ICs should do caging
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 9 Aug 2017 03:48:44 +0000 (03:48 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 9 Aug 2017 03:48:44 +0000 (03:48 +0000)
https://bugs.webkit.org/show_bug.cgi?id=175295

Reviewed by Saam Barati.

Adds the appropriate cage() calls in our inline caches.

* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220441 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/AccessCase.cpp
Source/JavaScriptCore/bytecode/InlineAccess.cpp

index 8fd51fc..f8c9a85 100644 (file)
@@ -1,3 +1,20 @@
+2017-08-08  Filip Pizlo  <fpizlo@apple.com>
+
+        ICs should do caging
+        https://bugs.webkit.org/show_bug.cgi?id=175295
+
+        Reviewed by Saam Barati.
+        
+        Adds the appropriate cage() calls in our inline caches.
+
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateImpl):
+        * bytecode/InlineAccess.cpp:
+        (JSC::InlineAccess::dumpCacheSizesAndCrash):
+        (JSC::InlineAccess::generateSelfPropertyAccess):
+        (JSC::InlineAccess::generateSelfPropertyReplace):
+        (JSC::InlineAccess::generateArrayLength):
+
 2017-08-08  Devin Rousso  <drousso@apple.com>
 
         Web Inspector: Canvas: support editing WebGL shaders
index 2807410..35ffbf1 100644 (file)
@@ -527,8 +527,7 @@ void AccessCase::generateImpl(AccessGenerationState& state)
                 jit.loadPtr(
                     CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
                     loadedValueGPR);
-                // FIXME: Do caging!
-                // https://bugs.webkit.org/show_bug.cgi?id=175295
+                jit.cage(Gigacage::JSValue, loadedValueGPR);
                 storageGPR = loadedValueGPR;
             }
 
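Review bot: The new `jit.cage(Gigacage::JSValue, loadedValueGPR);` after the butterfly load carries no explanation now that the FIXME is gone, and the same hand-written load-then-cage pair is repeated in the three later hunks of this file and in the generateSelfPropertyAccess, generateSelfPropertyReplace and generateArrayLength hunks of InlineAccess.cpp. Since a forgotten cage() is exactly the gap the removed FIXMEs marked, a single helper that loads the butterfly and cages it in one call (illustratively `jit.loadCagedButterfly(baseForAccessGPR, loadedValueGPR);`, name constructed) would make the invariant hard to skip at future call sites. At minimum a one-line comment at this first site, `// Cage the butterfly pointer before anything is loaded through it, so a corrupted pointer cannot address memory outside the JSValue Gigacage.`, would record why the mask is applied. As far as the visible lines show, the ordering is right in every hunk: the cage() precedes each dereference of the loaded register. generateImpl begins and ends outside the hunk.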
@@ -879,8 +878,7 @@ void AccessCase::generateImpl(AccessGenerationState& state)
                     // already had out-of-line property storage).
 
                     jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
-                    // FIXME: Do caging!
-                    // https://bugs.webkit.org/show_bug.cgi?id=175295
+                    jit.cage(Gigacage::JSValue, scratchGPR3);
 
                     // We have scratchGPR = new storage, scratchGPR3 = old storage,
                     // scratchGPR2 = available
@@ -961,8 +959,7 @@ void AccessCase::generateImpl(AccessGenerationState& state)
         } else {
             if (!allocating) {
                 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
-                // FIXME: Do caging!
-                // https://bugs.webkit.org/show_bug.cgi?id=175295
+                jit.cage(Gigacage::JSValue, scratchGPR);
             }
             jit.storeValue(
                 valueRegs,
@@ -999,8 +996,7 @@ void AccessCase::generateImpl(AccessGenerationState& state)
         
     case ArrayLength: {
         jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, scratchGPR);
         jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
         state.failAndIgnore.append(
             jit.branch32(CCallHelpers::LessThan, scratchGPR, CCallHelpers::TrustedImm32(0)));
index 6b6a7db..8aee855 100644 (file)
@@ -57,8 +57,7 @@ void InlineAccess::dumpCacheSizesAndCrash()
         jit.patchableBranch32(
             CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value);
         jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
         jit.boxInt32(scratchGPR, regs);
 
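Review bot: dumpCacheSizesAndCrash now emits `jit.cage(Gigacage::JSValue, value);` inside each measured sequence (this hunk and the two that follow), so the byte counts it reports grow wherever cage() expands to real instructions, yet the commit's file list shows only the two .cpp files and the ChangeLog, so whatever fixed size limits the inline generators compare against do not appear to be updated here. If those constants live in a header outside this commit, they presumably need re-measuring per architecture; otherwise generateSelfPropertyAccess and friends would, assuming their bool return means "did not fit", fall back to the slow path more often — a performance regression rather than a safety gap, but worth a follow-up. A comment next to the first cage() in this probe, `// cage() adds instructions; re-derive the inline-access size constants whenever this sequence changes.`, would make that dependency explicit. dumpCacheSizesAndCrash continues outside the hunk on both sides.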
@@ -75,8 +74,7 @@ void InlineAccess::dumpCacheSizesAndCrash()
         jit.loadPtr(
             CCallHelpers::Address(base, JSObject::butterflyOffset()),
             value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value);
         GPRReg storageGPR = value;
         jit.loadValue(
             CCallHelpers::Address(storageGPR, 0x000ab21ca), regs);
@@ -120,8 +118,7 @@ void InlineAccess::dumpCacheSizesAndCrash()
             MacroAssembler::TrustedImm32(0x000ab21ca));
 
         jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value);
         jit.storeValue(
             regs,
             MacroAssembler::Address(base, 120342));
@@ -176,8 +173,7 @@ bool InlineAccess::generateSelfPropertyAccess(StructureStubInfo& stubInfo, Struc
         storage = base;
     else {
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, value.payloadGPR());
         storage = value.payloadGPR();
     }
     
@@ -239,8 +235,7 @@ bool InlineAccess::generateSelfPropertyReplace(StructureStubInfo& stubInfo, Stru
         storage = getScratchRegister(stubInfo);
         ASSERT(storage != InvalidGPRReg);
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
-        // FIXME: Do caging!
-        // https://bugs.webkit.org/show_bug.cgi?id=175295
+        jit.cage(Gigacage::JSValue, storage);
     }
 
     jit.storeValue(
@@ -279,8 +274,7 @@ bool InlineAccess::generateArrayLength(StructureStubInfo& stubInfo, JSArray* arr
     auto branchToSlowPath = jit.patchableBranch32(
         CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
     jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
-    // FIXME: Do caging!
-    // https://bugs.webkit.org/show_bug.cgi?id=175295
+    jit.cage(Gigacage::JSValue, value.payloadGPR());
     jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
     jit.boxInt32(value.payloadGPR(), value);