Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (220415 => 220416)
--- trunk/Source/_javascript_Core/ChangeLog 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-08-08 19:44:20 UTC (rev 220416)
@@ -1,3 +1,44 @@
+2017-08-08 Filip Pizlo <fpi...@apple.com>
+
+ Baseline JIT should do caging
+ https://bugs.webkit.org/show_bug.cgi?id=175037
+
+ Reviewed by Mark Lam.
+
+ Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
+
+ Also modifies FTL caging to be more defensive when caging is disabled.
+
+ Relanded with fixed AssemblyHelpers::cageConditionally().
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/InlineAccess.cpp:
+ (JSC::InlineAccess::dumpCacheSizesAndCrash):
+ (JSC::InlineAccess::generateSelfPropertyAccess):
+ (JSC::InlineAccess::generateSelfPropertyReplace):
+ (JSC::InlineAccess::generateArrayLength):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::cage):
+ (JSC::AssemblyHelpers::cageConditionally):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDoubleLoad):
+ (JSC::JIT::emitContiguousLoad):
+ (JSC::JIT::emitArrayStorageLoad):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::emit_op_get_from_scope):
+ (JSC::JIT::emit_op_put_to_scope):
+ (JSC::JIT::emitIntTypedArrayGetByVal):
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jsc.cpp:
+ (jscmain):
+ (primitiveGigacageDisabled): Deleted.
+
2017-08-08 Ryan Haddad <ryanhad...@apple.com>
Unreviewed, rolling out r220368.
Modified: trunk/Source/_javascript_Core/bytecode/AccessCase.cpp (220415 => 220416)
--- trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2017-08-08 19:44:20 UTC (rev 220416)
@@ -527,6 +527,8 @@
jit.loadPtr(
CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
loadedValueGPR);
+ // FIXME: Do caging!
+ // https://bugs.webkit.org/show_bug.cgi?id=175295
storageGPR = loadedValueGPR;
}
@@ -877,6 +879,8 @@
// already had out-of-line property storage).
jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
+ // FIXME: Do caging!
+ // https://bugs.webkit.org/show_bug.cgi?id=175295
// We have scratchGPR = new storage, scratchGPR3 = old storage,
// scratchGPR2 = available
@@ -955,8 +959,11 @@
JSObject::offsetOfInlineStorage() +
offsetInInlineStorage(m_offset) * sizeof(JSValue)));
} else {
- if (!allocating)
+ if (!allocating) {
jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
+ // FIXME: Do caging!
+ // https://bugs.webkit.org/show_bug.cgi?id=175295
+ }
jit.storeValue(
valueRegs,
CCallHelpers::Address(scratchGPR, offsetInButterfly(m_offset) * sizeof(JSValue)));
@@ -992,6 +999,8 @@
case ArrayLength: {
jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
+ // FIXME: Do caging!
+ // https://bugs.webkit.org/show_bug.cgi?id=175295
jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
state.failAndIgnore.append(
jit.branch32(CCallHelpers::LessThan, scratchGPR, CCallHelpers::TrustedImm32(0)));
Modified: trunk/Source/_javascript_Core/bytecode/InlineAccess.cpp (220415 => 220416)
--- trunk/Source/_javascript_Core/bytecode/InlineAccess.cpp 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/_javascript_Core/bytecode/InlineAccess.cpp 2017-08-08 19:44:20 UTC (rev 220416)
@@ -57,6 +57,8 @@
jit.patchableBranch32(
CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
+ // FIXME: Do caging!
+ // https://bugs.webkit.org/show_bug.cgi?id=175295
jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
jit.boxInt32(scratchGPR, regs);
@@ -73,6 +75,8 @@
jit.loadPtr(
CCallHelpers::Address(base, JSObject::butterflyOffset()),
value);
+ // FIXME: Do caging!
+ // https://bugs.webkit.org/show_bug.cgi?id=175295
GPRReg storageGPR = value;
jit.loadValue(
CCallHelpers::Address(storageGPR, 0x000ab21ca), regs);
@@ -116,6 +120,8 @@
MacroAssembler::TrustedImm32(0x000ab21ca));
jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
+ // FIXME: Do caging!
