scratchGPR);
     416            jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
    423417        }
    424418
    425419        jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
    426         jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
    427420    }
    428421
  • trunk/Source/WTF/ChangeLog

    r246300 r246322  
     12019-06-11  Saam Barati  <sbarati@apple.com>
     2
     3        Roll out PAC cage
     4        https://bugs.webkit.org/show_bug.cgi?id=198726
     5
     6        Reviewed by Keith Miller.
     7
     8        * WTF.xcodeproj/project.pbxproj:
     9        * wtf/CMakeLists.txt:
     10        * wtf/CagedPtr.h:
     11        (WTF::CagedPtr::CagedPtr):
     12        (WTF::CagedPtr::get const):
     13        (WTF::CagedPtr::getMayBeNull const):
     14        (WTF::CagedPtr::operator=):
     15        (WTF::CagedPtr::operator== const):
     16        (WTF::CagedPtr::operator!= const):
     17        (WTF::CagedPtr::operator bool const):
     18        (WTF::CagedPtr::operator* const):
     19        (WTF::CagedPtr::operator-> const):
     20        (WTF::CagedPtr::operator[] const):
     21        (WTF::CagedPtr::getUnsafe const): Deleted.
     22        (WTF::CagedPtr::at const): Deleted.
     23        (WTF::CagedPtr::recage): Deleted.
     24        * wtf/CagedUniquePtr.h:
     25        (WTF::CagedUniquePtr::CagedUniquePtr):
     26        (WTF::CagedUniquePtr::create):
     27        (WTF::CagedUniquePtr::operator=):
     28        (WTF::CagedUniquePtr::~CagedUniquePtr):
     29        (WTF::CagedUniquePtr::destroy):
     30        * wtf/Gigacage.h:
     31        (Gigacage::caged):
     32        (Gigacage::cagedMayBeNull): Deleted.
     33        * wtf/PtrTag.h:
     34        (WTF::tagArrayPtr): Deleted.
     35        (WTF::untagArrayPtr): Deleted.
     36        (WTF::removeArrayPtrTag): Deleted.
     37        (WTF::retagArrayPtr): Deleted.
     38        * wtf/TaggedArrayStoragePtr.h:
     39        (WTF::TaggedArrayStoragePtr::TaggedArrayStoragePtr): Deleted.
     40        (WTF::TaggedArrayStoragePtr::get const): Deleted.
     41        (WTF::TaggedArrayStoragePtr::getUnsafe const): Deleted.
     42        (WTF::TaggedArrayStoragePtr::resize): Deleted.
     43        (WTF::TaggedArrayStoragePtr::operator bool const): Deleted.
     44
    1452019-06-10  Andy Estes  <aestes@apple.com>
    246
  • trunk/Source/WTF/WTF.xcodeproj/project.pbxproj

    r245564 r246322  
    652652                DCEE21FD1CEA7551000C2396 /* BlockObjCExceptions.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = BlockObjCExceptions.mm; sourceTree = "<group>"; };
    653653                DCEE22041CEB9869000C2396 /* BackwardsGraph.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BackwardsGraph.h; sourceTree = "<group>"; };
    654                 DEF7FE5F22581AC800C15129 /* TaggedArrayStoragePtr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TaggedArrayStoragePtr.h; sourceTree = "<group>"; };
    655654                E15556F318A0CC18006F48FB /* CryptographicUtilities.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CryptographicUtilities.cpp; sourceTree = "<group>"; };
    656655                E15556F418A0CC18006F48FB /* CryptographicUtilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptographicUtilities.h; sourceTree = "<group>"; };
     
    11591158                                E3E158251EADA53C004A079D /* SystemFree.h */,
    11601159                                0FB317C31C488001007E395A /* SystemTracing.h */,
    1161                                 DEF7FE5F22581AC800C15129 /* TaggedArrayStoragePtr.h */,
    11621160                                E311FB151F0A568B003C08DE /* ThreadGroup.cpp */,
    11631161                                E311FB161F0A568B003C08DE /* ThreadGroup.h */,
  • trunk/Source/WTF/wtf/CMakeLists.txt

    r245968 r246322  
    231231    SystemFree.h
    232232    SystemTracing.h
    233     TaggedArrayStoragePtr.h
    234233    ThreadGroup.h
    235234    ThreadMessage.h
  • trunk/Source/WTF/wtf/CagedPtr.h

    r246038 r246322  
    2828#include <wtf/DumbPtrTraits.h>
    2929#include <wtf/Gigacage.h>
    30 #include <wtf/PtrTag.h>
    3130
    3231namespace WTF {
    3332
    34 constexpr bool tagCagedPtr = true;
    35 
    36 template<Gigacage::Kind passedKind, typename T, bool shouldTag = false, typename PtrTraits = DumbPtrTraits<T>>
     33template<Gigacage::Kind passedKind, typename T, typename PtrTraits = DumbPtrTraits<T>>
    3734class CagedPtr {
    3835public:
     
