Modified: trunk/JSTests/stress/dont-reserve-huge-capacity-lexer.js (221438 => 221439)
--- trunk/JSTests/stress/dont-reserve-huge-capacity-lexer.js 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/JSTests/stress/dont-reserve-huge-capacity-lexer.js 2017-08-31 20:46:58 UTC (rev 221439)
@@ -1,4 +1,4 @@
-//@ skip if ($architecture != "x86-64") or $memoryLimited
+//@ if ($architecture != "x86-64") or $memoryLimited then skip else runDefault end
var fe="f";
try
Modified: trunk/Source/_javascript_Core/ChangeLog (221438 => 221439)
--- trunk/Source/_javascript_Core/ChangeLog 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-08-31 20:46:58 UTC (rev 221439)
@@ -1,3 +1,39 @@
+2017-08-31 Filip Pizlo <fpi...@apple.com>
+
+ All of the different ArrayBuffer::data's should be CagedPtr<>
+ https://bugs.webkit.org/show_bug.cgi?id=175515
+
+ Reviewed by Michael Saboff.
+
+ This straightforwardly implements what the title says.
+
+ * runtime/ArrayBuffer.cpp:
+ (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
+ (JSC::ArrayBufferContents::destroy):
+ (JSC::ArrayBufferContents::tryAllocate):
+ (JSC::ArrayBufferContents::makeShared):
+ (JSC::ArrayBufferContents::copyTo):
+ (JSC::ArrayBuffer::createFromBytes):
+ (JSC::ArrayBuffer::transferTo):
+ * runtime/ArrayBuffer.h:
+ (JSC::SharedArrayBufferContents::data const):
+ (JSC::ArrayBufferContents::data const):
+ (JSC::ArrayBuffer::data):
+ (JSC::ArrayBuffer::data const):
+ * runtime/ArrayBufferView.h:
+ (JSC::ArrayBufferView::baseAddress const):
+ * runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
+ * runtime/DataView.h:
+ (JSC::DataView::get):
+ (JSC::DataView::set):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+ * runtime/JSArrayBufferView.h:
+ (JSC::JSArrayBufferView::ConstructionContext::vector const):
+ (JSC::JSArrayBufferView::vector const):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
+
2017-08-22 Filip Pizlo <fpi...@apple.com>
Strings need to be in some kind of gigacage
Modified: trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp (221438 => 221439)
--- trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp 2017-08-31 20:46:58 UTC (rev 221439)
@@ -41,7 +41,7 @@
SharedArrayBufferContents::~SharedArrayBufferContents()
{
- m_destructor(m_data);
+ m_destructor(m_data.getMayBeNull());
}
ArrayBufferContents::ArrayBufferContents()
@@ -81,7 +81,7 @@
void ArrayBufferContents::destroy()
{
- m_destructor(m_data);
+ m_destructor(m_data.getMayBeNull());
}
void ArrayBufferContents::reset()
@@ -113,7 +113,7 @@
}
if (policy == ZeroInitialize)
- memset(m_data, 0, size);
+ memset(m_data.get(), 0, size);
m_sizeInBytes = numElements * elementByteSize;
m_destructor = [] (void* p) { Gigacage::free(Gigacage::Primitive, p); };
@@ -121,7 +121,7 @@
void ArrayBufferContents::makeShared()
{
- m_shared = adoptRef(new SharedArrayBufferContents(m_data, WTFMove(m_destructor)));
+ m_shared = adoptRef(new SharedArrayBufferContents(m_data.getMayBeNull(), WTFMove(m_destructor)));
m_destructor = [] (void*) { };
}
@@ -141,7 +141,7 @@
other.tryAllocate(m_sizeInBytes, sizeof(char), ArrayBufferContents::DontInitialize);
if (!other.m_data)
return;
- memcpy(other.m_data, m_data, m_sizeInBytes);
+ memcpy(other.m_data.get(), m_data.get(), m_sizeInBytes);
other.m_sizeInBytes = m_sizeInBytes;
}
@@ -198,7 +198,7 @@
// - WebAssembly. Wasm should allocate from the cage.
Ref<ArrayBuffer> ArrayBuffer::createFromBytes(const void* data, unsigned byteLength, ArrayBufferDestructorFunction&& destructor)
{
- if (data && byteLength && !Gigacage::isCaged(Gigacage::Primitive, data))
+ if (data && !Gigacage::isCaged(Gigacage::Primitive, data))
Gigacage::disablePrimitiveGigacage();
ArrayBufferContents contents(const_cast<void*>(data), byteLength, WTFMove(destructor));
@@ -322,7 +322,7 @@
Ref<ArrayBuffer> protect(*this);
if (!m_contents.m_data) {
- result.m_data = 0;
+ result.m_data = nullptr;
return false;
}
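Review bot: Dropping `byteLength &&` from the condition in ArrayBuffer::createFromBytes means any non-caged `data` pointer now disables the primitive gigacage process-wide, including for zero-length buffers; the motivation is presumably that `CagedPtr::getMayBeNull()` would otherwise translate an uncaged pointer to a wrong address inside the cage, but nothing in the hunk records this. Since disabling the cage weakens a memory-safety mitigation for the whole process, a comment at the check would help future readers: `// Any uncaged pointer, even for an empty buffer, must disable the cage: CagedPtr would otherwise rebase it.` Related: copyTo now calls `m_data.get()` on the source, which ASSERTs non-null; if a zero-length source can carry a null m_data (inferred, the start of copyTo is outside the hunk) that assert fires in debug builds, so either confirm it cannot or use `getMayBeNull()` there. The body of createFromBytes continues outside the hunk.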
Modified: trunk/Source/_javascript_Core/runtime/ArrayBuffer.h (221438 => 221439)
--- trunk/Source/_javascript_Core/runtime/ArrayBuffer.h 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/Source/_javascript_Core/runtime/ArrayBuffer.h 2017-08-31 20:46:58 UTC (rev 221439)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009, 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -28,6 +28,7 @@
#include "ArrayBufferSharingMode.h"
#include "GCIncomingRefCounted.h"
#include "Weak.h"
+#include <wtf/CagedPtr.h>
#include <wtf/Function.h>
#include <wtf/StdLibExtras.h>
#include <wtf/ThreadSafeRefCounted.h>
@@ -47,12 +48,10 @@
SharedArrayBufferContents(void* data, ArrayBufferDestructorFunction&&);
~SharedArrayBufferContents();
- void* data() const { return m_data; }
+ void* data() const { return m_data.getMayBeNull(); }
private:
- // FIXME: This should be CagedPtr<>.
- // https://bugs.webkit.org/show_bug.cgi?id=175515
- void* m_data;
+ CagedPtr<Gigacage::Primitive, void> m_data;
ArrayBufferDestructorFunction m_destructor;
};
@@ -70,7 +69,7 @@
explicit operator bool() { return !!m_data; }
- void* data() const { return m_data; }
+ void* data() const { return m_data.getMayBeNull(); }
unsigned sizeInBytes() const { return m_sizeInBytes; }
bool isShared() const { return m_shared; }
@@ -97,9 +96,7 @@
ArrayBufferDestructorFunction m_destructor;
RefPtr<SharedArrayBufferContents> m_shared;
- // FIXME: This should be CagedPtr<>.
- // https://bugs.webkit.org/show_bug.cgi?id=175515
- void* m_data;
+ CagedPtr<Gigacage::Primitive, void> m_data;
unsigned m_sizeInBytes;
};
@@ -185,12 +182,12 @@
void* ArrayBuffer::data()
{
- return m_contents.m_data;
+ return m_contents.m_data.getMayBeNull();
}
const void* ArrayBuffer::data() const
{
- return m_contents.m_data;
+ return m_contents.m_data.getMayBeNull();
}
unsigned ArrayBuffer::byteLength() const
Modified: trunk/Source/_javascript_Core/runtime/ArrayBufferView.h (221438 => 221439)
--- trunk/Source/_javascript_Core/runtime/ArrayBufferView.h 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/Source/_javascript_Core/runtime/ArrayBufferView.h 2017-08-31 20:46:58 UTC (rev 221439)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009, 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -72,7 +72,7 @@
{
if (isNeutered())
return 0;
- return m_baseAddress;
+ return m_baseAddress.getMayBeNull();
}
void* data() const { return baseAddress(); }
@@ -147,9 +147,7 @@
}
// This is the address of the ArrayBuffer's storage, plus the byte offset.
- // FIXME: This should be CagedPtr<>.
- // https://bugs.webkit.org/show_bug.cgi?id=175515
- void* m_baseAddress;
+ CagedPtr<Gigacage::Primitive, void> m_baseAddress;
unsigned m_byteOffset : 31;
bool m_isNeuterable : 1;
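Review bot: baseAddress() still returns `0` on the neutered path, the context line just above the changed return, while the same commit changes `result.m_data = 0` to `nullptr` in ArrayBuffer::transferTo; for consistency make it `return nullptr;`. The comment on m_baseAddress ("the address of the ArrayBuffer's storage, plus the byte offset") could also say that the stored value is now caged and must be read through the accessor, e.g. `// Caged; read via getMayBeNull() (null once neutered) or get() where non-null is established.` baseAddress()'s signature is outside the hunk.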
Modified: trunk/Source/_javascript_Core/runtime/CagedBarrierPtr.h (221438 => 221439)
--- trunk/Source/_javascript_Core/runtime/CagedBarrierPtr.h 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/Source/_javascript_Core/runtime/CagedBarrierPtr.h 2017-08-31 20:46:58 UTC (rev 221439)
@@ -88,4 +88,51 @@
AuxiliaryBarrier<CagedPtr<kind, T>> m_barrier;
};
+template<Gigacage::Kind passedKind>
+class CagedBarrierPtr<passedKind, void> {
+public:
+ static constexpr Gigacage::Kind kind = passedKind;
+ typedef void Type;
+
+ CagedBarrierPtr() { }
+
+ template<typename U>
+ CagedBarrierPtr(VM& vm, JSCell* cell, U&& value)
+ {
+ m_barrier.set(vm, cell, std::forward<U>(value));
+ }
+
+ void clear() { m_barrier.clear(); }
+
+ template<typename U>
+ void set(VM& vm, JSCell* cell, U&& value)
+ {
+ m_barrier.set(vm, cell, std::forward<U>(value));
+ }
+
+ void* get() const { return m_barrier.get().get(); }
+ void* getMayBeNull() const { return m_barrier.get().getMayBeNull(); }
+
+ bool operator==(const CagedBarrierPtr& other) const
+ {
+ return getMayBeNull() == other.getMayBeNull();
+ }
+
+ bool operator!=(const CagedBarrierPtr& other) const
+ {
+ return !(*this == other);
+ }
+
+ explicit operator bool() const
+ {
+ return *this != CagedBarrierPtr();
+ }
+
+ template<typename U>
+ void setWithoutBarrier(U&& value) { m_barrier.setWithoutBarrier(std::forward<U>(value)); }
+
+private:
+ AuxiliaryBarrier<CagedPtr<kind, void>> m_barrier;
+};
+
} // namespace JSC
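Review bot: The new `CagedBarrierPtr<passedKind, void>` specialization has no comment explaining why it exists; it appears to repeat the primary template minus the dereferencing members that cannot be formed for `void`, so a one-line header would help: `// Specialization for void: same interface as the primary template without operator* / operator[], which void cannot provide.` The primary template's body is outside the hunk, so the exact overlap is inferred; if the two are otherwise identical, the shared members could move to a common base to avoid maintaining them twice. Minor: `explicit operator bool()` constructs a temporary `CagedBarrierPtr()` only to compare against it; `return !!getMayBeNull();` says the same more directly, assuming a default-constructed barrier holds null.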
Modified: trunk/Source/_javascript_Core/runtime/DataView.h (221438 => 221439)
--- trunk/Source/_javascript_Core/runtime/DataView.h 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/Source/_javascript_Core/runtime/DataView.h 2017-08-31 20:46:58 UTC (rev 221439)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -62,7 +62,7 @@
} else
ASSERT_WITH_SECURITY_IMPLICATION(offset + sizeof(T) <= byteLength());
return flipBytesIfLittleEndian(
- *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress) + offset),
+ *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get()) + offset),
littleEndian);
}
@@ -86,7 +86,7 @@
*status = true;
} else
ASSERT_WITH_SECURITY_IMPLICATION(offset + sizeof(T) <= byteLength());
- *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress) + offset) =
+ *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get()) + offset) =
flipBytesIfLittleEndian(value, littleEndian);
}
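Review bot: get() and set() read the base through `m_baseAddress.get()`, which ASSERTs non-null, rather than `getMayBeNull()`; that is presumably safe because the check on `offset + sizeof(T) <= byteLength()` preceding each access implies a non-empty, non-neutered backing store, but the choice deserves a comment: `// get() rather than getMayBeNull(): the bounds check above already excludes an empty or neutered view.` Note that in the path without a `status` out-parameter the bounds check is an ASSERT_WITH_SECURITY_IMPLICATION only, so if that macro is compiled out in release builds the caller remains responsible; that is pre-existing and unchanged by this commit. Both function bodies start outside the hunk.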
Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferView.cpp (221438 => 221439)
--- trunk/Source/_javascript_Core/runtime/JSArrayBufferView.cpp 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferView.cpp 2017-08-31 20:46:58 UTC (rev 221439)
@@ -77,7 +77,7 @@
m_mode = FastTypedArray;
if (mode == ZeroFill) {
- uint64_t* asWords = static_cast<uint64_t*>(m_vector);
+ uint64_t* asWords = static_cast<uint64_t*>(m_vector.get());
for (unsigned i = size / sizeof(uint64_t); i--;)
asWords[i] = 0;
}
@@ -94,7 +94,7 @@
if (!m_vector)
return;
if (mode == ZeroFill)
- memset(m_vector, 0, size);
+ memset(m_vector.get(), 0, size);
vm.heap.reportExtraMemoryAllocated(static_cast<size_t>(length) * elementSize);
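Review bot: The ZeroFill path in the first hunk zeroes `size / sizeof(uint64_t)` words through `m_vector.get()`, so any tail bytes of a `size` that is not a multiple of 8 would stay uninitialized, whereas the second hunk uses `memset(m_vector.get(), 0, size)`. If `size` is guaranteed 8-byte aligned by code above the hunk, a comment stating that would justify keeping the word loop, e.g. `// size is a multiple of 8 here, so whole-word zeroing covers the allocation.`; otherwise `memset(m_vector.get(), 0, size);` closes the gap. The first hunk also calls `get()`, which ASSERTs non-null, with no visible null check, while the second guards with `if (!m_vector) return;`; the fast-path allocation and its check are presumably above the hunk. Both hunks lie inside ConstructionContext's constructor, whose boundaries are outside the hunk.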
Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h (221438 => 221439)
--- trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferView.h 2017-08-31 20:46:58 UTC (rev 221439)
@@ -133,7 +133,7 @@
bool operator!() const { return !m_structure; }
Structure* structure() const { return m_structure; }
- void* vector() const { return m_vector; }
+ void* vector() const { return m_vector.getMayBeNull(); }
uint32_t length() const { return m_length; }
TypedArrayMode mode() const { return m_mode; }
Butterfly* butterfly() const { return m_butterfly; }
@@ -140,9 +140,7 @@
private:
Structure* m_structure;
- // FIXME: This should be CagedPtr<>.
- // https://bugs.webkit.org/show_bug.cgi?id=175515
- void* m_vector;
+ CagedPtr<Gigacage::Primitive, void> m_vector;
uint32_t m_length;
TypedArrayMode m_mode;
Butterfly* m_butterfly;
@@ -169,7 +167,7 @@
bool isNeutered() { return hasArrayBuffer() && !vector(); }
void neuter();
- void* vector() const { return m_vector.get(); }
+ void* vector() const { return m_vector.getMayBeNull(); }
unsigned byteOffset();
unsigned length() const { return m_length; }
@@ -192,9 +190,7 @@
static String toStringName(const JSObject*, ExecState*);
- // FIXME: This should be CagedBarrierPtr<>.
- // https://bugs.webkit.org/show_bug.cgi?id=175515
- AuxiliaryBarrier<void*> m_vector;
+ CagedBarrierPtr<Gigacage::Primitive, void> m_vector;
uint32_t m_length;
TypedArrayMode m_mode;
};
Modified: trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h (221438 => 221439)
--- trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/Source/_javascript_Core/runtime/JSGenericTypedArrayViewInlines.h 2017-08-31 20:46:58 UTC (rev 221439)
@@ -517,7 +517,7 @@
switch (thisObject->m_mode) {
case FastTypedArray: {
- if (void* vector = thisObject->m_vector.get())
+ if (void* vector = thisObject->m_vector.getMayBeNull())
visitor.markAuxiliary(vector);
break;
}
Modified: trunk/Source/WTF/ChangeLog (221438 => 221439)
--- trunk/Source/WTF/ChangeLog 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/Source/WTF/ChangeLog 2017-08-31 20:46:58 UTC (rev 221439)
@@ -1,3 +1,14 @@
+2017-08-31 Filip Pizlo <fpi...@apple.com>
+
+ All of the different ArrayBuffer::data's should be CagedPtr<>
+ https://bugs.webkit.org/show_bug.cgi?id=175515
+
+ Reviewed by Michael Saboff.
+
+ Added a specialization so that CagedPtr<void> is valid.
+
+ * wtf/CagedPtr.h:
+
2017-08-31 Per Arne Vollan <pvol...@apple.com>
[Win] Crash under WorkQueue::performWorkOnRegisteredWorkThread in layout tests.
Modified: trunk/Source/WTF/wtf/CagedPtr.h (221438 => 221439)
--- trunk/Source/WTF/wtf/CagedPtr.h 2017-08-31 20:09:53 UTC (rev 221438)
+++ trunk/Source/WTF/wtf/CagedPtr.h 2017-08-31 20:46:58 UTC (rev 221439)
@@ -77,6 +77,48 @@
T* m_ptr;
};
+template<Gigacage::Kind passedKind>
+class CagedPtr<passedKind, void> {
+public:
+ static constexpr Gigacage::Kind kind = passedKind;
+
+ CagedPtr(void* ptr = nullptr)
+ : m_ptr(ptr)
+ {
+ }
+
+ void* get() const
+ {
+ ASSERT(m_ptr);
+ return Gigacage::caged(kind, m_ptr);
+ }
+
+ void* getMayBeNull() const
+ {
+ if (!m_ptr)
+ return nullptr;
+ return get();
+ }
+
+ bool operator==(const CagedPtr& other) const
+ {
+ return getMayBeNull() == other.getMayBeNull();
+ }
+
+ bool operator!=(const CagedPtr& other) const
+ {
+ return !(*this == other);
+ }
+
+ explicit operator bool() const
+ {
+ return *this != CagedPtr();
+ }
+
+protected:
+ void* m_ptr;
+};
+
} // namespace WTF
using WTF::CagedPtr;
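Review bot: The `CagedPtr<passedKind, void>` specialization lacks a comment saying why it exists and what it omits; presumably the primary template's dereferencing operators cannot be instantiated for `void`, so: `// Specialization for void: the pointer is still cage-translated on get(), but there is nothing to dereference.` The security contract of get() is also worth stating in the header: while the cage is enabled, a non-null `m_ptr` is forced into the cage by `Gigacage::caged`, so a corrupted stored pointer cannot escape it, whereas `getMayBeNull()` passes a null through untranslated. `explicit operator bool()` builds a temporary `CagedPtr()` and compares via two `getMayBeNull()` calls; `return !!m_ptr;` is equivalent if `Gigacage::caged` never maps a non-null pointer to null, and avoids the translation. The primary template's body is outside the hunk, so the overlap between the two is inferred.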