+ // https://bugs.webkit.org/show_bug.cgi?id=175295
jit.storeValue(
regs,
MacroAssembler::Address(base, 120342));
@@ -170,6 +176,8 @@
storage = base;
else {
jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
+ // FIXME: Do caging!
+ // https://bugs.webkit.org/show_bug.cgi?id=175295
storage = value.payloadGPR();
}
@@ -231,6 +239,8 @@
storage = getScratchRegister(stubInfo);
ASSERT(storage != InvalidGPRReg);
jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
+ // FIXME: Do caging!
+ // https://bugs.webkit.org/show_bug.cgi?id=175295
}
jit.storeValue(
@@ -269,6 +279,8 @@
auto branchToSlowPath = jit.patchableBranch32(
CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
+ // FIXME: Do caging!
+ // https://bugs.webkit.org/show_bug.cgi?id=175295
jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
jit.boxInt32(value.payloadGPR(), value);
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (220415 => 220416)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-08-08 19:44:20 UTC (rev 220416)
@@ -11616,7 +11616,10 @@
LValue caged(Gigacage::Kind kind, LValue ptr)
{
- if (kind == Gigacage::Primitive) {
+ if (!Gigacage::shouldBeEnabled())
+ return ptr;
+
+ if (kind == Gigacage::Primitive && Gigacage::canPrimitiveGigacageBeDisabled()) {
if (vm().primitiveGigacageEnabled().isStillValid())
m_graph.watchpoints().addLazily(vm().primitiveGigacageEnabled());
else
Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (220415 => 220416)
--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2017-08-08 19:44:20 UTC (rev 220416)
@@ -1311,6 +1311,41 @@
ok.link(this);
}
+ void cage(Gigacage::Kind kind, GPRReg storage)
+ {
+#if GIGACAGE_ENABLED
+ if (!Gigacage::shouldBeEnabled())
+ return;
+
+ andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
+ addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
+#else
+ UNUSED_PARAM(kind);
+ UNUSED_PARAM(storage);
+#endif
+ }
+
+ void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratch)
+ {
+#if GIGACAGE_ENABLED
+ if (!Gigacage::shouldBeEnabled())
+ return;
+
+ if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled())
+ return cage(kind, storage);
+
+ loadPtr(&Gigacage::basePtr(kind), scratch);
+ Jump done = branchTestPtr(Zero, scratch);
+ andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
+ addPtr(scratch, storage);
+ done.link(this);
+#else
+ UNUSED_PARAM(kind);
+ UNUSED_PARAM(storage);
+ UNUSED_PARAM(scratch);
+#endif
+ }
+
void storeButterfly(VM& vm, GPRReg butterfly, GPRReg object)
{
if (isX86()) {
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (220415 => 220416)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2017-08-08 19:44:20 UTC (rev 220416)
@@ -172,9 +172,8 @@
JumpList slowCases;
badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape));
- // FIXME: Should do caging.
- // https://bugs.webkit.org/show_bug.cgi?id=175037
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+ cage(Gigacage::JSValue, regT2);
slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
slowCases.append(branchDouble(DoubleNotEqualOrUnordered, fpRegT0, fpRegT0));
@@ -187,9 +186,8 @@
JumpList slowCases;
badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape));
- // FIXME: Should do caging.
- // https://bugs.webkit.org/show_bug.cgi?id=175037
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+ cage(Gigacage::JSValue, regT2);
slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
load64(BaseIndex(regT2, regT1, TimesEight), regT0);
slowCases.append(branchTest64(Zero, regT0));
@@ -204,9 +202,8 @@
add32(TrustedImm32(-ArrayStorageShape), regT2, regT3);
badType = patchableBranch32(Above, regT3, TrustedImm32(SlowPutArrayStorageShape - ArrayStorageShape));
- // FIXME: Should do caging.
- // https://bugs.webkit.org/show_bug.cgi?id=175037
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+ cage(Gigacage::JSValue, regT2);
slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
load64(BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()), regT0);
@@ -353,9 +350,8 @@
badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
- // FIXME: Should do caging.
- // https://bugs.webkit.org/show_bug.cgi?id=175037
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+ cage(Gigacage::JSValue, regT2);
Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()));
Label storeResult = label();
@@ -410,9 +406,8 @@
JumpList slowCases;
badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
- // FIXME: Should do caging.
