Changeset 220416 in webkit for trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

Timestamp:

Aug 8, 2017, 12:44:20 PM (8 years ago)

Author:

[email protected]

Message:

Baseline JIT should do caging
​https://bugs.webkit.org/show_bug.cgi?id=175037

Reviewed by Mark Lam.
Source/bmalloc:

This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
and WebProcess.

This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
checks on each typed array access.

• bmalloc/Gigacage.cpp:

(Gigacage::primitiveGigacageDisabled):
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):

• bmalloc/Gigacage.h:

(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

Source/JavaScriptCore:

Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

Also modifies FTL caging to be more defensive when caging is disabled.

Relanded with fixed AssemblyHelpers::cageConditionally().

• bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

• bytecode/InlineAccess.cpp:

(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::caged):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::cage):
(JSC::AssemblyHelpers::cageConditionally):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

• jsc.cpp:

(jscmain):
(primitiveGigacageDisabled): Deleted.

Source/WebKit:

Use a better API to disable disabling the primitive gigacage.

• WebProcess/WebProcess.cpp:

(WebKit::m_webSQLiteDatabaseTracker):
(WebKit::primitiveGigacageDisabled): Deleted.

Source/WTF:

• wtf/Gigacage.h:

(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):
(Gigacage::basePtr):

File:

• trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h (modified) (1 diff)

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1310 +1310 @@
         storeFence();
         ok.link(this);
+    }
+    
+    void cage(Gigacage::Kind kind, GPRReg storage)
+    {
+#if GIGACAGE_ENABLED
+        if (!Gigacage::shouldBeEnabled())
+            return;
+        
+        andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
+        addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
+#else
+        UNUSED_PARAM(kind);
+        UNUSED_PARAM(storage);
+#endif
+    }
+    
+    void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratch)
+    {
+#if GIGACAGE_ENABLED
+        if (!Gigacage::shouldBeEnabled())
+            return;
+        
+        if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled())
+            return cage(kind, storage);
+        
+        loadPtr(&Gigacage::basePtr(kind), scratch);
+        Jump done = branchTestPtr(Zero, scratch);
+        andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
+        addPtr(scratch, storage);
+        done.link(this);
+#else
+        UNUSED_PARAM(kind);
+        UNUSED_PARAM(storage);
+        UNUSED_PARAM(scratch);
+#endif
     }