Title: [220618] trunk/Source/_javascript_Core
Revision
220618
Author
fpi...@apple.com
Date
2017-08-11 16:18:18 -0700 (Fri, 11 Aug 2017)

Log Message

JSLexicalEnvironment needs to be in the JSValue gigacage
https://bugs.webkit.org/show_bug.cgi?id=174922

Reviewed by Michael Saboff.
        
We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
the only random accesses use pointer caging.
        
We don't need to do anything to normal lexical environment accesses.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
* runtime/JSEnvironmentRecord.h:
(JSC::JSEnvironmentRecord::subspaceFor):
(JSC::JSEnvironmentRecord::variables):


Modified: trunk/Source/_javascript_Core/ChangeLog (220617 => 220618)


--- trunk/Source/_javascript_Core/ChangeLog	2017-08-11 23:12:52 UTC (rev 220617)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-08-11 23:18:18 UTC (rev 220618)
@@ -1,5 +1,25 @@
 2017-08-11  Filip Pizlo  <fpi...@apple.com>
 
+        JSLexicalEnvironment needs to be in the JSValue gigacage
+        https://bugs.webkit.org/show_bug.cgi?id=174922
+
+        Reviewed by Michael Saboff.
+        
+        We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
+        the only random accesses use pointer caging.
+        
+        We don't need to do anything to normal lexical environment accesses.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+        * runtime/JSEnvironmentRecord.h:
+        (JSC::JSEnvironmentRecord::subspaceFor):
+        (JSC::JSEnvironmentRecord::variables):
+
+2017-08-11  Filip Pizlo  <fpi...@apple.com>
+
         DirectArguments should be in the JSValue gigacage
         https://bugs.webkit.org/show_bug.cgi?id=174920
 

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (220617 => 220618)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-08-11 23:12:52 UTC (rev 220617)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-08-11 23:18:18 UTC (rev 220618)
@@ -6311,6 +6311,8 @@
         m_jit.branch32(
             MacroAssembler::Equal, scratchReg, TrustedImm32(ScopeOffset::invalidOffset)));
     
+    m_jit.cage(Gigacage::JSValue, scratch2Reg);
+    
     m_jit.loadValue(
         MacroAssembler::BaseIndex(
             scratch2Reg, propertyReg, MacroAssembler::TimesEight,
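Review bot: The new `m_jit.cage(Gigacage::JSValue, scratch2Reg)` has no comment saying why this particular load needs caging when, per the ChangeLog, ordinary lexical-environment accesses do not; a reader later in this function will see a caged base and not know whether it is required. I would add, above the call, `// scratch2Reg is used as the base of an indexed load below (propertyReg is a runtime index), so the pointer must be caged first.` Caging only the base is consistent with the FTL change in compileGetByVal in this same commit, which cages the scope before building the baseIndex address. compileGetByValOnScopedArguments starts and ends outside this hunk, so I cannot see whether scratch2Reg is reused afterwards; if it is, note that it now holds the caged pointer.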

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (220617 => 220618)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-08-11 23:12:52 UTC (rev 220617)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-08-11 23:18:18 UTC (rev 220618)
@@ -3557,10 +3557,9 @@
                 ExoticObjectMode, noValue(), nullptr,
                 m_out.equal(scopeOffset, m_out.constInt32(ScopeOffset::invalidOffset)));
             
-            // FIXME: I guess we need to cage JSEnvironmentRecord?
-            // https://bugs.webkit.org/show_bug.cgi?id=174922
             address = m_out.baseIndex(
-                m_heaps.JSEnvironmentRecord_variables, scope, m_out.zeroExtPtr(scopeOffset));
+                m_heaps.JSEnvironmentRecord_variables, caged(Gigacage::JSValue, scope),
+                m_out.zeroExtPtr(scopeOffset));
             ValueFromBlock namedResult = m_out.anchor(m_out.load64(address));
             m_out.jump(continuation);
             

Modified: trunk/Source/_javascript_Core/runtime/JSEnvironmentRecord.h (220617 => 220618)


--- trunk/Source/_javascript_Core/runtime/JSEnvironmentRecord.h	2017-08-11 23:12:52 UTC (rev 220617)
+++ trunk/Source/_javascript_Core/runtime/JSEnvironmentRecord.h	2017-08-11 23:18:18 UTC (rev 220618)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007, 2008, 2012, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2007-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -36,17 +36,26 @@
 
 class LLIntOffsetsExtractor;
 
+// FIXME: Merge this with JSLexicalEnvironment, since that's the only subclass.
+// https://bugs.webkit.org/show_bug.cgi?id=175492
 class JSEnvironmentRecord : public JSSymbolTableObject {
     friend class JIT;
     friend class LLIntOffsetsExtractor;
 
 public:
+    template<typename CellType>
+    static Subspace* subspaceFor(VM& vm)
+    {
+        RELEASE_ASSERT(!CellType::needsDestruction);
+        return &vm.jsValueGigacageCellSpace;
+    }
+
     typedef JSSymbolTableObject Base;
     static const unsigned StructureFlags = Base::StructureFlags;
 
     WriteBarrierBase<Unknown>* variables()
     {
-        return bitwise_cast<WriteBarrierBase<Unknown>*>(bitwise_cast<char*>(this) + offsetOfVariables());
+        return bitwise_cast<WriteBarrierBase<Unknown>*>(bitwise_cast<char*>(Gigacage::caged(Gigacage::JSValue, this)) + offsetOfVariables());
     }
     
     bool isValidScopeOffset(ScopeOffset offset)
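Review bot: `subspaceFor` checks a compile-time property with a runtime `RELEASE_ASSERT`, so a subclass that needs destruction would only crash on first use instead of failing the build; `static_assert(!CellType::needsDestruction, "JSEnvironmentRecord cells live in the non-destructible JSValue gigacage space");` expresses the same invariant at compile time. `variables()` now cages `this` but carries no comment saying why, while the rest of the class is left uncaged; I would add above it `// Callers index into the returned array with a runtime ScopeOffset, so the base pointer is caged; other accessors do not need this.` The class body continues past the end of this hunk, so I cannot see whether any other accessor also performs indexed access through `this`.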