- // https://bugs.webkit.org/show_bug.cgi?id=175037
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+ cage(Gigacage::JSValue, regT2);
slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
Jump empty = branchTest64(Zero, BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()));
@@ -923,9 +918,8 @@
abortWithReason(JITOffsetIsNotOutOfLine);
isOutOfLine.link(this);
}
- // FIXME: Should do caging.
- // https://bugs.webkit.org/show_bug.cgi?id=175037
loadPtr(Address(base, JSObject::butterflyOffset()), scratch);
+ cage(Gigacage::JSValue, scratch);
neg32(offset);
signExtend32ToPtr(offset, offset);
load64(BaseIndex(scratch, offset, TimesEight, (firstOutOfLineOffset - 2) * sizeof(EncodedJSValue)), result);
@@ -1066,9 +1060,8 @@
emitLoadWithStructureCheck(scope, structureSlot); // Structure check covers var injection.
emitGetVirtualRegister(value, regT2);
- // FIXME: Should do caging.
- // https://bugs.webkit.org/show_bug.cgi?id=175037
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
+ cage(Gigacage::JSValue, regT0);
loadPtr(operandSlot, regT1);
negPtr(regT1);
storePtr(regT2, BaseIndex(regT0, regT1, TimesEight, (firstOutOfLineOffset - 2) * sizeof(EncodedJSValue)));
@@ -1576,6 +1569,7 @@
RegisterID property = regT1;
RegisterID resultPayload = regT0;
RegisterID scratch = regT3;
+ RegisterID scratch2 = regT4;
#else
RegisterID base = regT0;
RegisterID property = regT2;
@@ -1582,6 +1576,7 @@
RegisterID resultPayload = regT0;
RegisterID resultTag = regT1;
RegisterID scratch = regT3;
+ RegisterID scratch2 = regT4;
#endif
JumpList slowCases;
@@ -1589,9 +1584,8 @@
load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
- // FIXME: Should do caging.
- // https://bugs.webkit.org/show_bug.cgi?id=175037
loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
+ cageConditionally(Gigacage::Primitive, scratch, scratch2);
switch (elementSize(type)) {
case 1:
@@ -1649,6 +1643,7 @@
RegisterID property = regT1;
RegisterID resultPayload = regT0;
RegisterID scratch = regT3;
+ RegisterID scratch2 = regT4;
#else
RegisterID base = regT0;
RegisterID property = regT2;
@@ -1655,6 +1650,7 @@
RegisterID resultPayload = regT0;
RegisterID resultTag = regT1;
RegisterID scratch = regT3;
+ RegisterID scratch2 = regT4;
#endif
JumpList slowCases;
@@ -1662,9 +1658,8 @@
load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
- // FIXME: Should do caging.
- // https://bugs.webkit.org/show_bug.cgi?id=175037
loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
+ cageConditionally(Gigacage::Primitive, scratch, scratch2);
switch (elementSize(type)) {
case 4:
@@ -1705,11 +1700,13 @@
RegisterID property = regT1;
RegisterID earlyScratch = regT3;
RegisterID lateScratch = regT2;
+ RegisterID lateScratch2 = regT4;
#else
RegisterID base = regT0;
RegisterID property = regT2;
RegisterID earlyScratch = regT3;
RegisterID lateScratch = regT1;
+ RegisterID lateScratch2 = regT4;
#endif
JumpList slowCases;
@@ -1731,9 +1728,8 @@
// We would be loading this into base as in get_by_val, except that the slow
// path expects the base to be unclobbered.
- // FIXME: Should do caging.
- // https://bugs.webkit.org/show_bug.cgi?id=175037
loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
+ cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
if (isClamped(type)) {
ASSERT(elementSize(type) == 1);
@@ -1777,11 +1773,13 @@
RegisterID property = regT1;
RegisterID earlyScratch = regT3;
RegisterID lateScratch = regT2;
+ RegisterID lateScratch2 = regT4;
#else
RegisterID base = regT0;
RegisterID property = regT2;
RegisterID earlyScratch = regT3;
RegisterID lateScratch = regT1;
+ RegisterID lateScratch2 = regT4;
#endif
JumpList slowCases;
@@ -1816,9 +1814,8 @@
// We would be loading this into base as in get_by_val, except that the slow
// path expects the base to be unclobbered.
