Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (230272 => 230273)
--- trunk/Source/_javascript_Core/ChangeLog 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-04-04 20:29:43 UTC (rev 230273)
@@ -1,3 +1,54 @@
+2018-04-04 Filip Pizlo <fpi...@apple.com>
+
+ Remove poisoning of typed array vector
+ https://bugs.webkit.org/show_bug.cgi?id=184313
+
+ Reviewed by Saam Barati.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::checkArray):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
+ (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
+ * jit/IntrinsicEmitter.cpp:
+ (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitIntTypedArrayGetByVal):
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/arm64.rb:
+ * offlineasm/x86.rb:
+ * runtime/CagedBarrierPtr.h:
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::JSArrayBufferView):
+ (JSC::JSArrayBufferView::finalize):
+ (JSC::JSArrayBufferView::neuter):
+ * runtime/JSArrayBufferView.h:
+ (JSC::JSArrayBufferView::vector const):
+ (JSC::JSArrayBufferView::offsetOfVector):
+ (JSC::JSArrayBufferView::offsetOfPoisonedVector): Deleted.
+ (JSC::JSArrayBufferView::poisonFor): Deleted.
+ (JSC::JSArrayBufferView::Poison::key): Deleted.
+ * runtime/JSCPoison.cpp:
+ (JSC::initializePoison):
+ * runtime/JSCPoison.h:
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
+ (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
+ (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
+ * runtime/JSObject.h:
+
2018-04-03 Filip Pizlo <fpi...@apple.com>
Don't do index masking or poisoning for DirectArguments
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (230272 => 230273)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2018-04-04 20:29:43 UTC (rev 230273)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -2887,7 +2887,6 @@
m_indexInBlock, SpecNone, GetButterfly, origin, Edge(array, CellUse));
}
- ASSERT(arrayMode.type() == Array::String || arrayMode.typedArrayType() != NotTypedArray);
return m_insertionSet.insertNode(
m_indexInBlock, SpecNone, GetIndexedPropertyStorage, origin,
OpInfo(arrayMode.asWord()), Edge(array, KnownCellUse));
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (230272 => 230273)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-04-04 20:29:43 UTC (rev 230273)
@@ -2825,7 +2825,7 @@
JITCompiler::Jump hasNullVector = m_jit.branchTestPtr(
MacroAssembler::Zero,
- MacroAssembler::Address(base, JSArrayBufferView::offsetOfPoisonedVector()));
+ MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector()));
speculationCheck(Uncountable, JSValueSource(), node, hasNullVector);
notWasteful.link(&m_jit);
}
@@ -6426,10 +6426,7 @@
auto typedArrayType = node->arrayMode().typedArrayType();
ASSERT_UNUSED(typedArrayType, isTypedView(typedArrayType));
- m_jit.loadPtr(JITCompiler::Address(baseReg, JSArrayBufferView::offsetOfPoisonedVector()), storageReg);
-#if ENABLE(POISON)
- m_jit.xorPtr(JITCompiler::TrustedImmPtr(JSArrayBufferView::poisonFor(typedArrayType)), storageReg);
-#endif
+ m_jit.loadPtr(JITCompiler::Address(baseReg, JSArrayBufferView::offsetOfVector()), storageReg);
cageTypedArrayStorage(storageReg);
break;
}
@@ -6450,15 +6447,7 @@
ASSERT(baseGPR != dataGPR);
ASSERT(vectorGPR != dataGPR);
-#if ENABLE(POISON)
- GPRTemporary poison(this);
- GPRTemporary index(this);
- GPRReg poisonGPR = poison.gpr();
- GPRReg indexGPR = index.gpr();
- GPRReg arrayBufferGPR = poisonGPR;
-#else
GPRReg arrayBufferGPR = dataGPR;
-#endif
JITCompiler::Jump emptyByteOffset = m_jit.branch32(
MacroAssembler::NotEqual,
@@ -6465,20 +6454,12 @@
MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfMode()),
TrustedImm32(WastefulTypedArray));
- m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfPoisonedVector()), vectorGPR);
+ m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), vectorGPR);
JITCompiler::Jump nullVector = m_jit.branchTestPtr(JITCompiler::Zero, vectorGPR);
m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR);
m_jit.cage(Gigacage::JSValue, dataGPR);
-#if ENABLE(POISON)
- m_jit.load8(JITCompiler::Address(baseGPR, JSCell::typeInfoTypeOffset()), indexGPR);
- m_jit.move(JITCompiler::TrustedImmPtr(&g_typedArrayPoisons), poisonGPR);
- m_jit.sub32(JITCompiler::TrustedImm32(FirstTypedArrayType), indexGPR);
- m_jit.and32(JITCompiler::TrustedImm32(TypedArrayPoisonIndexMask), indexGPR);
- m_jit.loadPtr(JITCompiler::BaseIndex(poisonGPR, indexGPR, JITCompiler::timesPtr()), poisonGPR);
- m_jit.xorPtr(poisonGPR, vectorGPR);
-#endif
cageTypedArrayStorage(vectorGPR);
