WebKit Bugzilla
Attachment 371848 Details for
Bug 198726
: Roll out PAC cage
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for landing
patch.diff (text/plain), 121.37 KB, created by
Saam Barati
on 2019-06-11 08:53:21 PDT
(
hide
)
Description:
patch for landing
Filename:
MIME Type:
Creator:
Saam Barati
Created:
2019-06-11 08:53:21 PDT
Size:
121.37 KB
patch
obsolete
>Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 246271) >+++ Source/JavaScriptCore/ChangeLog (working copy) >@@ -1,3 +1,177 @@ >+2019-06-10 Saam Barati <sbarati@apple.com> >+ >+ Roll out PAC cage >+ https://bugs.webkit.org/show_bug.cgi?id=198726 >+ >+ Reviewed by Keith Miller. >+ >+ This patch rolls out: r245064, r245145, r245168, r245313, r245432, r245622. >+ >+ The resulting state we're in is we have Gigacage enabled on arm64. >+ There is no more PAC caging. >+ >+ We're doing this because there are performance issues with PAC caging >+ that we haven't resolved yet. >+ >+ * assembler/CPU.h: >+ (JSC::isARM64E): Deleted. >+ * assembler/MacroAssemblerARM64E.h: >+ (JSC::MacroAssemblerARM64E::tagArrayPtr): Deleted. >+ (JSC::MacroAssemblerARM64E::untagArrayPtr): Deleted. >+ (JSC::MacroAssemblerARM64E::removeArrayPtrTag): Deleted. >+ * b3/B3LowerToAir.cpp: >+ * b3/B3PatchpointSpecial.cpp: >+ (JSC::B3::PatchpointSpecial::admitsStack): >+ * b3/B3StackmapSpecial.cpp: >+ (JSC::B3::StackmapSpecial::forEachArgImpl): >+ (JSC::B3::StackmapSpecial::isArgValidForRep): >+ * b3/B3Validate.cpp: >+ * b3/B3ValueRep.cpp: >+ (JSC::B3::ValueRep::addUsedRegistersTo const): >+ (JSC::B3::ValueRep::dump const): >+ (WTF::printInternal): >+ * b3/B3ValueRep.h: >+ (JSC::B3::ValueRep::ValueRep): >+ (JSC::B3::ValueRep::isReg const): >+ * dfg/DFGOperations.cpp: >+ (JSC::DFG::newTypedArrayWithSize): >+ * dfg/DFGSpeculativeJIT.cpp: >+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): >+ (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): >+ (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): >+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): >+ (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): >+ * dfg/DFGSpeculativeJIT.h: >+ * dfg/DFGSpeculativeJIT64.cpp: >+ (JSC::DFG::SpeculativeJIT::compile): >+ * ftl/FTLLowerDFGToB3.cpp: >+ (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): >+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): >+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): >+ (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet): >+ (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet): >+ (JSC::FTL::DFG::LowerDFGToB3::caged): >+ (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): >+ (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): Deleted. >+ (JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag): Deleted. >+ * heap/ConservativeRoots.cpp: >+ (JSC::ConservativeRoots::genericAddPointer): >+ * jit/AssemblyHelpers.h: >+ (JSC::AssemblyHelpers::cageConditionally): >+ * jit/IntrinsicEmitter.cpp: >+ (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): >+ * jit/JITPropertyAccess.cpp: >+ (JSC::JIT::emitDirectArgumentsGetByVal): >+ (JSC::JIT::emitIntTypedArrayGetByVal): >+ (JSC::JIT::emitFloatTypedArrayGetByVal): >+ (JSC::JIT::emitIntTypedArrayPutByVal): >+ (JSC::JIT::emitFloatTypedArrayPutByVal): >+ * jit/PolymorphicCallStubRoutine.cpp: >+ (JSC::PolymorphicCallNode::clearCallLinkInfo): >+ * jit/RegisterSet.h: >+ * llint/LowLevelInterpreter64.asm: >+ * runtime/ArrayBuffer.cpp: >+ (JSC::SharedArrayBufferContents::SharedArrayBufferContents): >+ (JSC::SharedArrayBufferContents::~SharedArrayBufferContents): >+ (JSC::ArrayBufferContents::ArrayBufferContents): >+ (JSC::ArrayBufferContents::destroy): >+ (JSC::ArrayBufferContents::tryAllocate): >+ (JSC::ArrayBufferContents::makeShared): >+ (JSC::ArrayBufferContents::copyTo): >+ * runtime/ArrayBuffer.h: >+ (JSC::SharedArrayBufferContents::data const): >+ (JSC::ArrayBufferContents::data const): >+ (JSC::ArrayBuffer::data): >+ (JSC::ArrayBuffer::data const): >+ (JSC::ArrayBuffer::byteLength const): >+ * runtime/ArrayBufferView.cpp: >+ (JSC::ArrayBufferView::ArrayBufferView): >+ * runtime/ArrayBufferView.h: >+ (JSC::ArrayBufferView::baseAddress const): >+ (JSC::ArrayBufferView::setRangeImpl): >+ (JSC::ArrayBufferView::getRangeImpl): >+ (JSC::ArrayBufferView::byteLength const): Deleted. >+ * runtime/CachedTypes.cpp: >+ (JSC::CachedScopedArgumentsTable::encode): >+ (JSC::CachedScopedArgumentsTable::decode const): >+ * runtime/CagedBarrierPtr.h: >+ (JSC::CagedBarrierPtr::CagedBarrierPtr): >+ (JSC::CagedBarrierPtr::set): >+ (JSC::CagedBarrierPtr::get const): >+ (JSC::CagedBarrierPtr::getMayBeNull const): >+ (JSC::CagedBarrierPtr::operator== const): >+ (JSC::CagedBarrierPtr::operator!= const): >+ (JSC::CagedBarrierPtr::operator bool const): >+ (JSC::CagedBarrierPtr::setWithoutBarrier): >+ (JSC::CagedBarrierPtr::operator* const): >+ (JSC::CagedBarrierPtr::operator-> const): >+ (JSC::CagedBarrierPtr::operator[] const): >+ (JSC::CagedBarrierPtr::getUnsafe const): Deleted. >+ (JSC::CagedBarrierPtr::at const): Deleted. >+ * runtime/DataView.cpp: >+ (JSC::DataView::DataView): >+ * runtime/DataView.h: >+ (JSC::DataView::get): >+ (JSC::DataView::set): >+ * runtime/DirectArguments.cpp: >+ (JSC::DirectArguments::visitChildren): >+ (JSC::DirectArguments::overrideThings): >+ (JSC::DirectArguments::unmapArgument): >+ * runtime/DirectArguments.h: >+ * runtime/GenericArguments.h: >+ * runtime/GenericArgumentsInlines.h: >+ (JSC::GenericArguments<Type>::visitChildren): >+ (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor): >+ (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor): >+ (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor): >+ * runtime/GenericTypedArrayView.h: >+ * runtime/GenericTypedArrayViewInlines.h: >+ (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView): >+ * runtime/JSArrayBufferView.cpp: >+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): >+ (JSC::JSArrayBufferView::JSArrayBufferView): >+ (JSC::JSArrayBufferView::finalize): >+ (JSC::JSArrayBufferView::slowDownAndWasteMemory): >+ * runtime/JSArrayBufferView.h: >+ (JSC::JSArrayBufferView::ConstructionContext::vector