Timestamp:
Aug 8, 2017, 12:44:20 PM (8 years ago)
Author:
[email protected]
Message:

Baseline JIT should do caging
https://bugs.webkit.org/show_bug.cgi?id=175037

Reviewed by Mark Lam.
Source/bmalloc:

This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
and WebProcess.

This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
checks on each typed array access.

  • bmalloc/Gigacage.cpp:

(Gigacage::primitiveGigacageDisabled):
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):

  • bmalloc/Gigacage.h:

(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

Source/JavaScriptCore:

Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

Also modifies FTL caging to be more defensive when caging is disabled.

Relanded with fixed AssemblyHelpers::cageConditionally().

  • bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

  • bytecode/InlineAccess.cpp:

(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::caged):

  • jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::cage):
(JSC::AssemblyHelpers::cageConditionally):

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

  • jsc.cpp:

(jscmain):
(primitiveGigacageDisabled): Deleted.

Source/WebKit:

Use a better API to disable disabling the primitive gigacage.

  • WebProcess/WebProcess.cpp:

(WebKit::m_webSQLiteDatabaseTracker):
(WebKit::primitiveGigacageDisabled): Deleted.

Source/WTF:

  • wtf/Gigacage.h:

(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):
(Gigacage::basePtr):

File:
1 edited

  • trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp

    r220404 r220416  
    5858            CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
    5959        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
     60        // FIXME: Do caging!
     61        // https://bugs.webkit.org/show_bug.cgi?id=175295
    6062        jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
    6163        jit.boxInt32(scratchGPR, regs);
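Review bot: the FIXME added here marks that the butterfly pointer loaded into `value` on the line above is dereferenced uncaged by the following `jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value)`. Since this changeset introduces AssemblyHelpers::cage and cageConditionally, the comment should say why the inline access paths defer to bug 175295 instead of calling them now, so a later reader does not mistake the FIXME for an oversight.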
     
    7476            CCallHelpers::Address(base, JSObject::butterflyOffset()),
    7577            value);
     78        // FIXME: Do caging!
     79        // https://bugs.webkit.org/show_bug.cgi?id=175295
    7680        GPRReg storageGPR = value;
    7781        jit.loadValue(
     
    117121
    118122        jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
     123        // FIXME: Do caging!
     124        // https://bugs.webkit.org/show_bug.cgi?id=175295
    119125        jit.storeValue(
    120126            regs,
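Review bot: this hunk's FIXME sits between the butterfly load and a `jit.storeValue(regs, ...)` into that storage, so the uncaged pointer is used for a write rather than a read; when bug 175295 is picked up, the put paths deserve priority over the length reads, and the comment could record that ordering.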
     
    171177    else {
    172178        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
     179        // FIXME: Do caging!
     180        // https://bugs.webkit.org/show_bug.cgi?id=175295
    173181        storage = value.payloadGPR();
    174182    }
     
    232240        ASSERT(storage != InvalidGPRReg);
    233241        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
     242        // FIXME: Do caging!
     243        // https://bugs.webkit.org/show_bug.cgi?id=175295
    234244    }
    235245
     
    270280        CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
    271281    jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
     282    // FIXME: Do caging!
     283    // https://bugs.webkit.org/show_bug.cgi?id=175295
    272284    jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
    273285    jit.boxInt32(value.payloadGPR(), value);
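Review bot: the same two-line FIXME with the bug URL is now repeated in six places in this file; a single comment near the top of the file, or one small helper that performs the butterfly load and carries the FIXME once, would make the deferred caging work a single edit when bug 175295 lands.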