m_jit.loadPtr(MacroAssembler::Address(dataGPR, Butterfly::offsetOfArrayBuffer()), arrayBufferGPR);
@@ -9313,7 +9294,8 @@
m_jit.emitAllocateVariableSized(
storageGPR, m_jit.vm()->primitiveGigacageAuxiliarySpace, scratchGPR, scratchGPR,
scratchGPR2, slowCases);
-
+
+ MacroAssembler::Jump done = m_jit.branchTest32(MacroAssembler::Zero, sizeGPR);
m_jit.move(sizeGPR, scratchGPR);
if (elementSize(typedArrayType) != 4) {
if (elementSize(typedArrayType) > 4)
@@ -9331,6 +9313,7 @@
TrustedImm32(0),
MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesFour));
m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit);
+ done.link(&m_jit);
auto butterfly = TrustedImmPtr(nullptr);
emitAllocateJSObject<JSArrayBufferView>(
@@ -9337,17 +9320,9 @@
resultGPR, TrustedImmPtr(structure), butterfly, scratchGPR, scratchGPR2,
slowCases);
-#if ENABLE(POISON)
- m_jit.move(storageGPR, scratchGPR);
- m_jit.xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(typedArrayType)), scratchGPR);
m_jit.storePtr(
- scratchGPR,
- MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfPoisonedVector()));
-#else
- m_jit.storePtr(
storageGPR,
- MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfPoisonedVector()));
-#endif
+ MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfVector()));
m_jit.store32(
sizeGPR,
MacroAssembler::Address(resultGPR, JSArrayBufferView::offsetOfLength()));
Modified: trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h (230272 => 230273)
--- trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h 2018-04-04 20:29:43 UTC (rev 230273)
@@ -60,7 +60,7 @@
macro(GetterSetter_setter, GetterSetter::offsetOfSetter()) \
macro(JSArrayBufferView_length, JSArrayBufferView::offsetOfLength()) \
macro(JSArrayBufferView_mode, JSArrayBufferView::offsetOfMode()) \
- macro(JSArrayBufferView_poisonedVector, JSArrayBufferView::offsetOfPoisonedVector()) \
+ macro(JSArrayBufferView_vector, JSArrayBufferView::offsetOfVector()) \
macro(JSCell_cellState, JSCell::cellStateOffset()) \
macro(JSCell_header, 0) \
macro(JSCell_indexingTypeAndMisc, JSCell::indexingTypeAndMiscOffset()) \
@@ -149,8 +149,7 @@
macro(variables, 0, sizeof(Register)) \
macro(HasOwnPropertyCache, 0, sizeof(HasOwnPropertyCache::Entry)) \
macro(JSFixedArray_buffer, JSFixedArray::offsetOfData(), sizeof(EncodedJSValue)) \
- macro(TypedArrayPoisons, 0, sizeof(uintptr_t)) \
-
+
#define FOR_EACH_NUMBERED_ABSTRACT_HEAP(macro) \
macro(properties)
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (230272 => 230273)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-04-04 20:29:43 UTC (rev 230273)
@@ -3495,13 +3495,7 @@
}
DFG_ASSERT(m_graph, m_node, isTypedView(m_node->arrayMode().typedArrayType()), m_node->arrayMode().typedArrayType());
- LValue poisonedVector = m_out.loadPtr(cell, m_heaps.JSArrayBufferView_poisonedVector);
-#if ENABLE(POISON)
- auto typedArrayType = m_node->arrayMode().typedArrayType();
- LValue vector = m_out.bitXor(m_out.constIntPtr(JSArrayBufferView::poisonFor(typedArrayType)), poisonedVector);
-#else
- LValue vector = poisonedVector;
-#endif
+ LValue vector = m_out.loadPtr(cell, m_heaps.JSArrayBufferView_vector);
setStorage(caged(Gigacage::Primitive, vector));
}
@@ -3540,9 +3534,9 @@
m_out.appendTo(wastefulCase, notNull);
- LValue poisonedVector = m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_poisonedVector);
- ValueFromBlock nullVectorOut = m_out.anchor(poisonedVector);
- m_out.branch(poisonedVector, unsure(notNull), unsure(continuation));
+ LValue vector = m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_vector);
+ ValueFromBlock nullVectorOut = m_out.anchor(vector);
+ m_out.branch(vector, unsure(notNull), unsure(continuation));
m_out.appendTo(notNull, continuation);
@@ -3549,15 +3543,7 @@
LValue butterflyPtr = caged(Gigacage::JSValue, m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly));
LValue arrayBufferPtr = m_out.loadPtr(butterflyPtr, m_heaps.Butterfly_arrayBuffer);
-#if ENABLE(POISON)
- LValue jsType = m_out.load8ZeroExt32(basePtr, m_heaps.JSCell_typeInfoType);
- LValue typeIndex = m_out.sub(jsType, m_out.constInt32(FirstTypedArrayType));
- LValue maskedTypeIndex = m_out.zeroExtPtr(m_out.bitAnd(typeIndex, m_out.constInt32(TypedArrayPoisonIndexMask)));
- LValue poisonsBasePtr = m_out.constIntPtr(&g_typedArrayPoisons);
- LValue poison = m_out.loadPtr(m_out.baseIndex(m_heaps.TypedArrayPoisons, poisonsBasePtr, maskedTypeIndex));
- poisonedVector = m_out.bitXor(poisonedVector, poison);
-#endif
- LValue vectorPtr = caged(Gigacage::Primitive, poisonedVector);
+ LValue vectorPtr = caged(Gigacage::Primitive, vector);
// FIXME: This needs caging.