const): >+ (JSC::JSArrayBufferView::isNeutered): >+ (JSC::JSArrayBufferView::vector const): >+ (JSC::JSArrayBufferView::hasVector const): Deleted. >+ * runtime/JSGenericTypedArrayViewInlines.h: >+ (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized): >+ (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize): >+ (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): >+ * runtime/Options.h: >+ * runtime/ScopedArgumentsTable.cpp: >+ (JSC::ScopedArgumentsTable::clone): >+ (JSC::ScopedArgumentsTable::setLength): >+ * runtime/ScopedArgumentsTable.h: >+ * runtime/SymbolTable.h: >+ * wasm/WasmAirIRGenerator.cpp: >+ (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): >+ (JSC::Wasm::AirIRGenerator::addCallIndirect): >+ * wasm/WasmB3IRGenerator.cpp: >+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): >+ (JSC::Wasm::B3IRGenerator::addCallIndirect): >+ * wasm/WasmBBQPlan.cpp: >+ (JSC::Wasm::BBQPlan::complete): >+ * wasm/WasmBinding.cpp: >+ (JSC::Wasm::wasmToWasm): >+ * wasm/WasmInstance.h: >+ (JSC::Wasm::Instance::cachedMemory const): >+ (JSC::Wasm::Instance::updateCachedMemory): >+ * wasm/WasmMemory.cpp: >+ (JSC::Wasm::Memory::Memory): >+ (JSC::Wasm::Memory::~Memory): >+ (JSC::Wasm::Memory::grow): >+ (JSC::Wasm::Memory::dump const): >+ * wasm/WasmMemory.h: >+ (JSC::Wasm::Memory::memory const): >+ * wasm/js/JSToWasm.cpp: >+ (JSC::Wasm::createJSToWasmWrapper): >+ * wasm/js/WebAssemblyFunction.cpp: >+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow): >+ > 2019-06-10 Timothy Hatcher <timothy@apple.com> > > Integrate dark mode support for iOS. >Index: Source/JavaScriptCore/assembler/CPU.h >=================================================================== >--- Source/JavaScriptCore/assembler/CPU.h (revision 246271) >+++ Source/JavaScriptCore/assembler/CPU.h (working copy) >@@ -56,15 +56,6 @@ constexpr bool isARM64() > #endif > } > >-constexpr bool isARM64E() >-{ >-#if CPU(ARM64E) >- return true; >-#else >- return false; >-#endif >-} >- > constexpr bool isX86() > { > #if CPU(X86_64) || CPU(X86) >Index: Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h >=================================================================== >--- Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h (revision 246271) >+++ Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h (working copy) >@@ -82,28 +82,6 @@ public: > m_assembler.xpaci(target); > } > >- ALWAYS_INLINE void tagArrayPtr(RegisterID length, RegisterID target) >- { >- m_assembler.pacdb(target, length); >- } >- >- ALWAYS_INLINE void untagArrayPtr(RegisterID length, RegisterID target) >- { >- m_assembler.autdb(target, length); >- } >- >- ALWAYS_INLINE void untagArrayPtr(Address length, RegisterID target) >- { >- auto lengthGPR = getCachedDataTempRegisterIDAndInvalidate(); >- load32(length, lengthGPR); >- m_assembler.autdb(target, lengthGPR); >- } >- >- ALWAYS_INLINE void removeArrayPtrTag(RegisterID target) >- { >- m_assembler.xpacd(target); >- } >- > static const RegisterID InvalidGPR = static_cast<RegisterID>(-1); > > enum class CallSignatureType { >Index: Source/JavaScriptCore/b3/B3LowerToAir.cpp >=================================================================== >--- Source/JavaScriptCore/b3/B3LowerToAir.cpp (revision 246271) >+++ Source/JavaScriptCore/b3/B3LowerToAir.cpp (working copy) >@@ -1274,7 +1274,6 @@ private: > arg = tmp(value.value()); > break; > case ValueRep::SomeRegister: >- case ValueRep::SomeLateRegister: > arg = tmp(value.value()); > break; > case ValueRep::SomeRegisterWithClobber: { >Index: Source/JavaScriptCore/b3/B3PatchpointSpecial.cpp >=================================================================== >--- Source/JavaScriptCore/b3/B3PatchpointSpecial.cpp (revision 246271) >+++ Source/JavaScriptCore/b3/B3PatchpointSpecial.cpp (working copy) >@@ -120,7 +120,6 @@ bool PatchpointSpecial::admitsStack(Inst > case ValueRep::SomeRegister: > case ValueRep::SomeRegisterWithClobber: > case ValueRep::SomeEarlyRegister: >- case ValueRep::SomeLateRegister: > case ValueRep::Register: > case ValueRep::LateRegister: > return false; >Index: Source/JavaScriptCore/b3/B3StackmapSpecial.cpp >=================================================================== >--- Source/JavaScriptCore/b3/B3StackmapSpecial.cpp (revision 246271) >+++ Source/JavaScriptCore/b3/B3StackmapSpecial.cpp (working copy) >@@ -113,7 +113,6 @@ void StackmapSpecial::forEachArgImpl( > case ValueRep::SomeRegisterWithClobber: > role = Arg::UseDef; > break; >- case ValueRep::SomeLateRegister: > case ValueRep::LateRegister: > role = Arg::LateUse; > break; >@@ -255,7 +254,6 @@ bool StackmapSpecial::isArgValidForRep(A > case ValueRep::SomeRegister: > case ValueRep::SomeRegisterWithClobber: > case ValueRep::SomeEarlyRegister: >- case ValueRep::SomeLateRegister: > return arg.isTmp(); > case ValueRep::LateRegister: > case ValueRep::Register: >Index: Source/JavaScriptCore/b3/B3Validate.cpp >=================================================================== >--- Source/JavaScriptCore/b3/B3Validate.cpp (revision 246271) >+++ Source/JavaScriptCore/b3/B3Validate.cpp (working copy) >@@ -580,7 +580,6 @@ private: > break; > case ValueRep::Register: > case ValueRep::LateRegister: >- case ValueRep::SomeLateRegister: > if (value.rep().kind() == ValueRep::LateRegister) > VALIDATE(role == ConstraintRole::Use, ("At ", *context, ": ", value)); > if (value.rep().reg().isGPR()) >Index: Source/JavaScriptCore/b3/B3ValueRep.cpp >=================================================================== >--- Source/JavaScriptCore/b3/B3ValueRep.cpp (revision 246271) >+++ Source/JavaScriptCore/b3/B3ValueRep.cpp (working copy) >@@ -42,7 +42,6 @@ void ValueRep::addUsedRegistersTo(Regist > case SomeRegister: > case SomeRegisterWithClobber: > case SomeEarlyRegister: >- case SomeLateRegister: > case Constant: > return; > case LateRegister: >@@ -75,7 +74,6 @@ void ValueRep::dump(PrintStream& out) co > case SomeRegister: > case SomeRegisterWithClobber: > case SomeEarlyRegister: >- case SomeLateRegister: > return; > case LateRegister: > case Register: >@@ -185,9 +183,6 @@ void printInternal(PrintStream& out, Val > case ValueRep::SomeEarlyRegister: > out.print("SomeEarlyRegister"); > return; >- case ValueRep::SomeLateRegister: >- out.print("SomeLateRegister"); >- return; > case ValueRep::Register: > out.print("Register"); > return; >Index: Source/JavaScriptCore/b3/B3ValueRep.h >=================================================================== >--- Source/JavaScriptCore/b3/B3ValueRep.h (revision 246271) >+++ Source/JavaScriptCore/b3/B3ValueRep.h (working copy) >@@ -74,11 +74,7 @@ public: > // that the def happens before any of the effects of the stackmap. This is only valid for > // the result constraint of a Patchpoint. > SomeEarlyRegister, >- >- // As an input representation, this tells us that B3 should pick some register, but implies >- // the use happens after any defs. This is only works for patchpoints. >- SomeLateRegister, >- >+ > // As an input representation, this forces a particular register. As an output > // representation, this tells us what register B3 picked. > Register, >@@ -115,7 +111,7 @@ public: > ValueRep(Kind kind) > : m_kind(kind) > { >- ASSERT(kind == WarmAny || kind == ColdAny || kind == LateColdAny || kind == SomeRegister || kind == SomeRegisterWithClobber || kind == SomeEarlyRegister || kind == SomeLateRegister); >+ ASSERT(kind == WarmAny || kind == ColdAny || kind == LateColdAny || kind == SomeRegister || kind == SomeRegisterWithClobber || kind == SomeEarlyRegister); > } > > static ValueRep reg(Reg reg) >@@ -189,7 +185,7 @@ public: > > bool isAny() const { return kind() == WarmAny || kind() == ColdAny || kind() == LateColdAny; } > >- bool isReg() const { return kind() == Register || kind() == LateRegister || kind() == SomeLateRegister; } >+ bool isReg() const { return kind() == Register || kind() == LateRegister; } > > Reg reg() const > { >Index: Source/JavaScriptCore/dfg/DFGOperations.cpp >=================================================================== >--- Source/JavaScriptCore/dfg/DFGOperations.cpp (revision 246271) >+++ Source/JavaScriptCore/dfg/DFGOperations.cpp (working copy) >@@ -198,7 +198,7 @@ char* newTypedArrayWithSize(ExecState* e > } > > if (vector) >- return bitwise_cast<char*>(ViewClass::createWithFastVector(exec, structure, size, untagArrayPtr(vector, size))); >+ return bitwise_cast<char*>(ViewClass::createWithFastVector(exec, structure, size, vector)); > > RELEASE_AND_RETURN(scope, bitwise_cast<char*>(ViewClass::create(exec, structure, size))); > } >Index: Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp >=================================================================== >--- Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (revision 246271) >+++ Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (working copy) >@@ -4682,7 +4682,7 @@ void SpeculativeJIT::compile(Node* node) > m_jit.branch64(MacroAssembler::AboveOrEqual, t2, t1)); > > m_jit.loadPtr(JITCompiler::Address(dataViewGPR, JSArrayBufferView::offsetOfVector()), t2); >- cageTypedArrayStorage(dataViewGPR, t2); >+ cageTypedArrayStorage(t2); > > m_jit.zeroExtend32ToPtr(indexGPR, t1); > auto baseIndex = JITCompiler::BaseIndex(t2, t1, MacroAssembler::TimesOne); >@@ -4878,7 +4878,7 @@ void SpeculativeJIT::compile(Node* node) > m_jit.branch64(MacroAssembler::AboveOrEqual, t2, t1)); > > m_jit.loadPtr(JITCompiler::Address(dataViewGPR, JSArrayBufferView::offsetOfVector()), t2); >- cageTypedArrayStorage(dataViewGPR, t2); >+ cageTypedArrayStorage(t2); > > m_jit.zeroExtend32ToPtr(indexGPR, t1); > auto baseIndex = JITCompiler::BaseIndex(t2, t1, MacroAssembler::TimesOne); >Index: Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >=================================================================== >--- Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (revision 246271) >+++ Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (working copy) >@@ -40,7 +40,6 @@ > #include "DFGSlowPathGenerator.h" > #include "DFGSnippetParams.h" > #include "DirectArguments.h" >-#include "DisallowMacroScratchRegisterUsage.h" > #include "JITAddGenerator.h" > #include "JITBitAndGenerator.h" > #include "JITBitOrGenerator.h" >@@ -2872,21 +2871,9 @@ JITCompiler::Jump SpeculativeJIT::jumpFo > MacroAssembler::Address(base, JSArrayBufferView::offsetOfMode()), > TrustedImm32(WastefulTypedArray)); > >- JITCompiler::Jump hasNullVector; >-#if !GIGACAGE_ENABLED && CPU(ARM64E) >- { >- GPRReg scratch = m_jit.scratchRegister(); >- DisallowMacroScratchRegisterUsage disallowScratch(m_jit); >- >- m_jit.loadPtr(MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector()), scratch); >- m_jit.removeArrayPtrTag(scratch); >- hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch); >- } >-#else // !GIGACAGE_ENABLED && CPU(ARM64E) >- hasNullVector = m_jit.branchTestPtr( >+ JITCompiler::Jump hasNullVector = m_jit.branchTestPtr( > MacroAssembler::Zero, > MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector())); >-#endif > speculationCheck(Uncountable, JSValueSource(), node, hasNullVector); > notWasteful.link(&m_jit); > } >@@ -6758,10 +6745,9 @@ void SpeculativeJIT::compileConstantStor > storageResult(storageGPR, node); > } > >-void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg) >+void SpeculativeJIT::cageTypedArrayStorage(GPRReg storageReg) > { > #if GIGACAGE_ENABLED >- UNUSED_PARAM(baseReg); > if (!Gigacage::shouldBeEnabled()) > return; > >@@ -6773,10 +6759,7 @@ void SpeculativeJIT::cageTypedArrayStora > } > > m_jit.cage(Gigacage::Primitive, storageReg); >-#elif CPU(ARM64E) >- m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg); > #else >- UNUSED_PARAM(baseReg); > UNUSED_PARAM(storageReg); > #endif > } >@@ -6800,17 +6783,16 @@ void SpeculativeJIT::compileGetIndexedPr > > m_jit.loadPtr(MacroAssembler::Address(storageReg, StringImpl::dataOffset()), storageReg); > break; >- >- default: { >+ >+ default: > auto typedArrayType = node->arrayMode().typedArrayType(); > ASSERT_UNUSED(typedArrayType, isTypedView(typedArrayType)); > > m_jit.loadPtr(JITCompiler::Address(baseReg, JSArrayBufferView::offsetOfVector()), storageReg); >- cageTypedArrayStorage(baseReg, storageReg); >+ cageTypedArrayStorage(storageReg); > break; > } >- } >- >+ > storageResult(storageReg, node); > } > >@@ -6835,24 +6817,17 @@ void SpeculativeJIT::compileGetTypedArra > TrustedImm32(WastefulTypedArray)); > > m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), vectorGPR); >- >- // FIXME: This should mask the PAC bits >- // https://bugs.webkit.org/show_bug.cgi?id=197701 > JITCompiler::Jump nullVector = m_jit.branchTestPtr(JITCompiler::Zero, vectorGPR); > > m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR); > m_jit.cage(Gigacage::JSValue, dataGPR); > >- cageTypedArrayStorage(baseGPR, vectorGPR); >+ cageTypedArrayStorage(vectorGPR); > > m_jit.loadPtr(MacroAssembler::Address(dataGPR, Butterfly::offsetOfArrayBuffer()), arrayBufferGPR); > // FIXME: This needs caging. > // https://bugs.webkit.org/show_bug.cgi?id=175515 > m_jit.loadPtr(MacroAssembler::Address(arrayBufferGPR, ArrayBuffer::offsetOfData()), dataGPR); >-#if CPU(ARM64E) >- m_jit.removeArrayPtrTag(dataGPR); >-#endif >- > m_jit.subPtr(dataGPR, vectorGPR); > > JITCompiler::Jump done = m_jit.jump(); >@@ -9845,11 +9820,6 @@ void SpeculativeJIT::compileNewTypedArra > MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesFour)); > m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit); > done.link(&m_jit); >-#if !GIGACAGE_ENABLED && CPU(ARM64E) >- // sizeGPR is still boxed as a number and there is no 32-bit variant of the PAC instructions. >- m_jit.zeroExtend32ToPtr(sizeGPR, scratchGPR); >- m_jit.tagArrayPtr(scratchGPR, storageGPR); >-#endif > > auto butterfly = TrustedImmPtr(nullptr); > emitAllocateJSObject<JSArrayBufferView>( >@@ -9871,7 +9841,7 @@ void SpeculativeJIT::compileNewTypedArra > addSlowPathGenerator(slowPathCall( > slowCases, this, operationNewTypedArrayWithSizeForType(typedArrayType), > resultGPR, structure, sizeGPR, storageGPR)); >- >+ > cellResult(resultGPR, node); > } > >Index: Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h >=================================================================== >--- Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (revision 246271) >+++ Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (working copy) >@@ -1652,7 +1652,7 @@ public: > template<bool strict> > GPRReg fillSpeculateInt32Internal(Edge, DataFormat& returnFormat); > >- void cageTypedArrayStorage(GPRReg, GPRReg); >+ void cageTypedArrayStorage(GPRReg); > > void recordSetLocal( > VirtualRegister bytecodeReg, VirtualRegister machineReg, DataFormat format) >Index: Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >=================================================================== >--- Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (revision 246271) >+++ Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (working copy) >@@ -3883,7 +3883,7 @@ private: > > DFG_ASSERT(m_graph, m_node, isTypedView(m_node->arrayMode().typedArrayType()), m_node->arrayMode().typedArrayType()); > LValue vector = m_out.loadPtr(cell, m_heaps.JSArrayBufferView_vector); >- setStorage(caged(Gigacage::Primitive, vector, cell)); >+ setStorage(caged(Gigacage::Primitive, vector)); > } > > void compileCheckArray() >@@ -3927,15 +3927,14 @@ private: > > m_out.appendTo(notNull, continuation); > >- LValue butterflyPtr = caged(Gigacage::JSValue, m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly), basePtr); >+ LValue butterflyPtr = caged(Gigacage::JSValue, m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly)); > LValue arrayBufferPtr = m_out.loadPtr(butterflyPtr, m_heaps.Butterfly_arrayBuffer); > >- LValue vectorPtr = caged(Gigacage::Primitive, vector, basePtr); >+ LValue vectorPtr = caged(Gigacage::Primitive, vector); > > // FIXME: This needs caging. > // https://bugs.webkit.org/show_bug.cgi?id=175515 > LValue dataPtr = m_out.loadPtr(arrayBufferPtr, m_heaps.ArrayBuffer_data); >- dataPtr = removeArrayPtrTag(dataPtr); > > ValueFromBlock wastefulOut = m_out.anchor(m_out.sub(vectorPtr, dataPtr)); > >@@ -6485,20 +6484,6 @@ private: > m_out.int64Zero, > m_heaps.typedArrayProperties); > >-#if !GIGACAGE_ENABLED && CPU(ARM64E) >- { >- LValue sizePtr = m_out.zeroExtPtr(size); >- PatchpointValue* authenticate = m_out.patchpoint(pointerType()); >- authenticate->appendSomeRegister(storage); >- authenticate->append(sizePtr, B3::ValueRep(B3::ValueRep::SomeLateRegister)); >- authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { >- jit.move(params[1].gpr(), params[0].gpr()); >- jit.tagArrayPtr(params[2].gpr(), params[0].gpr()); >- }); >- storage = authenticate; >- } >-#endif >- > ValueFromBlock haveStorage = m_out.anchor(storage); > > LValue fastResultValue = >@@ -12717,7 +12702,7 @@ private: > indexToCheck = m_out.add(indexToCheck, m_out.constInt64(data.byteSize - 1)); > speculate(OutOfBounds, noValue(), nullptr, m_out.aboveOrEqual(indexToCheck, length)); > >- LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector), dataView); >+ LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector)); > > TypedPointer pointer(m_heaps.typedArrayProperties, m_out.add(vector, m_out.zeroExtPtr(index))); > >@@ -12876,7 +12861,7 @@ private: > RELEASE_ASSERT_NOT_REACHED(); > } > >- LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector), dataView); >+ LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector)); > TypedPointer pointer(m_heaps.typedArrayProperties, m_out.add(vector, m_out.zeroExtPtr(index))); > > if (data.isFloatingPoint) { >@@ -14123,42 +14108,10 @@ private: > m_out.appendTo(performStore, lastNext); > } > } >- >- LValue untagArrayPtr(LValue ptr, LValue size) >- { >-#if CPU(ARM64E) >- PatchpointValue* authenticate = m_out.patchpoint(pointerType()); >- authenticate->appendSomeRegister(ptr); >- authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister)); >- authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { >- jit.move(params[1].gpr(), params[0].gpr()); >- jit.untagArrayPtr(params[2].gpr(), params[0].gpr()); >- }); >- return authenticate; >-#else >- UNUSED_PARAM(size); >- return ptr; >-#endif >- } >- >- LValue removeArrayPtrTag(LValue ptr) >- { >-#if CPU(ARM64E) >- PatchpointValue* authenticate = m_out.patchpoint(pointerType()); >- authenticate->appendSomeRegister(ptr); >- authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { >- jit.move(params[1].gpr(), params[0].gpr()); >- jit.removeArrayPtrTag(params[0].gpr()); >- }); >- return authenticate; >-#endif >- return ptr; >- } >- >- LValue caged(Gigacage::Kind kind, LValue ptr, LValue base) >+ >+ LValue caged(Gigacage::Kind kind, LValue ptr) > { > #if GIGACAGE_ENABLED >- UNUSED_PARAM(base); > if (!Gigacage::isEnabled(kind)) > return ptr; > >@@ -14187,16 +14140,8 @@ private: > // and possibly other smart things if we want to be able to remove this opaque. > // https://bugs.webkit.org/show_bug.cgi?id=175493 > return m_out.opaque(result); >-#elif CPU(ARM64E) >- if (kind == Gigacage::Primitive) { >- LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length); >- return untagArrayPtr(ptr, size); >- } >- >- return ptr; > #else > UNUSED_PARAM(kind); >- UNUSED_PARAM(base); > return ptr; > #endif > } >@@ -16610,9 +16555,6 @@ private: > > LBasicBlock lastNext = m_out.appendTo(isWasteful, continuation); > LValue vector = m_out.loadPtr(base, m_heaps.JSArrayBufferView_vector); >- // FIXME: We could probably make this a mask. >- // https://bugs.webkit.org/show_bug.cgi?id=197701 >- vector = removeArrayPtrTag(vector); > speculate(Uncountable, jsValueValue(vector), m_node, m_out.isZero64(vector)); > m_out.jump(continuation); > >Index: Source/JavaScriptCore/heap/ConservativeRoots.cpp >=================================================================== >--- Source/JavaScriptCore/heap/ConservativeRoots.cpp (revision 246271) >+++ Source/JavaScriptCore/heap/ConservativeRoots.cpp (working copy) >@@ -68,7 +68,6 @@ void ConservativeRoots::grow() > template<typename MarkHook> > inline void ConservativeRoots::genericAddPointer(void* p, HeapVersion markingVersion, HeapVersion newlyAllocatedVersion, TinyBloomFilter filter, MarkHook& markHook) > { >- p = removeArrayPtrTag(p); > markHook.mark(p); > > HeapUtil::findGCObjectPointersForMarking( >Index: Source/JavaScriptCore/jit/AssemblyHelpers.h >=================================================================== >--- Source/JavaScriptCore/jit/AssemblyHelpers.h (revision 246271) >+++ Source/JavaScriptCore/jit/AssemblyHelpers.h (working copy) >@@ -1569,7 +1569,7 @@ public: > #endif > } > >- void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratchOrLength) >+ void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratch) > { > #if GIGACAGE_ENABLED > if (!Gigacage::isEnabled(kind)) >@@ -1578,18 +1578,15 @@ public: > if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled()) > return cage(kind, storage); > >- loadPtr(&Gigacage::basePtr(kind), scratchOrLength); >- Jump done = branchTestPtr(Zero, scratchOrLength); >+ loadPtr(&Gigacage::basePtr(kind), scratch); >+ Jump done = branchTestPtr(Zero, scratch); > andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage); >- addPtr(scratchOrLength, storage); >+ addPtr(scratch, storage); > done.link(this); >-#elif CPU(ARM64E) >- if (kind == Gigacage::Primitive) >- untagArrayPtr(scratchOrLength, storage); > #else > UNUSED_PARAM(kind); > UNUSED_PARAM(storage); >- UNUSED_PARAM(scratchOrLength); >+ UNUSED_PARAM(scratch); > #endif > } > >Index: Source/JavaScriptCore/jit/IntrinsicEmitter.cpp >=================================================================== >--- Source/JavaScriptCore/jit/IntrinsicEmitter.cpp (revision 246271) >+++ Source/JavaScriptCore/jit/IntrinsicEmitter.cpp (working copy) >@@ -114,14 +114,8 @@ void IntrinsicGetterAccessCase::emitIntr > > jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR); > jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), valueGPR); >-#if CPU(ARM64E) >- jit.removeArrayPtrTag(valueGPR); >-#endif > jit.loadPtr(MacroAssembler::Address(scratchGPR, Butterfly::offsetOfArrayBuffer()), scratchGPR); > jit.loadPtr(MacroAssembler::Address(scratchGPR, ArrayBuffer::offsetOfData()), scratchGPR); >-#if CPU(ARM64E) >- jit.removeArrayPtrTag(scratchGPR); >-#endif > jit.subPtr(scratchGPR, valueGPR); > > CCallHelpers::Jump done = jit.jump(); >Index: Source/JavaScriptCore/jit/JITPropertyAccess.cpp >=================================================================== >--- Source/JavaScriptCore/jit/JITPropertyAccess.cpp (revision 246271) >+++ Source/JavaScriptCore/jit/JITPropertyAccess.cpp (working copy) >@@ -1589,7 +1589,7 @@ JIT::JumpList JIT::emitDirectArgumentsGe > load32(Address(base, DirectArguments::offsetOfLength()), scratch2); > slowCases.append(branch32(AboveOrEqual, property, scratch2)); > slowCases.append(branchTestPtr(NonZero, Address(base, DirectArguments::offsetOfMappedArguments()))); >- >+ > loadValue(BaseIndex(base, property, TimesEight, DirectArguments::storageOffset()), result); > > return slowCases; >@@ -1669,8 +1669,7 @@ JIT::JumpList JIT::emitIntTypedArrayGetB > > load8(Address(base, JSCell::typeInfoTypeOffset()), scratch); > badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type))); >- load32(Address(base, JSArrayBufferView::offsetOfLength()), scratch2); >- slowCases.append(branch32(AboveOrEqual, property, scratch2)); >+ slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength()))); > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); > cageConditionally(Gigacage::Primitive, scratch, scratch2); > >@@ -1733,8 +1732,7 @@ JIT::JumpList JIT::emitFloatTypedArrayGe > > load8(Address(base, JSCell::typeInfoTypeOffset()), scratch); > badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type))); >- load32(Address(base, JSArrayBufferView::offsetOfLength()), scratch2); >- slowCases.append(branch32(AboveOrEqual, property, scratch2)); >+ slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength()))); > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); > cageConditionally(Gigacage::Primitive, scratch, scratch2); > >@@ -1784,8 +1782,7 @@ JIT::JumpList JIT::emitIntTypedArrayPutB > > load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch); > badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type))); >- load32(Address(base, JSArrayBufferView::offsetOfLength()), lateScratch2); >- Jump inBounds = branch32(Below, property, lateScratch2); >+ Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength())); > emitArrayProfileOutOfBoundsSpecialCase(profile); > slowCases.append(jump()); > inBounds.link(this); >@@ -1860,8 +1857,7 @@ JIT::JumpList JIT::emitFloatTypedArrayPu > > load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch); > badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type))); >- load32(Address(base, JSArrayBufferView::offsetOfLength()), lateScratch2); >- Jump inBounds = branch32(Below, property, lateScratch2); >+ Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength())); > emitArrayProfileOutOfBoundsSpecialCase(profile); > slowCases.append(jump()); > inBounds.link(this); >Index: Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp >=================================================================== >--- Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp (revision 246271) >+++ Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp (working copy) >@@ -57,6 +57,9 @@ void PolymorphicCallNode::unlink(VM& vm) > > void PolymorphicCallNode::clearCallLinkInfo() > { >+ if (Options::dumpDisassembly()) >+ dataLog("Clearing call link info for polymorphic call at ", m_callLinkInfo->callReturnLocation(), ", ", m_callLinkInfo->codeOrigin(), "\n"); >+ > m_callLinkInfo = nullptr; > } > >Index: Source/JavaScriptCore/jit/RegisterSet.h >=================================================================== >--- Source/JavaScriptCore/jit/RegisterSet.h (revision 246271) >+++ Source/JavaScriptCore/jit/RegisterSet.h (working copy) >@@ -84,9 +84,7 @@ public: > set(regs.tagGPR(), value); > set(regs.payloadGPR(), value); > } >- >- void set(const RegisterSet& other, bool value = true) { value ? merge(other) : exclude(other); } >- >+ > void clear(Reg reg) > { > ASSERT(!!reg); >Index: Source/JavaScriptCore/llint/LowLevelInterpreter64.asm >=================================================================== >--- Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (revision 246271) >+++ Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (working copy) >@@ -422,29 +422,20 @@ macro checkSwitchToJITForLoop() > end) > end > >-macro uncage(basePtr, mask, ptr, scratchOrLength) >- if GIGACAGE_ENABLED and not (C_LOOP or C_LOOP_WIN) >- loadp basePtr, scratchOrLength >- btpz scratchOrLength, .done >+macro uncage(basePtr, mask, ptr, scratch) >+ if GIGACAGE_ENABLED and not C_LOOP >+ loadp basePtr, scratch >+ btpz scratch, .done > andp mask, ptr >- addp scratchOrLength, ptr >- .done: >- end >-end >- >-macro loadCagedPrimitive(source, dest, scratchOrLength) >- loadp source, dest >- if GIGACAGE_ENABLED >- uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, dest, scratchOrLength) >- elsif ARM64E >- untagArrayPtr scratchOrLength, dest >+ addp scratch, ptr >+ .done: > end > end > >-macro loadCagedJSValue(source, dest, scratchOrLength) >+macro loadCaged(basePtr, mask, source, dest, scratch) > loadp source, dest >- uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, dest, scratchOrLength) >-end >+ uncage(basePtr, mask, dest, scratch) >+ end > > macro loadVariable(get, fieldName, valueReg) > get(fieldName, valueReg) >@@ -1344,7 +1335,7 @@ llintOpWithMetadata(op_get_by_id, OpGetB > arrayProfile(OpGetById::Metadata::m_modeMetadata.arrayLengthMode.arrayProfile, t0, t2, t5) > btiz t0, IsArray, .opGetByIdSlow > btiz t0, IndexingShapeMask, .opGetByIdSlow >- loadCagedJSValue(JSObject::m_butterfly[t3], t0, t1) >+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t3], t0, t1) > loadi -sizeof IndexingHeader + IndexingHeader::u.lengths.publicLength[t0], t0 > bilt t0, 0, .opGetByIdSlow > orq tagTypeNumber, t0 >@@ -1467,7 +1458,7 @@ llintOpWithMetadata(op_get_by_val, OpGet > loadConstantOrVariableInt32(size, t3, t1, .opGetByValSlow) > sxi2q t1, t1 > >- loadCagedJSValue(JSObject::m_butterfly[t0], t3, tagTypeNumber) >+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t0], t3, tagTypeNumber) > move TagTypeNumber, tagTypeNumber > > andi IndexingShapeMask, t2 >@@ -1511,17 +1502,7 @@ llintOpWithMetadata(op_get_by_val, OpGet > biaeq t2, NumberOfTypedArrayTypesExcludingDataView, .opGetByValSlow > > # Sweet, now we know that we have a typed array. Do some basic things now. >- >- if ARM64E >- const scratchOrLength = t6 >- loadi JSArrayBufferView::m_length[t0], scratchOrLength >- biaeq t1, scratchOrLength, .opGetByValSlow >- else >- const scratchOrLength = t0 >- biaeq t1, JSArrayBufferView::m_length[t0], .opGetByValSlow >- end >- >- loadCagedPrimitive(JSArrayBufferView::m_vector[t0], t3, scratchOrLength) >+ biaeq t1, JSArrayBufferView::m_length[t0], .opGetByValSlow > > # Now bisect through the various types: > # Int8ArrayType, >@@ -1543,6 +1524,7 @@ llintOpWithMetadata(op_get_by_val, OpGet > bia t2, Int8ArrayType - FirstTypedArrayType, .opGetByValUint8ArrayOrUint8ClampedArray > > # We have Int8ArrayType. >+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadbsi [t3, t1], t0 > finishIntGetByVal(t0, t1) > >@@ -1550,11 +1532,13 @@ llintOpWithMetadata(op_get_by_val, OpGet > bia t2, Uint8ArrayType - FirstTypedArrayType, .opGetByValUint8ClampedArray > > # We have Uint8ArrayType. >+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadb [t3, t1], t0 > finishIntGetByVal(t0, t1) > > .opGetByValUint8ClampedArray: > # We have Uint8ClampedArrayType. >+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadb [t3, t1], t0 > finishIntGetByVal(t0, t1) > >@@ -1563,11 +1547,13 @@ llintOpWithMetadata(op_get_by_val, OpGet > bia t2, Int16ArrayType - FirstTypedArrayType, .opGetByValUint16Array > > # We have Int16ArrayType. >+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadhsi [t3, t1, 2], t0 > finishIntGetByVal(t0, t1) > > .opGetByValUint16Array: > # We have Uint16ArrayType. >+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadh [t3, t1, 2], t0 > finishIntGetByVal(t0, t1) > >@@ -1579,11 +1565,13 @@ llintOpWithMetadata(op_get_by_val, OpGet > bia t2, Int32ArrayType - FirstTypedArrayType, .opGetByValUint32Array > > # We have Int32ArrayType. >+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadi [t3, t1, 4], t0 > finishIntGetByVal(t0, t1) > > .opGetByValUint32Array: > # We have Uint32ArrayType. >+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > # This is the hardest part because of large unsigned values. > loadi [t3, t1, 4], t0 > bilt t0, 0, .opGetByValSlow # This case is still awkward to implement in LLInt. >@@ -1595,6 +1583,7 @@ llintOpWithMetadata(op_get_by_val, OpGet > bieq t2, Float32ArrayType - FirstTypedArrayType, .opGetByValSlow > > # We have Float64ArrayType. >+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadd [t3, t1, 8], ft0 > bdnequn ft0, ft0, .opGetByValSlow > finishDoubleGetByVal(ft0, t0, t1) >@@ -1630,7 +1619,7 @@ macro putByValOp(opcodeName, opcodeStruc > get(m_property, t0) > loadConstantOrVariableInt32(size, t0, t3, .opPutByValSlow) > sxi2q t3, t3 >- loadCagedJSValue(JSObject::m_butterfly[t1], t0, tagTypeNumber) >+ loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t1], t0, tagTypeNumber) > move TagTypeNumber, tagTypeNumber > btinz t2, CopyOnWrite, .opPutByValSlow > andi IndexingShapeMask, t2 >Index: Source/JavaScriptCore/runtime/ArrayBuffer.