ScopedArguments overflow storage needs to be in the JSValue gigacage
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 12 Aug 2017 18:40:07 +0000 (18:40 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 12 Aug 2017 18:40:07 +0000 (18:40 +0000)
https://bugs.webkit.org/show_bug.cgi?id=174923

Reviewed by Saam Barati.

ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
object into the JSValue gigacage.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitScopedArgumentsGetByVal):
* runtime/ScopedArguments.h:
(JSC::ScopedArguments::subspaceFor):
(JSC::ScopedArguments::overflowStorage const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220624 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/JITPropertyAccess.cpp
Source/JavaScriptCore/runtime/ScopedArguments.h

index a98f548..2e06fd8 100644 (file)
@@ -1,5 +1,25 @@
 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
 
+        ScopedArguments overflow storage needs to be in the JSValue gigacage
+        https://bugs.webkit.org/show_bug.cgi?id=174923
+
+        Reviewed by Saam Barati.
+        
+        ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
+        object into the JSValue gigacage.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitScopedArgumentsGetByVal):
+        * runtime/ScopedArguments.h:
+        (JSC::ScopedArguments::subspaceFor):
+        (JSC::ScopedArguments::overflowStorage const):
+
+2017-08-11  Filip Pizlo  <fpizlo@apple.com>
+
         JSLexicalEnvironment needs to be in the JSValue gigacage
         https://bugs.webkit.org/show_bug.cgi?id=174922
 
index 8e64c12..919e898 100644 (file)
@@ -6325,6 +6325,8 @@ void SpeculativeJIT::compileGetByValOnScopedArguments(Node* node)
     m_jit.sub32(propertyReg, scratch2Reg);
     m_jit.neg32(scratch2Reg);
     
+    m_jit.cage(Gigacage::JSValue, baseReg);
+    
     m_jit.loadValue(
         MacroAssembler::BaseIndex(
             baseReg, scratch2Reg, MacroAssembler::TimesEight,
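Review bot: The added `m_jit.cage(Gigacage::JSValue, baseReg);` rewrites baseReg in place, so from that line on baseReg holds the caged address rather than the original ScopedArguments pointer; if anything later in compileGetByValOnScopedArguments still uses baseReg as the object (a slow-path call, for example) it would now receive the caged value, which is worth confirming since the hunk ends mid-statement and the function continues outside it. The baseline JIT hunk in emitScopedArgumentsGetByVal does the same in-place `cage(Gigacage::JSValue, base);`, whereas the FTL lowering derives a separate value with `caged(Gigacage::JSValue, base)` and leaves base untouched, so the three tiers are not obviously equivalent in what they leave in the base register. None of the three sites says why the object itself, rather than a storage pointer, is being caged; a one-line comment at each, `// Overflow storage is inline at the end of the cell, so cage the object pointer itself.`, would replace the FIXME the FTL hunk removes.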
index 80e17d7..65993f3 100644 (file)
@@ -3565,10 +3565,8 @@ private:
             
             m_out.appendTo(overflowCase, continuation);
             
-            // FIXME: I guess we need to cage overflow storage?
-            // https://bugs.webkit.org/show_bug.cgi?id=174923
             address = m_out.baseIndex(
-                m_heaps.ScopedArguments_overflowStorage, base,
+                m_heaps.ScopedArguments_overflowStorage, caged(Gigacage::JSValue, base),
                 m_out.zeroExtPtr(m_out.sub(index, namedLength)));
             LValue overflowValue = m_out.load64(address);
             speculate(ExoticObjectMode, noValue(), nullptr, m_out.isZero64(overflowValue));
index 0217181..e261978 100644 (file)
@@ -1551,6 +1551,7 @@ JIT::JumpList JIT::emitScopedArgumentsGetByVal(Instruction*, PatchableJump& badT
     overflowCase.link(this);
     sub32(property, scratch2);
     neg32(scratch2);
+    cage(Gigacage::JSValue, base);
     loadValue(BaseIndex(base, scratch2, TimesEight, ScopedArguments::overflowStorageOffset()), result);
     slowCases.append(branchIfEmpty(result));
     done.link(this);
index 91ad2f0..53e2738 100644 (file)
@@ -42,6 +42,13 @@ private:
     void finishCreation(VM&, JSFunction* callee, ScopedArgumentsTable*, JSLexicalEnvironment*);
 
 public:
+    template<typename CellType>
+    static Subspace* subspaceFor(VM& vm)
+    {
+        RELEASE_ASSERT(!CellType::needsDestruction);
+        return &vm.jsValueGigacageCellSpace;
+    }
+
     // Creates an arguments object but leaves it uninitialized. This is dangerous if we GC right
     // after allocation.
     static ScopedArguments* createUninitialized(VM&, Structure*, JSFunction* callee, ScopedArgumentsTable*, JSLexicalEnvironment*, unsigned totalLength);
@@ -154,10 +161,9 @@ private:
     WriteBarrier<Unknown>* overflowStorage() const
     {
         return bitwise_cast<WriteBarrier<Unknown>*>(
-            bitwise_cast<char*>(this) + overflowStorageOffset());
+            bitwise_cast<char*>(Gigacage::caged(Gigacage::JSValue, this)) + overflowStorageOffset());
     }
     
-    
     bool m_overrodeThings; // True if length, callee, and caller are fully materialized in the object.
     unsigned m_totalLength; // The length of declared plus overflow arguments.
     WriteBarrier<JSFunction> m_callee;
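Review bot: `subspaceFor` carries a RELEASE_ASSERT with no explanation of why a destructible CellType is rejected, and nothing in the header says why ScopedArguments now lives in the gigacage at all. A comment above the template would save the next reader a trip to the ChangeLog, e.g. `// Overflow storage is inline at the end of the cell, so the whole object must live in the JSValue gigacage; that space presumably does not run destructors, hence the assertion.` The `overflowStorage()` change applies `Gigacage::caged` to `this` unconditionally, so it silently relies on every instance actually being allocated from jsValueGigacageCellSpace; if caged() remaps rather than checks, an instance from any other space would yield a pointer into the wrong cell, so a debug-only assertion that `this` is inside the JSValue cage would document and enforce the coupling to `subspaceFor`. The header's include list is outside the hunk; confirm the header declaring Gigacage::caged is included directly rather than reached transitively.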