// https://bugs.webkit.org/show_bug.cgi?id=175515
@@ -5925,10 +5911,7 @@
LValue fastResultValue =
allocateObject<JSArrayBufferView>(structure, m_out.intPtrZero, slowCase);
-#if ENABLE(POISON)
- storage = m_out.bitXor(m_out.constIntPtr(JSArrayBufferView::poisonFor(typedArrayType)), storage);
-#endif
- m_out.storePtr(storage, fastResultValue, m_heaps.JSArrayBufferView_poisonedVector);
+ m_out.storePtr(storage, fastResultValue, m_heaps.JSArrayBufferView_vector);
m_out.store32(size, fastResultValue, m_heaps.JSArrayBufferView_length);
m_out.store32(m_out.constInt32(FastTypedArray), fastResultValue, m_heaps.JSArrayBufferView_mode);
@@ -15425,7 +15408,7 @@
unsure(isWasteful), unsure(continuation));
LBasicBlock lastNext = m_out.appendTo(isWasteful, continuation);
- LValue vector = m_out.loadPtr(base, m_heaps.JSArrayBufferView_poisonedVector);
+ LValue vector = m_out.loadPtr(base, m_heaps.JSArrayBufferView_vector);
speculate(Uncountable, jsValueValue(vector), m_node, m_out.isZero64(vector));
m_out.jump(continuation);
Modified: trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp (230272 => 230273)
--- trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/jit/IntrinsicEmitter.cpp 2018-04-04 20:29:43 UTC (rev 230273)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -107,31 +107,22 @@
case TypedArrayByteOffsetIntrinsic: {
GPRReg scratchGPR = state.scratchGPR;
- CCallHelpers::Jump notEmptyByteOffset = jit.branch32(
- MacroAssembler::Equal,
+ CCallHelpers::Jump emptyByteOffset = jit.branch32(
+ MacroAssembler::NotEqual,
MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfMode()),
TrustedImm32(WastefulTypedArray));
- jit.move(TrustedImmPtr(nullptr), valueGPR);
- CCallHelpers::Jump done = jit.jump();
-
- notEmptyByteOffset.link(&jit);
-
- // We need to load the butterfly before the vector because baseGPR and valueGPR
- // can be the same register.
jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
- jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfPoisonedVector()), valueGPR);
- CCallHelpers::Jump nullVector = jit.branchTestPtr(MacroAssembler::Zero, valueGPR);
-
-#if ENABLE(POISON)
- auto typedArrayType = structure()->classInfo()->typedArrayStorageType;
- jit.xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(typedArrayType)), valueGPR);
-#endif
+ jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), valueGPR);
jit.loadPtr(MacroAssembler::Address(scratchGPR, Butterfly::offsetOfArrayBuffer()), scratchGPR);
jit.loadPtr(MacroAssembler::Address(scratchGPR, ArrayBuffer::offsetOfData()), scratchGPR);
jit.subPtr(scratchGPR, valueGPR);
- nullVector.link(&jit);
+ CCallHelpers::Jump done = jit.jump();
+
+ emptyByteOffset.link(&jit);
+ jit.move(TrustedImmPtr(nullptr), valueGPR);
+
done.link(&jit);
jit.boxInt32(valueGPR, valueRegs);
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (230272 => 230273)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2018-04-04 20:29:43 UTC (rev 230273)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -1460,9 +1460,9 @@
return slowCases;
}
-JIT::JumpList JIT::emitIntTypedArrayGetByVal(Instruction*, PatchableJump& badType, TypedArrayType typeArrayType)
+JIT::JumpList JIT::emitIntTypedArrayGetByVal(Instruction*, PatchableJump& badType, TypedArrayType type)
{
- ASSERT(isInt(typeArrayType));
+ ASSERT(isInt(type));
// The best way to test the array type is to use the classInfo. We need to do so without
// clobbering the register that holds the indexing type, base, and property.
