Title: [220624] trunk/Source/_javascript_Core
Revision
220624
Author
fpi...@apple.com
Date
2017-08-12 11:40:07 -0700 (Sat, 12 Aug 2017)

Log Message

ScopedArguments overflow storage needs to be in the JSValue gigacage
https://bugs.webkit.org/show_bug.cgi?id=174923

Reviewed by Saam Barati.
        
ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
object into the JSValue gigacage.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitScopedArgumentsGetByVal):
* runtime/ScopedArguments.h:
(JSC::ScopedArguments::subspaceFor):
(JSC::ScopedArguments::overflowStorage const):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (220623 => 220624)


--- trunk/Source/_javascript_Core/ChangeLog	2017-08-12 05:18:27 UTC (rev 220623)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-08-12 18:40:07 UTC (rev 220624)
@@ -1,5 +1,25 @@
 2017-08-11  Filip Pizlo  <fpi...@apple.com>
 
+        ScopedArguments overflow storage needs to be in the JSValue gigacage
+        https://bugs.webkit.org/show_bug.cgi?id=174923
+
+        Reviewed by Saam Barati.
+        
+        ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
+        object into the JSValue gigacage.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitScopedArgumentsGetByVal):
+        * runtime/ScopedArguments.h:
+        (JSC::ScopedArguments::subspaceFor):
+        (JSC::ScopedArguments::overflowStorage const):
+
+2017-08-11  Filip Pizlo  <fpi...@apple.com>
+
         JSLexicalEnvironment needs to be in the JSValue gigacage
         https://bugs.webkit.org/show_bug.cgi?id=174922
 

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (220623 => 220624)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-08-12 05:18:27 UTC (rev 220623)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-08-12 18:40:07 UTC (rev 220624)
@@ -6325,6 +6325,8 @@
     m_jit.sub32(propertyReg, scratch2Reg);
     m_jit.neg32(scratch2Reg);
     
+    m_jit.cage(Gigacage::JSValue, baseReg);
+    
     m_jit.loadValue(
         MacroAssembler::BaseIndex(
             baseReg, scratch2Reg, MacroAssembler::TimesEight,
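Review bot: `m_jit.cage(Gigacage::JSValue, baseReg)` rewrites baseReg in place rather than caging into a scratch register; if baseReg is the base operand's own GPR and child1's value is read again after this load, that later use sees the caged pointer instead of the original (identical whenever the object really lives in the cage, which is the intent, but the register's liveness should be confirmed or the cage done into a scratch). The same in-place form is used in the JITPropertyAccess.cpp hunk (`cage(Gigacage::JSValue, base)`), and neither site, nor the FTL hunk that dropped the FIXME, says why the base of this particular load must be caged. A one-line comment at each of the three sites would capture it, e.g. `// Overflow storage is inline at the end of the object, which lives in the JSValue gigacage, so the base must be caged before the indexed load.` compileGetByValOnScopedArguments begins and ends outside the hunk.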

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (220623 => 220624)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-08-12 05:18:27 UTC (rev 220623)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-08-12 18:40:07 UTC (rev 220624)
@@ -3565,10 +3565,8 @@
             
             m_out.appendTo(overflowCase, continuation);
             
-            // FIXME: I guess we need to cage overflow storage?
-            // https://bugs.webkit.org/show_bug.cgi?id=174923
             address = m_out.baseIndex(
-                m_heaps.ScopedArguments_overflowStorage, base,
+                m_heaps.ScopedArguments_overflowStorage, caged(Gigacage::JSValue, base),
                 m_out.zeroExtPtr(m_out.sub(index, namedLength)));
             LValue overflowValue = m_out.load64(address);
             speculate(ExoticObjectMode, noValue(), nullptr, m_out.isZero64(overflowValue));

Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (220623 => 220624)


--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2017-08-12 05:18:27 UTC (rev 220623)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2017-08-12 18:40:07 UTC (rev 220624)
@@ -1551,6 +1551,7 @@
     overflowCase.link(this);
     sub32(property, scratch2);
     neg32(scratch2);
+    cage(Gigacage::JSValue, base);
     loadValue(BaseIndex(base, scratch2, TimesEight, ScopedArguments::overflowStorageOffset()), result);
     slowCases.append(branchIfEmpty(result));
     done.link(this);

Modified: trunk/Source/_javascript_Core/runtime/ScopedArguments.h (220623 => 220624)


--- trunk/Source/_javascript_Core/runtime/ScopedArguments.h	2017-08-12 05:18:27 UTC (rev 220623)
+++ trunk/Source/_javascript_Core/runtime/ScopedArguments.h	2017-08-12 18:40:07 UTC (rev 220624)
@@ -42,6 +42,13 @@
     void finishCreation(VM&, JSFunction* callee, ScopedArgumentsTable*, JSLexicalEnvironment*);
 
 public:
+    template<typename CellType>
+    static Subspace* subspaceFor(VM& vm)
+    {
+        RELEASE_ASSERT(!CellType::needsDestruction);
+        return &vm.jsValueGigacageCellSpace;
+    }
+
     // Creates an arguments object but leaves it uninitialized. This is dangerous if we GC right
     // after allocation.
     static ScopedArguments* createUninitialized(VM&, Structure*, JSFunction* callee, ScopedArgumentsTable*, JSLexicalEnvironment*, unsigned totalLength);
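Review bot: subspaceFor gives no reason for placing ScopedArguments in `vm.jsValueGigacageCellSpace`; the reason (the overflow storage is inline at the end of the object, so the object itself must sit in the JSValue gigacage for the JITs' caged overflow loads to be meaningful) is recorded only in the ChangeLog. Suggest `// Overflow arguments are stored inline after the fixed fields, so the whole object must live in the JSValue gigacage (see overflowStorage()).` above the template. The `RELEASE_ASSERT(!CellType::needsDestruction)` also deserves a word, since it is what ties this cell space to the absence of a destructor; presumably that space only holds non-destructible cells, which the comment should state if confirmed. overflowStorage() in the second hunk, which now goes through `Gigacage::caged(Gigacage::JSValue, this)`, is the natural place to cross-reference.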
@@ -154,10 +161,9 @@
     WriteBarrier<Unknown>* overflowStorage() const
     {
         return bitwise_cast<WriteBarrier<Unknown>*>(
-            bitwise_cast<char*>(this) + overflowStorageOffset());
+            bitwise_cast<char*>(Gigacage::caged(Gigacage::JSValue, this)) + overflowStorageOffset());
     }
     
-    
     bool m_overrodeThings; // True if length, callee, and caller are fully materialized in the object.
     unsigned m_totalLength; // The length of declared plus overflow arguments.
     WriteBarrier<JSFunction> m_callee;