Baseline JIT should do caging
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Aug 2017 23:30:15 +0000 (23:30 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Aug 2017 23:30:15 +0000 (23:30 +0000)
https://bugs.webkit.org/show_bug.cgi?id=175037

Reviewed by Mark Lam.
Source/bmalloc:

This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
and WebProcess.

This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
checks on each typed array access.

* bmalloc/Gigacage.cpp:
(Gigacage::primitiveGigacageDisabled):
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
* bmalloc/Gigacage.h:
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

Source/JavaScriptCore:

Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

Also modifies FTL caging to be more defensive when caging is disabled.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::caged):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cage):
(JSC::AssemblyHelpers::cageConditionally):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jsc.cpp:
(jscmain):
(primitiveGigacageDisabled): Deleted.

Source/WebKit:

Use a better API to disable disabling the primitive gigacage.

* WebProcess/WebProcess.cpp:
(WebKit::m_webSQLiteDatabaseTracker):
(WebKit::primitiveGigacageDisabled): Deleted.

Source/WTF:

* wtf/Gigacage.h:
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220368 268f45cc-cd09-0410-ab3c-d52691b4dbfc

14 files changed:
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/AccessCase.cpp
Source/JavaScriptCore/bytecode/InlineAccess.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/AssemblyHelpers.h
Source/JavaScriptCore/jit/JITPropertyAccess.cpp
Source/JavaScriptCore/jsc.cpp
Source/WTF/ChangeLog
Source/WTF/wtf/Gigacage.h
Source/WebKit/ChangeLog
Source/WebKit/WebProcess/WebProcess.cpp
Source/bmalloc/ChangeLog
Source/bmalloc/bmalloc/Gigacage.cpp
Source/bmalloc/bmalloc/Gigacage.h

index 1f01970..9e8e466 100644 (file)
@@ -1,3 +1,35 @@
+2017-08-07  Filip Pizlo  <fpizlo@apple.com>
+
+        Baseline JIT should do caging
+        https://bugs.webkit.org/show_bug.cgi?id=175037
+
+        Reviewed by Mark Lam.
+        
+        Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
+        
+        Also modifies FTL caging to be more defensive when caging is disabled.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::caged):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::cage):
+        (JSC::AssemblyHelpers::cageConditionally):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitDoubleLoad):
+        (JSC::JIT::emitContiguousLoad):
+        (JSC::JIT::emitArrayStorageLoad):
+        (JSC::JIT::emitGenericContiguousPutByVal):
+        (JSC::JIT::emitArrayStoragePutByVal):
+        (JSC::JIT::emit_op_get_from_scope):
+        (JSC::JIT::emit_op_put_to_scope):
+        (JSC::JIT::emitIntTypedArrayGetByVal):
+        (JSC::JIT::emitFloatTypedArrayGetByVal):
+        (JSC::JIT::emitIntTypedArrayPutByVal):
+        (JSC::JIT::emitFloatTypedArrayPutByVal):
+        * jsc.cpp:
+        (jscmain):
+        (primitiveGigacageDisabled): Deleted.
+
 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
 
         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
index 675f09d..2807410 100644 (file)
@@ -527,6 +527,8 @@ void AccessCase::generateImpl(AccessGenerationState& state)
                 jit.loadPtr(
                     CCallHelpers::Address(baseForAccessGPR, JSObject::butterflyOffset()),
                     loadedValueGPR);
+                // FIXME: Do caging!
+                // https://bugs.webkit.org/show_bug.cgi?id=175295
                 storageGPR = loadedValueGPR;
             }
 
@@ -877,6 +879,8 @@ void AccessCase::generateImpl(AccessGenerationState& state)
                     // already had out-of-line property storage).
 
                     jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR3);
+                    // FIXME: Do caging!
+                    // https://bugs.webkit.org/show_bug.cgi?id=175295
 
