Title: [293657] trunk/Source/_javascript_Core
Revision
293657
Author
ysuz...@apple.com
Date
2022-05-01 18:17:02 -0700 (Sun, 01 May 2022)

Log Message

[JSC] Revive JSC's guard against speculation collection
https://bugs.webkit.org/show_bug.cgi?id=239939

Reviewed by Mark Lam.

r288815 dropped JSC's guard against structures in speculation collection, but this is wrong.
This patch restores that guard.

* Source/_javascript_Core/bytecode/SpeculatedType.cpp:
(JSC::speculationFromCell):
* Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp:
(JSC::StructureMemoryManager::StructureMemoryManager):
(JSC::StructureMemoryManager::tryMallocStructureBlock):
(JSC::StructureMemoryManager::freeStructureBlock):
(JSC::StructureAlignedMemoryAllocator::initializeStructureAddressSpace):
* Source/_javascript_Core/runtime/JSCConfig.h:
* Source/_javascript_Core/runtime/StructureID.h:
(JSC::StructureID::tryDecode const):

Canonical link: https://commits.webkit.org/250161@main


Modified: trunk/Source/_javascript_Core/ChangeLog (293656 => 293657)


--- trunk/Source/_javascript_Core/ChangeLog	2022-05-02 00:17:50 UTC (rev 293656)
+++ trunk/Source/_javascript_Core/ChangeLog	2022-05-02 01:17:02 UTC (rev 293657)
@@ -1,3 +1,24 @@
+2022-05-01  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] Revive JSC's guard against speculation collection
+        https://bugs.webkit.org/show_bug.cgi?id=239939
+
+        Reviewed by Mark Lam.
+
+        r288815 dropped JSC's guard against structures in speculation collection, but this is wrong.
+        This patch reverts it back.
+
+        * bytecode/SpeculatedType.cpp:
+        (JSC::speculationFromCell):
+        * heap/StructureAlignedMemoryAllocator.cpp:
+        (JSC::StructureMemoryManager::StructureMemoryManager):
+        (JSC::StructureMemoryManager::tryMallocStructureBlock):
+        (JSC::StructureMemoryManager::freeStructureBlock):
+        (JSC::StructureAlignedMemoryAllocator::initializeStructureAddressSpace):
+        * runtime/JSCConfig.h:
+        * runtime/StructureID.h:
+        (JSC::StructureID::tryDecode const):
+
 2022-05-01  Zan Dobersek  <zdober...@igalia.com>
 
         [RISCV64] Implement MacroAssembler::probe(), ctiMasmProbeTrampoline

Modified: trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp (293656 => 293657)


--- trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp	2022-05-02 00:17:50 UTC (rev 293656)
+++ trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp	2022-05-02 01:17:02 UTC (rev 293657)
@@ -596,7 +596,13 @@
         }
         return SpecString;
     }
-    return speculationFromStructure(cell->structure());
+    // FIXME: rdar://69036888: undo this when no longer needed.
+    auto* structure = cell->structureID().tryDecode();
+    if (UNLIKELY(!isSanePointer(structure))) {
+        ASSERT_NOT_REACHED();
+        return SpecNone;
+    }
+    return speculationFromStructure(structure);
 }
 
 SpeculatedType speculationFromValue(JSValue value)
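Review bot: The guard at `if (UNLIKELY(!isSanePointer(structure)))` folds two failure modes into one check — tryDecode() returning nullptr for a StructureID outside the reservation, and a decoded pointer that isSanePointer() rejects — and the FIXME above it says only when to remove the guard, not what it defends against. Assuming isSanePointer() rejects nullptr (its definition is not visible here), the code is correct, but a reader has to reconstruct that from StructureID.h. I would expand the one-line FIXME to `// Speculation may observe a cell whose StructureID does not decode to a sane Structure (tryDecode() returns nullptr for an ID outside the structure heap reservation); answer SpecNone instead of dereferencing it. FIXME: rdar://69036888: undo this when no longer needed.` speculationFromCell() begins before this hunk.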

Modified: trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp (293656 => 293657)


--- trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp	2022-05-02 00:17:50 UTC (rev 293656)
+++ trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp	2022-05-02 01:17:02 UTC (rev 293657)
@@ -75,14 +75,14 @@
         // Don't use the first page because zero is used as the empty StructureID and the first allocation will conflict.
         m_usedBlocks.set(0);
 
-        m_mappedHeapSize = structureHeapAddressSize;
+        uintptr_t mappedHeapSize = structureHeapAddressSize;
         for (unsigned i = 0; i < 8; ++i) {
-            g_jscConfig.startOfStructureHeap = reinterpret_cast<uintptr_t>(OSAllocator::tryReserveUncommittedAligned(m_mappedHeapSize, structureHeapAddressSize, OSAllocator::FastMallocPages));
+            g_jscConfig.startOfStructureHeap = reinterpret_cast<uintptr_t>(OSAllocator::tryReserveUncommittedAligned(mappedHeapSize, structureHeapAddressSize, OSAllocator::FastMallocPages));
             if (g_jscConfig.startOfStructureHeap)
                 break;
-            m_mappedHeapSize /= 2;
+            mappedHeapSize /= 2;
         }
-
+        g_jscConfig.sizeOfStructureHeap = mappedHeapSize;
         RELEASE_ASSERT(g_jscConfig.startOfStructureHeap && ((g_jscConfig.startOfStructureHeap & ~structureIDMask) == g_jscConfig.startOfStructureHeap));
     }
 
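Review bot: `g_jscConfig.sizeOfStructureHeap = mappedHeapSize;` is stored before the RELEASE_ASSERT that validates startOfStructureHeap, so after eight failed reservations the config briefly holds a halved size next to a null start; the assert fires immediately, so nothing reads it, but moving the store below the assert keeps the start/size pair consistent at every point. Because mappedHeapSize is halved on each failed attempt, sizeOfStructureHeap can be smaller than structureHeapAddressSize, which is why tryMallocStructureBlock() and freeStructureBlock() in the following hunks bound against it rather than the constant; a comment on the store, `// May be smaller than structureHeapAddressSize: each failed attempt halves the request.`, would record that. The enclosing constructor starts before this hunk.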
@@ -94,8 +94,8 @@
             constexpr size_t startIndex = 0;
             freeIndex = m_usedBlocks.findBit(startIndex, 0);
             ASSERT(freeIndex <= m_usedBlocks.bitCount());
-            RELEASE_ASSERT(m_mappedHeapSize <= structureHeapAddressSize);
-            if (freeIndex * MarkedBlock::blockSize >= m_mappedHeapSize)
+            RELEASE_ASSERT(g_jscConfig.sizeOfStructureHeap <= structureHeapAddressSize);
+            if (freeIndex * MarkedBlock::blockSize >= g_jscConfig.sizeOfStructureHeap)
                 return nullptr;
             // If we can't find a free block then `freeIndex == m_usedBlocks.bitCount()` and this set will grow the bit vector.
             m_usedBlocks.set(freeIndex);
@@ -110,7 +110,7 @@
     {
         decommitBlock(blockPtr);
         uintptr_t block = reinterpret_cast<uintptr_t>(blockPtr);
-        RELEASE_ASSERT(g_jscConfig.startOfStructureHeap <= block && block < g_jscConfig.startOfStructureHeap + m_mappedHeapSize);
+        RELEASE_ASSERT(g_jscConfig.startOfStructureHeap <= block && block < g_jscConfig.startOfStructureHeap + g_jscConfig.sizeOfStructureHeap);
         RELEASE_ASSERT(roundUpToMultipleOf<MarkedBlock::blockSize>(block) == block);
 
         Locker locker(m_lock);
@@ -140,7 +140,6 @@
 
 private:
     Lock m_lock;
-    size_t m_mappedHeapSize;
     BitVector m_usedBlocks;
 };
 
@@ -179,6 +178,7 @@
 void StructureAlignedMemoryAllocator::initializeStructureAddressSpace()
 {
     g_jscConfig.startOfStructureHeap = 0;
+    g_jscConfig.sizeOfStructureHeap = UINTPTR_MAX;
 }
 
 void* StructureAlignedMemoryAllocator::tryMallocBlock()
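Review bot: `g_jscConfig.sizeOfStructureHeap = UINTPTR_MAX;` is a sentinel with no explanation; together with `startOfStructureHeap = 0` on the line above it presumably makes the `block < startOfStructureHeap + sizeOfStructureHeap` check in freeStructureBlock() accept any address when no heap is reserved, and the sum cannot wrap only because the start is 0. A comment such as `// No reserved structure heap: start 0 and size UINTPTR_MAX make the g_jscConfig range checks accept any address.` would make that invariant explicit instead of leaving it to be inferred.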

Modified: trunk/Source/_javascript_Core/runtime/JSCConfig.h (293656 => 293657)


--- trunk/Source/_javascript_Core/runtime/JSCConfig.h	2022-05-02 00:17:50 UTC (rev 293656)
+++ trunk/Source/_javascript_Core/runtime/JSCConfig.h	2022-05-02 01:17:02 UTC (rev 293657)
@@ -91,6 +91,7 @@
     void* endExecutableMemory;
     uintptr_t startOfFixedWritableMemoryPool;
     uintptr_t startOfStructureHeap;
+    uintptr_t sizeOfStructureHeap;
 
 #if ENABLE(SEPARATED_WX_HEAP)
     JITWriteSeparateHeapsFunction jitWriteSeparateHeaps;
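Review bot: The new `uintptr_t sizeOfStructureHeap;` field carries no comment, so its relationship to startOfStructureHeap and its two special values have to be recovered from the allocator. I would write it as `uintptr_t sizeOfStructureHeap; // Byte size of the reservation at startOfStructureHeap; may be below structureHeapAddressSize when the full reservation failed, and is UINTPTR_MAX when no heap is reserved (see initializeStructureAddressSpace()).` Moving this bound from StructureMemoryManager's m_mappedHeapSize into g_jscConfig presumably protects it once the config is frozen, which is worth stating here so a later cleanup does not move it back into the heap object.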

Modified: trunk/Source/_javascript_Core/runtime/StructureID.h (293656 => 293657)


--- trunk/Source/_javascript_Core/runtime/StructureID.h	2022-05-02 00:17:50 UTC (rev 293656)
+++ trunk/Source/_javascript_Core/runtime/StructureID.h	2022-05-02 01:17:02 UTC (rev 293657)
@@ -26,6 +26,7 @@
 #pragma once
 
 #include "JSCConfig.h"
+#include "MarkedBlock.h"
 #include <wtf/HashTraits.h>
 #include <wtf/StdIntExtras.h>
 
@@ -48,6 +49,7 @@
     StructureID decontaminate() const { return StructureID(m_bits & ~nukedStructureIDBit); }
 
     inline Structure* decode() const;
+    inline Structure* tryDecode() const;
     static StructureID encode(const Structure*);
 
     explicit operator bool() const { return !!m_bits; }
@@ -74,6 +76,15 @@
     return reinterpret_cast<Structure*>((static_cast<uintptr_t>(decontaminate().m_bits) & structureIDMask) + g_jscConfig.startOfStructureHeap);
 }
 
+ALWAYS_INLINE Structure* StructureID::tryDecode() const
+{
+    // Take care to only use the bits from m_bits in the structure's address reservation.
+    uintptr_t offset = static_cast<uintptr_t>(decontaminate().m_bits);
+    if (offset < MarkedBlock::blockSize || offset >= g_jscConfig.sizeOfStructureHeap)
+        return nullptr;
+    return reinterpret_cast<Structure*>((offset & structureIDMask) + g_jscConfig.startOfStructureHeap);
+}
+
 ALWAYS_INLINE StructureID StructureID::encode(const Structure* structure)
 {
     ASSERT(structure);
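Review bot: The range check at `if (offset < MarkedBlock::blockSize || offset >= g_jscConfig.sizeOfStructureHeap)` is applied to the full decontaminated bits while the pointer is formed from `offset & structureIDMask`, so an ID with stray high bits is rejected rather than silently masked as decode() does — the stronger behaviour, but the comment above it ("Take care to only use the bits ...") reads as if masking were the protection. The lower bound mirrors the allocator never handing out block 0 (`m_usedBlocks.set(0)` in StructureAlignedMemoryAllocator.cpp), and neither site names the other. I would rewrite the comment as `// Reject IDs outside [MarkedBlock::blockSize, sizeOfStructureHeap): block 0 is never allocated and sizeOfStructureHeap is the live reservation size, so the masked offset below stays inside the reservation.` This also only holds once g_jscConfig.sizeOfStructureHeap has been initialized; whether tryDecode() can run before StructureMemoryManager's constructor is not visible here.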
@@ -91,6 +102,11 @@
     return reinterpret_cast<Structure*>(m_bits);
 }
 
+ALWAYS_INLINE Structure* StructureID::tryDecode() const
+{
+    return reinterpret_cast<Structure*>(m_bits);
+}
+
 ALWAYS_INLINE StructureID StructureID::encode(const Structure* structure)
 {
     ASSERT(structure);
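Review bot: In this configuration `tryDecode()` is identical to the function directly above it (both `return reinterpret_cast<Structure*>(m_bits);`) and never returns nullptr, so the caller in speculationFromCell() is guarded only by isSanePointer(). A one-line comment, `// No structure heap reservation in this configuration: nothing to range-check, callers must validate the pointer themselves.`, would stop a reader from hunting for a missing check; if the function above is decode(), `return decode();` would also make the equivalence explicit.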