Timestamp:
Aug 8, 2017, 12:44:20 PM (8 years ago)
Author:
[email protected]
Message:

Baseline JIT should do caging
https://bugs.webkit.org/show_bug.cgi?id=175037

Reviewed by Mark Lam.
Source/bmalloc:

This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
and WebProcess.

This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
checks on each typed array access.

  • bmalloc/Gigacage.cpp:

(Gigacage::primitiveGigacageDisabled):
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):

  • bmalloc/Gigacage.h:

(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

Source/JavaScriptCore:

Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

Also modifies FTL caging to be more defensive when caging is disabled.

Relanded with fixed AssemblyHelpers::cageConditionally().

  • bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

  • bytecode/InlineAccess.cpp:

(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::caged):

  • jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::cage):
(JSC::AssemblyHelpers::cageConditionally):

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

  • jsc.cpp:

(jscmain):
(primitiveGigacageDisabled): Deleted.

Source/WebKit:

Use a better API to disable disabling the primitive gigacage.

  • WebProcess/WebProcess.cpp:

(WebKit::m_webSQLiteDatabaseTracker):
(WebKit::primitiveGigacageDisabled): Deleted.

Source/WTF:

  • wtf/Gigacage.h:

(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):
(Gigacage::basePtr):

File:
1 edited

  • trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

    r220404 r220416  
    528528                    CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
    529529                    loadedValueGPR);
     530                // FIXME: Do caging!
     531                // https://bugs.webkit.org/show_bug.cgi?id=175295
    530532                storageGPR = loadedValueGPR;
    531533            }
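Review bot: the butterfly pointer loaded into loadedValueGPR is assigned to storageGPR and then used without caging; the new FIXME only records that caging of this site is deferred to bug 175295, so this access path keeps dereferencing an uncaged storage pointer until that follow-up lands. Keeping the FIXME adjacent to the `storageGPR = loadedValueGPR;` use, rather than only at the load, would make the gap harder to lose in a later refactor.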
     
    878880
    879881                    jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
     882                    // FIXME: Do caging!
     883                    // https://bugs.webkit.org/show_bug.cgi?id=175295
    880884
    881885                    // We have scratchGPR = new storage, scratchGPR3 = old storage,
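Review bot: the old-storage pointer in scratchGPR3 (per the comment "scratchGPR3 = old storage") is still read uncaged after this FIXME; as with the other sites, the comment documents the gap under bug 175295 but changes no emitted code, so the copy from old to new storage in this path remains outside the gigacage check for now.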
     
    956960                    offsetInInlineStorage(m_offset) * sizeof(JSValue)));
    957961        } else {
    958             if (!allocating)
     962            if (!allocating) {
    959963                jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
     964                // FIXME: Do caging!
     965                // https://bugs.webkit.org/show_bug.cgi?id=175295
     966            }
    960967            jit.storeValue(
    961968                valueRegs,
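Review bot: the braces added around `if (!allocating)` exist only to enclose the two new comment lines; the executable body is still the single `jit.loadPtr(...)`, so the following `jit.storeValue(valueRegs, ...)` writes through an uncaged scratchGPR in the non-allocating path. Since this is a store rather than a load, it is worth calling out explicitly in bug 175295 as one of the higher-priority sites to cage.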
     
    9931000    case ArrayLength: {
    9941001        jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
     1002        // FIXME: Do caging!
     1003        // https://bugs.webkit.org/show_bug.cgi?id=175295
    9951004        jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
    9961005        state.failAndIgnore.append(
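Review bot: the `load32` from `ArrayStorage::lengthOffset()` reads through the uncaged butterfly in scratchGPR immediately after the FIXME; this is a read of the length that feeds `state.failAndIgnore`, so the exposure here is an uncaged read rather than a write, but it is tracked under the same bug 175295 as the other three sites and should be caged together with them.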