JSLexicalEnvironment needs to be in the JSValue gigacage
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Aug 2017 23:18:18 +0000 (23:18 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Aug 2017 23:18:18 +0000 (23:18 +0000)
https://bugs.webkit.org/show_bug.cgi?id=174922

Reviewed by Michael Saboff.

JSLexicalEnvironment can be reached through a computed index (the ScopedArguments GetByVal path), so we put it in the JSValue gigacage and make
the only such indexed accesses use pointer caging.

We don't need to do anything to normal lexical environment accesses.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
* runtime/JSEnvironmentRecord.h:
(JSC::JSEnvironmentRecord::subspaceFor):
(JSC::JSEnvironmentRecord::variables):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220618 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/runtime/JSEnvironmentRecord.h

index 2d83b80..a98f548 100644 (file)
@@ -1,5 +1,25 @@
 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
 
+        JSLexicalEnvironment needs to be in the JSValue gigacage
+        https://bugs.webkit.org/show_bug.cgi?id=174922
+
+        Reviewed by Michael Saboff.
+        
+        We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
+        the only random accesses use pointer caging.
+        
+        We don't need to do anything to normal lexical environment accesses.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+        * runtime/JSEnvironmentRecord.h:
+        (JSC::JSEnvironmentRecord::subspaceFor):
+        (JSC::JSEnvironmentRecord::variables):
+
+2017-08-11  Filip Pizlo  <fpizlo@apple.com>
+
         DirectArguments should be in the JSValue gigacage
         https://bugs.webkit.org/show_bug.cgi?id=174920
 
index f6f55d3..8e64c12 100644 (file)
@@ -6311,6 +6311,8 @@ void SpeculativeJIT::compileGetByValOnScopedArguments(Node* node)
         m_jit.branch32(
             MacroAssembler::Equal, scratchReg, TrustedImm32(ScopeOffset::invalidOffset)));
     
+    m_jit.cage(Gigacage::JSValue, scratch2Reg);
+    
     m_jit.loadValue(
         MacroAssembler::BaseIndex(
             scratch2Reg, propertyReg, MacroAssembler::TimesEight,
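Review bot: The index register in the `loadValue` at the end of the hunk is `propertyReg`, while the `invalidOffset` speculation check just above it is on `scratchReg`, which suggests `scratchReg` holds the scope offset read from the arguments table; the FTL lowering in this same commit indexes `JSEnvironmentRecord_variables` by `scopeOffset`, not by the property index. If that reading is right, the load should be `scratch2Reg, scratchReg, MacroAssembler::TimesEight,` so the DFG and FTL agree and the caged base is indexed by the table-derived offset rather than the raw argument index. Caging `scratch2Reg` only bounds the base pointer and does not make an out-of-range index safe, so the provenance of the index matters at this site. The register setup and the remainder of the `loadValue` call lie outside the hunk, so this needs confirming against the full function.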
index 5a7a7a5..80e17d7 100644 (file)
@@ -3557,10 +3557,9 @@ private:
                 ExoticObjectMode, noValue(), nullptr,
                 m_out.equal(scopeOffset, m_out.constInt32(ScopeOffset::invalidOffset)));
             
-            // FIXME: I guess we need to cage JSEnvironmentRecord?
-            // https://bugs.webkit.org/show_bug.cgi?id=174922
             address = m_out.baseIndex(
-                m_heaps.JSEnvironmentRecord_variables, scope, m_out.zeroExtPtr(scopeOffset));
+                m_heaps.JSEnvironmentRecord_variables, caged(Gigacage::JSValue, scope),
+                m_out.zeroExtPtr(scopeOffset));
             ValueFromBlock namedResult = m_out.anchor(m_out.load64(address));
             m_out.jump(continuation);
             
index 1b6f87a..55e5dc6 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007, 2008, 2012, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2007-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -36,17 +36,26 @@ namespace JSC {
 
 class LLIntOffsetsExtractor;
 
+// FIXME: Merge this with JSLexicalEnvironment, since that's the only subclass.
+// https://bugs.webkit.org/show_bug.cgi?id=175492
 class JSEnvironmentRecord : public JSSymbolTableObject {
     friend class JIT;
     friend class LLIntOffsetsExtractor;
 
 public:
+    template<typename CellType>
+    static Subspace* subspaceFor(VM& vm)
+    {
+        RELEASE_ASSERT(!CellType::needsDestruction);
+        return &vm.jsValueGigacageCellSpace;
+    }
+
     typedef JSSymbolTableObject Base;
     static const unsigned StructureFlags = Base::StructureFlags;
 
     WriteBarrierBase<Unknown>* variables()
     {
-        return bitwise_cast<WriteBarrierBase<Unknown>*>(bitwise_cast<char*>(this) + offsetOfVariables());
+        return bitwise_cast<WriteBarrierBase<Unknown>*>(bitwise_cast<char*>(Gigacage::caged(Gigacage::JSValue, this)) + offsetOfVariables());
     }
     
     bool isValidScopeOffset(ScopeOffset offset)
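Review bot: `variables()` now routes `this` through `Gigacage::caged(Gigacage::JSValue, ...)` with no comment saying why, and it is the C++ counterpart of the JIT caging added in DFGSpeculativeJIT.cpp and FTLLowerDFGToB3.cpp, so the three sites should be documented as a set. Suggest above the method: `// Cage the base: callers may index variables() with a computed ScopeOffset (e.g. via ScopedArguments), so the record lives in the JSValue gigacage and the pointer is caged here as in the DFG/FTL GetByVal lowerings.` Separately, `subspaceFor`'s `RELEASE_ASSERT(!CellType::needsDestruction)` only fires at runtime on first use; if `needsDestruction` is a compile-time constant for the cell types involved, `static_assert(!CellType::needsDestruction, "JSValue gigacage cells must not need destruction");` would reject a destructible subclass at build time instead. Caging bounds only the base pointer, so `isValidScopeOffset` remains the check on the index itself; its body continues past the end of the hunk.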