Title: [293657] trunk/Source/_javascript_Core
- Revision
- 293657
- Author
- ysuz...@apple.com
- Date
- 2022-05-01 18:17:02 -0700 (Sun, 01 May 2022)
Log Message
[JSC] Revive JSC's guard against speculation collection
https://bugs.webkit.org/show_bug.cgi?id=239939
Reviewed by Mark Lam.
r288815 dropped JSC's guard against structures in speculation collection, but this is wrong.
This patch restores it.
* Source/_javascript_Core/bytecode/SpeculatedType.cpp:
(JSC::speculationFromCell):
* Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp:
(JSC::StructureMemoryManager::StructureMemoryManager):
(JSC::StructureMemoryManager::tryMallocStructureBlock):
(JSC::StructureMemoryManager::freeStructureBlock):
(JSC::StructureAlignedMemoryAllocator::initializeStructureAddressSpace):
* Source/_javascript_Core/runtime/JSCConfig.h:
* Source/_javascript_Core/runtime/StructureID.h:
(JSC::StructureID::tryDecode const):
Canonical link: https://commits.webkit.org/250161@main
Modified: trunk/Source/_javascript_Core/ChangeLog (293656 => 293657)
--- trunk/Source/_javascript_Core/ChangeLog 2022-05-02 00:17:50 UTC (rev 293656)
+++ trunk/Source/_javascript_Core/ChangeLog 2022-05-02 01:17:02 UTC (rev 293657)
@@ -1,3 +1,24 @@
+2022-05-01 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] Revive JSC's guard against speculation collection
+ https://bugs.webkit.org/show_bug.cgi?id=239939
+
+ Reviewed by Mark Lam.
+
+ r288815 dropped JSC's guard against structures in speculation collection, but this is wrong.
+ This patch reverts it back.
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::speculationFromCell):
+ * heap/StructureAlignedMemoryAllocator.cpp:
+ (JSC::StructureMemoryManager::StructureMemoryManager):
+ (JSC::StructureMemoryManager::tryMallocStructureBlock):
+ (JSC::StructureMemoryManager::freeStructureBlock):
+ (JSC::StructureAlignedMemoryAllocator::initializeStructureAddressSpace):
+ * runtime/JSCConfig.h:
+ * runtime/StructureID.h:
+ (JSC::StructureID::tryDecode const):
+
2022-05-01 Zan Dobersek <zdober...@igalia.com>
[RISCV64] Implement MacroAssembler::probe(), ctiMasmProbeTrampoline
Modified: trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp (293656 => 293657)
--- trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp 2022-05-02 00:17:50 UTC (rev 293656)
+++ trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp 2022-05-02 01:17:02 UTC (rev 293657)
@@ -596,7 +596,13 @@
}
return SpecString;
}
- return speculationFromStructure(cell->structure());
+ // FIXME: rdar://69036888: undo this when no longer needed.
+ auto* structure = cell->structureID().tryDecode();
+ if (UNLIKELY(!isSanePointer(structure))) {
+ ASSERT_NOT_REACHED();
+ return SpecNone;
+ }
+ return speculationFromStructure(structure);
}
SpeculatedType speculationFromValue(JSValue value)
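Review bot: The guard `if (UNLIKELY(!isSanePointer(structure)))` relies on isSanePointer() rejecting the nullptr that tryDecode() returns for an out-of-range StructureID; that contract is not visible in this hunk, and spelling the null case out keeps the check correct regardless of it: `if (UNLIKELY(!structure || !isSanePointer(structure)))`. The FIXME names only an rdar, which says nothing to a reader without access to it; a companion line such as `// Guard against invalid StructureIDs observed during speculation collection (bug 239939); decode() is unchecked.` records why decode() is deliberately avoided here. speculationFromCell's signature and the start of its body lie outside the hunk.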
Modified: trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp (293656 => 293657)
--- trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp 2022-05-02 00:17:50 UTC (rev 293656)
+++ trunk/Source/_javascript_Core/heap/StructureAlignedMemoryAllocator.cpp 2022-05-02 01:17:02 UTC (rev 293657)
@@ -75,14 +75,14 @@
// Don't use the first page because zero is used as the empty StructureID and the first allocation will conflict.
m_usedBlocks.set(0);
- m_mappedHeapSize = structureHeapAddressSize;
+ uintptr_t mappedHeapSize = structureHeapAddressSize;
for (unsigned i = 0; i < 8; ++i) {
- g_jscConfig.startOfStructureHeap = reinterpret_cast<uintptr_t>(OSAllocator::tryReserveUncommittedAligned(m_mappedHeapSize, structureHeapAddressSize, OSAllocator::FastMallocPages));
+ g_jscConfig.startOfStructureHeap = reinterpret_cast<uintptr_t>(OSAllocator::tryReserveUncommittedAligned(mappedHeapSize, structureHeapAddressSize, OSAllocator::FastMallocPages));
if (g_jscConfig.startOfStructureHeap)
break;
- m_mappedHeapSize /= 2;
+ mappedHeapSize /= 2;
}
-
+ g_jscConfig.sizeOfStructureHeap = mappedHeapSize;
RELEASE_ASSERT(g_jscConfig.startOfStructureHeap && ((g_jscConfig.startOfStructureHeap & ~structureIDMask) == g_jscConfig.startOfStructureHeap));
}
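Review bot: The new assignment `g_jscConfig.sizeOfStructureHeap = mappedHeapSize;` is the only place the bound that StructureID::tryDecode() checks against is established, yet nothing at the assignment says so; a comment such as `// Publish the size actually reserved: StructureID::tryDecode() rejects offsets at or beyond it.` ties the two together for the next maintainer. Note that when all eight attempts fail the published value is the size halved once more than was last tried, because `mappedHeapSize /= 2` runs after the final failed attempt; the RELEASE_ASSERT on the next line aborts in that case, so no reader observes it, but a comment there avoids the question. Dropping the blank line between the loop and the assignment also crowds the assignment against the RELEASE_ASSERT; keeping it reads better. The constructor's opening lines are outside the hunk.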
@@ -94,8 +94,8 @@
constexpr size_t startIndex = 0;
freeIndex = m_usedBlocks.findBit(startIndex, 0);
ASSERT(freeIndex <= m_usedBlocks.bitCount());
- RELEASE_ASSERT(m_mappedHeapSize <= structureHeapAddressSize);
- if (freeIndex * MarkedBlock::blockSize >= m_mappedHeapSize)
+ RELEASE_ASSERT(g_jscConfig.sizeOfStructureHeap <= structureHeapAddressSize);
+ if (freeIndex * MarkedBlock::blockSize >= g_jscConfig.sizeOfStructureHeap)
return nullptr;
// If we can't find a free block then `freeIndex == m_usedBlocks.bitCount()` and this set will grow the bit vector.
m_usedBlocks.set(freeIndex);
@@ -110,7 +110,7 @@
{
decommitBlock(blockPtr);
uintptr_t block = reinterpret_cast<uintptr_t>(blockPtr);
- RELEASE_ASSERT(g_jscConfig.startOfStructureHeap <= block && block < g_jscConfig.startOfStructureHeap + m_mappedHeapSize);
+ RELEASE_ASSERT(g_jscConfig.startOfStructureHeap <= block && block < g_jscConfig.startOfStructureHeap + g_jscConfig.sizeOfStructureHeap);
RELEASE_ASSERT(roundUpToMultipleOf<MarkedBlock::blockSize>(block) == block);
Locker locker(m_lock);
@@ -140,7 +140,6 @@
private:
Lock m_lock;
- size_t m_mappedHeapSize;
BitVector m_usedBlocks;
};
@@ -179,6 +178,7 @@
void StructureAlignedMemoryAllocator::initializeStructureAddressSpace()
{
g_jscConfig.startOfStructureHeap = 0;
+ g_jscConfig.sizeOfStructureHeap = UINTPTR_MAX;
}
void* StructureAlignedMemoryAllocator::tryMallocBlock()
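Review bot: `g_jscConfig.sizeOfStructureHeap = UINTPTR_MAX;` is an unexplained sentinel; together with `startOfStructureHeap = 0` it means StructureID::tryDecode() applies only its lower bound until StructureMemoryManager's constructor publishes the real size, and tryMallocStructureBlock's `RELEASE_ASSERT(g_jscConfig.sizeOfStructureHeap <= structureHeapAddressSize)` would fire if it were reached in that state (assuming structureHeapAddressSize is below UINTPTR_MAX). A comment stating the intent would help: `// Placeholder until StructureMemoryManager reserves the heap and records the real size; tryDecode() has no usable upper bound before then.`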
Modified: trunk/Source/_javascript_Core/runtime/JSCConfig.h (293656 => 293657)
--- trunk/Source/_javascript_Core/runtime/JSCConfig.h 2022-05-02 00:17:50 UTC (rev 293656)
+++ trunk/Source/_javascript_Core/runtime/JSCConfig.h 2022-05-02 01:17:02 UTC (rev 293657)
@@ -91,6 +91,7 @@
void* endExecutableMemory;
uintptr_t startOfFixedWritableMemoryPool;
uintptr_t startOfStructureHeap;
+ uintptr_t sizeOfStructureHeap;
#if ENABLE(SEPARATED_WX_HEAP)
JITWriteSeparateHeapsFunction jitWriteSeparateHeaps;
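Review bot: The new `sizeOfStructureHeap` field has no comment, unlike its role would suggest: it is the upper bound StructureID::tryDecode() checks decoded offsets against and the bound freeStructureBlock() asserts on. A trailing note makes the contract visible where the field is declared: `uintptr_t sizeOfStructureHeap; // bytes reserved for the structure heap; UINTPTR_MAX until StructureMemoryManager sets it`.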
Modified: trunk/Source/_javascript_Core/runtime/StructureID.h (293656 => 293657)
--- trunk/Source/_javascript_Core/runtime/StructureID.h 2022-05-02 00:17:50 UTC (rev 293656)
+++ trunk/Source/_javascript_Core/runtime/StructureID.h 2022-05-02 01:17:02 UTC (rev 293657)
@@ -26,6 +26,7 @@
#pragma once
#include "JSCConfig.h"
+#include "MarkedBlock.h"
#include <wtf/HashTraits.h>
#include <wtf/StdIntExtras.h>
@@ -48,6 +49,7 @@
StructureID decontaminate() const { return StructureID(m_bits & ~nukedStructureIDBit); }
inline Structure* decode() const;
+ inline Structure* tryDecode() const;
static StructureID encode(const Structure*);
explicit operator bool() const { return !!m_bits; }
@@ -74,6 +76,15 @@
return reinterpret_cast<Structure*>((static_cast<uintptr_t>(decontaminate().m_bits) & structureIDMask) + g_jscConfig.startOfStructureHeap);
}
+ALWAYS_INLINE Structure* StructureID::tryDecode() const
+{
+ // Take care to only use the bits from m_bits in the structure's address reservation.
+ uintptr_t offset = static_cast<uintptr_t>(decontaminate().m_bits);
+ if (offset < MarkedBlock::blockSize || offset >= g_jscConfig.sizeOfStructureHeap)
+ return nullptr;
+ return reinterpret_cast<Structure*>((offset & structureIDMask) + g_jscConfig.startOfStructureHeap);
+}
+
ALWAYS_INLINE StructureID StructureID::encode(const Structure* structure)
{
ASSERT(structure);
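Review bot: The comment inside the new tryDecode() says what to be careful about but not what the function promises, so callers cannot tell how much trust a non-null result deserves. A header comment should state the contract: nullptr is returned when the decontaminated bits fall below MarkedBlock::blockSize (block 0 is never handed out; StructureMemoryManager marks it used) or at or above g_jscConfig.sizeOfStructureHeap, and a non-null result is only known to point inside the reserved address range, not into a committed or live block, so callers still need their own sanity check, as speculationFromCell does with isSanePointer(). Since the range check is applied to the full decontaminated value before `& structureIDMask`, it is at least as strict as a check on the masked value, which is worth a one-line remark so nobody "fixes" the order. The hunk ends inside encode(), whose body continues outside it.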
@@ -91,6 +102,11 @@
return reinterpret_cast<Structure*>(m_bits);
}
+ALWAYS_INLINE Structure* StructureID::tryDecode() const
+{
+ return reinterpret_cast<Structure*>(m_bits);
+}
+
ALWAYS_INLINE StructureID StructureID::encode(const Structure* structure)
{
ASSERT(structure);
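Review bot: This second `StructureID::tryDecode()` performs no validation at all and is byte-for-byte the body of decode() above it, so on this configuration (presumably the other branch of a configuration `#if` that lies outside the hunk) callers gain nothing from calling tryDecode() instead of decode(). That deserves a comment so the asymmetry with the bounds-checked overload is deliberate rather than surprising: `// No structure-heap reservation in this configuration, so there is nothing to bounds-check; equivalent to decode(), and callers must validate the result themselves.` The hunk ends inside encode(), whose body continues outside it.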