- // FIXME: Should do caging.
- // https://bugs.webkit.org/show_bug.cgi?id=175037
loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
+ cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
switch (elementSize(type)) {
case 4:
Modified: trunk/Source/_javascript_Core/jsc.cpp (220415 => 220416)
--- trunk/Source/_javascript_Core/jsc.cpp 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/_javascript_Core/jsc.cpp 2017-08-08 19:44:20 UTC (rev 220416)
@@ -3802,12 +3802,6 @@
return result;
}
-static void primitiveGigacageDisabled(void*)
-{
- dataLog("Primitive gigacage disabled! Aborting.\n");
- UNREACHABLE_FOR_PLATFORM();
-}
-
int jscmain(int argc, char** argv)
{
// Need to override and enable restricted options before we start parsing options below.
@@ -3826,8 +3820,7 @@
#if ENABLE(WEBASSEMBLY)
JSC::Wasm::enableFastMemory();
#endif
- if (Gigacage::shouldBeEnabled())
- Gigacage::addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
+ Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled();
int result;
result = runJSC(
Modified: trunk/Source/WTF/ChangeLog (220415 => 220416)
--- trunk/Source/WTF/ChangeLog 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/WTF/ChangeLog 2017-08-08 19:44:20 UTC (rev 220416)
@@ -1,3 +1,17 @@
+2017-08-08 Filip Pizlo <fpi...@apple.com>
+
+ Baseline JIT should do caging
+ https://bugs.webkit.org/show_bug.cgi?id=175037
+
+ Reviewed by Mark Lam.
+
+ * wtf/Gigacage.h:
+ (Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
+ (Gigacage::isDisablingPrimitiveGigacageDisabled):
+ (Gigacage::isPrimitiveGigacagePermanentlyEnabled):
+ (Gigacage::canPrimitiveGigacageBeDisabled):
+ (Gigacage::basePtr):
+
2017-08-08 Ryan Haddad <ryanhad...@apple.com>
Unreviewed, rolling out r220368.
Modified: trunk/Source/WTF/wtf/Gigacage.h (220415 => 220416)
--- trunk/Source/WTF/wtf/Gigacage.h 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/WTF/wtf/Gigacage.h 2017-08-08 19:44:20 UTC (rev 220416)
@@ -49,6 +49,12 @@
inline void addPrimitiveDisableCallback(void (*)(void*), void*) { }
inline void removePrimitiveDisableCallback(void (*)(void*), void*) { }
+inline void disableDisablingPrimitiveGigacageIfShouldBeEnabled() { }
+
+inline bool isDisablingPrimitiveGigacageDisabled() { return false; }
+inline bool isPrimitiveGigacagePermanentlyEnabled() { return false; }
+inline bool canPrimitiveGigacageBeDisabled() { return true; }
+
ALWAYS_INLINE const char* name(Kind kind)
{
switch (kind) {
@@ -61,7 +67,7 @@
return nullptr;
}
-ALWAYS_INLINE void* basePtr(Kind)
+ALWAYS_INLINE void*& basePtr(Kind)
{
return g_gigacageBasePtr;
}
Modified: trunk/Source/WebKit/ChangeLog (220415 => 220416)
--- trunk/Source/WebKit/ChangeLog 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/WebKit/ChangeLog 2017-08-08 19:44:20 UTC (rev 220416)
@@ -1,3 +1,16 @@
+2017-08-08 Filip Pizlo <fpi...@apple.com>
+
+ Baseline JIT should do caging
+ https://bugs.webkit.org/show_bug.cgi?id=175037
+
+ Reviewed by Mark Lam.
+
+ Use a better API to disable disabling the primitive gigacage.
+
+ * WebProcess/WebProcess.cpp:
+ (WebKit::m_webSQLiteDatabaseTracker):
+ (WebKit::primitiveGigacageDisabled): Deleted.
