Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (220595 => 220596)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-08-11 16:39:14 UTC (rev 220595)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-08-11 16:47:14 UTC (rev 220596)
@@ -6126,6 +6126,25 @@
storageResult(storageGPR, node);
}
+void SpeculativeJIT::cageTypedArrayStorage(GPRReg storageReg)
+{
+#if GIGACAGE_ENABLED
+ if (!Gigacage::shouldBeEnabled())
+ return;
+
+ if (Gigacage::canPrimitiveGigacageBeDisabled()) {
+ if (m_jit.vm()->primitiveGigacageEnabled().isStillValid())
+ m_jit.graph().watchpoints().addLazily(m_jit.vm()->primitiveGigacageEnabled());
+ else
+ return;
+ }
+
+ m_jit.cage(Gigacage::Primitive, storageReg);
+#else
+ UNUSED_PARAM(storageReg);
+#endif
+}
+
void SpeculativeJIT::compileGetIndexedPropertyStorage(Node* node)
{
SpeculateCellOperand base(this, node->child1());
@@ -6150,6 +6169,7 @@
ASSERT(isTypedView(node->arrayMode().typedArrayType()));
m_jit.loadPtr(JITCompiler::Address(baseReg, JSArrayBufferView::offsetOfVector()), storageReg);
+ cageTypedArrayStorage(storageReg);
break;
}
@@ -6172,7 +6192,11 @@
TrustedImm32(WastefulTypedArray));
m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR);
+ m_jit.cage(Gigacage::JSValue, dataGPR);
m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), vectorGPR);
+ JITCompiler::Jump nullVector = m_jit.branchTestPtr(JITCompiler::Zero, vectorGPR);
+ cageTypedArrayStorage(vectorGPR);
+ nullVector.link(&m_jit);
m_jit.loadPtr(MacroAssembler::Address(dataGPR, Butterfly::offsetOfArrayBuffer()), dataGPR);
m_jit.loadPtr(MacroAssembler::Address(dataGPR, ArrayBuffer::offsetOfData()), dataGPR);
m_jit.subPtr(dataGPR, vectorGPR);
@@ -6971,6 +6995,7 @@
GPRReg butterflyGPR = butterfly.gpr();
m_jit.loadPtr(MacroAssembler::Address(arrayResultGPR, JSObject::butterflyOffset()), butterflyGPR);
+ m_jit.cage(Gigacage::JSValue, butterflyGPR);
CCallHelpers::Jump skipLoop = m_jit.branch32(MacroAssembler::Equal, arrayLengthGPR, TrustedImm32(0));
m_jit.zeroExtend32ToPtr(arrayLengthGPR, currentLengthGPR);
@@ -7040,6 +7065,7 @@
slowPath.append(m_jit.branch32(MacroAssembler::Above, scratch1GPR, TrustedImm32(ContiguousShape - Int32Shape)));
m_jit.loadPtr(MacroAssembler::Address(argument, JSObject::butterflyOffset()), lengthGPR);
+ m_jit.cage(Gigacage::JSValue, lengthGPR);
m_jit.load32(MacroAssembler::Address(lengthGPR, Butterfly::offsetOfPublicLength()), lengthGPR);
static_assert(sizeof(JSValue) == 8 && 1 << 3 == 8, "This is strongly assumed in the code below.");
m_jit.move(lengthGPR, scratch1GPR);
@@ -7050,6 +7076,7 @@
m_jit.store32(lengthGPR, MacroAssembler::Address(resultGPR, JSFixedArray::offsetOfSize()));
m_jit.loadPtr(MacroAssembler::Address(argument, JSObject::butterflyOffset()), scratch1GPR);
+ m_jit.cage(Gigacage::JSValue, scratch1GPR);
MacroAssembler::JumpList done;
@@ -7159,6 +7186,7 @@
m_jit.move(TrustedImm32(0), indexGPR);
m_jit.loadPtr(MacroAssembler::Address(resultGPR, JSObject::butterflyOffset()), storageGPR);
+ m_jit.cage(Gigacage::JSValue, storageGPR);
for (unsigned i = 0; i < node->numChildren(); ++i) {
Edge use = m_jit.graph().varArgChild(node, i);
@@ -7415,6 +7443,7 @@
GPRReg resultButterfly = temp2.gpr();
m_jit.loadPtr(MacroAssembler::Address(resultGPR, JSObject::butterflyOffset()), resultButterfly);
+ m_jit.cage(Gigacage::JSValue, resultButterfly);
m_jit.zeroExtend32ToPtr(tempGPR, tempGPR);
m_jit.zeroExtend32ToPtr(loadIndex, loadIndex);
auto done = m_jit.branchPtr(MacroAssembler::AboveOrEqual, loadIndex, tempGPR);
@@ -7983,9 +8012,7 @@
GPRReg resultGPR = result.gpr();
m_jit.loadPtr(JITCompiler::Address(baseGPR, JSObject::butterflyOffset()), resultGPR);
-
- // FIXME: Implement caging!
- // https://bugs.webkit.org/show_bug.cgi?id=174918
+ m_jit.cage(Gigacage::JSValue, resultGPR);
storageResult(resultGPR, node);
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (220595 => 220596)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2017-08-11 16:39:14 UTC (rev 220595)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2017-08-11 16:47:14 UTC (rev 220596)
@@ -3045,6 +3045,8 @@
template<bool strict>
GPRReg fillSpeculateInt32Internal(Edge, DataFormat& returnFormat);
+ void cageTypedArrayStorage(GPRReg);
+
// It is possible, during speculative generation, to reach a situation in which we
// can statically determine a speculation will fail (for example, when two nodes
// will make conflicting speculations about the same operand). In such cases this
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (220595 => 220596)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2017-08-11 16:39:14 UTC (rev 220595)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2017-08-11 16:47:14 UTC (rev 220596)
@@ -5786,6 +5786,7 @@
// Otherwise it's out of line
outOfLineAccess.link(&m_jit);
m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratch2GPR);
+ m_jit.cage(Gigacage::JSValue, scratch2GPR);
m_jit.move(indexGPR, scratch1GPR);
m_jit.sub32(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedInlineCapacityOffset()), scratch1GPR);
m_jit.neg32(scratch1GPR);
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (220595 => 220596)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-08-11 16:39:14 UTC (rev 220595)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-08-11 16:47:14 UTC (rev 220596)
@@ -3309,6 +3309,8 @@
m_out.appendTo(wastefulCase, continuation);
+ // FIXME: This needs to do caging.
+ // https://bugs.webkit.org/show_bug.cgi?id=175366
LValue vectorPtr = m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_vector);
LValue butterflyPtr = m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly);
LValue arrayBufferPtr = m_out.loadPtr(butterflyPtr, m_heaps.Butterfly_arrayBuffer);
