Title: [220628] trunk/Source/_javascript_Core
Revision
220628
Author
fpi...@apple.com
Date
2017-08-12 18:59:16 -0700 (Sat, 12 Aug 2017)

Log Message

FTL's compileGetTypedArrayByteOffset needs to do caging
https://bugs.webkit.org/show_bug.cgi?id=175366

Reviewed by Saam Barati.
        
While implementing caging in the DFG, I noticed that there was some missing caging in the FTL. This
fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
* runtime/ArrayBuffer.h:
* runtime/ArrayBufferView.h:
* runtime/JSArrayBufferView.h:

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (220627 => 220628)


--- trunk/Source/_javascript_Core/ChangeLog	2017-08-12 22:14:53 UTC (rev 220627)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-08-13 01:59:16 UTC (rev 220628)
@@ -1,3 +1,22 @@
+2017-08-12  Filip Pizlo  <fpi...@apple.com>
+
+        FTL's compileGetTypedArrayByteOffset needs to do caging
+        https://bugs.webkit.org/show_bug.cgi?id=175366
+
+        Reviewed by Saam Barati.
+        
+        While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
+        fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
+        (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
+        * runtime/ArrayBuffer.h:
+        * runtime/ArrayBufferView.h:
+        * runtime/JSArrayBufferView.h:
+
 2017-08-11  Ryosuke Niwa  <rn...@webkit.org>
 
         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (220627 => 220628)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-08-12 22:14:53 UTC (rev 220627)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-08-13 01:59:16 UTC (rev 220628)
@@ -6198,6 +6198,8 @@
     cageTypedArrayStorage(vectorGPR);
     nullVector.link(&m_jit);
     m_jit.loadPtr(MacroAssembler::Address(dataGPR, Butterfly::offsetOfArrayBuffer()), dataGPR);
+    // FIXME: This needs caging.
+    // https://bugs.webkit.org/show_bug.cgi?id=175515
     m_jit.loadPtr(MacroAssembler::Address(dataGPR, ArrayBuffer::offsetOfData()), dataGPR);
     m_jit.subPtr(dataGPR, vectorGPR);
     

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (220627 => 220628)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-08-12 22:14:53 UTC (rev 220627)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-08-13 01:59:16 UTC (rev 220628)
@@ -3309,11 +3309,13 @@
 
         m_out.appendTo(wastefulCase, continuation);
 
-        // FIXME: This needs to do caging.
-        // https://bugs.webkit.org/show_bug.cgi?id=175366
-        LValue vectorPtr = m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_vector);
-        LValue butterflyPtr = m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly);
+        LValue vectorPtr = cagedMayBeNull(
+            Gigacage::Primitive,
+            m_out.loadPtr(basePtr, m_heaps.JSArrayBufferView_vector));
+        LValue butterflyPtr = caged(Gigacage::JSValue, m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly));
         LValue arrayBufferPtr = m_out.loadPtr(butterflyPtr, m_heaps.Butterfly_arrayBuffer);
+        // FIXME: This needs caging.
+        // https://bugs.webkit.org/show_bug.cgi?id=175515
         LValue dataPtr = m_out.loadPtr(arrayBufferPtr, m_heaps.ArrayBuffer_data);
 
         ValueFromBlock wastefulOut = m_out.anchor(m_out.sub(vectorPtr, dataPtr));
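Review bot: The null case that `cagedMayBeNull(Gigacage::Primitive, ...)` deliberately preserves for `vectorPtr` still flows into `m_out.sub(vectorPtr, dataPtr)`, so a null vector would yield the negated data pointer as the byte offset rather than 0. Whether a null vector can actually reach `wastefulCase` is not visible in this hunk; if it cannot, a one-line comment saying so next to the subtraction (`// vector is never null in the wasteful case`) would make the pass-through in cagedMayBeNull look intentional rather than accidental, and if it can, the null case should select 0 instead of subtracting. Note also that this subtraction now mixes a caged `vectorPtr` with the uncaged `dataPtr` flagged by the new FIXME, so the result is only as trustworthy as `ArrayBuffer::m_data` until bug 175515 lands. The enclosing compileGetTypedArrayByteOffset begins before this hunk.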
@@ -11643,6 +11645,24 @@
         return m_out.opaque(result);
     }
     
+    LValue cagedMayBeNull(Gigacage::Kind kind, LValue ptr)
+    {
+        LBasicBlock notNull = m_out.newBlock();
+        LBasicBlock continuation = m_out.newBlock();
+        
+        LBasicBlock lastNext = m_out.insertNewBlocksBefore(notNull);
+        
+        ValueFromBlock nullResult = m_out.anchor(ptr);
+        m_out.branch(ptr, unsure(notNull), unsure(continuation));
+        
+        m_out.appendTo(notNull, continuation);
+        ValueFromBlock notNullResult = m_out.anchor(caged(kind, ptr));
+        m_out.jump(continuation);
+        
+        m_out.appendTo(continuation, lastNext);
+        return m_out.phi(pointerType(), nullResult, notNullResult);
+    }
+    
     void buildSwitch(SwitchData* data, LType type, LValue switchValue)
     {
         ASSERT(type == pointerType() || type == Int32);
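Review bot: `cagedMayBeNull` has no comment explaining why a null pointer must bypass `caged()`, so a reader cannot tell whether the pass-through is a correctness requirement or just an optimisation. I would add above the definition: `// Like caged(), but leaves a null pointer untouched; callers such as compileGetTypedArrayByteOffset treat null as a legitimate value, and presumably caged() would otherwise rebase it to a non-null in-cage address — confirm against caged()`. It is also worth noting in that comment that this mirrors the DFG side of this commit, which links its `nullVector` label past `cageTypedArrayStorage`.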

Modified: trunk/Source/_javascript_Core/runtime/ArrayBuffer.h (220627 => 220628)


--- trunk/Source/_javascript_Core/runtime/ArrayBuffer.h	2017-08-12 22:14:53 UTC (rev 220627)
+++ trunk/Source/_javascript_Core/runtime/ArrayBuffer.h	2017-08-13 01:59:16 UTC (rev 220628)
@@ -50,6 +50,8 @@
     void* data() const { return m_data; }
     
 private:
+    // FIXME: This should be CagedPtr<>.
+    // https://bugs.webkit.org/show_bug.cgi?id=175515
     void* m_data;
     ArrayBufferDestructorFunction m_destructor;
 };
@@ -95,6 +97,8 @@
 
     ArrayBufferDestructorFunction m_destructor;
     RefPtr<SharedArrayBufferContents> m_shared;
+    // FIXME: This should be CagedPtr<>.
+    // https://bugs.webkit.org/show_bug.cgi?id=175515
     void* m_data;
     unsigned m_sizeInBytes;
 };

Modified: trunk/Source/_javascript_Core/runtime/ArrayBufferView.h (220627 => 220628)


--- trunk/Source/_javascript_Core/runtime/ArrayBufferView.h	2017-08-12 22:14:53 UTC (rev 220627)
+++ trunk/Source/_javascript_Core/runtime/ArrayBufferView.h	2017-08-13 01:59:16 UTC (rev 220628)
@@ -147,6 +147,8 @@
     }
 
     // This is the address of the ArrayBuffer's storage, plus the byte offset.
+    // FIXME: This should be CagedPtr<>.
+    // https://bugs.webkit.org/show_bug.cgi?id=175515
     void* m_baseAddress;
 
     unsigned m_byteOffset : 31;

Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h (220627 => 220628)


--- trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h	2017-08-12 22:14:53 UTC (rev 220627)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h	2017-08-13 01:59:16 UTC (rev 220628)
@@ -140,6 +140,8 @@
         
     private:
         Structure* m_structure;
+        // FIXME: This should be CagedPtr<>.
+        // https://bugs.webkit.org/show_bug.cgi?id=175515
         void* m_vector;
         uint32_t m_length;
         TypedArrayMode m_mode;
@@ -190,6 +192,8 @@
 
     static String toStringName(const JSObject*, ExecState*);
 
+    // FIXME: This should be CagedBarrierPtr<>.
+    // https://bugs.webkit.org/show_bug.cgi?id=175515
     AuxiliaryBarrier<void*> m_vector;
     uint32_t m_length;
     TypedArrayMode m_mode;