                     // We have scratchGPR = new storage, scratchGPR3 = old storage,
                     // scratchGPR2 = available
@@ -955,8 +959,11 @@ void AccessCase::generateImpl(AccessGenerationState& state)
                     JSObject::offsetOfInlineStorage() +
                     offsetInInlineStorage(m_offset) * sizeof(JSValue)));
         } else {
-            if (!allocating)
+            if (!allocating) {
                 jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
+                // FIXME: Do caging!
+                // https://bugs.webkit.org/show_bug.cgi?id=175295
+            }
             jit.storeValue(
                 valueRegs,
                 CCallHelpers::Address(scratchGPR, offsetInButterfly(m_offset) * sizeof(JSValue)));
@@ -992,6 +999,8 @@ void AccessCase::generateImpl(AccessGenerationState& state)
         
     case ArrayLength: {
         jit.loadPtr(CCallHelpers::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
         jit.load32(CCallHelpers::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
         state.failAndIgnore.append(
             jit.branch32(CCallHelpers::LessThan, scratchGPR, CCallHelpers::TrustedImm32(0)));
index eb368d8..6b6a7db 100644 (file)
@@ -57,6 +57,8 @@ void InlineAccess::dumpCacheSizesAndCrash()
         jit.patchableBranch32(
             CCallHelpers::NotEqual, value, CCallHelpers::TrustedImm32(IsArray | ContiguousShape));
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value);
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
         jit.load32(CCallHelpers::Address(value, ArrayStorage::lengthOffset()), value);
         jit.boxInt32(scratchGPR, regs);
 
@@ -73,6 +75,8 @@ void InlineAccess::dumpCacheSizesAndCrash()
         jit.loadPtr(
             CCallHelpers::Address(base, JSObject::butterflyOffset()),
             value);
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
         GPRReg storageGPR = value;
         jit.loadValue(
             CCallHelpers::Address(storageGPR, 0x000ab21ca), regs);
@@ -116,6 +120,8 @@ void InlineAccess::dumpCacheSizesAndCrash()
             MacroAssembler::TrustedImm32(0x000ab21ca));
 
         jit.loadPtr(MacroAssembler::Address(base, JSObject::butterflyOffset()), value);
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
         jit.storeValue(
             regs,
             MacroAssembler::Address(base, 120342));
@@ -170,6 +176,8 @@ bool InlineAccess::generateSelfPropertyAccess(StructureStubInfo& stubInfo, Struc
         storage = base;
     else {
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
         storage = value.payloadGPR();
     }
     
@@ -231,6 +239,8 @@ bool InlineAccess::generateSelfPropertyReplace(StructureStubInfo& stubInfo, Stru
         storage = getScratchRegister(stubInfo);
         ASSERT(storage != InvalidGPRReg);
         jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), storage);
+        // FIXME: Do caging!
+        // https://bugs.webkit.org/show_bug.cgi?id=175295
     }
 
     jit.storeValue(
@@ -269,6 +279,8 @@ bool InlineAccess::generateArrayLength(StructureStubInfo& stubInfo, JSArray* arr
     auto branchToSlowPath = jit.patchableBranch32(
         CCallHelpers::NotEqual, scratch, CCallHelpers::TrustedImm32(array->indexingType()));
     jit.loadPtr(CCallHelpers::Address(base, JSObject::butterflyOffset()), value.payloadGPR());
+    // FIXME: Do caging!
+    // https://bugs.webkit.org/show_bug.cgi?id=175295
     jit.load32(CCallHelpers::Address(value.payloadGPR(), ArrayStorage::lengthOffset()), value.payloadGPR());
     jit.boxInt32(value.payloadGPR(), value);
 
index 142eb5b..7023dbc 100644 (file)
@@ -11616,7 +11616,10 @@ private:
     
     LValue caged(Gigacage::Kind kind, LValue ptr)
     {
-        if (kind == Gigacage::Primitive) {
+        if (!Gigacage::shouldBeEnabled())
+            return ptr;
+        
+        if (kind == Gigacage::Primitive && Gigacage::canPrimitiveGigacageBeDisabled()) {
             if (vm().primitiveGigacageEnabled().isStillValid())
                 m_graph.watchpoints().addLazily(vm().primitiveGigacageEnabled());
             else
index 71facd2..56609f6 100644 (file)
@@ -1311,6 +1311,41 @@ public:
         ok.link(this);
     }
     