@@ -1483,26 +1483,22 @@
#endif
JumpList slowCases;
- JSType jsType = typeForTypedArrayType(typeArrayType);
-
+
load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
- badType = patchableBranch32(NotEqual, scratch, TrustedImm32(jsType));
+ badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
- loadPtr(Address(base, JSArrayBufferView::offsetOfPoisonedVector()), scratch);
-#if ENABLE(POISON)
- xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(jsType)), scratch);
-#endif
+ loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
cageConditionally(Gigacage::Primitive, scratch, scratch2);
- switch (elementSize(typeArrayType)) {
+ switch (elementSize(type)) {
case 1:
- if (JSC::isSigned(typeArrayType))
+ if (JSC::isSigned(type))
load8SignedExtendTo32(BaseIndex(scratch, property, TimesOne), resultPayload);
else
load8(BaseIndex(scratch, property, TimesOne), resultPayload);
break;
case 2:
- if (JSC::isSigned(typeArrayType))
+ if (JSC::isSigned(type))
load16SignedExtendTo32(BaseIndex(scratch, property, TimesTwo), resultPayload);
else
load16(BaseIndex(scratch, property, TimesTwo), resultPayload);
@@ -1515,7 +1511,7 @@
}
Jump done;
- if (typeArrayType == TypeUint32) {
+ if (type == TypeUint32) {
Jump canBeInt = branch32(GreaterThanOrEqual, resultPayload, TrustedImm32(0));
convertInt32ToDouble(resultPayload, fpRegT0);
@@ -1541,9 +1537,9 @@
return slowCases;
}
-JIT::JumpList JIT::emitFloatTypedArrayGetByVal(Instruction*, PatchableJump& badType, TypedArrayType typeArrayType)
+JIT::JumpList JIT::emitFloatTypedArrayGetByVal(Instruction*, PatchableJump& badType, TypedArrayType type)
{
- ASSERT(isFloat(typeArrayType));
+ ASSERT(isFloat(type));
#if USE(JSVALUE64)
RegisterID base = regT0;
@@ -1561,18 +1557,14 @@
#endif
JumpList slowCases;
- JSType jsType = typeForTypedArrayType(typeArrayType);
load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
- badType = patchableBranch32(NotEqual, scratch, TrustedImm32(jsType));
+ badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
- loadPtr(Address(base, JSArrayBufferView::offsetOfPoisonedVector()), scratch);
-#if ENABLE(POISON)
- xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(jsType)), scratch);
-#endif
+ loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
cageConditionally(Gigacage::Primitive, scratch, scratch2);
- switch (elementSize(typeArrayType)) {
+ switch (elementSize(type)) {
case 4:
loadFloat(BaseIndex(scratch, property, TimesFour), fpRegT0);
convertFloatToDouble(fpRegT0, fpRegT0);
@@ -1599,10 +1591,10 @@
return slowCases;
}
-JIT::JumpList JIT::emitIntTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType typeArrayType)
+JIT::JumpList JIT::emitIntTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType type)
{
ArrayProfile* profile = ""
- ASSERT(isInt(typeArrayType));
+ ASSERT(isInt(type));
int value = currentInstruction[3].u.operand;
@@ -1621,10 +1613,9 @@
#endif
JumpList slowCases;
- JSType jsType = typeForTypedArrayType(typeArrayType);
-
+
load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch);
- badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(jsType));
+ badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength()));
emitArrayProfileOutOfBoundsSpecialCase(profile);
slowCases.append(jump());
@@ -1640,15 +1631,12 @@
// We would be loading this into base as in get_by_val, except that the slow
// path expects the base to be unclobbered.
