[webkit-changes] [229912] trunk/Source/JavaScriptCore

Fri, 23 Mar 2018 11:55:58 -0700

Title: [229912] trunk/Source/_javascript_Core
Revision
229912
Author
mark....@apple.com
Date
2018-03-23 11:55:26 -0700 (Fri, 23 Mar 2018)

Log Message

LLInt TypeArray pointer poisoning should not pick its poison dynamically.
https://bugs.webkit.org/show_bug.cgi?id=183942
<rdar://problem/38798018>

Reviewed by JF Bastien.

1. Move the LLInt TypedArray unpoisoning to just before the array access after
   all the branches.
2. Renamed FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
3. Remove a useless instruction in the implementation of emitX86Lea for a global
   label.

* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/x86.rb:

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (229911 => 229912)


--- trunk/Source/_javascript_Core/ChangeLog	2018-03-23 18:44:17 UTC (rev 229911)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-03-23 18:55:26 UTC (rev 229912)
@@ -1,5 +1,23 @@
 2018-03-23  Mark Lam  <mark....@apple.com>
 
+        LLInt TypeArray pointer poisoning should not pick its poison dynamically.
+        https://bugs.webkit.org/show_bug.cgi?id=183942
+        <rdar://problem/38798018>
+
+        Reviewed by JF Bastien.
+
+        1. Move the LLInt TypedArray unpoisoning to just before the array access after
+           all the branches.
+        2. Renamed FirstArrayType to FirstTypedArrayType to match the symbol in C++ code.
+        3. Remove a useless instruction in the implementation of emitX86Lea for a global
+           label.
+
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * offlineasm/x86.rb:
+
+2018-03-23  Mark Lam  <mark....@apple.com>
+
         Add more support for pointer profiling.
         https://bugs.webkit.org/show_bug.cgi?id=183943
         <rdar://problem/38799068>

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (229911 => 229912)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm	2018-03-23 18:44:17 UTC (rev 229911)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm	2018-03-23 18:55:26 UTC (rev 229912)
@@ -400,7 +400,7 @@
 const Float32ArrayType = constexpr Float32ArrayType
 const Float64ArrayType = constexpr Float64ArrayType
 
-const FirstArrayType = constexpr FirstTypedArrayType
+const FirstTypedArrayType = constexpr FirstTypedArrayType
 const NumberOfTypedArrayTypesExcludingDataView = constexpr NumberOfTypedArrayTypesExcludingDataView
 const TypedArrayPoisonIndexMask = constexpr TypedArrayPoisonIndexMask

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (229911 => 229912)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2018-03-23 18:44:17 UTC (rev 229911)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2018-03-23 18:55:26 UTC (rev 229912)
@@ -402,9 +402,8 @@
 
 macro loadTypedArrayCaged(basePtr, mask, source, typeIndex, dest, scratch)
     if POISON
-        andp TypedArrayPoisonIndexMask, typeIndex
         leap _g_typedArrayPoisons, dest
-        loadp [dest, typeIndex, 8], dest
+        loadp (typeIndex - FirstTypedArrayType) * 8[dest], dest
         loadp source, scratch
         xorp scratch, dest
     else
@@ -1576,12 +1575,11 @@
 .opGetByValNotIndexedStorage:
     # First lets check if we even have a typed array. This lets us do some boilerplate up front.
     loadb JSCell::m_type[t0], t2
-    subi FirstArrayType, t2
+    subi FirstTypedArrayType, t2
     biaeq t2, NumberOfTypedArrayTypesExcludingDataView, .opGetByValSlow
     
     # Sweet, now we know that we have a typed array. Do some basic things now.
     biaeq t1, JSArrayBufferView::m_length[t0], .opGetByValSlow
-    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], t2, t3, t5)
 
     # Now bisect through the various types:
     #    Int8ArrayType,
@@ -1594,49 +1592,63 @@
     #    Float32ArrayType,
     #    Float64ArrayType,
 
-    bia t2, Uint16ArrayType - FirstArrayType, .opGetByValAboveUint16Array
+    bia t2, Uint16ArrayType - FirstTypedArrayType, .opGetByValAboveUint16Array
 
     # We have one of Int8ArrayType .. Uint16ArrayType.
-    bia t2, Uint8ClampedArrayType - FirstArrayType, .opGetByValInt16ArrayOrUint16Array
+    bia t2, Uint8ClampedArrayType - FirstTypedArrayType, .opGetByValInt16ArrayOrUint16Array
 