+    void cage(Gigacage::Kind kind, GPRReg storage)
+    {
+#if GIGACAGE_ENABLED
+        if (!Gigacage::shouldBeEnabled())
+            return;
+        
+        andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
+        addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
+#else
+        UNUSED_PARAM(kind);
+        UNUSED_PARAM(storage);
+#endif
+    }
+    
+    void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratch)
+    {
+#if GIGACAGE_ENABLED
+        if (!Gigacage::shouldBeEnabled())
+            return;
+        
+        if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled())
+            return cage(kind, storage);
+        
+        loadPtr(Gigacage::basePtr(kind), scratch);
+        Jump done = branchTestPtr(Zero, scratch);
+        andPtr(TrustedImmPtr(static_cast<size_t>(GIGACAGE_MASK)), storage);
+        addPtr(scratch, storage);
+        done.link(this);
+#else
+        UNUSED_PARAM(kind);
+        UNUSED_PARAM(storage);
+        UNUSED_PARAM(scratch);
+#endif
+    }
+    
     void storeButterfly(VM& vm, GPRReg butterfly, GPRReg object)
     {
         if (isX86()) {
index 34206ce..8228475 100644 (file)
@@ -172,9 +172,8 @@ JIT::JumpList JIT::emitDoubleLoad(Instruction*, PatchableJump& badType)
     JumpList slowCases;
     
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
     loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
     slowCases.append(branchDouble(DoubleNotEqualOrUnordered, fpRegT0, fpRegT0));
@@ -187,9 +186,8 @@ JIT::JumpList JIT::emitContiguousLoad(Instruction*, PatchableJump& badType, Inde
     JumpList slowCases;
     
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
     load64(BaseIndex(regT2, regT1, TimesEight), regT0);
     slowCases.append(branchTest64(Zero, regT0));
@@ -204,9 +202,8 @@ JIT::JumpList JIT::emitArrayStorageLoad(Instruction*, PatchableJump& badType)
     add32(TrustedImm32(-ArrayStorageShape), regT2, regT3);
     badType = patchableBranch32(Above, regT3, TrustedImm32(SlowPutArrayStorageShape - ArrayStorageShape));
 
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
     load64(BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()), regT0);
@@ -353,9 +350,8 @@ JIT::JumpList JIT::emitGenericContiguousPutByVal(Instruction* currentInstruction
 
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
     
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     Jump outOfBounds = branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength()));
 
     Label storeResult = label();
@@ -410,9 +406,8 @@ JIT::JumpList JIT::emitArrayStoragePutByVal(Instruction* currentInstruction, Pat
     JumpList slowCases;
     
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
+    cage(Gigacage::JSValue, regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
     Jump empty = branchTest64(Zero, BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()));
@@ -923,9 +918,8 @@ void JIT::emit_op_get_from_scope(Instruction* currentInstruction)
                 abortWithReason(JITOffsetIsNotOutOfLine);
                 isOutOfLine.link(this);
             }
-            // FIXME: Should do caging.
-            // https://bugs.webkit.org/show_bug.cgi?id=175037
             loadPtr(Address(base, JSObject::butterflyOffset()), scratch);
+            cage(Gigacage::JSValue, scratch);
             neg32(offset);
             signExtend32ToPtr(offset, offset);
             load64(BaseIndex(scratch, offset, TimesEight, (firstOutOfLineOffset - 2) * sizeof(EncodedJSValue)), result);
@@ -1066,9 +1060,8 @@ void JIT::emit_op_put_to_scope(Instruction* currentInstruction)
             emitLoadWithStructureCheck(scope, structureSlot); // Structure check covers var injection.
             emitGetVirtualRegister(value, regT2);
             
-            // FIXME: Should do caging.
-            // https://bugs.webkit.org/show_bug.cgi?id=175037
             loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0);
+            cage(Gigacage::JSValue, regT0);
             loadPtr(operandSlot, regT1);
             negPtr(regT1);
             storePtr(regT2, BaseIndex(regT0, regT1, TimesEight, (firstOutOfLineOffset - 2) * sizeof(EncodedJSValue)));
@@ -1576,12 +1569,14 @@ JIT::JumpList JIT::emitIntTypedArrayGetByVal(Instruction*, PatchableJump& badTyp
     RegisterID property = regT1;
     RegisterID resultPayload = regT0;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #else
     RegisterID base = regT0;
     RegisterID property = regT2;
     RegisterID resultPayload = regT0;
     RegisterID resultTag = regT1;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #endif
     
     JumpList slowCases;
@@ -1589,9 +1584,8 @@ JIT::JumpList JIT::emitIntTypedArrayGetByVal(Instruction*, PatchableJump& badTyp
     load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
+    cageConditionally(Gigacage::Primitive, scratch, scratch2);
     
     switch (elementSize(type)) {
     case 1:
@@ -1649,12 +1643,14 @@ JIT::JumpList JIT::emitFloatTypedArrayGetByVal(Instruction*, PatchableJump& badT
     RegisterID property = regT1;
     RegisterID resultPayload = regT0;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #else
     RegisterID base = regT0;
     RegisterID property = regT2;
     RegisterID resultPayload = regT0;
     RegisterID resultTag = regT1;
     RegisterID scratch = regT3;
+    RegisterID scratch2 = regT4;
 #endif
     
     JumpList slowCases;
@@ -1662,9 +1658,8 @@ JIT::JumpList JIT::emitFloatTypedArrayGetByVal(Instruction*, PatchableJump& badT
     load8(Address(base, JSCell::typeInfoTypeOffset()), scratch);
     badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type)));
     slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
+    cageConditionally(Gigacage::Primitive, scratch, scratch2);
     
     switch (elementSize(type)) {
     case 4:
@@ -1705,11 +1700,13 @@ JIT::JumpList JIT::emitIntTypedArrayPutByVal(Instruction* currentInstruction, Pa
     RegisterID property = regT1;
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT2;
+    RegisterID lateScratch2 = regT4;
 #else
     RegisterID base = regT0;
     RegisterID property = regT2;
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT1;
+    RegisterID lateScratch2 = regT4;
 #endif
     
     JumpList slowCases;
@@ -1731,9 +1728,8 @@ JIT::JumpList JIT::emitIntTypedArrayPutByVal(Instruction* currentInstruction, Pa
     
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
+    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
     
     if (isClamped(type)) {
         ASSERT(elementSize(type) == 1);
@@ -1777,11 +1773,13 @@ JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Instruction* currentInstruction,
     RegisterID property = regT1;
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT2;
+    RegisterID lateScratch2 = regT4;
 #else
     RegisterID base = regT0;
     RegisterID property = regT2;
     RegisterID earlyScratch = regT3;
     RegisterID lateScratch = regT1;
+    RegisterID lateScratch2 = regT4;
 #endif
     
     JumpList slowCases;
@@ -1816,9 +1814,8 @@ JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Instruction* currentInstruction,
     
     // We would be loading this into base as in get_by_val, except that the slow
     // path expects the base to be unclobbered.
-    // FIXME: Should do caging.
-    // https://bugs.webkit.org/show_bug.cgi?id=175037
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
+    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
     
     switch (elementSize(type)) {
     case 4:
index 34f09c4..52f1dc6 100644 (file)
@@ -3802,12 +3802,6 @@ int runJSC(CommandLine options, bool isWorker, const Func& func)
     return result;
 }
 
-static void primitiveGigacageDisabled(void*)
-{
-    dataLog("Primitive gigacage disabled! Aborting.\n");
-    UNREACHABLE_FOR_PLATFORM();
-}
-
 int jscmain(int argc, char** argv)
 {
     // Need to override and enable restricted options before we start parsing options below.
@@ -3826,8 +3820,7 @@ int jscmain(int argc, char** argv)
 #if ENABLE(WEBASSEMBLY)
     JSC::Wasm::enableFastMemory();
 #endif
-    if (Gigacage::shouldBeEnabled())
-        Gigacage::addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
+    Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled();
 
     int result;
     result = runJSC(
index 18366f3..3287e79 100644 (file)
@@ -1,5 +1,18 @@
 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
 
+        Baseline JIT should do caging
+        https://bugs.webkit.org/show_bug.cgi?id=175037
+
+        Reviewed by Mark Lam.
+
+        * wtf/Gigacage.h:
+        (Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
+        (Gigacage::isDisablingPrimitiveGigacageDisabled):
+        (Gigacage::isPrimitiveGigacagePermanentlyEnabled):
+        (Gigacage::canPrimitiveGigacageBeDisabled):
+
+2017-08-07  Filip Pizlo  <fpizlo@apple.com>
+
         Unreviewed, try to fix Windows build.
 
         * wtf/Gigacage.cpp:
index 8d29db1..3a542aa 100644 (file)
@@ -49,6 +49,12 @@ inline bool shouldBeEnabled() { return false; }
 inline void addPrimitiveDisableCallback(void (*)(void*), void*) { }
 inline void removePrimitiveDisableCallback(void (*)(void*), void*) { }
 