    4037
    4138    CagedPtr() : CagedPtr(nullptr) { }
    42     CagedPtr(std::nullptr_t)
    43         : m_ptr(shouldTag ? tagArrayPtr<T>(nullptr, 0) : nullptr)
    44     { }
     39    CagedPtr(std::nullptr_t) : m_ptr(nullptr) { }
    4540
    46     CagedPtr(T* ptr, unsigned size)
    47         : m_ptr(shouldTag ? tagArrayPtr(ptr, size) : ptr)
    48     { }
    49 
    50 
    51     T* get(unsigned size) const
     41    explicit CagedPtr(T* ptr)
     42        : m_ptr(ptr)
     43    {
     44    }
     45   
     46    T* get() const
    5247    {
    5348        ASSERT(m_ptr);
    54         T* ptr = PtrTraits::unwrap(m_ptr);
    55         if (shouldTag)
    56             ptr = untagArrayPtr(ptr, size);
    57         return Gigacage::caged(kind, ptr);
     49        return Gigacage::caged(kind, PtrTraits::unwrap(m_ptr));
     50    }
     51   
     52    T* getMayBeNull() const
     53    {
     54        if (!m_ptr)
     55            return nullptr;
     56        return get();
    5857    }
    5958
    60     T* getMayBeNull(unsigned size) const
     59    CagedPtr& operator=(T* ptr)
    6160    {
    62         T* ptr = PtrTraits::unwrap(m_ptr);
    63         if (shouldTag)
    64             ptr = untagArrayPtr(ptr, size);
    65         return Gigacage::cagedMayBeNull(kind, ptr);
    66     }
    67 
    68     T* getUnsafe() const
    69     {
    70         T* ptr = PtrTraits::unwrap(m_ptr);
    71         if (shouldTag)
    72             ptr = removeArrayPtrTag(ptr);
    73         return Gigacage::cagedMayBeNull(kind, ptr);
    74     }
    75 
    76     // We need the template here so that the type of U is deduced at usage time rather than class time. U should always be T.
    77     template<typename U = T>
    78     typename std::enable_if<!std::is_same<void, U>::value, T>::type&
    79     /* T& */ at(unsigned index, unsigned size) const { return get(size)[index]; }
    80 
    81     void recage(unsigned oldSize, unsigned newSize)
    82     {
    83         auto ptr = get(oldSize);
    84         ASSERT(ptr == getUnsafe());
    85         *this = CagedPtr(ptr, newSize);
    86     }
    87 
    88     CagedPtr(CagedPtr& other)
    89         : m_ptr(other.m_ptr)
    90     {
    91     }
    92 
    93     CagedPtr& operator=(const CagedPtr& ptr)
    94     {
    95         m_ptr = ptr.m_ptr;
     61        m_ptr = ptr;
    9662        return *this;
    9763    }
    9864
    99     CagedPtr(CagedPtr&& other)
    100         : m_ptr(PtrTraits::exchange(other.m_ptr, nullptr))
     65    CagedPtr& operator=(T*&& ptr)
    10166    {
    102     }
    103 
    104     CagedPtr& operator=(CagedPtr&& ptr)
    105     {
    106         m_ptr = PtrTraits::exchange(ptr.m_ptr, nullptr);
     67        m_ptr = WTFMove(ptr);
    10768        return *this;
    10869    }
     
    11071    bool operator==(const CagedPtr& other) const
    11172    {
    112         bool result = m_ptr == other.m_ptr;
    113         ASSERT(result == (getUnsafe() == other.getUnsafe()));
    114         return result;
     73        return getMayBeNull() == other.getMayBeNull();
    11574    }
    11675   
     
