Baseline JIT should do caging
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Aug 2017 19:44:20 +0000 (19:44 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 8 Aug 2017 19:44:20 +0000 (19:44 +0000)
commit22e873d3c416041fb134f3219e573ff2d2edc02f
tree0819a000baeea6249b8df703c03465e820e6c945
parent15bb800ab104f2e77f67781098a917021f5143ce
Baseline JIT should do caging
https://bugs.webkit.org/show_bug.cgi?id=175037

Reviewed by Mark Lam.
Source/bmalloc:

This centralizes the notion of permanently enabling the primitive gigacage, which we only do in jsc
and WebProcess.

This saves the baseline JIT from emitting some code. Otherwise it would always have to emit enabled
checks on each typed array access.

* bmalloc/Gigacage.cpp:
(Gigacage::primitiveGigacageDisabled):
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
* bmalloc/Gigacage.h:
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):

Source/JavaScriptCore:

Adds a AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

Also modifies FTL caging to be more defensive when caging is disabled.

Relanded with fixed AssemblyHelpers::cageConditionally().

* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateImpl):
* bytecode/InlineAccess.cpp:
(JSC::InlineAccess::dumpCacheSizesAndCrash):
(JSC::InlineAccess::generateSelfPropertyAccess):
(JSC::InlineAccess::generateSelfPropertyReplace):
(JSC::InlineAccess::generateArrayLength):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::caged):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cage):
(JSC::AssemblyHelpers::cageConditionally):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emitArrayStoragePutByVal):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jsc.cpp:
(jscmain):
(primitiveGigacageDisabled): Deleted.

Source/WebKit:

Use a better API to disable disabling the primitive gigacage.

* WebProcess/WebProcess.cpp:
(WebKit::m_webSQLiteDatabaseTracker):
(WebKit::primitiveGigacageDisabled): Deleted.

Source/WTF:

* wtf/Gigacage.h:
(Gigacage::disableDisablingPrimitiveGigacageIfShouldBeEnabled):
(Gigacage::isDisablingPrimitiveGigacageDisabled):
(Gigacage::isPrimitiveGigacagePermanentlyEnabled):
(Gigacage::canPrimitiveGigacageBeDisabled):
(Gigacage::basePtr):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@220416 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/AccessCase.cpp
Source/JavaScriptCore/bytecode/InlineAccess.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/AssemblyHelpers.h
Source/JavaScriptCore/jit/JITPropertyAccess.cpp
Source/JavaScriptCore/jsc.cpp
Source/WTF/ChangeLog
Source/WTF/wtf/Gigacage.h
Source/WebKit/ChangeLog
Source/WebKit/WebProcess/WebProcess.cpp
Source/bmalloc/ChangeLog
Source/bmalloc/bmalloc/Gigacage.cpp
Source/bmalloc/bmalloc/Gigacage.h