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/ArrayBuffer.cpp (revision 246271) >+++ Source/JavaScriptCore/runtime/ArrayBuffer.cpp (working copy) >@@ -33,17 +33,15 @@ > > namespace JSC { > >-SharedArrayBufferContents::SharedArrayBufferContents(void* data, unsigned size, ArrayBufferDestructorFunction&& destructor) >- : m_data(data, size) >+SharedArrayBufferContents::SharedArrayBufferContents(void* data, ArrayBufferDestructorFunction&& destructor) >+ : m_data(data) > , m_destructor(WTFMove(destructor)) >- , m_sizeInBytes(size) > { > } > > SharedArrayBufferContents::~SharedArrayBufferContents() > { >- // FIXME: we shouldn't use getUnsafe here https://bugs.webkit.org/show_bug.cgi?id=197698 >- m_destructor(m_data.getUnsafe()); >+ m_destructor(m_data.getMayBeNull()); > } > > ArrayBufferContents::ArrayBufferContents() >@@ -58,7 +56,7 @@ ArrayBufferContents::ArrayBufferContents > } > > ArrayBufferContents::ArrayBufferContents(void* data, unsigned sizeInBytes, ArrayBufferDestructorFunction&& destructor) >- : m_data(data, sizeInBytes) >+ : m_data(data) > , m_sizeInBytes(sizeInBytes) > { > RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE); >@@ -84,8 +82,7 @@ void ArrayBufferContents::clear() > > void ArrayBufferContents::destroy() > { >- // FIXME: We shouldn't use getUnsafe here: https://bugs.webkit.org/show_bug.cgi?id=197698 >- m_destructor(m_data.getUnsafe()); >+ m_destructor(m_data.getMayBeNull()); > } > > void ArrayBufferContents::reset() >@@ -106,29 +103,26 @@ void ArrayBufferContents::tryAllocate(un > return; > } > } >- size_t sizeInBytes = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize); >- size_t allocationSize = sizeInBytes; >- if (!allocationSize) >- allocationSize = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered. >- >- void* data = Gigacage::tryMalloc(Gigacage::Primitive, allocationSize); >- m_data = DataType(data, sizeInBytes); >- if (!data) { >+ size_t size = static_cast<size_t>(numElements) * static_cast<size_t>(elementByteSize); >+ if (!size) >+ size = 1; // Make sure malloc actually allocates something, but not too much. We use null to mean that the buffer is neutered. >+ m_data = Gigacage::tryMalloc(Gigacage::Primitive, size); >+ if (!m_data) { > reset(); > return; > } > > if (policy == ZeroInitialize) >- memset(data, 0, allocationSize); >+ memset(m_data.get(), 0, size); > >- m_sizeInBytes = sizeInBytes; >+ m_sizeInBytes = numElements * elementByteSize; > RELEASE_ASSERT(m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE); > m_destructor = [] (void* p) { Gigacage::free(Gigacage::Primitive, p); }; > } > > void ArrayBufferContents::makeShared() > { >- m_shared = adoptRef(new SharedArrayBufferContents(data(), sizeInBytes(), WTFMove(m_destructor))); >+ m_shared = adoptRef(new SharedArrayBufferContents(m_data.getMayBeNull(), WTFMove(m_destructor))); > m_destructor = [] (void*) { }; > } > >@@ -149,7 +143,7 @@ void ArrayBufferContents::copyTo(ArrayBu > other.tryAllocate(m_sizeInBytes, sizeof(char), ArrayBufferContents::DontInitialize); > if (!other.m_data) > return; >- memcpy(other.data(), data(), m_sizeInBytes); >+ memcpy(other.m_data.get(), m_data.get(), m_sizeInBytes); > other.m_sizeInBytes = m_sizeInBytes; > RELEASE_ASSERT(other.m_sizeInBytes <= MAX_ARRAY_BUFFER_SIZE); > } >Index: Source/JavaScriptCore/runtime/ArrayBuffer.h >=================================================================== >--- Source/JavaScriptCore/runtime/ArrayBuffer.h (revision 246271) >+++ Source/JavaScriptCore/runtime/ArrayBuffer.h (working copy) >@@ -48,16 +48,14 @@ typedef Function<void(void*)> ArrayBuffe > > class SharedArrayBufferContents : public ThreadSafeRefCounted<SharedArrayBufferContents> { > public: >- SharedArrayBufferContents(void* data, unsigned size, ArrayBufferDestructorFunction&&); >+ SharedArrayBufferContents(void* data, ArrayBufferDestructorFunction&&); > ~SharedArrayBufferContents(); > >- void* data() const { return m_data.getMayBeNull(m_sizeInBytes); } >+ void* data() const { return m_data.getMayBeNull(); } > > private: >- using DataType = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>; >- DataType m_data; >+ CagedPtr<Gigacage::Primitive, void> m_data; > ArrayBufferDestructorFunction m_destructor; >- unsigned m_sizeInBytes; > }; > > class ArrayBufferContents { >@@ -75,7 +73,7 @@ public: > > explicit operator bool() { return !!m_data; } > >- void* data() const { return m_data.getMayBeNull(sizeInBytes()); } >+ void* data() const { return m_data.getMayBeNull(); } > unsigned sizeInBytes() const { return m_sizeInBytes; } > > bool isShared() const { return m_shared; } >@@ -100,8 +98,7 @@ private: > > ArrayBufferDestructorFunction m_destructor; > RefPtr<SharedArrayBufferContents> m_shared; >- using DataType = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>; >- DataType m_data; >+ CagedPtr<Gigacage::Primitive, void> m_data; > unsigned m_sizeInBytes; > }; > >@@ -177,17 +174,17 @@ public: > > void* ArrayBuffer::data() > { >- return m_contents.data(); >+ return m_contents.m_data.getMayBeNull(); > } > > const void* ArrayBuffer::data() const > { >- return m_contents.data(); >+ return m_contents.m_data.getMayBeNull(); > } > > unsigned ArrayBuffer::byteLength() const > { >- return m_contents.sizeInBytes(); >+ return m_contents.m_sizeInBytes; > } > > bool ArrayBuffer::isShared() const >Index: Source/JavaScriptCore/runtime/ArrayBufferView.