Timestamp:
Aug 8, 2017, 9:00:06 AM (8 years ago)
Author:
Ryan Haddad
Message:

Unreviewed, rolling out r220368.

This change caused WK1 tests to exit early with crashes.

Reverted changeset:

"Baseline JIT should do caging"
https://bugs.webkit.org/show_bug.cgi?id=175037
http://trac.webkit.org/changeset/220368

File:
1 edited

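--- a/trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
+++ b/trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
@@ -173,6 +173,7 @@
    
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape));
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
     loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
@@ -187,6 +188,7 @@
    
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape));
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
     load64(BaseIndex(regT2, regT1, TimesEight), regT0);
@@ -203,6 +205,7 @@
     badType = patchableBranch32(Above, regT3, TrustedImm32(SlowPutArrayStorageShape - ArrayStorageShape));
 
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
@@ -351,6 +354,7 @@
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
    
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    cage(Gigacage::JSValue, regT2);
     Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()));
 
@@ -407,6 +411,7 @@
    
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
-    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
@@ -919,6 +924,7 @@
                 isOutOfLine.link(this);
             }
+            // FIXME: Should do caging.
+            // https://bugs.webkit.org/show_bug.cgi?id=175037
             loadPtr(Address(base, JSObject::butterflyOffset()), scratch);
-            cage(Gigacage::JSValue, scratch);
             neg32(offset);
             signExtend32ToPtr(offset, offset);
@@ -1061,6 +1067,7 @@
             emitGetVirtualRegister(value, regT2);
            
+            // FIXME: Should do caging.
+            // https://bugs.webkit.org/show_bug.cgi?id=175037
             loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
-            cage(Gigacage::JSValue, regT0);
             loadPtr(operandSlot, regT1);
             negPtr(regT1);
@@ -1570,5 +1577,4 @@
     RegisterID resultPayload = regT0;
     RegisterID scratch = regT3;
-    RegisterID scratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1577,5 +1583,4 @@
     RegisterID resultTag = regT1;
     RegisterID scratch = regT3;
-    RegisterID scratch2 = regT4;
 #endif
    
@@ -1585,6 +1590,7 @@
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
-    cageConditionally(Gigacage::Primitive, scratch, scratch2);
    
     switch (elementSize(type)) {
@@ -1644,5 +1650,4 @@
     RegisterID resultPayload = regT0;
     RegisterID scratch = regT3;
-    RegisterID scratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1651,5 +1656,4 @@
     RegisterID resultTag = regT1;
     RegisterID scratch = regT3;
-    RegisterID scratch2 = regT4;
 #endif
    
@@ -1659,6 +1663,7 @@
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
-    cageConditionally(Gigacage::Primitive, scratch, scratch2);
    
     switch (elementSize(type)) {
@@ -1701,5 +1706,4 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT2;
-    RegisterID lateScratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1707,5 +1711,4 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT1;
-    RegisterID lateScratch2 = regT4;
 #endif
    
@@ -1729,6 +1732,7 @@
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
-    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
    
     if (isClamped(type)) {
@@ -1774,5 +1778,4 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT2;
-    RegisterID lateScratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1780,5 +1783,4 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT1;
-    RegisterID lateScratch2 = regT4;
 #endif
    
@@ -1815,6 +1817,7 @@
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
+    // FIXME: Should do caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
-    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
    
     switch (elementSize(type)) {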
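Review bot: The FIXME added at new lines 1592–1593 (and repeated verbatim at every other site in this file) does not say which cage form the site needs, and the removed lines show two: `cage(Gigacage::JSValue, reg)` after the `JSObject::butterflyOffset()` loads and `cageConditionally(Gigacage::Primitive, scratch, scratch2)` after the `JSArrayBufferView::offsetOfVector()` loads. The second form also depends on the `scratch2`/`lateScratch2 = regT4` declarations that this rollout deletes. I would make each comment site-specific so the re-land does not depend on reading history, e.g. `// FIXME: Should do caging (Gigacage::Primitive via cageConditionally; needs a second scratch register). Rolled out in r220404.` With the cage calls gone, these baseline fast paths index through the loaded pointer after only the length check, so the Gigacage hardening is presumably absent in this tier until bug 175037 re-lands. The enclosing functions start and end outside the hunks shown.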