Context Navigation

← Previous Change
Next Change →

AccessCase.cpp

Timestamp:

Aug 8, 2017, 8:48:44 PM (8 years ago)

Author:

[email protected]

Message:

ICs should do caging
https://bugs.webkit.org/show_bug.cgi?id=175295

Reviewed by Saam Barati.

Adds the appropriate cage() calls in our inline caches.

bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

bytecode/InlineAccess.cpp:

(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):

File:

: 1 edited

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp (modified) (4 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

-              r220416
+              r220441
                     CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
                     loadedValueGPR);
+                // FIXME: Do caging!
+                // https://bugs.webkit.org/show_bug.cgi?id=175295
+                jit.cage(Gigacage::JSValue, loadedValueGPR);
                 storageGPR = loadedValueGPR;
+            }
 …
                     jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
+                    // FIXME: Do caging!
+                    // https://bugs.webkit.org/show_bug.cgi?id=175295
+                    jit.cage(Gigacage::JSValue, scratchGPR3);
                     // We have scratchGPR = new storage, scratchGPR3 = old storage,
 …
             if (!allocating) {
                 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
+                // FIXME: Do caging!
+                // https://bugs.webkit.org/show_bug.cgi?id=175295
+                jit.cage(Gigacage::JSValue, scratchGPR);
+            }
             jit.storeValue(
 …
     case ArrayLength: {
         jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, scratchGPR);
         jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
         state.failAndIgnore.append(

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 220441 in webkit for trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

Legend:

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

Download in other formats: