Changeset 220606 in webkit for trunk/Source/JavaScriptCore/runtime/VM.cpp

Timestamp:

Aug 11, 2017, 1:08:33 PM (8 years ago)

Author:

[email protected]

Message:

DirectArguments should be in the JSValue gigacage
​https://bugs.webkit.org/show_bug.cgi?id=174920

Reviewed by Michael Saboff.

This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
because they always operate on a DirectArguments that is pointed to directly from the stack, they are
required to use fixed offsets, and you can only store JSValues.

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitDirectArgumentsGetByVal):

• runtime/DirectArguments.h:

(JSC::DirectArguments::subspaceFor):
(JSC::DirectArguments::storage):

• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:

File:

• trunk/Source/JavaScriptCore/runtime/VM.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -172 +172 @@
     , jsValueGigacageAuxiliarySpace("JSValue Gigacage Auxiliary", heap, AllocatorAttributes(DoesNotNeedDestruction, HeapCell::Auxiliary), jsValueGigacageAllocator.get())
     , cellSpace("JSCell", heap, AllocatorAttributes(DoesNotNeedDestruction, HeapCell::JSCell), fastMallocAllocator.get())
+    , jsValueGigacageCellSpace("JSValue Gigacage JSCell", heap, AllocatorAttributes(DoesNotNeedDestruction, HeapCell::JSCell), jsValueGigacageAllocator.get())
     , destructibleCellSpace("Destructible JSCell", heap, AllocatorAttributes(NeedsDestruction, HeapCell::JSCell), fastMallocAllocator.get())
     , stringSpace("JSString", heap, fastMallocAllocator.get())