    12281    explicit operator bool() const
    12382    {
    124         return getUnsafe() != nullptr;
     83        return *this != CagedPtr();
     84    }
     85   
     86    T& operator*() const { return *get(); }
     87    T* operator->() const { return get(); }
     88
     89    template<typename IndexType>
     90    T& operator[](IndexType index) const { return get()[index]; }
     91   
     92protected:
     93    typename PtrTraits::StorageType m_ptr;
     94};
     95
     96template<Gigacage::Kind passedKind, typename PtrTraits>
     97class CagedPtr<passedKind, void, PtrTraits> {
     98public:
     99    static constexpr Gigacage::Kind kind = passedKind;
     100
     101    CagedPtr() : CagedPtr(nullptr) { }
     102    CagedPtr(std::nullptr_t) : m_ptr(nullptr) { }
     103
     104    explicit CagedPtr(void* ptr)
     105        : m_ptr(ptr)
     106    {
     107    }
     108   
     109    void* get() const
     110    {
     111        ASSERT(m_ptr);
     112        return Gigacage::caged(kind, PtrTraits::unwrap(m_ptr));
     113    }
     114   
     115    void* getMayBeNull() const
     116    {
     117        if (!m_ptr)
     118            return nullptr;
     119        return get();
     120    }
     121
     122    CagedPtr& operator=(void* ptr)
     123    {
     124        m_ptr = ptr;
     125        return *this;
     126    }
     127
     128    bool operator==(const CagedPtr& other) const
     129    {
     130        return getMayBeNull() == other.getMayBeNull();
     131    }
     132   
     133    bool operator!=(const CagedPtr& other) const
     134    {
     135        return !(*this == other);
     136    }
     137   
     138    explicit operator bool() const
     139    {
     140        return *this != CagedPtr();
    125141    }
    126142   
     
    132148
    133149using WTF::CagedPtr;
    134 using WTF::tagCagedPtr;
    135150
  • trunk/Source/WTF/wtf/CagedUniquePtr.h

    r245064 r246322  
    3030namespace WTF {
    3131
    32 template<Gigacage::Kind kind, typename T, bool shouldTag = false>
    33 class CagedUniquePtr : public CagedPtr<kind, T, shouldTag> {
    34     static_assert(std::is_trivially_destructible<T>::value, "We expect the contents of a caged pointer to be trivially destructable.");
     32template<Gigacage::Kind kind, typename T, typename Enable = void>
     33class CagedUniquePtr : public CagedPtr<kind, T> {
    3534public:
    36     using Base = CagedPtr<kind, T, shouldTag>;
    37     CagedUniquePtr() = default;
    38 
    39     CagedUniquePtr(T* ptr, unsigned size)
    40         : Base(ptr, size)
    41     { }
    42 
     35    CagedUniquePtr(T* ptr = nullptr)
     36        : CagedPtr<kind, T>(ptr)
     37    {
     38    }
     39   
    4340    CagedUniquePtr(CagedUniquePtr&& ptr)
    44         : Base(std::forward<CagedUniquePtr&&>(ptr))
    45     { }
     41        : CagedPtr<kind, T>(ptr.m_ptr)
     42    {
     43        ptr.m_ptr = nullptr;
     44    }
    4645   
    4746    CagedUniquePtr(const CagedUniquePtr&) = delete;
    4847   
    4948    template<typename... Arguments>
    50     static CagedUniquePtr create(unsigned length, Arguments&&... arguments)
    51     {
    52         T* result = static_cast<T*>(Gigacage::malloc(kind, sizeof(T) * length));
    53         while (length--)
    54             new (result + length) T(arguments...);
    55         return CagedUniquePtr(result, length);
     49    static CagedUniquePtr create(Arguments&&... arguments)
     50    {
     51        T* result = static_cast<T*>(Gigacage::malloc(kind, sizeof(T)));
     52        new (result) T(std::forward<Arguments>(arguments)...);
     53        return CagedUniquePtr(result);
    5654    }
    5755   
     