- loadPtr(Address(base, JSArrayBufferView::offsetOfPoisonedVector()), lateScratch);
-#if ENABLE(POISON)
- xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(jsType)), lateScratch);
-#endif
+ loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
- if (isClamped(typeArrayType)) {
- ASSERT(elementSize(typeArrayType) == 1);
- ASSERT(!JSC::isSigned(typeArrayType));
+ if (isClamped(type)) {
+ ASSERT(elementSize(type) == 1);
+ ASSERT(!JSC::isSigned(type));
Jump inBounds = branch32(BelowOrEqual, earlyScratch, TrustedImm32(0xff));
Jump tooBig = branch32(GreaterThan, earlyScratch, TrustedImm32(0xff));
xor32(earlyScratch, earlyScratch);
@@ -1659,7 +1647,7 @@
inBounds.link(this);
}
- switch (elementSize(typeArrayType)) {
+ switch (elementSize(type)) {
case 1:
store8(earlyScratch, BaseIndex(lateScratch, property, TimesOne));
break;
@@ -1676,10 +1664,10 @@
return slowCases;
}
-JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType typeArrayType)
+JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType type)
{
ArrayProfile* profile = ""
- ASSERT(isFloat(typeArrayType));
+ ASSERT(isFloat(type));
int value = currentInstruction[3].u.operand;
@@ -1698,10 +1686,9 @@
#endif
JumpList slowCases;
- JSType jsType = typeForTypedArrayType(typeArrayType);
-
+
load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch);
- badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(jsType));
+ badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type)));
Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength()));
emitArrayProfileOutOfBoundsSpecialCase(profile);
slowCases.append(jump());
@@ -1730,13 +1717,10 @@
// We would be loading this into base as in get_by_val, except that the slow
// path expects the base to be unclobbered.
- loadPtr(Address(base, JSArrayBufferView::offsetOfPoisonedVector()), lateScratch);
-#if ENABLE(POISON)
- xorPtr(TrustedImmPtr(JSArrayBufferView::poisonFor(jsType)), lateScratch);
-#endif
+ loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
- switch (elementSize(typeArrayType)) {
+ switch (elementSize(type)) {
case 4:
convertDoubleToFloat(fpRegT0, fpRegT0);
storeFloat(fpRegT0, BaseIndex(lateScratch, property, TimesFour));
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (230272 => 230273)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2018-04-04 20:29:43 UTC (rev 230273)
@@ -403,7 +403,6 @@
const FirstTypedArrayType = constexpr FirstTypedArrayType
const NumberOfTypedArrayTypesExcludingDataView = constexpr NumberOfTypedArrayTypesExcludingDataView
-const TypedArrayPoisonIndexMask = constexpr TypedArrayPoisonIndexMask
# Type flags constants.
const MasqueradesAsUndefined = constexpr MasqueradesAsUndefined
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (230272 => 230273)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2018-04-04 20:29:43 UTC (rev 230273)
@@ -391,18 +391,6 @@
uncage(basePtr, mask, dest, scratch)
end
-macro loadTypedArrayCaged(basePtr, mask, source, typeIndex, dest, scratch)
- if POISON
- leap _g_typedArrayPoisons, dest
- loadp (typeIndex - FirstTypedArrayType) * 8[dest], dest
- loadp source, scratch
- xorp scratch, dest
- else
- loadp source, dest
- end
- uncage(basePtr, mask, dest, scratch)
-end
-
macro loadVariable(operand, value)
loadisFromInstruction(operand, value)
loadq [cfr, value, 8], value
@@ -1636,7 +1624,7 @@
bia t2, Int8ArrayType - FirstTypedArrayType, .opGetByValUint8ArrayOrUint8ClampedArray
# We have Int8ArrayType.
- loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Int8ArrayType, t3, t2)
+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
loadbs [t3, t1], t0
finishIntGetByVal(t0, t1)
@@ -1644,13 +1632,13 @@
bia t2, Uint8ArrayType - FirstTypedArrayType, .opGetByValUint8ClampedArray
# We have Uint8ArrayType.
- loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint8ArrayType, t3, t2)
+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
loadb [t3, t1], t0
finishIntGetByVal(t0, t1)
.opGetByValUint8ClampedArray:
# We have Uint8ClampedArrayType.
- loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint8ClampedArrayType, t3, t2)
+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
loadb [t3, t1], t0
finishIntGetByVal(t0, t1)
@@ -1659,13 +1647,13 @@
bia t2, Int16ArrayType - FirstTypedArrayType, .opGetByValUint16Array
# We have Int16ArrayType.
- loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Int16ArrayType, t3, t2)
+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
loadhs [t3, t1, 2], t0
finishIntGetByVal(t0, t1)
.opGetByValUint16Array:
# We have Uint16ArrayType.
- loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint16ArrayType, t3, t2)
+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
loadh [t3, t1, 2], t0
finishIntGetByVal(t0, t1)
@@ -1677,13 +1665,13 @@
bia t2, Int32ArrayType - FirstTypedArrayType, .opGetByValUint32Array
# We have Int32ArrayType.
- loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Int32ArrayType, t3, t2)
+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
loadi [t3, t1, 4], t0
finishIntGetByVal(t0, t1)
.opGetByValUint32Array:
# We have Uint32ArrayType.
- loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Uint32ArrayType, t3, t2)
+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
# This is the hardest part because of large unsigned values.
loadi [t3, t1, 4], t0
bilt t0, 0, .opGetByValSlow # This case is still awkward to implement in LLInt.