     # We have one of Int8ArrayType ... Uint8ClampedArrayType
-    bineq t2, Int8ArrayType - FirstArrayType, .opGetByValUint8ArrayOrUint8ClampedArray
+    bia t2, Int8ArrayType - FirstTypedArrayType, .opGetByValUint8ArrayOrUint8ClampedArray
 
-    # We have Int8ArrayType
+    # We have Int8ArrayType.
+    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Int8ArrayType, t3, t2)
     loadbs [t3, t1], t0
     finishIntGetByVal(t0, t1)
 
 .opGetByValUint8ArrayOrUint8ClampedArray:
-    # We have either Uint8ArrayType or Uint8ClampedArrayType. They behave the same so that's cool.
+    bia t2, Uint8ArrayType - FirstTypedArrayType, .opGetByValUint8ClampedArray
+
+    # We have Uint8ArrayType.
+    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint8ArrayType, t3, t2)
     loadb [t3, t1], t0
     finishIntGetByVal(t0, t1)
 
+.opGetByValUint8ClampedArray:
+    # We have Uint8ClampedArrayType.
+    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint8ClampedArrayType, t3, t2)
+    loadb [t3, t1], t0
+    finishIntGetByVal(t0, t1)
+
 .opGetByValInt16ArrayOrUint16Array:
     # We have either Int16ArrayType or Uint16ClampedArrayType.
-    bieq t2, Uint16ArrayType - FirstArrayType, .opGetByValUint16Array
+    bia t2, Int16ArrayType - FirstTypedArrayType, .opGetByValUint16Array
 
     # We have Int16ArrayType.
+    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Int16ArrayType, t3, t2)
     loadhs [t3, t1, 2], t0
     finishIntGetByVal(t0, t1)
 
 .opGetByValUint16Array:
     # We have Uint16ArrayType.
+    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint16ArrayType, t3, t2)
     loadh [t3, t1, 2], t0
     finishIntGetByVal(t0, t1)
 
 .opGetByValAboveUint16Array:
     # We have one of Int32ArrayType .. Float64ArrayType.
-    bia t2, Uint32ArrayType - FirstArrayType, .opGetByValFloat32ArrayOrFloat64Array
+    bia t2, Uint32ArrayType - FirstTypedArrayType, .opGetByValFloat32ArrayOrFloat64Array
 
     # We have either Int32ArrayType or Uint32ArrayType
-    bineq t2, Int32ArrayType - FirstArrayType, .opGetByValUint32Array
+    bia t2, Int32ArrayType - FirstTypedArrayType, .opGetByValUint32Array
 
-    # We have Int32ArrayType
+    # We have Int32ArrayType.
+    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Int32ArrayType, t3, t2)
     loadi [t3, t1, 4], t0
     finishIntGetByVal(t0, t1)
 
 .opGetByValUint32Array:
     # We have Uint32ArrayType.
+    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint32ArrayType, t3, t2)
     # This is the hardest part because of large unsigned values.
     loadi [t3, t1, 4], t0
     bilt t0, 0, .opGetByValSlow # This case is still awkward to implement in LLInt.
@@ -1645,9 +1657,10 @@
 .opGetByValFloat32ArrayOrFloat64Array:
     # We have one of Float32ArrayType or Float64ArrayType. Sadly, we cannot handle Float32Array
     # inline yet. That would require some offlineasm changes.
-    bieq t2, Float32ArrayType - FirstArrayType, .opGetByValSlow
+    bieq t2, Float32ArrayType - FirstTypedArrayType, .opGetByValSlow
 
     # We have Float64ArrayType.
+    loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Float64ArrayType, t3, t2)
     loadd [t3, t1, 8], ft0
     bdnequn ft0, ft0, .opGetByValSlow
     finishDoubleGetByVal(ft0, t0, t1)

Modified: trunk/Source/_javascript_Core/offlineasm/x86.rb (229911 => 229912)


--- trunk/Source/_javascript_Core/offlineasm/x86.rb	2018-03-23 18:44:17 UTC (rev 229911)
+++ trunk/Source/_javascript_Core/offlineasm/x86.rb	2018-03-23 18:55:26 UTC (rev 229912)
@@ -590,7 +590,6 @@
     def emitX86Lea(src, dst, kind)
         if src.is_a? LabelReference
             $asm.puts "movq #{src.asmLabel}@GOTPCREL(%rip), #{dst.x86Operand(:ptr)}"
-            $asm.puts "mov#{x86Suffix(kind)} #{orderOperands(dst.x86Operand(kind), dst.x86Operand(kind))}"
         else
             $asm.puts "lea#{x86Suffix(kind)} #{orderOperands(src.x86AddressOperand(kind), dst.x86Operand(kind))}"
         end

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to