Modified: trunk/Source/_javascript_Core/ChangeLog (225306 => 225307)
--- trunk/Source/_javascript_Core/ChangeLog 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-11-30 01:05:01 UTC (rev 225307)
@@ -1,3 +1,71 @@
+2017-11-29 Saam Barati <sbar...@apple.com>
+
+ Remove pointer caging for double arrays
+ https://bugs.webkit.org/show_bug.cgi?id=180163
+
+ Reviewed by Mark Lam.
+
+ This patch removes pointer caging from double arrays. Like
+ my previous removals of pointer caging, this is a security vs
+ performance tradeoff. We believe that butterflies being allocated
+ in the cage and with a 32GB runway gives us enough security that
+ pointer caging the butterfly just for double arrays does not add
+ enough security benefit for the performance hit it incurs.
+
+ This patch also removes the GetButterflyWithoutCaging node and
+ the FixedButterflyAccessUncaging phase. The node is no longer needed
+ because now all GetButterfly nodes are not caged. The phase is removed
+ since we no longer have two nodes.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
+ * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileSpread):
+ (JSC::DFG::SpeculativeJIT::compileArraySlice):
+ (JSC::DFG::SpeculativeJIT::compileGetButterfly):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGTypeCheckHoistingPhase.cpp:
+ (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
+ (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDoubleLoad):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ * runtime/Butterfly.h:
+ (JSC::Butterfly::pointer):
+ (JSC::Butterfly::contiguousDouble):
+ (JSC::Butterfly::caged): Deleted.
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::createOrGrowPropertyStorage):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::ensureLengthSlow):
+ (JSC::JSObject::reallocateAndShrinkButterfly):
+
2017-11-29 Stanislav Ocovaj <stanislav.oco...@rt-rk.com>
[MIPS][JSC] Implement MacroAssembler::probe support on MIPS
Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (225306 => 225307)
--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2017-11-30 01:05:01 UTC (rev 225307)
@@ -535,7 +535,6 @@
0FD8A32817D51F5700CA2C40 /* DFGTierUpCheckInjectionPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FD8A32017D51F5700CA2C40 /* DFGTierUpCheckInjectionPhase.h */; };
0FD8A32A17D51F5700CA2C40 /* DFGToFTLDeferredCompilationCallback.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FD8A32217D51F5700CA2C40 /* DFGToFTLDeferredCompilationCallback.h */; };
0FD8A32C17D51F5700CA2C40 /* DFGToFTLForOSREntryDeferredCompilationCallback.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FD8A32417D51F5700CA2C40 /* DFGToFTLForOSREntryDeferredCompilationCallback.h */; };
- 0FD9EA891F29162C00F32BEE /* DFGFixedButterflyAccessUncagingPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FD9EA871F29162C00F32BEE /* DFGFixedButterflyAccessUncagingPhase.h */; };
0FDB2CC9173DA520007B3C1B /* FTLAbbreviatedTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDB2CC7173DA51E007B3C1B /* FTLAbbreviatedTypes.h */; settings = {ATTRIBUTES = (Private, ); }; };
0FDB2CCA173DA523007B3C1B /* FTLValueFromBlock.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDB2CC8173DA51E007B3C1B /* FTLValueFromBlock.h */; settings = {ATTRIBUTES = (Private, ); }; };
0FDB2CE8174830A2007B3C1B /* DFGWorklist.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FDB2CE6174830A2007B3C1B /* DFGWorklist.h */; };
@@ -2658,8 +2657,6 @@
0FD8A32217D51F5700CA2C40 /* DFGToFTLDeferredCompilationCallback.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGToFTLDeferredCompilationCallback.h; path = dfg/DFGToFTLDeferredCompilationCallback.h; sourceTree = "<group>"; };
0FD8A32317D51F5700CA2C40 /* DFGToFTLForOSREntryDeferredCompilationCallback.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGToFTLForOSREntryDeferredCompilationCallback.cpp; path = dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp; sourceTree = "<group>"; };
0FD8A32417D51F5700CA2C40 /* DFGToFTLForOSREntryDeferredCompilationCallback.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGToFTLForOSREntryDeferredCompilationCallback.h; path = dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h; sourceTree = "<group>"; };
- 0FD9EA861F29162C00F32BEE /* DFGFixedButterflyAccessUncagingPhase.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = DFGFixedButterflyAccessUncagingPhase.cpp; path = dfg/DFGFixedButterflyAccessUncagingPhase.cpp; sourceTree = "<group>"; };
- 0FD9EA871F29162C00F32BEE /* DFGFixedButterflyAccessUncagingPhase.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = DFGFixedButterflyAccessUncagingPhase.h; path = dfg/DFGFixedButterflyAccessUncagingPhase.h; sourceTree = "<group>"; };
0FDB2CC7173DA51E007B3C1B /* FTLAbbreviatedTypes.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = FTLAbbreviatedTypes.h; path = ftl/FTLAbbreviatedTypes.h; sourceTree = "<group>"; };
0FDB2CC8173DA51E007B3C1B /* FTLValueFromBlock.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = FTLValueFromBlock.h; path = ftl/FTLValueFromBlock.h; sourceTree = "<group>"; };
0FDB2CE5174830A2007B3C1B /* DFGWorklist.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGWorklist.cpp; path = dfg/DFGWorklist.cpp; sourceTree = "<group>"; };
@@ -7045,8 +7042,6 @@
A7BFF3BF179868940002F462 /* DFGFiltrationResult.h */,
A78A976E179738B8009DF744 /* DFGFinalizer.cpp */,
A78A976F179738B8009DF744 /* DFGFinalizer.h */,
- 0FD9EA861F29162C00F32BEE /* DFGFixedButterflyAccessUncagingPhase.cpp */,
- 0FD9EA871F29162C00F32BEE /* DFGFixedButterflyAccessUncagingPhase.h */,
0F2BDC12151C5D4A00CD8910 /* DFGFixupPhase.cpp */,
0F2BDC13151C5D4A00CD8910 /* DFGFixupPhase.h */,
0F20177D1DCADC3000EA5950 /* DFGFlowIndexing.cpp */,
@@ -8335,7 +8330,6 @@
A78A9775179738B8009DF744 /* DFGFailedFinalizer.h in Headers */,
A7BFF3C0179868940002F462 /* DFGFiltrationResult.h in Headers */,
A78A9777179738B8009DF744 /* DFGFinalizer.h in Headers */,
- 0FD9EA891F29162C00F32BEE /* DFGFixedButterflyAccessUncagingPhase.h in Headers */,
0F2BDC16151C5D4F00CD8910 /* DFGFixupPhase.h in Headers */,
0F2017801DCADC3500EA5950 /* DFGFlowIndexing.h in Headers */,
0F2017821DCADD4200EA5950 /* DFGFlowMap.h in Headers */,
Modified: trunk/Source/_javascript_Core/Sources.txt (225306 => 225307)
--- trunk/Source/_javascript_Core/Sources.txt 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/Sources.txt 2017-11-30 01:05:01 UTC (rev 225307)
@@ -315,7 +315,6 @@
dfg/DFGEpoch.cpp
dfg/DFGFailedFinalizer.cpp
dfg/DFGFinalizer.cpp
-dfg/DFGFixedButterflyAccessUncagingPhase.cpp
dfg/DFGFixupPhase.cpp
dfg/DFGFlowIndexing.cpp
dfg/DFGFlushFormat.cpp
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2017-11-30 01:05:01 UTC (rev 225307)
@@ -2609,7 +2609,6 @@
}
break;
case GetButterfly:
- case GetButterflyWithoutCaging:
case AllocatePropertyStorage:
case ReallocatePropertyStorage:
case NukeStructureAndSetButterfly:
Modified: trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -378,7 +378,6 @@
break;
case GetButterfly:
- case GetButterflyWithoutCaging:
// This barely works. The danger is that the GetButterfly is used by something that
// does something escaping to a candidate. Fortunately, the only butterfly-using ops
// that we exempt here also use the candidate directly. If there ever was a
Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2017-11-30 01:05:01 UTC (rev 225307)
@@ -1044,11 +1044,6 @@
def(HeapLocation(ButterflyLoc, JSObject_butterfly, node->child1()), LazyNode(node));
return;
- case GetButterflyWithoutCaging:
- read(JSObject_butterfly);
- def(HeapLocation(ButterflyWithoutCagingLoc, JSObject_butterfly, node->child1()), LazyNode(node));
- return;
-
case CheckSubClass:
def(PureValue(node, node->classInfo()));
return;
Modified: trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -118,7 +118,6 @@
case CheckStructureImmediate:
case GetExecutable:
case GetButterfly:
- case GetButterflyWithoutCaging:
case CheckSubClass:
case CheckArray:
case GetScope:
Deleted: trunk/Source/_javascript_Core/dfg/DFGFixedButterflyAccessUncagingPhase.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGFixedButterflyAccessUncagingPhase.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGFixedButterflyAccessUncagingPhase.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -1,141 +0,0 @@
-/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "DFGFixedButterflyAccessUncagingPhase.h"
-
-#if ENABLE(DFG_JIT)
-
-#include "DFGClobberize.h"
-#include "DFGGraph.h"
-#include "DFGPhase.h"
-#include "JSCInlines.h"
-#include <wtf/IndexSet.h>
-
-namespace JSC { namespace DFG {
-
-namespace {
-
-class FixedButterflyAccessUncagingPhase : public Phase {
-public:
- FixedButterflyAccessUncagingPhase(Graph& graph)
- : Phase(graph, "fixed butterfly access uncaging")
- {
- }
-
- bool run()
- {
- IndexSet<Node*> needCaging;
-
- bool changed = true;
- while (changed) {
- changed = false;
- for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
- for (Node* node : *block) {
- switch (node->op()) {
- // FIXME: Check again how badly we need this. It might not be worth it.
- // https://bugs.webkit.org/show_bug.cgi?id=175044
- case GetByOffset:
- case PutByOffset:
- case GetGetterSetterByOffset:
- case GetArrayLength:
- case GetVectorLength:
- break;
-
- case Upsilon:
- if (needCaging.contains(node->phi()))
- changed |= needCaging.add(node->child1().node());
- break;
-
- default:
- // FIXME: We could possibly make this more precise. We really only care about whether
- // this can read/write butterfly contents.
- // https://bugs.webkit.org/show_bug.cgi?id=174926
- if (!accessesOverlap(m_graph, node, Heap))
- break;
-
- Node* toExclude = nullptr;
- if (node->hasArrayMode() && node->arrayMode().type() != Array::Double) {
- switch (node->op()) {
- case ArrayPush:
- toExclude = m_graph.varArgChild(node, 0).node();
- break;
- case ArrayIndexOf:
- toExclude = m_graph.varArgChild(node, node->numChildren() == 3 ? 2 : 3).node();
- break;
- case ArrayPop:
- toExclude = node->child2().node();
- break;
- case HasIndexedProperty:
- toExclude = node->child3().node();
- break;
- case GetByVal:
- toExclude = node->child3().node();
- break;
- case PutByVal:
- toExclude = m_graph.varArgChild(node, 3).node();
- break;
- default:
- break;
- }
- }
-
- m_graph.doToChildren(
- node,
- [&] (Edge& edge) {
- if (edge.node() != toExclude)
- changed |= needCaging.add(edge.node());
- });
- break;
- }
- }
- }
- }
-
- bool didOptimize = false;
- for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
- for (Node* node : *block) {
- if (node->op() == GetButterfly && !needCaging.contains(node)) {
- node->setOp(GetButterflyWithoutCaging);
- didOptimize = true;
- }
- }
- }
-
- return didOptimize;
- }
-};
-
-} // anonymous namespace
-
-bool performFixedButterflyAccessUncaging(Graph& graph)
-{
- return runPhase<FixedButterflyAccessUncagingPhase>(graph);
-}
-
-} } // namespace JSC::DFG
-
-#endif // ENABLE(DFG_JIT)
-
Deleted: trunk/Source/_javascript_Core/dfg/DFGFixedButterflyAccessUncagingPhase.h (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGFixedButterflyAccessUncagingPhase.h 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGFixedButterflyAccessUncagingPhase.h 2017-11-30 01:05:01 UTC (rev 225307)
@@ -1,40 +0,0 @@
-/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
- * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
- * THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#pragma once
-
-#if ENABLE(DFG_JIT)
-
-namespace JSC { namespace DFG {
-
-class Graph;
-
-// Turns GetButterfly into GetButterflyWithoutCaging if all of the accesses are fixed-offset.
-bool performFixedButterflyAccessUncaging(Graph&);
-
-} } // namespace JSC::DFG
-
-#endif // ENABLE(DFG_JIT)
-
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -1475,8 +1475,7 @@
case CheckStructure:
case CheckCell:
case CreateThis:
- case GetButterfly:
- case GetButterflyWithoutCaging: {
+ case GetButterfly: {
fixEdge<CellUse>(node->child1());
break;
}
Modified: trunk/Source/_javascript_Core/dfg/DFGHeapLocation.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGHeapLocation.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGHeapLocation.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -96,10 +96,6 @@
out.print("ButterflyLoc");
return;
- case ButterflyWithoutCagingLoc:
- out.print("ButterflyWithoutCagingLoc");
- return;
-
case CheckTypeInfoFlagsLoc:
out.print("CheckTypeInfoFlagsLoc");
return;
Modified: trunk/Source/_javascript_Core/dfg/DFGHeapLocation.h (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGHeapLocation.h 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGHeapLocation.h 2017-11-30 01:05:01 UTC (rev 225307)
@@ -39,7 +39,6 @@
ArrayLengthLoc,
VectorLengthLoc,
ButterflyLoc,
- ButterflyWithoutCagingLoc,
CheckTypeInfoFlagsLoc,
OverridesHasInstanceLoc,
ClosureVariableLoc,
Modified: trunk/Source/_javascript_Core/dfg/DFGNodeType.h (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGNodeType.h 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGNodeType.h 2017-11-30 01:05:01 UTC (rev 225307)
@@ -204,7 +204,6 @@
macro(AllocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
macro(ReallocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
macro(GetButterfly, NodeResultStorage) \
- macro(GetButterflyWithoutCaging, NodeResultStorage) \
macro(NukeStructureAndSetButterfly, NodeMustGenerate) \
macro(CheckArray, NodeMustGenerate) \
macro(Arrayify, NodeMustGenerate) \
Modified: trunk/Source/_javascript_Core/dfg/DFGPlan.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGPlan.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGPlan.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -41,7 +41,6 @@
#include "DFGCriticalEdgeBreakingPhase.h"
#include "DFGDCEPhase.h"
#include "DFGFailedFinalizer.h"
-#include "DFGFixedButterflyAccessUncagingPhase.h"
#include "DFGFixupPhase.h"
#include "DFGGraphSafepoint.h"
#include "DFGIntegerCheckCombiningPhase.h"
@@ -464,7 +463,6 @@
RUN_PHASE(performCFA);
RUN_PHASE(performGlobalStoreBarrierInsertion);
RUN_PHASE(performStoreBarrierClustering);
- RUN_PHASE(performFixedButterflyAccessUncaging);
if (Options::useMovHintRemoval())
RUN_PHASE(performMovHintRemoval);
RUN_PHASE(performCleanUp);
Modified: trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -855,7 +855,6 @@
break;
}
case GetButterfly:
- case GetButterflyWithoutCaging:
case GetIndexedPropertyStorage:
case AllocatePropertyStorage:
case ReallocatePropertyStorage: {
Modified: trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2017-11-30 01:05:01 UTC (rev 225307)
@@ -240,7 +240,6 @@
case CheckStructureOrEmpty:
case GetExecutable:
case GetButterfly:
- case GetButterflyWithoutCaging:
case CallDOMGetter:
case CallDOM:
case CheckSubClass:
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -7350,7 +7350,6 @@
slowPath.append(m_jit.branch32(MacroAssembler::Above, scratch1GPR, TrustedImm32(ContiguousShape - Int32Shape)));
m_jit.loadPtr(MacroAssembler::Address(argument, JSObject::butterflyOffset()), lengthGPR);
- m_jit.cage(Gigacage::JSValue, lengthGPR); // We may do a double memcpy loop below, so we conservatively cage.
m_jit.load32(MacroAssembler::Address(lengthGPR, Butterfly::offsetOfPublicLength()), lengthGPR);
static_assert(sizeof(JSValue) == 8 && 1 << 3 == 8, "This is strongly assumed in the code below.");
m_jit.move(lengthGPR, scratch1GPR);
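Review bot: Dropping the cage call at L454 also drops the only in-code explanation of why this butterfly pointer may be dereferenced uncaged; the new code at L453-L455 loads the butterfly and immediately reads its public length with nothing stating the invariant it now rests on, which lives only in the ChangeLog (butterflies are allocated inside the JSValue Gigacage with a 32GB runway). I would keep that rationale next to the load, e.g. `// Butterflies live inside the JSValue Gigacage, so the pointer is used uncaged (bug 180163).`, since the memcpy loop below indexes off this pointer. The same applies to the other cage removals in this file (the hunks ending at L462, L469 and L475), to emitDoubleLoad and emitGenericContiguousPutByVal in JITPropertyAccess.cpp, and to compileGetButterfly in FTLLowerDFGToB3.cpp. compileSpread starts and ends outside this hunk.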
@@ -7361,7 +7360,6 @@
m_jit.store32(lengthGPR, MacroAssembler::Address(resultGPR, JSFixedArray::offsetOfSize()));
m_jit.loadPtr(MacroAssembler::Address(argument, JSObject::butterflyOffset()), scratch1GPR);
- m_jit.cage(Gigacage::JSValue, scratch1GPR); // We may do a double memcpy loop below, so we conservatively cage.
MacroAssembler::JumpList done;
@@ -7727,7 +7725,6 @@
GPRReg resultButterfly = temp2.gpr();
m_jit.loadPtr(MacroAssembler::Address(resultGPR, JSObject::butterflyOffset()), resultButterfly);
- m_jit.cage(Gigacage::JSValue, resultButterfly);
m_jit.zeroExtend32ToPtr(tempGPR, tempGPR);
m_jit.zeroExtend32ToPtr(loadIndex, loadIndex);
auto done = m_jit.branchPtr(MacroAssembler::AboveOrEqual, loadIndex, tempGPR);
@@ -8546,7 +8543,6 @@
GPRReg resultGPR = result.gpr();
m_jit.loadPtr(JITCompiler::Address(baseGPR, JSObject::butterflyOffset()), resultGPR);
- m_jit.cage(Gigacage::JSValue, resultGPR);
storageResult(resultGPR, node);
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -4413,7 +4413,6 @@
break;
case GetButterfly:
- case GetButterflyWithoutCaging:
compileGetButterfly(node);
break;
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -4624,7 +4624,6 @@
break;
case GetButterfly:
- case GetButterflyWithoutCaging:
compileGetButterfly(node);
break;
Modified: trunk/Source/_javascript_Core/dfg/DFGTypeCheckHoistingPhase.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/dfg/DFGTypeCheckHoistingPhase.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/dfg/DFGTypeCheckHoistingPhase.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -255,7 +255,6 @@
case ReallocatePropertyStorage:
case NukeStructureAndSetButterfly:
case GetButterfly:
- case GetButterflyWithoutCaging:
case GetByVal:
case PutByValDirect:
case PutByVal:
@@ -332,7 +331,6 @@
case PutStructure:
case ReallocatePropertyStorage:
case GetButterfly:
- case GetButterflyWithoutCaging:
case GetByVal:
case PutByValDirect:
case PutByVal:
Modified: trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -70,7 +70,6 @@
case ArrayifyToStructure:
case PutStructure:
case GetButterfly:
- case GetButterflyWithoutCaging:
case NewObject:
case NewStringObject:
case NewArray:
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -713,7 +713,6 @@
compileDeleteByVal();
break;
case GetButterfly:
- case GetButterflyWithoutCaging:
compileGetButterfly();
break;
case ConstantStoragePointer:
@@ -3382,8 +3381,6 @@
void compileGetButterfly()
{
LValue butterfly = m_out.loadPtr(lowCell(m_node->child1()), m_heaps.JSObject_butterfly);
- if (m_node->op() != GetButterflyWithoutCaging)
- butterfly = caged(Gigacage::JSValue, butterfly);
setStorage(butterfly);
}
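Review bot: With the conditional at L539-L540 gone, the `butterfly` local in compileGetButterfly is assigned once and passed straight to setStorage, so the temporary no longer earns its name; the body reads more directly as `setStorage(m_out.loadPtr(lowCell(m_node->child1()), m_heaps.JSObject_butterfly));`. This is purely a style point; behavior is unchanged either way.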
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -173,7 +173,6 @@
badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape));
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
- cage(Gigacage::JSValue, regT2);
slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
slowCases.append(branchDouble(DoubleNotEqualOrUnordered, fpRegT0, fpRegT0));
@@ -343,8 +342,6 @@
badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
- if (indexingShape == DoubleShape)
- cage(Gigacage::JSValue, regT2);
Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()));
Label storeResult = label();
Modified: trunk/Source/_javascript_Core/runtime/Butterfly.h (225306 => 225307)
--- trunk/Source/_javascript_Core/runtime/Butterfly.h 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/runtime/Butterfly.h 2017-11-30 01:05:01 UTC (rev 225307)
@@ -103,7 +103,6 @@
}
char* pointer() { return reinterpret_cast<char*>(this); }
- Butterfly* caged() { return Gigacage::caged(Gigacage::JSValue, this); }
static ptrdiff_t offsetOfIndexingHeader() { return IndexingHeader::offsetOfIndexingHeader(); }
static ptrdiff_t offsetOfArrayBuffer() { return offsetOfIndexingHeader() + IndexingHeader::offsetOfArrayBuffer(); }
@@ -131,7 +130,7 @@
ArrayStorage* arrayStorage() { return indexingPayload<ArrayStorage>(); }
ContiguousJSValues contiguousInt32() { return ContiguousJSValues(indexingPayload<WriteBarrier<Unknown>>(), vectorLength()); }
- ContiguousDoubles contiguousDouble() { return ContiguousDoubles(caged()->indexingPayload<double>(), vectorLength()); }
+ ContiguousDoubles contiguousDouble() { return ContiguousDoubles(indexingPayload<double>(), vectorLength()); }
ContiguousJSValues contiguous() { return ContiguousJSValues(indexingPayload<WriteBarrier<Unknown>>(), vectorLength()); }
static Butterfly* fromContiguous(WriteBarrier<Unknown>* contiguous)
Modified: trunk/Source/_javascript_Core/runtime/ButterflyInlines.h (225306 => 225307)
--- trunk/Source/_javascript_Core/runtime/ButterflyInlines.h 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/runtime/ButterflyInlines.h 2017-11-30 01:05:01 UTC (rev 225307)
@@ -107,8 +107,6 @@
if (!oldButterfly)
return create(vm, intendedOwner, 0, newPropertyCapacity, false, IndexingHeader(), 0);
- oldButterfly = oldButterfly->caged();
-
size_t preCapacity = oldButterfly->indexingHeader()->preCapacity(structure);
size_t indexingPayloadSizeInBytes = oldButterfly->indexingHeader()->indexingPayloadSizeInBytes(structure);
bool hasIndexingHeader = structure->hasIndexingHeader(intendedOwner);
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (225306 => 225307)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2017-11-30 00:39:14 UTC (rev 225306)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2017-11-30 01:05:01 UTC (rev 225307)
@@ -3173,7 +3173,7 @@
bool JSObject::ensureLengthSlow(VM& vm, unsigned length)
{
- Butterfly* butterfly = this->butterfly()->caged();
+ Butterfly* butterfly = this->butterfly();
ASSERT(length <= MAX_STORAGE_VECTOR_LENGTH);
ASSERT(hasContiguous(indexingType()) || hasInt32(indexingType()) || hasDouble(indexingType()) || hasUndecided(indexingType()));
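Review bot: After L594 the C++ slow path dereferences `butterfly` with no check that it actually lies inside the JSValue Gigacage, which is the allocation invariant the ChangeLog gives as the reason caging is no longer needed here. A debug-only assertion next to the existing ASSERTs at L595-L596 would keep that invariant checkable on the C++ side without any release cost, e.g. `ASSERT(Gigacage::isCaged(Gigacage::JSValue, butterfly));` if that containment predicate is present in this tree (confirm against Gigacage.h). The same consideration applies to reallocateAndShrinkButterfly below and to createOrGrowPropertyStorage in ButterflyInlines.h, where `oldButterfly` is likewise used uncaged after the early return. ensureLengthSlow continues past the end of this hunk.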
@@ -3233,7 +3233,7 @@
ASSERT(!m_butterfly->indexingHeader()->preCapacity(structure()));
DeferGC deferGC(vm.heap);
- Butterfly* newButterfly = butterfly()->caged()->resizeArray(vm, this, structure(), 0, ArrayStorage::sizeFor(length));
+ Butterfly* newButterfly = butterfly()->resizeArray(vm, this, structure(), 0, ArrayStorage::sizeFor(length));
newButterfly->setVectorLength(length);
newButterfly->setPublicLength(length);
WTF::storeStoreFence();