- Revision
- 220624
- Author
- fpi...@apple.com
- Date
- 2017-08-12 11:40:07 -0700 (Sat, 12 Aug 2017)
Log Message
ScopedArguments overflow storage needs to be in the JSValue gigacage
https://bugs.webkit.org/show_bug.cgi?id=174923
Reviewed by Saam Barati.
ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
object into the JSValue gigacage.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitScopedArgumentsGetByVal):
* runtime/ScopedArguments.h:
(JSC::ScopedArguments::subspaceFor):
(JSC::ScopedArguments::overflowStorage const):
Modified: trunk/Source/_javascript_Core/ChangeLog (220623 => 220624)
--- trunk/Source/_javascript_Core/ChangeLog 2017-08-12 05:18:27 UTC (rev 220623)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-08-12 18:40:07 UTC (rev 220624)
@@ -1,5 +1,25 @@
2017-08-11 Filip Pizlo <fpi...@apple.com>
+ ScopedArguments overflow storage needs to be in the JSValue gigacage
+ https://bugs.webkit.org/show_bug.cgi?id=174923
+
+ Reviewed by Saam Barati.
+
+ ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
+ object into the JSValue gigacage.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitScopedArgumentsGetByVal):
+ * runtime/ScopedArguments.h:
+ (JSC::ScopedArguments::subspaceFor):
+ (JSC::ScopedArguments::overflowStorage const):
+
+2017-08-11 Filip Pizlo <fpi...@apple.com>
+
JSLexicalEnvironment needs to be in the JSValue gigacage
https://bugs.webkit.org/show_bug.cgi?id=174922
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (220623 => 220624)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-08-12 05:18:27 UTC (rev 220623)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-08-12 18:40:07 UTC (rev 220624)
@@ -6325,6 +6325,8 @@
m_jit.sub32(propertyReg, scratch2Reg);
m_jit.neg32(scratch2Reg);
+ m_jit.cage(Gigacage::JSValue, baseReg);
+
m_jit.loadValue(
MacroAssembler::BaseIndex(
baseReg, scratch2Reg, MacroAssembler::TimesEight,
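Review bot: `m_jit.cage(Gigacage::JSValue, baseReg)` rewrites baseReg in place, so anything after the overflow load that still expects the original base pointer in baseReg (a slow-path call or a later use outside this hunk) would now see the caged pointer; the same in-place pattern appears in emitScopedArgumentsGetByVal in the JITPropertyAccess.cpp hunk (`cage(Gigacage::JSValue, base)`), while the FTL hunk uses `caged(...)` as a value and leaves base untouched. If baseReg is genuinely dead after this load it is harmless, but that is not visible here, so a short comment would make the contract explicit: `// Overflow storage is inline at the tail of the cell, so cage the cell pointer itself before indexing; baseReg is not needed uncaged after this.` Caging the base before the BaseIndex load bounds a corrupted or type-confused base to the JSValue gigacage; the index in scratch2Reg is presumably range-checked against the total length earlier, outside this hunk. compileGetByValOnScopedArguments starts and ends outside the hunk.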
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (220623 => 220624)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-08-12 05:18:27 UTC (rev 220623)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-08-12 18:40:07 UTC (rev 220624)
@@ -3565,10 +3565,8 @@
m_out.appendTo(overflowCase, continuation);
- // FIXME: I guess we need to cage overflow storage?
- // https://bugs.webkit.org/show_bug.cgi?id=174923
address = m_out.baseIndex(
- m_heaps.ScopedArguments_overflowStorage, base,
+ m_heaps.ScopedArguments_overflowStorage, caged(Gigacage::JSValue, base),
m_out.zeroExtPtr(m_out.sub(index, namedLength)));
LValue overflowValue = m_out.load64(address);
speculate(ExoticObjectMode, noValue(), nullptr, m_out.isZero64(overflowValue));
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (220623 => 220624)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2017-08-12 05:18:27 UTC (rev 220623)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2017-08-12 18:40:07 UTC (rev 220624)
@@ -1551,6 +1551,7 @@
overflowCase.link(this);
sub32(property, scratch2);
neg32(scratch2);
+ cage(Gigacage::JSValue, base);
loadValue(BaseIndex(base, scratch2, TimesEight, ScopedArguments::overflowStorageOffset()), result);
slowCases.append(branchIfEmpty(result));
done.link(this);
Modified: trunk/Source/_javascript_Core/runtime/ScopedArguments.h (220623 => 220624)
--- trunk/Source/_javascript_Core/runtime/ScopedArguments.h 2017-08-12 05:18:27 UTC (rev 220623)
+++ trunk/Source/_javascript_Core/runtime/ScopedArguments.h 2017-08-12 18:40:07 UTC (rev 220624)
@@ -42,6 +42,13 @@
void finishCreation(VM&, JSFunction* callee, ScopedArgumentsTable*, JSLexicalEnvironment*);
public:
+ template<typename CellType>
+ static Subspace* subspaceFor(VM& vm)
+ {
+ RELEASE_ASSERT(!CellType::needsDestruction);
+ return &vm.jsValueGigacageCellSpace;
+ }
+
// Creates an arguments object but leaves it uninitialized. This is dangerous if we GC right
// after allocation.
static ScopedArguments* createUninitialized(VM&, Structure*, JSFunction* callee, ScopedArgumentsTable*, JSLexicalEnvironment*, unsigned totalLength);
@@ -154,10 +161,9 @@
WriteBarrier<Unknown>* overflowStorage() const
{
return bitwise_cast<WriteBarrier<Unknown>*>(
- bitwise_cast<char*>(this) + overflowStorageOffset());
+ bitwise_cast<char*>(Gigacage::caged(Gigacage::JSValue, this)) + overflowStorageOffset());
}
-
bool m_overrodeThings; // True if length, callee, and caller are fully materialized in the object.
unsigned m_totalLength; // The length of declared plus overflow arguments.
WriteBarrier<JSFunction> m_callee;
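Review bot: The new subspaceFor carries no comment explaining why ScopedArguments moves to jsValueGigacageCellSpace, and the reason is only in the ChangeLog; a one-line comment above the template would keep it with the code, e.g. `// Overflow arguments live inline at the tail of this cell, so the whole cell must be allocated in the JSValue gigacage.` The `RELEASE_ASSERT(!CellType::needsDestruction)` presumably encodes a requirement of that cell space, but the page does not show it, so a `// presumably: cells in this space must not need destruction — confirm` note would be the honest form. The `Gigacage::caged(Gigacage::JSValue, this)` in overflowStorage() is the runtime counterpart of the cage() calls the three JIT tiers now emit before their indexed loads, which keeps the C++ and JIT paths consistent. The removal of the blank line after the closing brace leaves `}` directly followed by `bool m_overrodeThings;` only if another blank was already present, which this rendering does not show; worth a glance on the actual file.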