Changeset 224564 in webkit for trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

Timestamp:

Nov 7, 2017, 10:29:31 PM (8 years ago)

Author:

[email protected]

Message:

Only cage double butterfly accesses
​https://bugs.webkit.org/show_bug.cgi?id=179202

Reviewed by Mark Lam.

This patch removes caging from all butterfly accesses except double loads/stores.
This is a performance vs security tradeoff. Double loads/stores are the only butterfly
loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
by caging. The other load/stores we are no longer caging to get back performance on
various benchmarks.

• bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

• bytecode/InlineAccess.cpp:

(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):

• dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCreateRest):
(JSC::DFG::SpeculativeJIT::compileSpread):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):

• llint/LowLevelInterpreter64.asm:
• runtime/AuxiliaryBarrier.h:

(JSC::AuxiliaryBarrier::operator-> const):

• runtime/Butterfly.h:

(JSC::Butterfly::caged):
(JSC::Butterfly::contiguousDouble):

• runtime/JSArray.cpp:

(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):

• runtime/JSArrayInlines.h:

(JSC::JSArray::pushInline):

• runtime/JSObject.cpp:

(JSC::JSObject::heapSnapshot):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):
(JSC::JSObject::allocateMoreOutOfLineStorage):

• runtime/JSObject.h:

(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly const):
(JSC::JSObject::canSetIndexQuickly):
(JSC::JSObject::butterfly const):
(JSC::JSObject::butterfly):

File:

• trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

@@ -625 +625 @@
                     CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
                     loadedValueGPR);
-                jit.cage(Gigacage::JSValue, loadedValueGPR);
                 storageGPR = loadedValueGPR;
             }
@@ -976 +975 @@
 
                     jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
-                    jit.cage(Gigacage::JSValue, scratchGPR3);
 
                     // We have scratchGPR = new storage, scratchGPR3 = old storage,
@@ -1057 +1055 @@
                     offsetInInlineStorage(m_offset) * sizeof(JSValue)));
         } else {
-            if (!allocating) {
+            if (!allocating)
                 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
-                jit.cage(Gigacage::JSValue, scratchGPR);
-            }
             jit.storeValue(
                 valueRegs,
@@ -1096 +1092 @@
     case ArrayLength: {
         jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
-        jit.cage(Gigacage::JSValue, scratchGPR);
         jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
         state.failAndIgnore.append(