Changeset 220441 in webkit for trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp

Timestamp:

Aug 8, 2017, 8:48:44 PM (8 years ago)

Author:

[email protected]

Message:

ICs should do caging
​https://bugs.webkit.org/show_bug.cgi?id=175295

Reviewed by Saam Barati.

Adds the appropriate cage() calls in our inline caches.

• bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

• bytecode/InlineAccess.cpp:

(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):

File:

• trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp (modified) (6 diffs)

trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp

@@ -58 +58 @@
             CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value);
         jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
         jit.boxInt32(scratchGPR, regs);
@@ -76 +75 @@
             CCallHelpers::Address(base, JSObject::butterflyOffset()),
             value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value);
         GPRReg storageGPR = value;
         jit.loadValue(
@@ -121 +119 @@
 
         jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value);
         jit.storeValue(
             regs,
@@ -177 +174 @@
     else {
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value.payloadGPR());
         storage = value.payloadGPR();
     }
@@ -240 +236 @@
         ASSERT(storage != InvalidGPRReg);
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, storage);
     }
 
@@ -280 +275 @@
         CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
     jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
-    // FIXME: Do caging!
-    // https://bugs.webkit.org/show_bug.cgi?id=175295
+    jit.cage(Gigacage::JSValue, value.payloadGPR());
     jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
     jit.boxInt32(value.payloadGPR(), value);