Modified: trunk/Source/_javascript_Core/ChangeLog (220440 => 220441)
--- trunk/Source/_javascript_Core/ChangeLog 2017-08-09 03:24:31 UTC (rev 220440)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-08-09 03:48:44 UTC (rev 220441)
@@ -1,3 +1,20 @@
+2017-08-08 Filip Pizlo <fpi...@apple.com>
+
+ ICs should do caging
+ https://bugs.webkit.org/show_bug.cgi?id=175295
+
+ Reviewed by Saam Barati.
+
+ Adds the appropriate cage() calls in our inline caches.
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateImpl):
+ * bytecode/InlineAccess.cpp:
+ (JSC::InlineAccess::dumpCacheSizesAndCrash):
+ (JSC::InlineAccess::generateSelfPropertyAccess):
+ (JSC::InlineAccess::generateSelfPropertyReplace):
+ (JSC::InlineAccess::generateArrayLength):
+
2017-08-08 Devin Rousso <drou...@apple.com>
Web Inspector: Canvas: support editing WebGL shaders
Modified: trunk/Source/_javascript_Core/bytecode/AccessCase.cpp (220440 => 220441)
--- trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2017-08-09 03:24:31 UTC (rev 220440)
+++ trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2017-08-09 03:48:44 UTC (rev 220441)
@@ -527,8 +527,7 @@
jit.loadPtr(
CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
loadedValueGPR);
- // FIXME: Do caging!
- // https://bugs.webkit.org/show_bug.cgi?id=175295
+ jit.cage(Gigacage::JSValue, loadedValueGPR);
storageGPR = loadedValueGPR;
}
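Review bot: The new `jit.cage(Gigacage::JSValue, loadedValueGPR);` carries no comment saying why the freshly loaded butterfly pointer must be bounded before it is dereferenced, and the same load-then-cage pair is now repeated verbatim at every butterfly load in this file (this hunk and the ones at -879, -961 and -999) and at each site in InlineAccess.cpp — exactly the set of places the removed FIXMEs show were previously missed. Consider folding the pair into one helper on the assembler, e.g. `jit.loadCagedButterfly(baseForAccessGPR, loadedValueGPR);` (constructed name), so a future IC path cannot load the butterfly without also caging it. At minimum add a why-comment at the first site, e.g. `// The butterfly pointer is heap data; cage() bounds it to the JSValue gigacage so a corrupted pointer cannot redirect the accesses below outside the cage.`. generateImpl's body continues outside this hunk on both sides.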
@@ -879,8 +878,7 @@
// already had out-of-line property storage).
jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
- // FIXME: Do caging!
- // https://bugs.webkit.org/show_bug.cgi?id=175295
+ jit.cage(Gigacage::JSValue, scratchGPR3);
// We have scratchGPR = new storage, scratchGPR3 = old storage,
// scratchGPR2 = available
@@ -961,8 +959,7 @@
} else {
if (!allocating) {
jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
- // FIXME: Do caging!
- // https://bugs.webkit.org/show_bug.cgi?id=175295
+ jit.cage(Gigacage::JSValue, scratchGPR);
}
jit.storeValue(
valueRegs,
@@ -999,8 +996,7 @@
case ArrayLength: {
jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
- // FIXME: Do caging!
- // https://bugs.webkit.org/show_bug.cgi?id=175295
+ jit.cage(Gigacage::JSValue, scratchGPR);
jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
state.failAndIgnore.append(
jit.branch32(CCallHelpers::LessThan, scratchGPR, CCallHelpers::TrustedImm32(0)));
Modified: trunk/Source/_javascript_Core/bytecode/InlineAccess.cpp (220440 => 220441)
--- trunk/Source/_javascript_Core/bytecode/InlineAccess.cpp 2017-08-09 03:24:31 UTC (rev 220440)
+++ trunk/Source/_javascript_Core/bytecode/InlineAccess.cpp 2017-08-09 03:48:44 UTC (rev 220441)
@@ -57,8 +57,7 @@
jit.patchableBranch32(
CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
- // FIXME: Do caging!
- // https://bugs.webkit.org/show_bug.cgi?id=175295
+ jit.cage(Gigacage::JSValue, value);
jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
jit.boxInt32(scratchGPR, regs);
@@ -75,8 +74,7 @@
jit.loadPtr(
CCallHelpers::Address(base, JSObject::butterflyOffset()),
value);
- // FIXME: Do caging!
- // https://bugs.webkit.org/show_bug.cgi?id=175295
+ jit.cage(Gigacage::JSValue, value);
GPRReg storageGPR = value;
jit.loadValue(
CCallHelpers::Address(storageGPR, 0x000ab21ca), regs);
@@ -120,8 +118,7 @@
MacroAssembler::TrustedImm32(0x000ab21ca));
jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
- // FIXME: Do caging!
- // https://bugs.webkit.org/show_bug.cgi?id=175295
+ jit.cage(Gigacage::JSValue, value);
jit.storeValue(
regs,
MacroAssembler::Address(base, 120342));
@@ -176,8 +173,7 @@
storage = base;
else {
jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
- // FIXME: Do caging!
- // https://bugs.webkit.org/show_bug.cgi?id=175295
+ jit.cage(Gigacage::JSValue, value.payloadGPR());
storage = value.payloadGPR();
}
@@ -239,8 +235,7 @@
storage = getScratchRegister(stubInfo);
ASSERT(storage != InvalidGPRReg);
jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
- // FIXME: Do caging!
- // https://bugs.webkit.org/show_bug.cgi?id=175295
+ jit.cage(Gigacage::JSValue, storage);
}
jit.storeValue(
@@ -279,8 +274,7 @@
auto branchToSlowPath = jit.patchableBranch32(
CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
- // FIXME: Do caging!
- // https://bugs.webkit.org/show_bug.cgi?id=175295
+ jit.cage(Gigacage::JSValue, value.payloadGPR());
jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
jit.boxInt32(value.payloadGPR(), value);