    7068        destroy();
    7169    }
    72 
     70   
    7371private:
    7472    void destroy()
    7573    {
    76         T* ptr = Base::getUnsafe();
    77         if (!ptr)
     74        if (!this->m_ptr)
    7875            return;
    79         ptr->~T();
    80         Gigacage::free(kind, ptr);
     76        this->m_ptr->~T();
     77        Gigacage::free(kind, this->m_ptr);
    8178    }
    8279};
    8380
     81template<Gigacage::Kind kind, typename T>
     82class CagedUniquePtr<kind, T[], typename std::enable_if<std::is_trivially_destructible<T>::value>::type> : public CagedPtr<kind, T> {
     83public:
     84    CagedUniquePtr() : CagedPtr<kind, T>() { }
     85   
     86    CagedUniquePtr(T* ptr)
     87        : CagedPtr<kind, T>(ptr)
     88    {
     89    }
     90   
     91    CagedUniquePtr(CagedUniquePtr&& ptr)
     92        : CagedPtr<kind, T>(ptr.m_ptr)
     93    {
     94        ptr.m_ptr = nullptr;
     95    }
     96   
     97    CagedUniquePtr(const CagedUniquePtr&) = delete;
     98   
     99    template<typename... Arguments>
     100    static CagedUniquePtr create(size_t count, Arguments&&... arguments)
     101    {
     102        T* result = static_cast<T*>(Gigacage::mallocArray(kind, count, sizeof(T)));
     103        while (count--)
     104            new (result + count) T(std::forward<Arguments>(arguments)...);
     105        return CagedUniquePtr(result);
     106    }
     107   
     108    CagedUniquePtr& operator=(CagedUniquePtr&& ptr)
     109    {
     110        destroy();
     111        this->m_ptr = ptr.m_ptr;
     112        ptr.m_ptr = nullptr;
     113        return *this;
     114    }
     115   
     116    CagedUniquePtr& operator=(const CagedUniquePtr&) = delete;
     117   
     118    ~CagedUniquePtr()
     119    {
     120        destroy();
     121    }
     122   
     123private:
     124    void destroy()
     125    {
     126        if (!this->m_ptr)
     127            return;
     128        Gigacage::free(kind, this->m_ptr);
     129    }
     130};
     131
     132template<Gigacage::Kind kind, typename T>
     133class CagedUniquePtr<kind, T[], typename std::enable_if<!std::is_trivially_destructible<T>::value>::type> : public CagedPtr<kind, T> {
     134public:
     135    CagedUniquePtr() : CagedPtr<kind, T>() { }
     136   
     137    CagedUniquePtr(T* ptr, size_t count)
     138        : CagedPtr<kind, T>(ptr)
     139        , m_count(count)
     140    {
     141    }
     142   
     143    CagedUniquePtr(CagedUniquePtr&& ptr)
     144        : CagedPtr<kind, T>(ptr.m_ptr)
     145        , m_count(ptr.m_count)
     146    {
     147        ptr.clear();
     148    }
     149   
     150    CagedUniquePtr(const CagedUniquePtr&) = delete;
     151   
     152    template<typename... Arguments>
     153    static CagedUniquePtr create(size_t count, Arguments&&... arguments)
     154    {
     155        T* result = static_cast<T*>(Gigacage::mallocArray(kind, count, sizeof(T)));
     156        while (count--)
     157            new (result + count) T(std::forward<Arguments>(arguments)...);
     158        return CagedUniquePtr(result, count);
     159    }
     160   
     161    CagedUniquePtr& operator=(CagedUniquePtr&& ptr)
     162    {
     163        destroy();
     164        this->m_ptr = ptr.m_ptr;
     165        m_count = ptr.m_count;
     166        ptr.clear();
     167        return *this;
     168    }
     169   
     170    CagedUniquePtr& operator=(const CagedUniquePtr&) = delete;
     171   
     172    ~CagedUniquePtr()
     173    {
     174        destroy();
     175    }
     176   
     177    // FIXME: It's weird that we inherit CagedPtr::operator== and friends, which don't do anything
     178    // about m_count. It "works" because pointer equality is enough so long as everything is sane, but
     179    // it seems like a missed opportunity to assert things.
     180    // https://bugs.webkit.org/show_bug.cgi?id=175541
     181   
     182private:
     183    void destroy()
     184    {
     185        if (!this->m_ptr)
     186            return;
     187        while (m_count--)
     188            this->m_ptr[m_count].~T();
     189        Gigacage::free(kind, this->m_ptr);
     190    }
     191   
     192    void clear()
     193    {
     194        this->m_ptr = nullptr;
     195        m_count = 0;
     196    }
     197   
     198    size_t m_count { 0 };
     199};
     200
    84201} // namespace WTF
    85202
  • trunk/Source/WTF/wtf/Gigacage.h

    r245064 r246322  
    115115template<typename T>
    116116inline T* caged(Kind, T* ptr) { return ptr; }
    117 template<typename T>
    118 inline T* cagedMayBeNull(Kind, T* ptr) { return ptr; }
    119117
    120118inline bool isCaged(Kind, const void*) { return false; }
  • trunk/Source/WTF/wtf/PtrTag.h