@@ -1695,7 +1683,7 @@
bieq t2, Float32ArrayType - FirstTypedArrayType, .opGetByValSlow
# We have Float64ArrayType.
- loadTypedArrayCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_poisonedVector[t0], Float64ArrayType, t3, t2)
+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr PRIMITIVE_GIGACAGE_MASK, JSArrayBufferView::m_vector[t0], t3, t2)
loadd [t3, t1, 8], ft0
bdnequn ft0, ft0, .opGetByValSlow
finishDoubleGetByVal(ft0, t0, t1)
Modified: trunk/Source/_javascript_Core/offlineasm/arm64.rb (230272 => 230273)
--- trunk/Source/_javascript_Core/offlineasm/arm64.rb 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/offlineasm/arm64.rb 2018-04-04 20:29:43 UTC (rev 230273)
@@ -275,13 +275,6 @@
else
newList << node
end
- when "leai", "leap", "leaq"
- labelRef = node.operands[0]
- if labelRef.is_a? LabelReference
- newList << Instruction.new(codeOrigin, "globaladdr", [LabelReference.new(node.codeOrigin, labelRef.label), node.operands[1]])
- else
- newList << node
- end
else
newList << node
end
Modified: trunk/Source/_javascript_Core/offlineasm/x86.rb (230272 => 230273)
--- trunk/Source/_javascript_Core/offlineasm/x86.rb 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/offlineasm/x86.rb 2018-04-04 20:29:43 UTC (rev 230273)
@@ -468,11 +468,6 @@
$asm.puts "movq #{asmLabel}@GOTPCREL(%rip), #{dst.x86Operand(:ptr)}"
"#{offset}(#{dst.x86Operand(kind)})"
end
- def x86AddressOperand(addressKind)
- # FIXME: Implement this on platforms that aren't Mach-O.
- # https://bugs.webkit.org/show_bug.cgi?id=175104
- "#{asmLabel}@GOTPCREL(%rip)"
- end
end
class LocalLabelReference
@@ -1551,9 +1546,9 @@
when "bnz"
$asm.puts "jnz #{operands[0].asmLabel}"
when "leai"
- emitX86Lea(operands[0], operands[1], :int)
+ $asm.puts "lea#{x86Suffix(:int)} #{orderOperands(operands[0].x86AddressOperand(:int), operands[1].x86Operand(:int))}"
when "leap"
- emitX86Lea(operands[0], operands[1], :ptr)
+ $asm.puts "lea#{x86Suffix(:ptr)} #{orderOperands(operands[0].x86AddressOperand(:ptr), operands[1].x86Operand(:ptr))}"
when "memfence"
sp = RegisterID.new(nil, "sp")
if isIntelSyntax
Modified: trunk/Source/_javascript_Core/runtime/CagedBarrierPtr.h (230272 => 230273)
--- trunk/Source/_javascript_Core/runtime/CagedBarrierPtr.h 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/runtime/CagedBarrierPtr.h 2018-04-04 20:29:43 UTC (rev 230273)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -26,15 +26,8 @@
#pragma once
#include "AuxiliaryBarrier.h"
-#include <type_traits>
#include <wtf/CagedPtr.h>
-namespace WTF {
-
-template<typename Poison, typename T> struct PoisonedPtrTraits;
-
-} // namespace WTF
-
namespace JSC {
class JSCell;
@@ -42,7 +35,7 @@
// This is a convenient combo of AuxiliaryBarrier and CagedPtr.
