Baseline JIT should do caging
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Aug 2017 23:30:15 +0000 (23:30 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Aug 2017 23:30:15 +0000 (23:30 +0000)
commit 20ebddc9a10ad193826fc478ba36ff088ea9680e
tree 4f244d3593e5da8cba095105fdf949c5bd40bc13
parent 1e18b9b62f363e036b539d4cf075f4cb50277eca
Baseline JIT should do caging
https://bugs.webkit.org/show_bug.cgi?id=175037

Reviewed by Mark Lam.
Source/bmalloc:

This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
and WebProcess.

This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
checks on each typed array access.

* bmalloc/Gigacage.cpp:
(Gigacage::primitiveGigacageDisabled):
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
* bmalloc/Gigacage.h:
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

Source/JavaScriptCore:

Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

Also modifies FTL caging to be more defensive when caging is disabled.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::caged):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cage):
(JSC::AssemblyHelpers::cageConditionally):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jsc.cpp:
(jscmain):
(primitiveGigacageDisabled): Deleted.

Source/WebKit:

Use a better API to disable disabling the primitive gigacage.

* WebProcess/WebProcess.cpp:
(WebKit::m_webSQLiteDatabaseTracker):
(WebKit::primitiveGigacageDisabled): Deleted.

Source/WTF:

* wtf/Gigacage.h:
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220368 268f45cc-cd09-0410-ab3c-d52691b4dbfc
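The cage / cageConditionally split and the "permanently enabled" state the message describes, as an added C model that is not WebKit's or bmalloc's code: the Cage struct, CAGE_SIZE, the function names and the simplified caging rule base + (ptr & mask) are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a pointer cage: a 2^N-byte aligned region such that any
   pointer passed through cage() lands inside it, whatever value it held.
   Sizes and names are assumptions for this example, not the Gigacage API. */
#define CAGE_SIZE ((uintptr_t)1 << 20)   /* 1 MiB for the model; real cages are far larger */
#define CAGE_MASK (CAGE_SIZE - 1)

typedef struct {
    uintptr_t base;           /* 0 when no cage region has been reserved */
    bool permanently_enabled; /* once set, callers may omit the "disabled?" check */
    bool disabled;
} Cage;

/* Unconditional cage: base + (ptr & mask). Safe to emit without a runtime check
   only when the cage is known to be permanently enabled (the baseline JIT case). */
static inline uintptr_t cage(const Cage *c, uintptr_t ptr)
{
    return c->base + (ptr & CAGE_MASK);
}

/* Conditional cage: the defensive form for code paths where caging may have
   been disabled; passes the pointer through untouched in that case. */
static inline uintptr_t cage_conditionally(const Cage *c, uintptr_t ptr)
{
    if (c->disabled || c->base == 0)
        return ptr;
    return cage(c, ptr);
}

/* Refuses the request (returns false) when the cage is permanently enabled. */
static inline bool try_disable_cage(Cage *c)
{
    if (c->permanently_enabled)
        return false;
    c->disabled = true;
    return true;
}

/* True when a caged pointer lies within [base, base + CAGE_SIZE). */
static inline bool in_cage(const Cage *c, uintptr_t p)
{
    return p >= c->base && p < c->base + CAGE_SIZE;
}

/* Scenario check: a permanently enabled cage cannot be disabled and always
   remaps a constructed out-of-region value into the region. */
static bool permanent_cage_holds(void)
{
    Cage c = { .base = (uintptr_t)0x7f0000000000ull, .permanently_enabled = true, .disabled = false };
    uintptr_t stray = (uintptr_t)0x1234567890ull; /* constructed out-of-cage value */
    return !try_disable_cage(&c) && in_cage(&c, cage(&c, stray))
        && cage_conditionally(&c, stray) == cage(&c, stray);
}
```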
14 files changed:
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/AccessCase.cpp
Source/JavaScriptCore/bytecode/InlineAccess.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/AssemblyHelpers.h
Source/JavaScriptCore/jit/JITPropertyAccess.cpp
Source/JavaScriptCore/jsc.cpp
Source/WTF/ChangeLog
Source/WTF/wtf/Gigacage.h
Source/WebKit/ChangeLog
Source/WebKit/WebProcess/WebProcess.cpp
Source/bmalloc/ChangeLog
Source/bmalloc/bmalloc/Gigacage.cpp
Source/bmalloc/bmalloc/Gigacage.h