Changeset 220416 in webkit for trunk/Source/JavaScriptCore

Timestamp:

Aug 8, 2017, 12:44:20 PM (8 years ago)

Author:

[email protected]

Message:

Baseline JIT should do caging
​https://bugs.webkit.org/show_bug.cgi?id=175037

Reviewed by Mark Lam.
Source/bmalloc:

This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
and WebProcess.

This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
checks on each typed array access.

• bmalloc/Gigacage.cpp:

(Gigacage::primitiveGigacageDisabled):
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):

• bmalloc/Gigacage.h:

(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

Source/JavaScriptCore:

Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

Also modifies FTL caging to be more defensive when caging is disabled.

Relanded with fixed AssemblyHelpers::cageConditionally().

• bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

• bytecode/InlineAccess.cpp:

(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::caged):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::cage):
(JSC::AssemblyHelpers::cageConditionally):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

• jsc.cpp:

(jscmain):
(primitiveGigacageDisabled): Deleted.

Source/WebKit:

Use a better API to disable disabling the primitive gigacage.

• WebProcess/WebProcess.cpp:

(WebKit::m_webSQLiteDatabaseTracker):
(WebKit::primitiveGigacageDisabled): Deleted.

Source/WTF:

• wtf/Gigacage.h:

(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):
(Gigacage::basePtr):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/AccessCase.cpp (modified) (4 diffs)
• bytecode/InlineAccess.cpp (modified) (6 diffs)
• ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)
• jit/AssemblyHelpers.h (modified) (1 diff)
• jit/JITPropertyAccess.cpp (modified) (19 diffs)
• jsc.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-08-08  Filip Pizlo  <[email protected]>
+
+        Baseline JIT should do caging
+        https://bugs.webkit.org/show_bug.cgi?id=175037
+
+        Reviewed by Mark Lam.
+        
+        Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
+        
+        Also modifies FTL caging to be more defensive when caging is disabled.
+        
+        Relanded with fixed AssemblyHelpers::cageConditionally().
+
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateImpl):
+        * bytecode/InlineAccess.cpp:
+        (JSC::InlineAccess::dumpCacheSizesAndCrash):
+        (JSC::InlineAccess::generateSelfPropertyAccess):
+        (JSC::InlineAccess::generateSelfPropertyReplace):
+        (JSC::InlineAccess::generateArrayLength):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::caged):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::cage):
+        (JSC::AssemblyHelpers::cageConditionally):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitDoubleLoad):
+        (JSC::JIT::emitContiguousLoad):
+        (JSC::JIT::emitArrayStorageLoad):
+        (JSC::JIT::emitGenericContiguousPutByVal):
+        (JSC::JIT::emitArrayStoragePutByVal):
+        (JSC::JIT::emit_op_get_from_scope):
+        (JSC::JIT::emit_op_put_to_scope):
+        (JSC::JIT::emitIntTypedArrayGetByVal):
+        (JSC::JIT::emitFloatTypedArrayGetByVal):
+        (JSC::JIT::emitIntTypedArrayPutByVal):
+        (JSC::JIT::emitFloatTypedArrayPutByVal):
+        * jsc.cpp:
+        (jscmain):
+        (primitiveGigacageDisabled): Deleted.
+
 2017-08-08  Ryan Haddad  <[email protected]>
 

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

@@ -528 +528 @@
                     CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
                     loadedValueGPR);
+                // FIXME: Do caging!
+                // https://bugs.webkit.org/show_bug.cgi?id=175295
                 storageGPR = loadedValueGPR;
             }
@@ -878 +880 @@
 
                     jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
+                    // FIXME: Do caging!
+                    // https://bugs.webkit.org/show_bug.cgi?id=175295
 
                     // We have scratchGPR = new storage, scratchGPR3 = old storage,
@@ -956 +960 @@
                     offsetInInlineStorage(m_offset) * sizeof(JSValue)));
         } else {
-            if (!allocating)
+            if (!allocating) {
                 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
+                // FIXME: Do caging!
+                // https://bugs.webkit.org/show_bug.cgi?id=175295
+            }
             jit.storeValue(
                 valueRegs,
@@ -993 +1000 @@
     case ArrayLength: {
         jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
         jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
         state.failAndIgnore.append(

trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp

@@ -58 +58 @@
             CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
         jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
         jit.boxInt32(scratchGPR, regs);
@@ -74 +76 @@
             CCallHelpers::Address(base, JSObject::butterflyOffset()),
             value);
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
         GPRReg storageGPR = value;
         jit.loadValue(
@@ -117 +121 @@
 
         jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
         jit.storeValue(
             regs,
@@ -171 +177 @@
     else {
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
         storage = value.payloadGPR();
     }
@@ -232 +240 @@
         ASSERT(storage != InvalidGPRReg);
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
     }
 