-template<Gigacage::Kind passedKind, typename T, typename PtrTraits = WTF::DumbPtrTraits<T>>
+template<Gigacage::Kind passedKind, typename T>
class CagedBarrierPtr {
public:
static constexpr Gigacage::Kind kind = passedKind;
@@ -92,11 +85,11 @@
T& operator[](IndexType index) const { return get()[index]; }
private:
- AuxiliaryBarrier<CagedPtr<kind, T, PtrTraits>> m_barrier;
+ AuxiliaryBarrier<CagedPtr<kind, T>> m_barrier;
};
-template<Gigacage::Kind passedKind, typename PtrTraits>
-class CagedBarrierPtr<passedKind, void, PtrTraits> {
+template<Gigacage::Kind passedKind>
+class CagedBarrierPtr<passedKind, void> {
public:
static constexpr Gigacage::Kind kind = passedKind;
typedef void Type;
@@ -139,10 +132,7 @@
void setWithoutBarrier(U&& value) { m_barrier.setWithoutBarrier(std::forward<U>(value)); }
private:
- AuxiliaryBarrier<CagedPtr<kind, void, PtrTraits>> m_barrier;
+ AuxiliaryBarrier<CagedPtr<kind, void>> m_barrier;
};
-template<typename Poison, Gigacage::Kind passedKind, typename T>
-using PoisonedCagedBarrierPtr = CagedBarrierPtr<passedKind, T, WTF::PoisonedPtrTraits<Poison, T>>;
-
} // namespace JSC
Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferView.cpp (230272 => 230273)
--- trunk/Source/_javascript_Core/runtime/JSArrayBufferView.cpp 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferView.cpp 2018-04-04 20:29:43 UTC (rev 230273)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -132,7 +132,7 @@
, m_mode(context.mode())
{
setButterfly(vm, context.butterfly());
- m_poisonedVector.setWithoutBarrier(context.vector());
+ m_vector.setWithoutBarrier(context.vector());
}
void JSArrayBufferView::finishCreation(VM& vm)
@@ -194,7 +194,7 @@
JSArrayBufferView* thisObject = static_cast<JSArrayBufferView*>(cell);
ASSERT(thisObject->m_mode == OversizeTypedArray || thisObject->m_mode == WastefulTypedArray);
if (thisObject->m_mode == OversizeTypedArray)
- Gigacage::free(Gigacage::Primitive, thisObject->m_poisonedVector.get());
+ Gigacage::free(Gigacage::Primitive, thisObject->m_vector.get());
}
JSArrayBuffer* JSArrayBufferView::unsharedJSBuffer(ExecState* exec)
@@ -212,7 +212,7 @@
RELEASE_ASSERT(hasArrayBuffer());
RELEASE_ASSERT(!isShared());
m_length = 0;
- m_poisonedVector.clear();
+ m_vector.clear();
}
} // namespace JSC
Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h (230272 => 230273)
--- trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h 2018-04-04 20:29:43 UTC (rev 230273)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -26,22 +26,12 @@
#pragma once
#include "AuxiliaryBarrier.h"
-#include "CagedBarrierPtr.h"
-#include "JSCPoison.h"
#include "JSObject.h"
-#include "TypedArrayType.h"
-#include <wtf/MathExtras.h>
namespace JSC {
class LLIntOffsetsExtractor;
-// Since we'll be indexing into the g_typedArrayPoisons array based on the TypedArray type,
-// we'll index mask the index value and round up to the array size to the next power of 2 to
-// ensure that we'll never be able to access beyond the bounds of this array.
-static constexpr uint32_t NumberOfTypedArrayPoisons = WTF::roundUpToPowerOfTwo(NumberOfTypedArrayTypes);
-static constexpr uint32_t TypedArrayPoisonIndexMask = NumberOfTypedArrayPoisons - 1;
-
// This class serves two purposes:
//
// 1) It provides those parts of JSGenericTypedArrayView that don't depend
@@ -177,7 +167,7 @@
bool isNeutered() { return hasArrayBuffer() && !vector(); }
void neuter();
- void* vector() const { return m_poisonedVector.getMayBeNull(); }
+ void* vector() const { return m_vector.getMayBeNull(); }
unsigned byteOffset();
unsigned length() const { return m_length; }
@@ -184,23 +174,12 @@
DECLARE_EXPORT_INFO;
- static ptrdiff_t offsetOfPoisonedVector() { return OBJECT_OFFSETOF(JSArrayBufferView, m_poisonedVector); }
+ static ptrdiff_t offsetOfVector() { return OBJECT_OFFSETOF(JSArrayBufferView, m_vector); }
static ptrdiff_t offsetOfLength() { return OBJECT_OFFSETOF(JSArrayBufferView, m_length); }
static ptrdiff_t offsetOfMode() { return OBJECT_OFFSETOF(JSArrayBufferView, m_mode); }