    r245325 r246322  
    123123
    124124
    125 template<typename T>
    126 inline T* tagArrayPtr(std::nullptr_t ptr, size_t length)
    127 {
    128     ASSERT(!length);
    129     return ptrauth_sign_unauthenticated(static_cast<T*>(ptr), ptrauth_key_process_dependent_data, length);
    130 }
    131 
    132 
    133 template<typename T>
    134 inline T* tagArrayPtr(T* ptr, size_t length)
    135 {
    136     return ptrauth_sign_unauthenticated(ptr, ptrauth_key_process_dependent_data, length);
    137 }
    138 
    139 template<typename T>
    140 inline T* untagArrayPtr(T* ptr, size_t length)
    141 {
    142     return ptrauth_auth_data(ptr, ptrauth_key_process_dependent_data, length);
    143 }
    144 
    145 template<typename T>
    146 inline T* removeArrayPtrTag(T* ptr)
    147 {
    148     return ptrauth_strip(ptr, ptrauth_key_process_dependent_data);
    149 }
    150 
    151 template<typename T>
    152 inline T* retagArrayPtr(T* ptr, size_t oldLength, size_t newLength)
    153 {
    154     return ptrauth_auth_and_resign(ptr, ptrauth_key_process_dependent_data, oldLength, ptrauth_key_process_dependent_data, newLength);
    155 }
    156 
    157125template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
    158126inline constexpr T removeCodePtrTag(PtrType ptr)
     
    428396inline void reportBadTag(const void*, PtrTag) { }
    429397
    430 template<typename T>
    431 inline T* tagArrayPtr(std::nullptr_t, size_t size)
    432 {
    433     ASSERT_UNUSED(size, !size);
    434     return nullptr;
    435 }
    436 
    437 template<typename T>
    438 inline T* tagArrayPtr(T* ptr, size_t)
    439 {
    440     return ptr;
    441 }
    442 
    443 template<typename T>
    444 inline T* untagArrayPtr(T* ptr, size_t)
    445 {
    446     return ptr;
    447 }
    448 
    449 template<typename T>
    450 inline T* removeArrayPtrTag(T* ptr)
    451 {
    452     return ptr;
    453 }
    454 
    455 template<typename T>
    456 inline T* retagArrayPtr(T* ptr, size_t, size_t)
    457 {
    458     return ptr;
    459 }
    460 
    461 
    462398template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
    463399constexpr T tagCodePtr(PtrType ptr, PtrTag) { return bitwise_cast<T>(ptr); }
     
    558494
    559495using WTF::reportBadTag;
    560 
    561 using WTF::tagArrayPtr;
    562 using WTF::untagArrayPtr;
    563 using WTF::retagArrayPtr;
    564 using WTF::removeArrayPtrTag;
    565496
    566497using WTF::tagCodePtr;
  • trunk/Source/bmalloc/ChangeLog

    r246240 r246322  
     12019-06-11  Saam Barati  <sbarati@apple.com>
     2
     3        Roll out PAC cage
     4        https://bugs.webkit.org/show_bug.cgi?id=198726
     5
     6        Reviewed by Keith Miller.
     7
     8        * bmalloc/Gigacage.h:
     9        (Gigacage::isEnabled):
     10        (Gigacage::caged):
     11        (Gigacage::cagedMayBeNull): Deleted.
     12
    1132019-06-09  Commit Queue  <commit-queue@webkit.org>
    214
  • trunk/Source/bmalloc/bmalloc/Gigacage.h

    r246240 r246322  
    3535#include <inttypes.h>
    3636
    37 #if ((BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64))
     37#if ((BOS(DARWIN) || BOS(LINUX)) && \
     38(BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS)))))
    3839#define GIGACAGE_ENABLED 1
    3940#else
     
    200201}
    201202
    202 template<typename T>
    203 BINLINE T* cagedMayBeNull(Kind kind, T* ptr)
    204 {
    205     if (!ptr)
    206         return ptr;
    207     return caged(kind, ptr);
    208 }
    209 
    210203BINLINE bool isCaged(Kind kind, const void* ptr)
    211204{
     
    227220BINLINE bool wasEnabled() { return false; }
    228221BINLINE bool isCaged(Kind, const void*) { return true; }
    229 BINLINE bool isEnabled(Kind) { return false; }
     222BINLINE bool isEnabled() { return false; }
    230223template<typename T> BINLINE T* caged(Kind, T* ptr) { return ptr; }
    231 template<typename T> BINLINE T* cagedMayBeNull(Kind, T* ptr) { return ptr; }
    232224BINLINE void disableDisablingPrimitiveGigacageIfShouldBeEnabled() { }
    233225BINLINE bool canPrimitiveGigacageBeDisabled() { return false; }
Note: See TracChangeset for help on using the changeset viewer.