@@ -270 +280 @@
         CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
     jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
+    // FIXME: Do caging!
+    // https://bugs.webkit.org/show_bug.cgi?id=175295
     jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
     jit.boxInt32(value.payloadGPR(), value);

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -11617 +11617 @@
     LValue caged(Gigacage::Kind kind, LValue ptr)
     {
-        if (kind == Gigacage::Primitive) {
+        if (!Gigacage::shouldBeEnabled())
+            return ptr;
+        
+        if (kind == Gigacage::Primitive && Gigacage::canPrimitiveGigacageBeDisabled()) {
             if (vm().primitiveGigacageEnabled().isStillValid())
                 m_graph.watchpoints().addLazily(vm().primitiveGigacageEnabled());

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1310 +1310 @@
         storeFence();
         ok.link(this);
+    }
+    
+    void cage(Gigacage::Kind kind, GPRReg storage)
+    {
+#if GIGACAGE_ENABLED
+        if (!Gigacage::shouldBeEnabled())
+            return;
+        
+        andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
+        addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
+#else
+        UNUSED_PARAM(kind);
+        UNUSED_PARAM(storage);
+#endif
+    }
+    
+    void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratch)
+    {
+#if GIGACAGE_ENABLED
+        if (!Gigacage::shouldBeEnabled())
+            return;
+        
+        if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled())
+            return cage(kind, storage);
+        
+        loadPtr(&Gigacage::basePtr(kind), scratch);
+        Jump done = branchTestPtr(Zero, scratch);
+        andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
+        addPtr(scratch, storage);
+        done.link(this);
+#else
+        UNUSED_PARAM(kind);
+        UNUSED_PARAM(storage);
+        UNUSED_PARAM(scratch);
+#endif
     }
     

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -173 +173 @@
     
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
     loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
@@ -188 +187 @@
     
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
     load64(BaseIndex(regT2, regT1, TimesEight), regT0);
@@ -205 +203 @@
     badType = patchableBranch32(Above, regT3, TrustedImm32(SlowPutArrayStorageShape - ArrayStorageShape));
 
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
@@ -354 +351 @@
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
     
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()));
 
@@ -411 +407 @@
     
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
@@ -924 +919 @@
                 isOutOfLine.link(this);
             }
-            // FIXME: Should do caging.
-            // https://bugs.webkit.org/show_bug.cgi?id=175037
             loadPtr(Address(base, JSObject::butterflyOffset()), scratch);
+            cage(Gigacage::JSValue, scratch);
             neg32(offset);
             signExtend32ToPtr(offset, offset);
@@ -1067 +1061 @@
             emitGetVirtualRegister(value, regT2);
             
-            // FIXME: Should do caging.
-            // https://bugs.webkit.org/show_bug.cgi?id=175037
             loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
+            cage(Gigacage::JSValue, regT0);
             loadPtr(operandSlot, regT1);
             negPtr(regT1);
@@ -1577 +1570 @@
     RegisterID resultPayload = regT0;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1583 +1577 @@
     RegisterID resultTag = regT1;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #endif
     
@@ -1590 +1585 @@
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
+    cageConditionally(Gigacage::Primitive, scratch, scratch2);
     
     switch (elementSize(type)) {
@@ -1650 +1644 @@
     RegisterID resultPayload = regT0;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1656 +1651 @@
     RegisterID resultTag = regT1;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #endif
     
@@ -1663 +1659 @@
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
+    cageConditionally(Gigacage::Primitive, scratch, scratch2);
     
     switch (elementSize(type)) {
@@ -1706 +1701 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT2;
+    RegisterID lateScratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1711 +1707 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT1;
+    RegisterID lateScratch2 = regT4;
 #endif
     
@@ -1732 +1729 @@
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
+    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
     
     if (isClamped(type)) {
@@ -1778 +1774 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT2;
+    RegisterID lateScratch2 = regT4;
 #else
     RegisterID base = regT0;
@@ -1783 +1780 @@
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT1;
+    RegisterID lateScratch2 = regT4;
 #endif
     
@@ -1817 +1815 @@
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
+    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
     
     switch (elementSize(type)) {

trunk/Source/JavaScriptCore/jsc.cpp

@@ -3803 +3803 @@
 }
 
-static void primitiveGigacageDisabled(void*)
-{
-    dataLog("Primitive gigacage disabled! Aborting.\n");
-    UNREACHABLE_FOR_PLATFORM();
-}
-
 int jscmain(int argc, char** argv)
 {
@@ -3827 +3821 @@
     JSC::Wasm::enableFastMemory();
 #endif
-    if (Gigacage::shouldBeEnabled())
-        Gigacage::addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
+    Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled();
 
     int result;