Title: [271835] branches/safari-611-branch
Revision
271835
Author
alanc...@apple.com
Date
2021-01-25 14:12:02 -0800 (Mon, 25 Jan 2021)

Log Message

Cherry-pick r271422. rdar://problem/73477541

    [JSC] Bypass OperationPtrTagging for JITCage verification for CallDOMGetter
    https://bugs.webkit.org/show_bug.cgi?id=220564

    Reviewed by Saam Barati.

    JSTests:

    * stress/domjit-getter2.js: Added.
    (shouldBe):
    (access):

    Source/_javascript_Core:

    CustomAccessorPtrTag functions are not registered ones for JITCage since we are using a C++ trampoline to invoke them.
    However, we do not want to use this trampoline in x64 due to a performance issue. So we would like to call these
    functions directly from JIT while they are not registered (and this is OK in JITCage since they are called from the trampoline).
    In this patch we bypass OperationPtrTagging by using WTF::tagNativeCodePtrImpl directly for the non-JITCage case.

    * dfg/DFGJITCompiler.h:
    (JSC::DFG::JITCompiler::appendOperationCall):
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
    * dfg/DFGSpeculativeJIT.h:
    (JSC::DFG::SpeculativeJIT::appendOperationCall):
    * ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
    (JSC::FTL::DFG::LowerDFGToB3::vmCall):
    * ftl/FTLOutput.h:
    (JSC::FTL::Output::operation):
    * tools/JSDollarVM.cpp:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271422 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

branches/safari-611-branch/JSTests/ChangeLog
branches/safari-611-branch/Source/_javascript_Core/ChangeLog
branches/safari-611-branch/Source/_javascript_Core/dfg/DFGJITCompiler.h
branches/safari-611-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp
branches/safari-611-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h
branches/safari-611-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp
branches/safari-611-branch/Source/_javascript_Core/ftl/FTLOutput.h
branches/safari-611-branch/Source/_javascript_Core/tools/JSDollarVM.cpp

Added Paths

branches/safari-611-branch/JSTests/stress/domjit-getter2.js
Diff

Modified: branches/safari-611-branch/JSTests/ChangeLog (271834 => 271835)


--- branches/safari-611-branch/JSTests/ChangeLog	2021-01-25 22:11:55 UTC (rev 271834)
+++ branches/safari-611-branch/JSTests/ChangeLog	2021-01-25 22:12:02 UTC (rev 271835)
@@ -1,3 +1,51 @@
+2021-01-25  Alan Coon  <alanc...@apple.com>
+
+        Cherry-pick r271422. rdar://problem/73477541
+
+    [JSC] Bypass OperationPtrTagging for JITCage verification for CallDOMGetter
+    https://bugs.webkit.org/show_bug.cgi?id=220564
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/domjit-getter2.js: Added.
+    (shouldBe):
+    (access):
+    
+    Source/_javascript_Core:
+    
+    CustomAccessorPtrTag functions are not registered ones for JITCage since we are using C++ trampoline to invoke them.
+    However, we do not want to use this trampoline in x64 due to performance issue. So we would like to call these
+    functions directly from JIT while they are not registered (And this is OK in JITCage since they are called from trampoline).
+    In this patch we bypass OperationPtrTagging by using WTF::tagNativeCodePtrImpl directly for non JITCage case.
+    
+    * dfg/DFGJITCompiler.h:
+    (JSC::DFG::JITCompiler::appendOperationCall):
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
+    * dfg/DFGSpeculativeJIT.h:
+    (JSC::DFG::SpeculativeJIT::appendOperationCall):
+    * ftl/FTLLowerDFGToB3.cpp:
+    (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
+    (JSC::FTL::DFG::LowerDFGToB3::vmCall):
+    * ftl/FTLOutput.h:
+    (JSC::FTL::Output::operation):
+    * tools/JSDollarVM.cpp:
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271422 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-01-12  Yusuke Suzuki  <ysuz...@apple.com>
+
+            [JSC] Bypass OperationPtrTagging for JITCage verification for CallDOMGetter
+            https://bugs.webkit.org/show_bug.cgi?id=220564
+
+            Reviewed by Saam Barati.
+
+            * stress/domjit-getter2.js: Added.
+            (shouldBe):
+            (access):
+
 2021-01-13  Russell Epstein  <repst...@apple.com>
 
         Revert r270664. rdar://problem/73165685
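Review bot: the blank separator lines inside the nested r271422 entry carry trailing whitespace (four spaces on the lines after the bug URL, after "Reviewed by Saam Barati.", after "JSTests:" and so on); ChangeLog entries are normally whitespace-clean, so strip those before landing.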

Added: branches/safari-611-branch/JSTests/stress/domjit-getter2.js (0 => 271835)


--- branches/safari-611-branch/JSTests/stress/domjit-getter2.js	                        (rev 0)
+++ branches/safari-611-branch/JSTests/stress/domjit-getter2.js	2021-01-25 22:12:02 UTC (rev 271835)
@@ -0,0 +1,20 @@
+var createDOMJITGetterObject = $vm.createDOMJITGetterObject;
+
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error(`bad value: ${String(actual)}`);
+}
+
+var domjit = createDOMJITGetterObject();
+
+function access(domjit)
+{
+    return domjit.customGetter2 + domjit.customGetter2;
+}
+
+for (var i = 0; i < 1e4; ++i)
+    shouldBe(access(domjit), 84);
+
+shouldBe(access({ customGetter2: 42 }), 84);
+domjit.test = 44;
+shouldBe(access(domjit), 84);
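Review bot: the test covers only whichever JITCage setting the default jsc run uses, while `compileCallDOMGetter` now has two distinct paths (`Options::useJITCage()` true goes through `vmEntryCustomAccessor`, false takes the new tag bypass); a second run configuration would exercise both branches. A short comment would also help explain that `access({ customGetter2: 42 })` and `domjit.test = 44` exist to force the polymorphic and structure-transition cases after the 1e4 warm-up loop, so a future edit does not "simplify" them away.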

Modified: branches/safari-611-branch/Source/_javascript_Core/ChangeLog (271834 => 271835)


--- branches/safari-611-branch/Source/_javascript_Core/ChangeLog	2021-01-25 22:11:55 UTC (rev 271834)
+++ branches/safari-611-branch/Source/_javascript_Core/ChangeLog	2021-01-25 22:12:02 UTC (rev 271835)
@@ -1,5 +1,67 @@
 2021-01-25  Alan Coon  <alanc...@apple.com>
 
+        Cherry-pick r271422. rdar://problem/73477541
+
+    [JSC] Bypass OperationPtrTagging for JITCage verification for CallDOMGetter
+    https://bugs.webkit.org/show_bug.cgi?id=220564
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/domjit-getter2.js: Added.
+    (shouldBe):
+    (access):
+    
+    Source/_javascript_Core:
+    
+    CustomAccessorPtrTag functions are not registered ones for JITCage since we are using C++ trampoline to invoke them.
+    However, we do not want to use this trampoline in x64 due to performance issue. So we would like to call these
+    functions directly from JIT while they are not registered (And this is OK in JITCage since they are called from trampoline).
+    In this patch we bypass OperationPtrTagging by using WTF::tagNativeCodePtrImpl directly for non JITCage case.
+    
+    * dfg/DFGJITCompiler.h:
+    (JSC::DFG::JITCompiler::appendOperationCall):
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
+    * dfg/DFGSpeculativeJIT.h:
+    (JSC::DFG::SpeculativeJIT::appendOperationCall):
+    * ftl/FTLLowerDFGToB3.cpp:
+    (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
+    (JSC::FTL::DFG::LowerDFGToB3::vmCall):
+    * ftl/FTLOutput.h:
+    (JSC::FTL::Output::operation):
+    * tools/JSDollarVM.cpp:
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271422 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-01-12  Yusuke Suzuki  <ysuz...@apple.com>
+
+            [JSC] Bypass OperationPtrTagging for JITCage verification for CallDOMGetter
+            https://bugs.webkit.org/show_bug.cgi?id=220564
+
+            Reviewed by Saam Barati.
+
+            CustomAccessorPtrTag functions are not registered ones for JITCage since we are using C++ trampoline to invoke them.
+            However, we do not want to use this trampoline in x64 due to performance issue. So we would like to call these
+            functions directly from JIT while they are not registered (And this is OK in JITCage since they are called from trampoline).
+            In this patch we bypass OperationPtrTagging by using WTF::tagNativeCodePtrImpl directly for non JITCage case.
+
+            * dfg/DFGJITCompiler.h:
+            (JSC::DFG::JITCompiler::appendOperationCall):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
+            * dfg/DFGSpeculativeJIT.h:
+            (JSC::DFG::SpeculativeJIT::appendOperationCall):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
+            (JSC::FTL::DFG::LowerDFGToB3::vmCall):
+            * ftl/FTLOutput.h:
+            (JSC::FTL::Output::operation):
+            * tools/JSDollarVM.cpp:
+
+2021-01-25  Alan Coon  <alanc...@apple.com>
+
         Cherry-pick r271544. rdar://problem/73471591
 
     [JSC] Clean up DFGPreciseLocalClobberize to avoid duplicate code

Modified: branches/safari-611-branch/Source/_javascript_Core/dfg/DFGJITCompiler.h (271834 => 271835)


--- branches/safari-611-branch/Source/_javascript_Core/dfg/DFGJITCompiler.h	2021-01-25 22:11:55 UTC (rev 271834)
+++ branches/safari-611-branch/Source/_javascript_Core/dfg/DFGJITCompiler.h	2021-01-25 22:12:02 UTC (rev 271835)
@@ -145,6 +145,13 @@
         m_calls.append(CallLinkRecord(functionCall, function.retagged<OperationPtrTag>()));
         return functionCall;
     }
+
+    Call appendOperationCall(const FunctionPtr<OperationPtrTag> function)
+    {
+        Call functionCall = call(OperationPtrTag);
+        m_calls.append(CallLinkRecord(functionCall, function));
+        return functionCall;
+    }
     
     void exceptionCheck();
 
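Review bot: the new `appendOperationCall` overload records `function` as-is, unlike the existing `appendCall` directly above it, which goes through `retagged<OperationPtrTag>()`. It needs a comment stating that the caller is responsible for having produced a validly tagged `FunctionPtr<OperationPtrTag>` and that it is intended only for the non-JITCage CallDOMGetter path; without that it reads as a general-purpose way to skip the retag check.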

Modified: branches/safari-611-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (271834 => 271835)


--- branches/safari-611-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-01-25 22:11:55 UTC (rev 271834)
+++ branches/safari-611-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-01-25 22:12:02 UTC (rev 271835)
@@ -10122,8 +10122,10 @@
         m_jit.emitStoreCodeOrigin(m_currentNode->origin.semantic);
         if (Options::useJITCage())
             m_jit.appendCall(vmEntryCustomAccessor);
-        else
-            m_jit.appendCall(getter.retagged<CFunctionPtrTag>());
+        else {
+            FunctionPtr<OperationPtrTag> bypassedFunction = FunctionPtr<OperationPtrTag>(MacroAssemblerCodePtr<OperationPtrTag>(WTF::tagNativeCodePtrImpl<OperationPtrTag>(WTF::untagNativeCodePtrImpl<CustomAccessorPtrTag>(getter.executableAddress()))));
+            m_jit.appendOperationCall(bypassedFunction);
+        }
         m_jit.setupResults(resultRegs);
 
         m_jit.exceptionCheck();
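Review bot: the `else` branch now uses braces while the `if` branch does not; WebKit style requires both branches to use braces when one does. The untag/retag expression on the `bypassedFunction` line is also repeated verbatim in FTLLowerDFGToB3.cpp; pulling it into one named helper (for example a function that takes a `FunctionPtr<CustomAccessorPtrTag>` and returns the `FunctionPtr<OperationPtrTag>`) keeps the tag bypass in a single auditable place and makes its precondition, `!Options::useJITCage()`, easy to assert in one spot.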

Modified: branches/safari-611-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (271834 => 271835)


--- branches/safari-611-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2021-01-25 22:11:55 UTC (rev 271834)
+++ branches/safari-611-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2021-01-25 22:12:02 UTC (rev 271835)
@@ -986,6 +986,13 @@
         return m_jit.appendCall(function);
     }
 
+    JITCompiler::Call appendOperationCall(const FunctionPtr<OperationPtrTag> function)
+    {
+        prepareForExternalCall();
+        m_jit.emitStoreCodeOrigin(m_currentNode->origin.semantic);
+        return m_jit.appendOperationCall(function);
+    }
+
     JITCompiler::Call appendCallWithCallFrameRollbackOnException(const FunctionPtr<CFunctionPtrTag> function)
     {
         JITCompiler::Call call = appendCall(function);
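Review bot: `SpeculativeJIT::appendOperationCall` is not used by the rest of this patch; `compileCallDOMGetter` in DFGSpeculativeJIT.cpp calls `m_jit.appendOperationCall(bypassedFunction)` on the JITCompiler directly, after its own `m_jit.emitStoreCodeOrigin(...)`. Either route that call site through this wrapper or drop the wrapper, so the number of entry points that accept an unchecked `FunctionPtr<OperationPtrTag>` stays minimal.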

Modified: branches/safari-611-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (271834 => 271835)


--- branches/safari-611-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-01-25 22:11:55 UTC (rev 271834)
+++ branches/safari-611-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-01-25 22:12:02 UTC (rev 271835)
@@ -14506,9 +14506,9 @@
                 setJSValue(
                     vmCall(Int64, vmEntryCustomAccessor, weakPointer(globalObject), lowCell(m_node->child1()), m_out.constIntPtr(m_graph.identifiers()[m_node->callDOMGetterData()->identifierNumber]), m_out.constIntPtr(m_node->callDOMGetterData()->customAccessorGetter.executableAddress())));
             } else {
-                setJSValue(
-                    vmCall(Int64, bitwise_cast<CustomGetterSetter::CustomGetter>(m_node->callDOMGetterData()->customAccessorGetter.retaggedExecutableAddress<CFunctionPtrTag>()),
-                        weakPointer(globalObject), lowCell(m_node->child1()), m_out.constIntPtr(m_graph.identifiers()[m_node->callDOMGetterData()->identifierNumber])));
+                FunctionPtr<CustomAccessorPtrTag> getter = m_node->callDOMGetterData()->customAccessorGetter;
+                FunctionPtr<OperationPtrTag> bypassedFunction = FunctionPtr<OperationPtrTag>(MacroAssemblerCodePtr<OperationPtrTag>(WTF::tagNativeCodePtrImpl<OperationPtrTag>(WTF::untagNativeCodePtrImpl<CustomAccessorPtrTag>(getter.executableAddress()))));
+                setJSValue(vmCall(Int64, bypassedFunction, weakPointer(globalObject), lowCell(m_node->child1()), m_out.constIntPtr(m_graph.identifiers()[m_node->callDOMGetterData()->identifierNumber])));
             }
             return;
         }
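Review bot: the removed code passed a typed `CustomGetterSetter::CustomGetter` to `vmCall`, which gave `FunctionTraits` an arity to check against the three arguments; the replacement passes an untyped `FunctionPtr<OperationPtrTag>`, so `weakPointer(globalObject)`, `lowCell(m_node->child1())` and the identifier pointer are no longer checked against the getter's signature at compile time. A comment naming the expected signature (the `(JSGlobalObject*, EncodedJSValue, PropertyName)` shape visible in JSDollarVM.cpp) would let readers verify the call, and the untag/retag expression on the `bypassedFunction` line duplicates the one in DFGSpeculativeJIT.cpp and belongs in a shared helper.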
@@ -19103,7 +19103,8 @@
     LValue vmCall(LType type, OperationType function, Args&&... args)
     {
         static_assert(!std::is_same<OperationType, LValue>::value);
-        static_assert(FunctionTraits<OperationType>::cCallArity() == sizeof...(Args), "Sanity check");
+        if constexpr (!std::is_same_v<FunctionPtr<OperationPtrTag>, OperationType>)
+            static_assert(FunctionTraits<OperationType>::cCallArity() == sizeof...(Args), "Sanity check");
         callPreflight();
         LValue result = m_out.call(type, m_out.operation(function), std::forward<Args>(args)...);
         if (mayExit(m_graph, m_node))
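Review bot: the `if constexpr` disables the `cCallArity()` sanity check precisely for the `FunctionPtr<OperationPtrTag>` case, which is the one caller that already bypasses tag validation, so that call site gets neither check. If the arity cannot be recovered from the type, consider an explicit arity parameter or a separate entry point for untyped operations, and add a comment explaining why the `static_assert` is skipped here.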

Modified: branches/safari-611-branch/Source/_javascript_Core/ftl/FTLOutput.h (271834 => 271835)


--- branches/safari-611-branch/Source/_javascript_Core/ftl/FTLOutput.h	2021-01-25 22:11:55 UTC (rev 271834)
+++ branches/safari-611-branch/Source/_javascript_Core/ftl/FTLOutput.h	2021-01-25 22:12:02 UTC (rev 271835)
@@ -402,6 +402,7 @@
     // https://bugs.webkit.org/show_bug.cgi?id=184324
     template<typename FunctionType>
     LValue operation(FunctionType function) { return constIntPtr(tagCFunctionPtr<void*, OperationPtrTag>(function)); }
+    LValue operation(FunctionPtr<OperationPtrTag> function) { return constIntPtr(function.executableAddress()); }
 
     void jump(LBasicBlock);
     void branch(LValue condition, LBasicBlock taken, Weight takenWeight, LBasicBlock notTaken, Weight notTakenWeight);
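Review bot: the new non-template `operation(FunctionPtr<OperationPtrTag>)` overload returns `function.executableAddress()` without going through `tagCFunctionPtr`, whereas the template overload directly above tags its argument. Add a comment saying this overload expects an already-tagged pointer and performs no tagging, since the two lines look interchangeable at a glance.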

Modified: branches/safari-611-branch/Source/_javascript_Core/tools/JSDollarVM.cpp (271834 => 271835)


--- branches/safari-611-branch/Source/_javascript_Core/tools/JSDollarVM.cpp	2021-01-25 22:11:55 UTC (rev 271834)
+++ branches/safari-611-branch/Source/_javascript_Core/tools/JSDollarVM.cpp	2021-01-25 22:12:02 UTC (rev 271835)
@@ -987,9 +987,15 @@
 {
     DollarVMAssertScope assertScope;
     Base::finishCreation(vm);
-    const DOMJIT::GetterSetter* domJIT = &DOMJITGetterDOMJIT;
-    auto* customGetterSetter = DOMAttributeGetterSetter::create(vm, domJIT->getter(), nullptr, DOMAttributeAnnotation { DOMJITNode::info(), domJIT });
-    putDirectCustomAccessor(vm, Identifier::fromString(vm, "customGetter"), customGetterSetter, PropertyAttribute::ReadOnly | PropertyAttribute::CustomAccessor);
+    {
+        const DOMJIT::GetterSetter* domJIT = &DOMJITGetterDOMJIT;
+        auto* customGetterSetter = DOMAttributeGetterSetter::create(vm, domJIT->getter(), nullptr, DOMAttributeAnnotation { DOMJITNode::info(), domJIT });
+        putDirectCustomAccessor(vm, Identifier::fromString(vm, "customGetter"), customGetterSetter, PropertyAttribute::ReadOnly | PropertyAttribute::CustomAccessor);
+    }
+    {
+        auto* customGetterSetter = DOMAttributeGetterSetter::create(vm, domJITGetterCustomGetter, nullptr, DOMAttributeAnnotation { DOMJITNode::info(), nullptr });
+        putDirectCustomAccessor(vm, Identifier::fromString(vm, "customGetter2"), customGetterSetter, PropertyAttribute::ReadOnly | PropertyAttribute::CustomAccessor);
+    }
 }
 
 JSC_DEFINE_CUSTOM_GETTER(domJITGetterCustomGetter, (JSGlobalObject* globalObject, EncodedJSValue thisValue, PropertyName))
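Review bot: `domJITGetterCustomGetter` is referenced in the new second block at the `DOMAttributeGetterSetter::create` call but is defined only after `finishCreation` (the `JSC_DEFINE_CUSTOM_GETTER` context line at the end of the hunk); unless a `JSC_DECLARE_CUSTOM_GETTER` forward declaration already exists above this hunk, this will not compile. A one-line comment is also warranted that `customGetter2` deliberately passes `nullptr` for the `DOMJIT::GetterSetter`, so that compiled code must call the custom getter itself rather than a DOMJIT snippet, which is exactly the path this patch changes.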