+
2017-08-08 John Wilander <wilan...@apple.com>
Resource Load Statistics: Clear web processes' state on history removal
Modified: trunk/Source/WebKit/WebProcess/WebProcess.cpp (220415 => 220416)
--- trunk/Source/WebKit/WebProcess/WebProcess.cpp 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/WebKit/WebProcess/WebProcess.cpp 2017-08-08 19:44:20 UTC (rev 220416)
@@ -146,11 +146,6 @@
namespace WebKit {
-static void primitiveGigacageDisabled(void*)
-{
- UNREACHABLE_FOR_PLATFORM();
-}
-
WebProcess& WebProcess::singleton()
{
static WebProcess& process = *new WebProcess;
@@ -202,8 +197,7 @@
parentProcessConnection()->send(Messages::WebResourceLoadStatisticsStore::ResourceLoadStatisticsUpdated(WTFMove(statistics)), 0);
});
- if (Gigacage::shouldBeEnabled())
- Gigacage::addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
+ Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled();
}
WebProcess::~WebProcess()
Modified: trunk/Source/bmalloc/ChangeLog (220415 => 220416)
--- trunk/Source/bmalloc/ChangeLog 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/bmalloc/ChangeLog 2017-08-08 19:44:20 UTC (rev 220416)
@@ -1,3 +1,24 @@
+2017-08-08 Filip Pizlo <fpi...@apple.com>
+
+ Baseline JIT should do caging
+ https://bugs.webkit.org/show_bug.cgi?id=175037
+
+ Reviewed by Mark Lam.
+
+ This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
+ and WebProcess.
+
+ This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
+ checks on each typed array access.
+
+ * bmalloc/Gigacage.cpp:
+ (Gigacage::primitiveGigacageDisabled):
+ (Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
+ (Gigacage::isDisablingPrimitiveGigacageDisabled):
+ * bmalloc/Gigacage.h:
+ (Gigacage::isPrimitiveGigacagePermanentlyEnabled):
+ (Gigacage::canPrimitiveGigacageBeDisabled):
+
2017-08-08 Ryan Haddad <ryanhad...@apple.com>
Unreviewed, rolling out r220368.
Modified: trunk/Source/bmalloc/bmalloc/Gigacage.cpp (220415 => 220416)
--- trunk/Source/bmalloc/bmalloc/Gigacage.cpp 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/bmalloc/bmalloc/Gigacage.cpp 2017-08-08 19:44:20 UTC (rev 220416)
@@ -41,6 +41,8 @@
namespace Gigacage {
+static bool s_isDisablingPrimitiveGigacageDisabled;
+
struct Callback {
Callback() { }
@@ -131,6 +133,27 @@
}
}
+static void primitiveGigacageDisabled(void*)
+{
+ static bool s_false;
+ fprintf(stderr, "FATAL: Primitive gigacage disabled, but we don't want that in this process.\n");
+ if (!s_false)
+ BCRASH();
+}
+
+void disableDisablingPrimitiveGigacageIfShouldBeEnabled()
+{
+ if (shouldBeEnabled()) {
+ addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
+ s_isDisablingPrimitiveGigacageDisabled = true;
+ }
+}
+
+bool isDisablingPrimitiveGigacageDisabled()
+{
+ return s_isDisablingPrimitiveGigacageDisabled;
+}
+
bool shouldBeEnabled()
{
return GIGACAGE_ENABLED && !PerProcess<Environment>::get()->isDebugHeapEnabled();
Modified: trunk/Source/bmalloc/bmalloc/Gigacage.h (220415 => 220416)
--- trunk/Source/bmalloc/bmalloc/Gigacage.h 2017-08-08 19:16:10 UTC (rev 220415)
+++ trunk/Source/bmalloc/bmalloc/Gigacage.h 2017-08-08 19:44:20 UTC (rev 220416)
@@ -63,6 +63,12 @@
BEXPORT void addPrimitiveDisableCallback(void (*)(void*), void*);
BEXPORT void removePrimitiveDisableCallback(void (*)(void*), void*);
+BEXPORT void disableDisablingPrimitiveGigacageIfShouldBeEnabled();
+
+BEXPORT bool isDisablingPrimitiveGigacageDisabled();
+inline bool isPrimitiveGigacagePermanentlyEnabled() { return isDisablingPrimitiveGigacageDisabled(); }
+inline bool canPrimitiveGigacageBeDisabled() { return !isDisablingPrimitiveGigacageDisabled(); }
+
BINLINE const char* name(Kind kind)
{
switch (kind) {