static RefPtr<ArrayBufferView> toWrapped(VM&, JSValue);
- static uintptr_t poisonFor(JSType type)
- {
- return g_typedArrayPoisons[(type - FirstTypedArrayType) & TypedArrayPoisonIndexMask];
- }
-
- static uintptr_t poisonFor(TypedArrayType typedArrayType)
- {
- ASSERT(isTypedView(typedArrayType));
- return poisonFor(typeForTypedArrayType(typedArrayType));
- }
-
private:
static void finalize(JSCell*);
@@ -211,19 +190,7 @@
static String toStringName(const JSObject*, ExecState*);
- class Poison {
- public:
- template<typename PoisonedType>
- inline static uintptr_t key(const PoisonedType* poisonedPtr)
- {
- uintptr_t poisonedVectorAddress = bitwise_cast<uintptr_t>(poisonedPtr);
- uintptr_t baseAddress = poisonedVectorAddress - OBJECT_OFFSETOF(JSArrayBufferView, m_poisonedVector);
- JSArrayBufferView* thisObject = bitwise_cast<JSArrayBufferView*>(baseAddress);
- return poisonFor(thisObject->type());
- }
- };
-
- PoisonedCagedBarrierPtr<Poison, Gigacage::Primitive, void> m_poisonedVector;
+ CagedBarrierPtr<Gigacage::Primitive, void> m_vector;
uint32_t m_length;
TypedArrayMode m_mode;
};
Modified: trunk/Source/_javascript_Core/runtime/JSCPoison.cpp (230272 => 230273)
--- trunk/Source/_javascript_Core/runtime/JSCPoison.cpp 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/runtime/JSCPoison.cpp 2018-04-04 20:29:43 UTC (rev 230273)
@@ -26,7 +26,6 @@
#include "config.h"
#include "JSCPoison.h"
-#include "JSArrayBufferView.h"
#include "Options.h"
#include <mutex>
#include <wtf/HashSet.h>
@@ -37,8 +36,6 @@
uintptr_t POISON_KEY_NAME(poisonID);
FOR_EACH_JSC_POISON(DEFINE_POISON)
-uintptr_t g_typedArrayPoisons[NumberOfTypedArrayPoisons];
-
void initializePoison()
{
static std::once_flag initializeOnceFlag;
@@ -50,9 +47,6 @@
POISON_KEY_NAME(poisonID) = makePoison();
FOR_EACH_JSC_POISON(INITIALIZE_POISON)
-
- for (uint32_t i = 0; i < NumberOfTypedArrayPoisons; ++i)
- g_typedArrayPoisons[i] = makePoison();
});
}
Modified: trunk/Source/_javascript_Core/runtime/JSCPoison.h (230272 => 230273)
--- trunk/Source/_javascript_Core/runtime/JSCPoison.h 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/runtime/JSCPoison.h 2018-04-04 20:29:43 UTC (rev 230273)
@@ -66,8 +66,6 @@
FOR_EACH_JSC_POISON(DECLARE_POISON)
#undef DECLARE_POISON
-extern "C" JS_EXPORT_PRIVATE uintptr_t g_typedArrayPoisons[];
-
struct ClassInfo;
using PoisonedClassInfoPtr = Poisoned<GlobalDataPoison, const ClassInfo*>;
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h (230272 => 230273)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2018-04-04 20:29:43 UTC (rev 230273)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -504,7 +504,7 @@
if (thisObject->m_mode == OversizeTypedArray)
return Base::estimatedSize(thisObject) + thisObject->byteSize();
- if (thisObject->m_mode == FastTypedArray && thisObject->m_poisonedVector)
+ if (thisObject->m_mode == FastTypedArray && thisObject->m_vector)
return Base::estimatedSize(thisObject) + thisObject->byteSize();
return Base::estimatedSize(thisObject);
@@ -517,7 +517,7 @@
switch (thisObject->m_mode) {
case FastTypedArray: {
- if (void* vector = thisObject->m_poisonedVector.getMayBeNull())
+ if (void* vector = thisObject->m_vector.getMayBeNull())
visitor.markAuxiliary(vector);
break;
}
@@ -584,7 +584,7 @@
}
thisObject->butterfly()->indexingHeader()->setArrayBuffer(buffer.get());
- thisObject->m_poisonedVector.setWithoutBarrier(buffer->data());
+ thisObject->m_vector.setWithoutBarrier(buffer->data());
WTF::storeStoreFence();
thisObject->m_mode = WastefulTypedArray;
heap->addReference(thisObject, buffer.get());
Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (230272 => 230273)
--- trunk/Source/_javascript_Core/runtime/JSObject.h 2018-04-04 20:19:01 UTC (rev 230272)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h 2018-04-04 20:29:43 UTC (rev 230273)
@@ -24,9 +24,9 @@
#include "ArrayConventions.h"
#include "ArrayStorage.h"
-#include "AuxiliaryBarrier.h"
#include "Butterfly.h"
#include "CPU.h"
+#include "CagedBarrierPtr.h"
#include "CallFrame.h"
#include "ClassInfo.h"
#include "CustomGetterSetter.h"
