Modified: trunk/Source/_javascript_Core/ChangeLog (220605 => 220606)
--- trunk/Source/_javascript_Core/ChangeLog 2017-08-11 20:04:06 UTC (rev 220605)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-08-11 20:08:33 UTC (rev 220606)
@@ -1,5 +1,30 @@
2017-08-11 Filip Pizlo <fpi...@apple.com>
+ DirectArguments should be in the JSValue gigacage
+ https://bugs.webkit.org/show_bug.cgi?id=174920
+
+ Reviewed by Michael Saboff.
+
+ This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
+ indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
+ because they always operate on a DirectArguments that is pointed to directly from the stack, they are
+ required to use fixed offsets, and you can only store JSValues.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDirectArgumentsGetByVal):
+ * runtime/DirectArguments.h:
+ (JSC::DirectArguments::subspaceFor):
+ (JSC::DirectArguments::storage):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2017-08-11 Filip Pizlo <fpi...@apple.com>
+
Unreviewed, add a FIXME.
* ftl/FTLLowerDFGToB3.cpp:
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (220605 => 220606)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-08-11 20:04:06 UTC (rev 220605)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-08-11 20:08:33 UTC (rev 220606)
@@ -6246,6 +6246,8 @@
MacroAssembler::AboveOrEqual, propertyReg,
MacroAssembler::Address(baseReg, DirectArguments::offsetOfLength())));
+ m_jit.cage(Gigacage::JSValue, baseReg);
+
m_jit.loadValue(
MacroAssembler::BaseIndex(
baseReg, propertyReg, MacroAssembler::TimesEight, DirectArguments::storageOffset()),
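Review bot: `m_jit.cage(Gigacage::JSValue, baseReg)` rewrites baseReg in place, so every later use of baseReg in compileGetByValOnDirectArguments (which continues past the hunk) now sees the caged pointer rather than the original cell pointer; if anything downstream still expects the original base, caging into a scratch register would be safer. The length load through `DirectArguments::offsetOfLength()` two lines above still goes through the uncaged base, so only the indexed storage load is confined; that looks intended, but a comment on the cage line, `// Cage before the indexed load: the length check bounds the index, the cage keeps the base inside the JSValue gigacage.`, would record it. The same in-place cage appears in the JITPropertyAccess.cpp hunk (`cage(Gigacage::JSValue, base)`), where base is likewise read for the mappedArguments test before being caged.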
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (220605 => 220606)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-08-11 20:04:06 UTC (rev 220605)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-08-11 20:08:33 UTC (rev 220606)
@@ -3516,10 +3516,8 @@
index,
m_out.load32NonNegative(base, m_heaps.DirectArguments_length)));
- // FIXME: I guess we need to cage DirectArguments?
- // https://bugs.webkit.org/show_bug.cgi?id=174920
TypedPointer address = m_out.baseIndex(
- m_heaps.DirectArguments_storage, base, m_out.zeroExtPtr(index));
+ m_heaps.DirectArguments_storage, caged(Gigacage::JSValue, base), m_out.zeroExtPtr(index));
setJSValue(m_out.load64(address));
return;
}
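Review bot: The bounds check still takes its length from the uncaged `base` (`m_out.load32NonNegative(base, m_heaps.DirectArguments_length)`) while only the storage address is built from `caged(Gigacage::JSValue, base)`; this is consistent with the DFG and baseline hunks, and because nothing is written back to `base`, the rest of compileGetByVal (which continues outside the hunk) keeps the uncaged pointer. A short comment in place of the removed FIXME, e.g. `// Only the indexed storage access is caged; the length check above bounds the index.`, would make that split explicit for the next reader.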
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (220605 => 220606)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2017-08-11 20:04:06 UTC (rev 220605)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2017-08-11 20:08:33 UTC (rev 220606)
@@ -1511,6 +1511,7 @@
slowCases.append(branchTestPtr(NonZero, Address(base, DirectArguments::offsetOfMappedArguments())));
zeroExtend32ToPtr(property, scratch);
+ cage(Gigacage::JSValue, base);
loadValue(BaseIndex(base, scratch, TimesEight, DirectArguments::storageOffset()), result);
return slowCases;
Modified: trunk/Source/_javascript_Core/runtime/DirectArguments.h (220605 => 220606)
--- trunk/Source/_javascript_Core/runtime/DirectArguments.h 2017-08-11 20:04:06 UTC (rev 220605)
+++ trunk/Source/_javascript_Core/runtime/DirectArguments.h 2017-08-11 20:08:33 UTC (rev 220606)
@@ -46,6 +46,13 @@
DirectArguments(VM&, Structure*, unsigned length, unsigned capacity);
public:
+ template<typename CellType>
+ static Subspace* subspaceFor(VM& vm)
+ {
+ RELEASE_ASSERT(!CellType::needsDestruction);
+ return &vm.jsValueGigacageCellSpace;
+ }
+
// Creates an arguments object but leaves it uninitialized. This is dangerous if we GC right
// after allocation.
static DirectArguments* createUninitialized(VM&, Structure*, unsigned length, unsigned capacity);
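Review bot: The `RELEASE_ASSERT(!CellType::needsDestruction)` in the new `subspaceFor` encodes an invariant that lives in another file: `jsValueGigacageCellSpace` is constructed with `DoesNotNeedDestruction` in VM.cpp, so a destructible subclass routed through this overload would be allocated in a space that never runs its destructor. Worth a comment above the assert so the two stay in sync: `// jsValueGigacageCellSpace is a DoesNotNeedDestruction space (see VM.cpp); a destructible subclass must not be placed there.`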
@@ -157,7 +164,7 @@
private:
WriteBarrier<Unknown>* storage()
{
- return bitwise_cast<WriteBarrier<Unknown>*>(bitwise_cast<char*>(this) + storageOffset());
+ return bitwise_cast<WriteBarrier<Unknown>*>(bitwise_cast<char*>(Gigacage::caged(Gigacage::JSValue, this)) + storageOffset());
}
unsigned mappedArgumentsSize();
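Review bot: `storage()` now derives the storage base from `Gigacage::caged(Gigacage::JSValue, this)` while `this` itself stays uncaged, so a caller that reads header fields through `this` and then indexes through `storage()` is working with two different pointers whenever the cell lies outside the cage; that is presumably the containment property being introduced (header reads trusted, indexed reads confined), but without a comment it reads like an oversight. Suggest `// Cage the cell pointer before computing the storage base so indexed accesses cannot leave the JSValue gigacage.` on the return line.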
Modified: trunk/Source/_javascript_Core/runtime/VM.cpp (220605 => 220606)
--- trunk/Source/_javascript_Core/runtime/VM.cpp 2017-08-11 20:04:06 UTC (rev 220605)
+++ trunk/Source/_javascript_Core/runtime/VM.cpp 2017-08-11 20:08:33 UTC (rev 220606)
@@ -171,6 +171,7 @@
, primitiveGigacageAuxiliarySpace("Primitive Gigacage Auxiliary", heap, AllocatorAttributes(DoesNotNeedDestruction, HeapCell::Auxiliary), primitiveGigacageAllocator.get())
, jsValueGigacageAuxiliarySpace("JSValue Gigacage Auxiliary", heap, AllocatorAttributes(DoesNotNeedDestruction, HeapCell::Auxiliary), jsValueGigacageAllocator.get())
, cellSpace("JSCell", heap, AllocatorAttributes(DoesNotNeedDestruction, HeapCell::JSCell), fastMallocAllocator.get())
+ , jsValueGigacageCellSpace("JSValue Gigacage JSCell", heap, AllocatorAttributes(DoesNotNeedDestruction, HeapCell::JSCell), jsValueGigacageAllocator.get())
, destructibleCellSpace("Destructible JSCell", heap, AllocatorAttributes(NeedsDestruction, HeapCell::JSCell), fastMallocAllocator.get())
, stringSpace("JSString", heap, fastMallocAllocator.get())
, destructibleObjectSpace("JSDestructibleObject", heap, fastMallocAllocator.get())
Modified: trunk/Source/_javascript_Core/runtime/VM.h (220605 => 220606)
--- trunk/Source/_javascript_Core/runtime/VM.h 2017-08-11 20:04:06 UTC (rev 220605)
+++ trunk/Source/_javascript_Core/runtime/VM.h 2017-08-11 20:08:33 UTC (rev 220606)
@@ -315,6 +315,7 @@
// Whenever possible, use subspaceFor<CellType>(vm) to get one of these subspaces.
Subspace cellSpace;
+ Subspace jsValueGigacageCellSpace;
Subspace destructibleCellSpace;
JSStringSubspace stringSpace;
JSDestructibleObjectSubspace destructibleObjectSpace;