+inline void disableDisablingPrimitiveGigacageIfShouldBeEnabled() { }
+
+inline bool isDisablingPrimitiveGigacageDisabled() { return false; }
+inline bool isPrimitiveGigacagePermanentlyEnabled() { return false; }
+inline bool canPrimitiveGigacageBeDisabled() { return true; }
+
 ALWAYS_INLINE const char* name(Kind kind)
 {
     switch (kind) {
index fd15088..983b94d 100644 (file)
@@ -1,3 +1,16 @@
+2017-08-07  Filip Pizlo  <fpizlo@apple.com>
+
+        Baseline JIT should do caging
+        https://bugs.webkit.org/show_bug.cgi?id=175037
+
+        Reviewed by Mark Lam.
+        
+        Use a better API to disable disabling the primitive gigacage.
+
+        * WebProcess/WebProcess.cpp:
+        (WebKit::m_webSQLiteDatabaseTracker):
+        (WebKit::primitiveGigacageDisabled): Deleted.
+
 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
 
         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
index 18031a1..869d829 100644 (file)
@@ -146,11 +146,6 @@ static const Seconds nonVisibleProcessCleanupDelay { 10_s };
 
 namespace WebKit {
 
-static void primitiveGigacageDisabled(void*)
-{
-    UNREACHABLE_FOR_PLATFORM();
-}
-
 WebProcess& WebProcess::singleton()
 {
     static WebProcess& process = *new WebProcess;
@@ -202,8 +197,7 @@ WebProcess::WebProcess()
         parentProcessConnection()->send(Messages::WebResourceLoadStatisticsStore::ResourceLoadStatisticsUpdated(WTFMove(statistics)), 0);
     });
 
-    if (Gigacage::shouldBeEnabled())
-        Gigacage::addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
+    Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled();
 }
 
 WebProcess::~WebProcess()
index 5feac56..2f84a3b 100644 (file)
@@ -1,3 +1,24 @@
+2017-08-07  Filip Pizlo  <fpizlo@apple.com>
+
+        Baseline JIT should do caging
+        https://bugs.webkit.org/show_bug.cgi?id=175037
+
+        Reviewed by Mark Lam.
+        
+        This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
+        and WebProcess.
+        
+        This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
+        checks on each typed array access.
+
+        * bmalloc/Gigacage.cpp:
+        (Gigacage::primitiveGigacageDisabled):
+        (Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
+        (Gigacage::isDisablingPrimitiveGigacageDisabled):
+        * bmalloc/Gigacage.h:
+        (Gigacage::isPrimitiveGigacagePermanentlyEnabled):
+        (Gigacage::canPrimitiveGigacageBeDisabled):
+
 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
 
         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
index 0e48fe9..22c408a 100644 (file)
@@ -41,6 +41,8 @@ using namespace bmalloc;
 
 namespace Gigacage {
 
+static bool s_isDisablingPrimitiveGigacageDisabled;
+
 struct Callback {
     Callback() { }
     
@@ -131,6 +133,28 @@ void removePrimitiveDisableCallback(void (*function)(void*), void* argument)
     }
 }
 
+static bool False;
+
+static void primitiveGigacageDisabled(void*)
+{
+    fprintf(stderr, "FATAL: Primitive gigacage disabled, but we don't want that in this process\n");
+    if (!False)
+        BCRASH();
+}
+
+void disableDisablingPrimitiveGigacageIfShouldBeEnabled()
+{
+    if (shouldBeEnabled()) {
+        addPrimitiveDisableCallback(primitiveGigacageDisabled, nullptr);
+        s_isDisablingPrimitiveGigacageDisabled = true;
+    }
+}
+
+bool isDisablingPrimitiveGigacageDisabled()
+{
+    return s_isDisablingPrimitiveGigacageDisabled;
+}
+
 bool shouldBeEnabled()
 {
     return GIGACAGE_ENABLED && !PerProcess<Environment>::get()->isDebugHeapEnabled();
index b1cbf5a..340186d 100644 (file)
@@ -63,6 +63,12 @@ BEXPORT void disablePrimitiveGigacage();
 BEXPORT void addPrimitiveDisableCallback(void (*)(void*), void*);
 BEXPORT void removePrimitiveDisableCallback(void (*)(void*), void*);
 
+BEXPORT void disableDisablingPrimitiveGigacageIfShouldBeEnabled();
+
+BEXPORT bool isDisablingPrimitiveGigacageDisabled();
+inline bool isPrimitiveGigacagePermanentlyEnabled() { return isDisablingPrimitiveGigacageDisabled(); }
+inline bool canPrimitiveGigacageBeDisabled() { return !isDisablingPrimitiveGigacageDisabled(); }
+
 BINLINE const char* name(Kind kind)
 {
     switch (kind) {