WebKit Bugzilla
Attachment 371710 Details for
Bug 198698
: REGRESSION(r246150): Regresses page loading time on iOS 13 (Requested by keith_m__ on #webkit).
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
ROLLOUT of r246150
bug-198698-20190609132448.patch (text/plain), 30.39 KB, created by
WebKit Commit Bot
on 2019-06-09 13:24:49 PDT
(
hide
)
Description:
ROLLOUT of r246150
Filename:
MIME Type:
Creator:
WebKit Commit Bot
Created:
2019-06-09 13:24:49 PDT
Size:
30.39 KB
patch
obsolete
>Subversion Revision: 246239 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 6b0d019eefb09d55c061850a76a8a94954011b77..0aff93f5605e0ca7d66004e91bca6f86f473771f 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,24 @@ >+2019-06-09 Commit Queue <commit-queue@webkit.org> >+ >+ Unreviewed, rolling out r246150, r246160, and r246166. >+ https://bugs.webkit.org/show_bug.cgi?id=198698 >+ >+ Regresses page loading time on iOS 13 (Requested by keith_m__ >+ on #webkit). >+ >+ Reverted changesets: >+ >+ "Reenable Gigacage on ARM64." >+ https://bugs.webkit.org/show_bug.cgi?id=198453 >+ https://trac.webkit.org/changeset/246150 >+ >+ "Unrevied build fix for FTL without Gigacage." >+ https://trac.webkit.org/changeset/246160 >+ >+ "Fix typo in cageWithoutUntagging" >+ https://bugs.webkit.org/show_bug.cgi?id=198617 >+ https://trac.webkit.org/changeset/246166 >+ > 2019-06-09 Yusuke Suzuki <ysuzuki@apple.com> > > [JSC] Use mergePrediction in ValuePow prediction propagation >diff --git a/Source/bmalloc/ChangeLog b/Source/bmalloc/ChangeLog >index 9f0491f258324a3dc18ae0a9964388487b766e3c..eb6fdaefb44ce3ff1025ac2ef306b3fb6d44df79 100644 >--- a/Source/bmalloc/ChangeLog >+++ b/Source/bmalloc/ChangeLog >@@ -1,3 +1,24 @@ >+2019-06-09 Commit Queue <commit-queue@webkit.org> >+ >+ Unreviewed, rolling out r246150, r246160, and r246166. >+ https://bugs.webkit.org/show_bug.cgi?id=198698 >+ >+ Regresses page loading time on iOS 13 (Requested by keith_m__ >+ on #webkit). >+ >+ Reverted changesets: >+ >+ "Reenable Gigacage on ARM64." >+ https://bugs.webkit.org/show_bug.cgi?id=198453 >+ https://trac.webkit.org/changeset/246150 >+ >+ "Unrevied build fix for FTL without Gigacage." >+ https://trac.webkit.org/changeset/246160 >+ >+ "Fix typo in cageWithoutUntagging" >+ https://bugs.webkit.org/show_bug.cgi?id=198617 >+ https://trac.webkit.org/changeset/246166 >+ > 2019-06-06 Keith Miller <keith_miller@apple.com> > > Reenable Gigacage on ARM64. >diff --git a/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h b/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h >index 3f4c16d60f89b23f32cc6cb7bdd881ff01bf0af0..4efd6f90d732da68f32345fa71682d82b86941f6 100644 >--- a/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h >+++ b/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h >@@ -2526,15 +2526,6 @@ public: > m_assembler.fcsel<64>(dest, thenCase, elseCase, ARM64Condition(cond)); > } > >- // Bit field operations: >- >- // destBitOffset is the top bit of the destination where the bits should be copied to. Zero is the lowest order bit. >- void bitFieldInsert64(RegisterID source, unsigned destBitOffset, unsigned width, RegisterID dest) >- { >- ASSERT(width <= 64 - destBitOffset && destBitOffset < 64); >- m_assembler.bfi<64>(dest, source, destBitOffset, width); >- } >- > // Forwards / external control flow operations: > // > // This set of jump and conditional branch operations return a Jump >diff --git a/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h b/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h >index fd7eec808551bdf7287afc1b1ec453f2f82082d2..0b968f6afedfea695a4a3a308d340f076c9cfa40 100644 >--- a/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h >+++ b/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h >@@ -39,8 +39,6 @@ using Assembler = TARGET_ASSEMBLER; > > class MacroAssemblerARM64E : public MacroAssemblerARM64 { > public: >- static constexpr unsigned numberOfPACBits = 25; >- > ALWAYS_INLINE void tagReturnAddress() > { > tagPtr(ARM64Registers::sp, ARM64Registers::lr); >diff --git a/Source/JavaScriptCore/assembler/testmasm.cpp b/Source/JavaScriptCore/assembler/testmasm.cpp >index 1050b39983e4e65052824c04f0bb1254a313e2c8..cc25c94896ed37ce0f05773fd5b838e7e0e3950e 100644 >--- a/Source/JavaScriptCore/assembler/testmasm.cpp >+++ b/Source/JavaScriptCore/assembler/testmasm.cpp >@@ -39,7 +39,6 @@ > #include <wtf/Function.h> > #include <wtf/Lock.h> > #include <wtf/NumberOfCores.h> >-#include <wtf/PtrTag.h> > #include <wtf/Threading.h> > #include <wtf/text/StringCommon.h> > >@@ -110,15 +109,6 @@ template<typename T> T nextID(T id) { return static_cast<T>(id + 1); } > CRASH(); \ > } while (false) > >-#define CHECK_NOT_EQ(_actual, _expected) do { \ >- if ((_actual) != (_expected)) \ >- break; \ >- crashLock.lock(); \ >- dataLog("FAILED while testing " #_actual ": expected not: ", _expected, ", actual: ", _actual, "\n"); \ >- WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, "CHECK_NOT_EQ("#_actual ", " #_expected ")"); \ >- CRASH(); \ >- } while (false) >- > #if ENABLE(MASM_PROBE) > bool isPC(MacroAssembler::RegisterID id) > { >@@ -1013,47 +1003,6 @@ void testMoveDoubleConditionally64() > #endif > } > >-static void testCagePreservesPACFailureBit() >-{ >- auto cage = compile([] (CCallHelpers& jit) { >- jit.emitFunctionPrologue(); >- jit.cageConditionally(Gigacage::Primitive, GPRInfo::argumentGPR0, GPRInfo::argumentGPR1, GPRInfo::argumentGPR2); >- jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR); >- jit.emitFunctionEpilogue(); >- jit.ret(); >- }); >- >- void* ptr = Gigacage::tryMalloc(Gigacage::Primitive, 1); >- void* taggedPtr = tagArrayPtr(ptr, 1); >- dataLogLn("starting test"); >- if (isARM64E()) { >- // FIXME: This won't work if authentication failures trap but I don't know how to test for that right now. >- CHECK_NOT_EQ(invoke<void*>(cage, taggedPtr, 2), ptr); >- } else >- CHECK_EQ(invoke<void*>(cage, taggedPtr, 2), ptr); >- >- CHECK_EQ(invoke<void*>(cage, taggedPtr, 1), ptr); >- >- auto cageWithoutAuthentication = compile([] (CCallHelpers& jit) { >- jit.emitFunctionPrologue(); >- jit.cageWithoutUntagging(Gigacage::Primitive, GPRInfo::argumentGPR0); >- jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR); >- jit.emitFunctionEpilogue(); >- jit.ret(); >- }); >- >- if (isARM64E()) { >- // FIXME: This won't work if authentication failures trap but I don't know how to test for that right now. >- CHECK_NOT_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 2)), ptr); >- } else >- CHECK_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 2)), ptr); >- >- CHECK_EQ(untagArrayPtr(taggedPtr, 1), ptr); >- CHECK_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 1)), ptr); >- >- Gigacage::free(Gigacage::Primitive, ptr); >-} >- > #define RUN(test) do { \ > if (!shouldRun(#test)) \ > break; \ >@@ -1139,8 +1088,6 @@ void run(const char* filter) > RUN(testMoveDoubleConditionally32()); > RUN(testMoveDoubleConditionally64()); > >- RUN(testCagePreservesPACFailureBit()); >- > if (tasks.isEmpty()) > usage(); > >diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >index ec2b3c82e42819e2a684319472450778b5066604..7b96ec03e96439d108586506fa9e409626f9420e 100644 >--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >@@ -2873,7 +2873,7 @@ JITCompiler::Jump SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds(Node* > TrustedImm32(WastefulTypedArray)); > > JITCompiler::Jump hasNullVector; >-#if