Ignore:
Timestamp:
Nov 7, 2017, 10:29:31 PM (8 years ago)
Author:
[email protected]
Message:

Only cage double butterfly accesses
https://bugs.webkit.org/show_bug.cgi?id=179202

Reviewed by Mark Lam.

This patch removes caging from all butterfly accesses except double loads/stores.
This is a performance vs security tradeoff. Double loads/stores are the only butterfly
loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
by caging. The other load/stores we are no longer caging to get back performance on
various benchmarks.

  • bytecode/AccessCase.cpp:

(JSC::AccessCase::generateImpl):

  • bytecode/InlineAccess.cpp:

(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):

  • dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCreateRest):
(JSC::DFG::SpeculativeJIT::compileSpread):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):

  • llint/LowLevelInterpreter64.asm:
  • runtime/AuxiliaryBarrier.h:

(JSC::AuxiliaryBarrier::operator-> const):

  • runtime/Butterfly.h:

(JSC::Butterfly::caged):
(JSC::Butterfly::contiguousDouble):

  • runtime/JSArray.cpp:

(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):

  • runtime/JSArrayInlines.h:

(JSC::JSArray::pushInline):

  • runtime/JSObject.cpp:

(JSC::JSObject::heapSnapshot):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::reallocateAndShrinkButterfly):
(JSC::JSObject::allocateMoreOutOfLineStorage):

  • runtime/JSObject.h:

(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly const):
(JSC::JSObject::canSetIndexQuickly):
(JSC::JSObject::butterfly const):
(JSC::JSObject::butterfly):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/bytecode/InlineAccess.cpp

    r224258 r224564  
    5858            CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
    5959        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
    60         jit.cage(Gigacage::JSValue, value);
    6160        jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
    6261        jit.boxInt32(scratchGPR, regs);
     
    7574            CCallHelpers::Address(base, JSObject::butterflyOffset()),
    7675            value);
    77         jit.cage(Gigacage::JSValue, value);
    7876        GPRReg storageGPR = value;
    7977        jit.loadValue(
     
    119117
    120118        jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
    121         jit.cage(Gigacage::JSValue, value);
    122119        jit.storeValue(
    123120            regs,
     
    174171    else {
    175172        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
    176         jit.cage(Gigacage::JSValue, value.payloadGPR());
    177173        storage = value.payloadGPR();
    178174    }
     
    236232        ASSERT(storage != InvalidGPRReg);
    237233        jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
    238         jit.cage(Gigacage::JSValue, storage);
    239234    }
    240235
     
    275270        CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
    276271    jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
    277     jit.cage(Gigacage::JSValue, value.payloadGPR());
    278272    jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
    279273    jit.boxInt32(value.payloadGPR(), value);
Note: See TracChangeset for help on using the changeset viewer.