Timestamp:
Nov 7, 2017, 10:29:31 PM (8 years ago)
Author:
[email protected]
Message:

Only cage double butterfly accesses
https://bugs.webkit.org/show_bug.cgi?id=179202

Reviewed by Mark Lam.

This patch removes caging from all butterfly accesses except double loads/stores.
This is a performance vs security tradeoff. Double loads/stores are the only butterfly
loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
by caging. The other load/stores we are no longer caging to get back performance on
various benchmarks.

  • bytecode/AccessCase.cpp:
    (JSC::AccessCase::generateImpl):
  • bytecode/InlineAccess.cpp:
    (JSC::InlineAccess::dumpCacheSizesAndCrash):
    (JSC::InlineAccess::generateSelfPropertyAccess):
    (JSC::InlineAccess::generateSelfPropertyReplace):
    (JSC::InlineAccess::generateArrayLength):
  • dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
  • dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileCreateRest):
    (JSC::DFG::SpeculativeJIT::compileSpread):
    (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
  • dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
  • ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
  • jit/JITPropertyAccess.cpp:
    (JSC::JIT::emitContiguousLoad):
    (JSC::JIT::emitArrayStorageLoad):
    (JSC::JIT::emitGenericContiguousPutByVal):
    (JSC::JIT::emitArrayStoragePutByVal):
    (JSC::JIT::emit_op_get_from_scope):
    (JSC::JIT::emit_op_put_to_scope):
  • llint/LowLevelInterpreter64.asm:
  • runtime/AuxiliaryBarrier.h:
    (JSC::AuxiliaryBarrier::operator-> const):
  • runtime/Butterfly.h:
    (JSC::Butterfly::caged):
    (JSC::Butterfly::contiguousDouble):
  • runtime/JSArray.cpp:
    (JSC::JSArray::setLength):
    (JSC::JSArray::pop):
    (JSC::JSArray::shiftCountWithAnyIndexingType):
    (JSC::JSArray::unshiftCountWithAnyIndexingType):
    (JSC::JSArray::fillArgList):
    (JSC::JSArray::copyToArguments):
  • runtime/JSArrayInlines.h:
    (JSC::JSArray::pushInline):
  • runtime/JSObject.cpp:
    (JSC::JSObject::heapSnapshot):
    (JSC::JSObject::createInitialIndexedStorage):
    (JSC::JSObject::createArrayStorage):
    (JSC::JSObject::convertUndecidedToInt32):
    (JSC::JSObject::ensureLengthSlow):
    (JSC::JSObject::reallocateAndShrinkButterfly):
    (JSC::JSObject::allocateMoreOutOfLineStorage):
  • runtime/JSObject.h:
    (JSC::JSObject::canGetIndexQuickly):
    (JSC::JSObject::getIndexQuickly):
    (JSC::JSObject::tryGetIndexQuickly const):
    (JSC::JSObject::canSetIndexQuickly):
    (JSC::JSObject::butterfly const):
    (JSC::JSObject::butterfly):
File:
1 edited

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r224280 r224564  
    72707270
    72717271        m_jit.loadPtr(MacroAssembler::Address(arrayResultGPR, JSObject::butterflyOffset()), butterflyGPR);
    7272         m_jit.cage(Gigacage::JSValue, butterflyGPR);
    72737272
    72747273        CCallHelpers::Jump skipLoop = m_jit.branch32(MacroAssembler::Equal, arrayLengthGPR, TrustedImm32(0));
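Review bot: with the cage on butterflyGPR removed, the butterfly pointer loaded two lines above is used uncaged by everything after the skipLoop branch; the commit message says only double loads/stores stay caged, so a one-line comment at this site stating that this path only copies JSValues (the spread hunks in this same file add the mirror-image comment where caging is kept) would make the decision auditable in the code rather than only in the ChangeLog.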
     
    73407339
    73417340        m_jit.loadPtr(MacroAssembler::Address(argument, JSObject::butterflyOffset()), lengthGPR);
    7342         m_jit.cage(Gigacage::JSValue, lengthGPR);
     7341        m_jit.cage(Gigacage::JSValue, lengthGPR); // We may do a double memcpy loop below, so we conservatively cage.
    73437342        m_jit.load32(MacroAssembler::Address(lengthGPR, Butterfly::offsetOfPublicLength()), lengthGPR);
    73447343        static_assert(sizeof(JSValue) == 8 && 1 << 3 == 8, "This is strongly assumed in the code below.");
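Review bot: the new comment justifies caging lengthGPR by the possible double memcpy loop, but lengthGPR is dereferenced exactly once, for the load32 of Butterfly::offsetOfPublicLength() on the next line, and is then overwritten with the length itself; the register the loop copies through is a different one. Consider rewording to say the length read is caged because it bounds the later copy, or dropping the comment here and keeping it only on the pointer the loop actually dereferences, so the comment matches what this register does.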
     
    73517350
    73527351        m_jit.loadPtr(MacroAssembler::Address(argument, JSObject::butterflyOffset()), scratch1GPR);
    7353         m_jit.cage(Gigacage::JSValue, scratch1GPR);
     7352        m_jit.cage(Gigacage::JSValue, scratch1GPR); // We may do a double memcpy loop below, so we conservatively cage.
    73547353
    73557354        MacroAssembler::JumpList done;
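Review bot: the cage on scratch1GPR is applied unconditionally, before the indexing-type check, so the non-double copy path pays for it as well; if scratch1GPR is only dereferenced on the isDoubleArray path, moving the cage under that branch would follow the "only cage double accesses" policy more literally. If the register is shared by both paths, the comment should say the cage is deliberately paid on the JSValue path too, since "may do a double memcpy loop" alone reads as if the cost were confined to the double case.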
     
    73747373        isDoubleArray.link(&m_jit);
    73757374        {
    7376 
    73777375            done.append(m_jit.branchTest32(MacroAssembler::Zero, lengthGPR));
    73787376            auto loopStart = m_jit.label();
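Review bot: this hunk only drops an empty line at the top of the isDoubleArray block; unrelated whitespace churn is best left out of a security-motivated caging change so the diff stays focused on the access sites being reviewed.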
     
    74617459        m_jit.move(TrustedImm32(0), indexGPR);
    74627460        m_jit.loadPtr(MacroAssembler::Address(resultGPR, JSObject::butterflyOffset()), storageGPR);
    7463         m_jit.cage(Gigacage::JSValue, storageGPR);
    74647461
    74657462        for (unsigned i = 0; i < node->numChildren(); ++i) {
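Review bot: removing the cage leaves storageGPR pointing at an unvalidated butterfly for the per-child loop that follows (indexGPR is reset to 0 just above and the loop walks node->numChildren()); this is consistent with the stated policy only if every store in that loop writes a JSValue and never a raw double, so a short comment asserting the JSValue-only invariant at this site would document why this access was safe to uncage while compileSpread kept its cage.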