Timestamp:
Aug 7, 2017, 4:30:15 PM (8 years ago)
Author:
[email protected]
Message:

Baseline JIT should do caging
https://bugs.webkit.org/show_bug.cgi?id=175037

Reviewed by Mark Lam.
Source/bmalloc:


This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
and WebProcess.

This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
checks on each typed array access.

  • bmalloc/Gigacage.cpp:

(Gigacage::primitiveGigacageDisabled):
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):

  • bmalloc/Gigacage.h:

(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

Source/JavaScriptCore:


Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.

Also modifies FTL caging to be more defensive when caging is disabled.

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::caged):

  • jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::cage):
(JSC::AssemblyHelpers::cageConditionally):

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

  • jsc.cpp:

(jscmain):
(primitiveGigacageDisabled): Deleted.

Source/WebKit:


Use a better API to disable disabling the primitive gigacage.

  • WebProcess/WebProcess.cpp:

(WebKit::m_webSQLiteDatabaseTracker):
(WebKit::primitiveGigacageDisabled): Deleted.

Source/WTF:

  • wtf/Gigacage.h:

(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

File:
1 edited

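--- a/trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
+++ b/trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
@@ -173,7 +173,6 @@
 
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
     loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
@@ -188,7 +187,6 @@
 
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
     load64(BaseIndex(regT2, regT1, TimesEight), regT0);
@@ -205,7 +203,6 @@
     badType = patchableBranch32(Above, regT3, TrustedImm32(SlowPutArrayStorageShape - ArrayStorageShape));
 
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
@@ -354,7 +351,6 @@
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
 
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()));
 
@@ -411,7 +407,6 @@
 
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
@@ -924,7 +919,6 @@
                 isOutOfLine.link(this);
             }
-            // FIXME: Should do caging.
-            // https://bugs.webkit.org/show_bug.cgi?id=175037
             loadPtr(Address(base, JSObject::butterflyOffset()), scratch);
+            cage(Gigacage::JSValue, scratch);
             neg32(offset);
             signExtend32ToPtr(offset, offset);
@@ -1067,7 +1061,6 @@
             emitGetVirtualRegister(value, regT2);
 
-            // FIXME: Should do caging.
-            // https://bugs.webkit.org/show_bug.cgi?id=175037
             loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
+            cage(Gigacage::JSValue, regT0);
             loadPtr(operandSlot, regT1);
             negPtr(regT1);
@@ -1577,4 +1570,5 @@
     RegisterID resultPayload = regT0;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1583,4 +1577,5 @@
     RegisterID resultTag = regT1;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #endif
 
@@ -1590,7 +1585,6 @@
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
+    cageConditionally(Gigacage::Primitive, scratch, scratch2);
 
     switch (elementSize(type)) {
@@ -1650,4 +1644,5 @@
     RegisterID resultPayload = regT0;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1656,4 +1651,5 @@
     RegisterID resultTag = regT1;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #endif
 
@@ -1663,7 +1659,6 @@
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
+    cageConditionally(Gigacage::Primitive, scratch, scratch2);
 
     switch (elementSize(type)) {
@@ -1706,4 +1701,5 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT2;
+    RegisterID lateScratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1711,4 +1707,5 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT1;
+    RegisterID lateScratch2 = regT4;
 #endif
 
@@ -1732,7 +1729,6 @@
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
+    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
 
     if (isClamped(type)) {
@@ -1778,4 +1774,5 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT2;
+    RegisterID lateScratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1783,4 +1780,5 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT1;
+    RegisterID lateScratch2 = regT4;
 #endif
 
@@ -1817,7 +1815,6 @@
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
+    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
 
     switch (elementSize(type)) {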
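Review bot: The typed-array accessors at new lines 1587–1588 and 1661–1662 cage only the vector base, not the index: the bounds check on the preceding line takes the length from the view object itself, so a corrupted length still lets the subsequent `BaseIndex(scratch, property, …)` access reach up to 2^32 × elementSize bytes past the caged base, and nothing at this site records that the cage layout (presumably an unmapped runway after it) is what is meant to absorb that. A one-line comment next to each new `cage`/`cageConditionally` call would make the contract visible, e.g. `// Caging bounds the base pointer only; an index beyond a corrupted length is expected to land in the cage's guard region.` — adjust or drop the runway wording if that is not how the cage is laid out. The same comment is a natural place to say why the butterfly sites use unconditional `cage(Gigacage::JSValue, …)` while the primitive vector uses `cageConditionally`, which the ChangeLog attributes to the primitive cage being disable-able at runtime unless permanently enabled. All of these functions start and end outside their hunks.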