Modified: trunk/Source/_javascript_Core/ChangeLog (224801 => 224802)
--- trunk/Source/_javascript_Core/ChangeLog 2017-11-14 03:58:01 UTC (rev 224801)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-11-14 05:33:30 UTC (rev 224802)
@@ -1,3 +1,32 @@
+2017-11-13 Saam Barati <sbar...@apple.com>
+
+ Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
+ https://bugs.webkit.org/show_bug.cgi?id=179203
+
+ Reviewed by Yusuke Suzuki.
+
+ This patch only removes the pointer caging for the described types in the title.
+ These types still allocate out of the gigacage. This is a just a cost vs benefit
+ tradeoff of performance vs security.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDirectArgumentsGetByVal):
+ (JSC::JIT::emitScopedArgumentsGetByVal):
+ * runtime/DirectArguments.h:
+ (JSC::DirectArguments::storage):
+ * runtime/HashMapImpl.cpp:
+ (JSC::HashMapImpl<HashMapBucket>::visitChildren):
+ * runtime/HashMapImpl.h:
+ * runtime/JSLexicalEnvironment.h:
+ (JSC::JSLexicalEnvironment::variables):
+ * runtime/ScopedArguments.h:
+ (JSC::ScopedArguments::overflowStorage const):
+
2017-11-08 Keith Miller <keith_mil...@apple.com>
Async iteration should only fetch the next method once and add feature flag
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (224801 => 224802)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-11-14 03:58:01 UTC (rev 224801)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2017-11-14 05:33:30 UTC (rev 224802)
@@ -6496,8 +6496,6 @@
MacroAssembler::AboveOrEqual, propertyReg,
MacroAssembler::Address(baseReg, DirectArguments::offsetOfLength())));
- m_jit.cage(Gigacage::JSValue, baseReg);
-
m_jit.loadValue(
MacroAssembler::BaseIndex(
baseReg, propertyReg, MacroAssembler::TimesEight, DirectArguments::storageOffset()),
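Review bot: Nothing at the load site records that baseReg is now deliberately left unmasked, so a reader who sees the AboveOrEqual check against DirectArguments::offsetOfLength() followed by an uncaged BaseIndex load may take the missing cage() for an oversight rather than a decision. The ChangeLog gives the rationale (performance over the cage's protection, with the objects still allocated from the gigacage), but that text does not travel with the code. I would add a one-line comment above the loadValue, e.g. `// propertyReg is bounds-checked above; baseReg is intentionally not caged (webkit.org/b/179203).`, and the same note at the other cage() removals in this file's compileGetByValOnScopedArguments hunks and at the matching sites in FTLLowerDFGToB3.cpp and JITPropertyAccess.cpp. The enclosing function (compileGetByValOnDirectArguments, per the ChangeLog) starts and ends outside the hunk.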
@@ -6552,7 +6550,6 @@
m_jit.loadPtr(
MacroAssembler::Address(scratchReg, ScopedArgumentsTable::offsetOfArguments()),
scratchReg);
- m_jit.cage(ScopedArgumentsTable::ArgumentsPtr::kind, scratchReg);
m_jit.load32(
MacroAssembler::BaseIndex(scratchReg, propertyReg, MacroAssembler::TimesFour),
scratchReg);
@@ -6562,8 +6559,6 @@
m_jit.branch32(
MacroAssembler::Equal, scratchReg, TrustedImm32(ScopeOffset::invalidOffset)));
- m_jit.cage(Gigacage::JSValue, scratch2Reg);
-
m_jit.loadValue(
MacroAssembler::BaseIndex(
scratch2Reg, propertyReg, MacroAssembler::TimesEight,
@@ -6576,8 +6571,6 @@
m_jit.sub32(propertyReg, scratch2Reg);
m_jit.neg32(scratch2Reg);
- m_jit.cage(Gigacage::JSValue, baseReg);
-
m_jit.loadValue(
MacroAssembler::BaseIndex(
baseReg, scratch2Reg, MacroAssembler::TimesEight,
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (224801 => 224802)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-11-14 03:58:01 UTC (rev 224801)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2017-11-14 05:33:30 UTC (rev 224802)
@@ -3718,7 +3718,7 @@
m_out.load32NonNegative(base, m_heaps.DirectArguments_length)));
TypedPointer address = m_out.baseIndex(
- m_heaps.DirectArguments_storage, caged(Gigacage::JSValue, base), m_out.zeroExtPtr(index));
+ m_heaps.DirectArguments_storage, base, m_out.zeroExtPtr(index));
setJSValue(m_out.load64(address));
return;
}
@@ -3746,9 +3746,7 @@
LBasicBlock lastNext = m_out.appendTo(namedCase, overflowCase);
LValue scope = m_out.loadPtr(base, m_heaps.ScopedArguments_scope);
- LValue arguments = caged(
- ScopedArgumentsTable::ArgumentsPtr::kind,
- m_out.loadPtr(table, m_heaps.ScopedArgumentsTable_arguments));
+ LValue arguments = m_out.loadPtr(table, m_heaps.ScopedArgumentsTable_arguments);
TypedPointer address = m_out.baseIndex(
m_heaps.scopedArgumentsTableArguments, arguments, m_out.zeroExtPtr(index));
@@ -3759,8 +3757,7 @@
m_out.equal(scopeOffset, m_out.constInt32(ScopeOffset::invalidOffset)));
address = m_out.baseIndex(
- m_heaps.JSLexicalEnvironment_variables, caged(Gigacage::JSValue, scope),
- m_out.zeroExtPtr(scopeOffset));
+ m_heaps.JSLexicalEnvironment_variables, scope, m_out.zeroExtPtr(scopeOffset));
ValueFromBlock namedResult = m_out.anchor(m_out.load64(address));
m_out.jump(continuation);
@@ -3767,7 +3764,7 @@
m_out.appendTo(overflowCase, continuation);
address = m_out.baseIndex(
- m_heaps.ScopedArguments_overflowStorage, caged(Gigacage::JSValue, base),
+ m_heaps.ScopedArguments_overflowStorage, base,
m_out.zeroExtPtr(m_out.sub(index, namedLength)));
LValue overflowValue = m_out.load64(address);
speculate(ExoticObjectMode, noValue(), nullptr, m_out.isZero64(overflowValue));
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (224801 => 224802)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2017-11-14 03:58:01 UTC (rev 224801)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2017-11-14 05:33:30 UTC (rev 224802)
@@ -1403,7 +1403,6 @@
slowCases.append(branchTestPtr(NonZero, Address(base, DirectArguments::offsetOfMappedArguments())));
zeroExtend32ToPtr(property, scratch);
- cage(Gigacage::JSValue, base);
loadValue(BaseIndex(base, scratch, TimesEight, DirectArguments::storageOffset()), result);
return slowCases;
@@ -1436,7 +1435,6 @@
Jump overflowCase = branch32(AboveOrEqual, property, scratch2);
loadPtr(Address(base, ScopedArguments::offsetOfScope()), scratch2);
loadPtr(Address(scratch, ScopedArgumentsTable::offsetOfArguments()), scratch);
- cage(ScopedArgumentsTable::ArgumentsPtr::kind, scratch);
load32(BaseIndex(scratch, property, TimesFour), scratch);
slowCases.append(branch32(Equal, scratch, TrustedImm32(ScopeOffset::invalidOffset)));
loadValue(BaseIndex(scratch2, scratch, TimesEight, JSLexicalEnvironment::offsetOfVariables()), result);
@@ -1444,7 +1442,6 @@
overflowCase.link(this);
sub32(property, scratch2);
neg32(scratch2);
- cage(Gigacage::JSValue, base);
loadValue(BaseIndex(base, scratch2, TimesEight, ScopedArguments::overflowStorageOffset()), result);
slowCases.append(branchIfEmpty(result));
done.link(this);
Modified: trunk/Source/_javascript_Core/runtime/DirectArguments.h (224801 => 224802)
--- trunk/Source/_javascript_Core/runtime/DirectArguments.h 2017-11-14 03:58:01 UTC (rev 224801)
+++ trunk/Source/_javascript_Core/runtime/DirectArguments.h 2017-11-14 05:33:30 UTC (rev 224802)
@@ -170,7 +170,7 @@
private:
WriteBarrier<Unknown>* storage()
{
- return bitwise_cast<WriteBarrier<Unknown>*>(bitwise_cast<char*>(Gigacage::caged(Gigacage::JSValue, this)) + storageOffset());
+ return bitwise_cast<WriteBarrier<Unknown>*>(bitwise_cast<char*>(this) + storageOffset());
}
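Review bot: storage() now returns `this + storageOffset()` with no indication that the gigacage mask was removed on purpose, and the same applies to JSLexicalEnvironment::variables() and ScopedArguments::overflowStorage() in the later hunks. In an engine where the cage is the expected shape for auxiliary storage accessors, a bare `this`-relative cast reads like a regression unless the intent is stated next to it. I would add above the return, and likewise in the other two accessors: `// Inline storage; the object is gigacage-allocated but the pointer is intentionally not caged (webkit.org/b/179203).`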
unsigned mappedArgumentsSize();
Modified: trunk/Source/_javascript_Core/runtime/HashMapImpl.cpp (224801 => 224802)
--- trunk/Source/_javascript_Core/runtime/HashMapImpl.cpp 2017-11-14 03:58:01 UTC (rev 224801)
+++ trunk/Source/_javascript_Core/runtime/HashMapImpl.cpp 2017-11-14 05:33:30 UTC (rev 224802)
@@ -62,7 +62,7 @@
visitor.append(thisObject->m_head);
visitor.append(thisObject->m_tail);
- if (HashMapBufferType* buffer = thisObject->m_buffer.getMayBeNull())
+ if (HashMapBufferType* buffer = thisObject->m_buffer.get())
visitor.markAuxiliary(buffer);
}
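Review bot: The null guard now depends on `AuxiliaryBarrier::get()` returning nullptr for an unset buffer, which the hunk does not show; that matches how the raw-pointer barrier behaves as far as I know, so the check itself looks fine, but the rename from getMayBeNull() drops the only signal in this function that m_buffer can be empty. Since the member declaration in HashMapImpl.h is also touched by this commit, I would carry the information there: `AuxiliaryBarrier<HashMapBufferType*> m_buffer; // may be null; check before dereferencing (see visitChildren)`. visitChildren's opening lines are outside the hunk.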
Modified: trunk/Source/_javascript_Core/runtime/HashMapImpl.h (224801 => 224802)
--- trunk/Source/_javascript_Core/runtime/HashMapImpl.h 2017-11-14 03:58:01 UTC (rev 224801)
+++ trunk/Source/_javascript_Core/runtime/HashMapImpl.h 2017-11-14 05:33:30 UTC (rev 224802)
@@ -698,7 +698,7 @@
WriteBarrier<HashMapBucketType> m_head;
WriteBarrier<HashMapBucketType> m_tail;
- CagedBarrierPtr<Gigacage::JSValue, HashMapBufferType> m_buffer;
+ AuxiliaryBarrier<HashMapBufferType*> m_buffer;
uint32_t m_keyCount;
uint32_t m_deleteCount;
uint32_t m_capacity;
Modified: trunk/Source/_javascript_Core/runtime/JSLexicalEnvironment.h (224801 => 224802)
--- trunk/Source/_javascript_Core/runtime/JSLexicalEnvironment.h 2017-11-14 03:58:01 UTC (rev 224801)
+++ trunk/Source/_javascript_Core/runtime/JSLexicalEnvironment.h 2017-11-14 05:33:30 UTC (rev 224802)
@@ -52,7 +52,7 @@
WriteBarrierBase<Unknown>* variables()
{
- return bitwise_cast<WriteBarrierBase<Unknown>*>(bitwise_cast<char*>(Gigacage::caged(Gigacage::JSValue, this)) + offsetOfVariables());
+ return bitwise_cast<WriteBarrierBase<Unknown>*>(bitwise_cast<char*>(this) + offsetOfVariables());
}
bool isValidScopeOffset(ScopeOffset offset)
Modified: trunk/Source/_javascript_Core/runtime/ScopedArguments.h (224801 => 224802)
--- trunk/Source/_javascript_Core/runtime/ScopedArguments.h 2017-11-14 03:58:01 UTC (rev 224801)
+++ trunk/Source/_javascript_Core/runtime/ScopedArguments.h 2017-11-14 05:33:30 UTC (rev 224802)
@@ -161,8 +161,7 @@
private:
WriteBarrier<Unknown>* overflowStorage() const
{
- return bitwise_cast<WriteBarrier<Unknown>*>(
- bitwise_cast<char*>(Gigacage::caged(Gigacage::JSValue, this)) + overflowStorageOffset());
+ return bitwise_cast<WriteBarrier<Unknown>*>(bitwise_cast<char*>(this) + overflowStorageOffset());
}
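Review bot: overflowStorage() is a const member that hands back a mutable `WriteBarrier<Unknown>*` by bit-casting `this` (a `const ScopedArguments*`) to `char*`, which, given that bitwise_cast is memcpy-based, silently discards the const qualifier; the caged() form did the same before, but the rewrite is the natural point to make that explicit. If callers write through the result, the honest form is `return bitwise_cast<WriteBarrier<Unknown>*>(bitwise_cast<char*>(const_cast<ScopedArguments*>(this)) + overflowStorageOffset());` so the const removal is greppable; if they only read, casting via `const char*` and returning a const pointer would be preferable. Which applies depends on callers outside the hunk.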
bool m_overrodeThings; // True if length, callee, and caller are fully materialized in the object.