CPU(ARM64E) >+#if !GIGACAGE_ENABLED && CPU(ARM64E) > { > GPRReg scratch = m_jit.scratchRegister(); > DisallowMacroScratchRegisterUsage disallowScratch(m_jit); >@@ -2882,7 +2882,7 @@ JITCompiler::Jump SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds(Node* > m_jit.removeArrayPtrTag(scratch); > hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch); > } >-#else // CPU(ARM64E) >+#else // !GIGACAGE_ENABLED && CPU(ARM64E) > hasNullVector = m_jit.branchTestPtr( > MacroAssembler::Zero, > MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector())); >@@ -6760,13 +6760,6 @@ void SpeculativeJIT::compileConstantStoragePointer(Node* node) > > void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg) > { >-#if CPU(ARM64E) >- m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg); >-#else >- UNUSED_PARAM(baseReg); >- UNUSED_PARAM(storageReg); >-#endif >- > #if GIGACAGE_ENABLED > UNUSED_PARAM(baseReg); > if (!Gigacage::shouldBeEnabled()) >@@ -6779,7 +6772,12 @@ void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg) > return; > } > >- m_jit.cageWithoutUntagging(Gigacage::Primitive, storageReg); >+ m_jit.cage(Gigacage::Primitive, storageReg); >+#elif CPU(ARM64E) >+ m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg); >+#else >+ UNUSED_PARAM(baseReg); >+ UNUSED_PARAM(storageReg); > #endif > } > >@@ -6843,7 +6841,7 @@ void SpeculativeJIT::compileGetTypedArrayByteOffset(Node* node) > JITCompiler::Jump nullVector = m_jit.branchTestPtr(JITCompiler::Zero, vectorGPR); > > m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR); >- m_jit.cageWithoutUntagging(Gigacage::JSValue, dataGPR); >+ m_jit.cage(Gigacage::JSValue, dataGPR); > > cageTypedArrayStorage(baseGPR, vectorGPR); > >@@ -9847,7 +9845,7 @@ void SpeculativeJIT::compileNewTypedArrayWithSize(Node* node) > MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesFour)); > m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit); > done.link(&m_jit); >-#if CPU(ARM64E) >+#if !GIGACAGE_ENABLED && CPU(ARM64E) > // sizeGPR is still boxed as a number and there is no 32-bit variant of the PAC instructions. > m_jit.zeroExtend32ToPtr(sizeGPR, scratchGPR); > m_jit.tagArrayPtr(scratchGPR, storageGPR); >diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >index 24ea97da75939781022d5fa3697cc6c43f1dc1a3..d72af41b41368c1c0f9e159040afd51cf5fb1602 100644 >--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >@@ -6485,7 +6485,7 @@ private: > m_out.int64Zero, > m_heaps.typedArrayProperties); > >-#if CPU(ARM64E) >+#if !GIGACAGE_ENABLED && CPU(ARM64E) > { > LValue sizePtr = m_out.zeroExtPtr(size); > PatchpointValue* authenticate = m_out.patchpoint(pointerType()); >@@ -14157,16 +14157,6 @@ private: > > LValue caged(Gigacage::Kind kind, LValue ptr, LValue base) > { >-#if CPU(ARM64E) >- if (kind == Gigacage::Primitive) { >- LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length); >- ptr = untagArrayPtr(ptr, size); >- } >-#else >- UNUSED_PARAM(kind); >- UNUSED_PARAM(base); >-#endif >- > #if GIGACAGE_ENABLED > UNUSED_PARAM(base); > if (!Gigacage::isEnabled(kind)) >@@ -14185,18 +14175,6 @@ private: > LValue masked = m_out.bitAnd(ptr, mask); > LValue result = m_out.add(masked, basePtr); > >-#if CPU(ARM64E) >- { >- PatchpointValue* merge = m_out.patchpoint(pointerType()); >- merge->append(result, B3::ValueRep(B3::ValueRep::SomeLateRegister)); >- merge->appendSomeRegister(ptr); >- merge->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { >- jit.move(params[2].gpr(), params[0].gpr()); >- jit.bitFieldInsert64(params[1].gpr(), 0, 64 - MacroAssembler::numberOfPACBits, params[0].gpr()); >- }); >- result = merge; >- } >-#endif > // Make sure that B3 doesn't try to do smart reassociation of these pointer bits. > // FIXME: In an ideal world, B3 would not do harmful reassociations, and if it did, it would be able > // to undo them during constant hoisting and regalloc. As it stands, if you remove this then Octane >@@ -14209,8 +14187,18 @@ private: > // and possibly other smart things if we want to be able to remove this opaque. > // https://bugs.webkit.org/show_bug.cgi?id=175493 > return m_out.opaque(result); >-#endif >+#elif CPU(ARM64E) >+ if (kind == Gigacage::Primitive) { >+ LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length); >+ return untagArrayPtr(ptr, size); >+ } >+ >+ return ptr; >+#else >+ UNUSED_PARAM(kind); >+ UNUSED_PARAM(base); > return ptr; >+#endif > } > > void buildSwitch(SwitchData* data, LType type, LValue switchValue) >diff --git a/Source/JavaScriptCore/jit/AssemblyHelpers.h b/Source/JavaScriptCore/jit/AssemblyHelpers.h >index a77d43a501086730d7dc9985f42db5219a2f9259..d9268e83691421ffedc1541217c867f351edb8d4 100644 >--- a/Source/JavaScriptCore/jit/AssemblyHelpers.h >+++ b/Source/JavaScriptCore/jit/AssemblyHelpers.h >@@ -1554,74 +1554,43 @@ public: > storeFence(); > ok.link(this); > } >- >- void cageWithoutUntagging(Gigacage::Kind kind, GPRReg storage) >+ >+ void cage(Gigacage::Kind kind, GPRReg storage) > { > #if GIGACAGE_ENABLED > if (!Gigacage::isEnabled(kind)) > return; >- >-#if CPU(ARM64E) >- RegisterID tempReg = InvalidGPRReg; >- if (kind == Gigacage::Primitive) { >- tempReg = getCachedMemoryTempRegisterIDAndInvalidate(); >- move(storage, tempReg); >- // Flip the registers since bitFieldInsert only inserts into the low bits. >- std::swap(storage, tempReg); >- } >-#endif >+ > andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage); > addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage); >-#if CPU(ARM64E) >- if (kind == Gigacage::Primitive) >- bitFieldInsert64(storage, 0, 64 - numberOfPACBits, tempReg); >-#endif >- > #else > UNUSED_PARAM(kind); > UNUSED_PARAM(storage); > #endif > } >- >- // length may be the same register as scratch. >- void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg length, GPRReg scratch) >+ >+ void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratchOrLength) > { >-#if CPU(ARM64E) >- if (kind == Gigacage::Primitive) >- untagArrayPtr(length, storage); >-#else >- UNUSED_PARAM(kind); >- UNUSED_PARAM(storage); >- UNUSED_PARAM(length); >-#endif >- > #if GIGACAGE_ENABLED > if (!Gigacage::isEnabled(kind)) > return; > > if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled()) >- cageWithoutUntagging(kind, storage); >- else { >- loadPtr(&Gigacage::basePtr(kind), scratch); >- Jump done = branchTestPtr(Zero, scratch); >-#if CPU(ARM64E) >- auto tempReg = getCachedMemoryTempRegisterIDAndInvalidate(); >- move(storage, tempReg); >- andPtr(TrustedImmPtr(Gigacage::mask(kind)), tempReg); >- addPtr(scratch, tempReg); >- bitFieldInsert64(tempReg, 0, 64 - numberOfPACBits, storage); >-#else >- andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage); >- addPtr(scratch, storage); >-#endif >- done.link(this); >- >- >- } >+ return cage(kind, storage); >+ >+ loadPtr(&Gigacage::basePtr(kind), scratchOrLength); >+ Jump done = branchTestPtr(Zero, scratchOrLength); >+ andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage); >+ addPtr(scratchOrLength, storage); >+ done.link(this); >+#elif CPU(ARM64E) >+ if (kind == Gigacage::Primitive) >+ untagArrayPtr(scratchOrLength, storage); > #else >- UNUSED_PARAM(scratch); >+ UNUSED_PARAM(kind); >+ UNUSED_PARAM(storage); >+ UNUSED_PARAM(scratchOrLength); > #endif >- > } > > void emitComputeButterflyIndexingMask(GPRReg vectorLengthGPR, GPRReg scratchGPR, GPRReg resultGPR) >diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp >index cbb78d5b3ebbb28e88911d525a5799f7f684917b..9d621481f77474efb831bd4e5f1f58229e332556 100644 >--- a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp >+++ b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp >@@ -1672,7 +1672,7 @@ JIT::JumpList JIT::emitIntTypedArrayGetByVal(const Instruction*, PatchableJump& > load32(Address(base, JSArrayBufferView::offsetOfLength()), scratch2); > slowCases.append(branch32(AboveOrEqual, property, scratch2)); > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); >- cageConditionally(Gigacage::Primitive, scratch, scratch2, scratch2); >+ cageConditionally(Gigacage::Primitive, scratch, scratch2); > > switch (elementSize(type)) { > case 1: >@@ -1736,7 +1736,7 @@ JIT::JumpList JIT::emitFloatTypedArrayGetByVal(const Instruction*, PatchableJump > load32(Address(base, JSArrayBufferView::offsetOfLength()), scratch2); > slowCases.append(branch32(AboveOrEqual, property, scratch2)); > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); >- cageConditionally(Gigacage::Primitive, scratch, scratch2, scratch2); >+ cageConditionally(Gigacage::Primitive, scratch, scratch2); > > switch (elementSize(type)) { > case 4: >@@ -1801,7 +1801,7 @@ JIT::JumpList JIT::emitIntTypedArrayPutByVal(Op bytecode, PatchableJump& badType > // We would be loading this into base as in get_by_val, except that the slow > // path expects the base to be unclobbered. > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch); >- cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2); >+ cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2); > > if (isClamped(type)) { > ASSERT(elementSize(type) == 1); >@@ -1890,7 +1890,7 @@ JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Op bytecode, PatchableJump& badTy > // We would be loading this into base as in get_by_val, except that the slow > // path expects the base to be unclobbered. > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch); >- cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2); >+ cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2); > > switch (elementSize(type)) { > case 4: >diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm >index c0ad83c6c4360f2826ec9968c383f6b7540d8a42..4032e7e8f3f87bcbdbe1ef9cdfd17233b6c855da 100644 >--- a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm >+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm >@@ -76,7 +76,7 @@ > # > # - pc holds the (native) program counter on 32-bits ARM architectures (ARMv7) > # >-# - t0, t1, t2, t3, t4, and optionally t5, t6, and t7 are temporary registers that can get trashed on >+# - t0, t1, t2, t3, t4 and optionally t5 are temporary registers that can get trashed on > # calls, and are pairwise distinct registers. t4 holds the JS program counter, so use > # with caution in opcodes (actually, don't use it in opcodes at all, except as PC). > # >diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm >index 903635af525a8b1f447060314307d1083d3635ad..6aaf0dd10c3eb8af6b277713419ac40e3d878397 100644 >--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm >+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm >@@ -434,19 +434,10 @@ end > > macro loadCagedPrimitive(source, dest, scratchOrLength) > loadp source, dest >- if ARM64E >- const result = t7 >- untagArrayPtr scratchOrLength, dest >- move dest, result >- else >- const result = dest >- end > if GIGACAGE_ENABLED >- uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, result, scratchOrLength) >- if ARM64E >- const numberOfPACBits = constexpr MacroAssembler::numberOfPACBits >- bfiq result, 0, 64 - numberOfPACBits, dest >- end >+ uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, dest, scratchOrLength) >+ elsif ARM64E >+ untagArrayPtr scratchOrLength, dest > end > end > >diff --git a/Source/JavaScriptCore/offlineasm/arm64.rb b/Source/JavaScriptCore/offlineasm/arm64.rb >index 23d948f0a31d77159be46fad6460f0d6463ed50b..58bbc2aafd9b484edc665e6ad02648c44c9e177c 100644 >--- a/Source/JavaScriptCore/offlineasm/arm64.rb >+++ b/Source/JavaScriptCore/offlineasm/arm64.rb >@@ -126,8 +126,6 @@ class RegisterID > arm64GPRName('x5', kind) > when 't6' > arm64GPRName('x6', kind) >- when 't7' >- arm64GPRName('x7', kind) > when 'cfr' > arm64GPRName('x29', kind) > when 'csr0' >@@ -1021,8 +1019,6 @@ class Instruction > $asm.puts "smaddl #{operands[2].arm64Operand(:quad)}, #{operands[0].arm64Operand(:word)}, #{operands[1].arm64Operand(:word)}, xzr" > when "memfence" > $asm.puts "dmb sy" >- when "bfiq" >- $asm.puts "bfi #{operands[3].arm64Operand(:quad)}, #{operands[0].arm64Operand(:quad)}, #{operands[1].value}, #{operands[2].value}" > when "pcrtoaddr" > $asm.puts "adr #{operands[1].arm64Operand(:quad)}, #{operands[0].value}" > when "nopCortexA53Fix835769" >diff --git a/Source/JavaScriptCore/offlineasm/instructions.rb b/Source/JavaScriptCore/offlineasm/instructions.rb >index 71788b108372af09bf8ed89fbf9ab1d9e17ad3bd..2ad5944e9055a559136c28e36b872edb9bdd84e9 100644 >--- a/Source/JavaScriptCore/offlineasm/instructions.rb >+++ b/Source/JavaScriptCore/offlineasm/instructions.rb >@@ -273,7 +273,6 @@ ARM_INSTRUCTIONS = > > ARM64_INSTRUCTIONS = > [ >- "bfiq", # Bit field insert <source reg> <last bit written> <width immediate> <dest reg> > "pcrtoaddr", # Address from PC relative offset - adr instruction > "nopFixCortexA53Err835769", # nop on Cortex-A53 (nothing otherwise) > "globaladdr" >diff --git a/Source/JavaScriptCore/offlineasm/registers.rb b/Source/JavaScriptCore/offlineasm/registers.rb >index 158d141946f8fdbb9c24fe9ebfc12e57a4a8d8b3..aa8a40fd4e853cd48d45ecc2666cd9a164609d39 100644 >--- a/Source/JavaScriptCore/offlineasm/registers.rb >+++ b/Source/JavaScriptCore/offlineasm/registers.rb >@@ -32,7 +32,6 @@ GPRS = > "t4", > "t5", > "t6", >- "t7", > "cfr", > "a0", > "a1", >diff --git a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >index adb33f5404780b54d1a9e8111249878c37c5ae73..57b3df810e4b12f9e73ac4b14780b1649d873cb2 100644 >--- a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >+++ b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >@@ -848,14 +848,15 @@ void AirIRGenerator::restoreWebAssemblyGlobalState(RestoreCachedStackLimit resto > patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0; > > patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { >- AllowMacroScratchRegisterUsage allowScratch(jit); >+ RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64()); >+ AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64()); > GPRReg baseMemory = pinnedRegs->baseMemoryPointer; > GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister; > > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister); > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory); > >- jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > }); > > emitPatchpoint(block, patchpoint, Tmp(), instance); >@@ -1987,7 +1988,7 @@ auto AirIRGenerator::addCallIndirect(const Signature& signature, Vector<Expressi > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. > >- jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > }); > > emitPatchpoint(doContextSwitch, patchpoint, Tmp(), newContextInstance, instanceValue()); >diff --git a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >index 55bd2d8b5fe66196a5e2d5d2962ed16a9626a94d..2226ffc72c9382cc26fb3ebbe09429760ef44ab7 100644 >--- a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >+++ b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >@@ -491,14 +491,15 @@ void B3IRGenerator::restoreWebAssemblyGlobalState(RestoreCachedStackLimit restor > > patchpoint->append(instance, ValueRep::SomeRegister); > patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { >- AllowMacroScratchRegisterUsage allowScratch(jit); >+ RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64()); >+ AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64()); > GPRReg baseMemory = pinnedRegs->baseMemoryPointer; > GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister; > > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister); > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory); > >- jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > }); > } > } >@@ -1400,7 +1401,7 @@ auto B3IRGenerator::addCallIndirect(const Signature& signature, Vector<Expressio > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. > >- jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > }); > doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation); > >diff --git a/Source/JavaScriptCore/wasm/WasmBinding.cpp b/Source/JavaScriptCore/wasm/WasmBinding.cpp >index 23c96474f4b7557e19ae182a60ce9077f736abbd..fed45b1063c9a36bf651cf803ee10f1c5be7c654 100644 >--- a/Source/JavaScriptCore/wasm/WasmBinding.cpp >+++ b/Source/JavaScriptCore/wasm/WasmBinding.cpp >@@ -67,11 +67,11 @@ Expected<MacroAssemblerCodeRef<WasmEntryPtrTag>, BindingFailure> wasmToWasm(unsi > // FIXME the following code assumes that all Wasm::Instance have the same pinned registers. https://bugs.webkit.org/show_bug.cgi?id=162952 > // Set up the callee's baseMemory register as well as the memory size registers. > { >- GPRReg scratchOrSize = !Gigacage::isEnabled(Gigacage::Primitive) ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1); >+ GPRReg scratchOrSize = isARM64E() ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1); > > jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*). >- jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > } > > // Tail call into the callee WebAssembly function. >diff --git a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >index 26313e84269657fee9b6cbd73b57058c445fb5b8..657da57aeb7ce3daeaf3c25747818b620dce1492 100644 >--- a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >+++ b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >@@ -228,7 +228,7 @@ std::unique_ptr<InternalFunction> createJSToWasmWrapper(CompilationContext& comp > } > > jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > } > > CCallHelpers::Call call = jit.threadSafePatchableNearCall(); >diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >index 91b5b8388520a142aae09c52dc3fc8538e17bcff..2ff0e78e582f6561a28f3c59537821c03980b890 100644 >--- a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >@@ -423,7 +423,7 @@ MacroAssemblerCodePtr<JSEntryPtrTag> WebAssemblyFunction::jsCallEntrypointSlow() > } > > jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > } > > // We use this callee to indicate how to unwind past these types of frames: >diff --git a/Source/bmalloc/bmalloc/Gigacage.h b/Source/bmalloc/bmalloc/Gigacage.h >index a37d0baf9979deecc2e9e2542a8c2958ddf86b57..76d72df74a136f0219155cf208f7c77958c4e996 100644 >--- a/Source/bmalloc/bmalloc/Gigacage.h >+++ b/Source/bmalloc/bmalloc/Gigacage.h >@@ -34,8 +34,7 @@ > #include <cstddef> > #include <inttypes.h> > >-#if ((BOS(DARWIN) || BOS(LINUX)) && \ >- (BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS))))) >+#if ((BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64)) > #define GIGACAGE_ENABLED 1 > #else > #define GIGACAGE_ENABLED 0
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=371710">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 198698
: 371710