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/ArrayBufferView.cpp (revision 246271) >+++ Source/JavaScriptCore/runtime/ArrayBufferView.cpp (working copy) >@@ -25,22 +25,17 @@ > > #include "config.h" > #include "ArrayBufferView.h" >-#include <wtf/CheckedArithmetic.h> > > namespace JSC { > > ArrayBufferView::ArrayBufferView( >- RefPtr<ArrayBuffer>&& buffer, unsigned byteOffset, unsigned byteLength) >+ RefPtr<ArrayBuffer>&& buffer, >+ unsigned byteOffset) > : m_byteOffset(byteOffset) > , m_isNeuterable(true) >- , m_byteLength(byteLength) > , m_buffer(WTFMove(buffer)) > { >- Checked<unsigned, CrashOnOverflow> length(byteOffset); >- length += byteLength; >- RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(length <= m_buffer->byteLength()); >- if (m_buffer) >- m_baseAddress = BaseAddress(static_cast<char*>(m_buffer->data()) + m_byteOffset, byteLength); >+ m_baseAddress = m_buffer ? (static_cast<char*>(m_buffer->data()) + m_byteOffset) : 0; > } > > ArrayBufferView::~ArrayBufferView() >Index: Source/JavaScriptCore/runtime/ArrayBufferView.h >=================================================================== >--- Source/JavaScriptCore/runtime/ArrayBufferView.h (revision 246271) >+++ Source/JavaScriptCore/runtime/ArrayBufferView.h (working copy) >@@ -71,8 +71,8 @@ public: > void* baseAddress() const > { > if (isNeutered()) >- return nullptr; >- return m_baseAddress.getMayBeNull(byteLength()); >+ return 0; >+ return m_baseAddress.getMayBeNull(); > } > > void* data() const { return baseAddress(); } >@@ -84,7 +84,7 @@ public: > return m_byteOffset; > } > >- unsigned byteLength() const { return m_byteLength; } >+ virtual unsigned byteLength() const = 0; > > JS_EXPORT_PRIVATE void setNeuterable(bool flag); > bool isNeuterable() const { return m_isNeuterable; } >@@ -113,12 +113,13 @@ public: > virtual JSArrayBufferView* wrap(ExecState*, JSGlobalObject*) = 0; > > protected: >- JS_EXPORT_PRIVATE ArrayBufferView(RefPtr<ArrayBuffer>&&, unsigned byteOffset, unsigned byteLength); >+ JS_EXPORT_PRIVATE ArrayBufferView(RefPtr<ArrayBuffer>&&, unsigned byteOffset); > > inline bool setImpl(ArrayBufferView*, unsigned byteOffset); > >- inline bool setRangeImpl(const void* data, size_t dataByteLength, unsigned byteOffset); >- inline bool getRangeImpl(void* destination, size_t dataByteLength, unsigned byteOffset); >+ // Caller passes in bufferByteLength to avoid a virtual function call. >+ inline bool setRangeImpl(const void* data, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength); >+ inline bool getRangeImpl(void* destination, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength); > > inline bool zeroRangeImpl(unsigned byteOffset, size_t rangeByteLength); > >@@ -149,11 +150,9 @@ protected: > > unsigned m_byteOffset : 31; > bool m_isNeuterable : 1; >- unsigned m_byteLength; > >- using BaseAddress = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>; > // This is the address of the ArrayBuffer's storage, plus the byte offset. >- BaseAddress m_baseAddress; >+ CagedPtr<Gigacage::Primitive, void> m_baseAddress; > > private: > friend class ArrayBuffer; >@@ -174,10 +173,12 @@ bool ArrayBufferView::setImpl(ArrayBuffe > return true; > } > >-bool ArrayBufferView::setRangeImpl(const void* data, size_t dataByteLength, unsigned byteOffset) >+bool ArrayBufferView::setRangeImpl(const void* data, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength) > { >- if (byteOffset > byteLength() >- || byteOffset + dataByteLength > byteLength() >+ // Do not replace with RELEASE_ASSERT; we want to avoid the virtual byteLength() function call in release. >+ ASSERT_WITH_SECURITY_IMPLICATION(bufferByteLength == byteLength()); >+ if (byteOffset > bufferByteLength >+ || byteOffset + dataByteLength > bufferByteLength > || byteOffset + dataByteLength < byteOffset) { > // Out of range offset or overflow > return false; >@@ -188,10 +189,12 @@ bool ArrayBufferView::setRangeImpl(const > return true; > } > >-bool ArrayBufferView::getRangeImpl(void* destination, size_t dataByteLength, unsigned byteOffset) >+bool ArrayBufferView::getRangeImpl(void* destination, size_t dataByteLength, unsigned byteOffset, unsigned bufferByteLength) > { >- if (byteOffset > byteLength() >- || byteOffset + dataByteLength > byteLength() >+ // Do not replace with RELEASE_ASSERT; we want to avoid the virtual byteLength() function call in release. >+ ASSERT_WITH_SECURITY_IMPLICATION(bufferByteLength == byteLength()); >+ if (byteOffset > bufferByteLength >+ || byteOffset + dataByteLength > bufferByteLength > || byteOffset + dataByteLength < byteOffset) { > // Out of range offset or overflow > return false; >Index: Source/JavaScriptCore/runtime/CachedTypes.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/CachedTypes.cpp (revision 246271) >+++ Source/JavaScriptCore/runtime/CachedTypes.cpp (working copy) >@@ -1088,13 +1088,13 @@ public: > void encode(Encoder& encoder, const ScopedArgumentsTable& scopedArgumentsTable) > { > m_length = scopedArgumentsTable.m_length; >- m_arguments.encode(encoder, scopedArgumentsTable.m_arguments.get(m_length), m_length); >+ m_arguments.encode(encoder, scopedArgumentsTable.m_arguments.get(), m_length); > } > > ScopedArgumentsTable* decode(Decoder& decoder) const > { > ScopedArgumentsTable* scopedArgumentsTable = ScopedArgumentsTable::create(decoder.vm(), m_length); >- m_arguments.decode(decoder, scopedArgumentsTable->m_arguments.get(m_length), m_length); >+ m_arguments.decode(decoder, scopedArgumentsTable->m_arguments.get(), m_length); > return scopedArgumentsTable; > } > >Index: Source/JavaScriptCore/runtime/CagedBarrierPtr.h >=================================================================== >--- Source/JavaScriptCore/runtime/CagedBarrierPtr.h (revision 246271) >+++ Source/JavaScriptCore/runtime/CagedBarrierPtr.h (working copy) >@@ -35,41 +35,87 @@ class VM; > > // This is a convenient combo of AuxiliaryBarrier and CagedPtr. > >-template<Gigacage::Kind passedKind, typename T, bool shouldTag = false> >+template<Gigacage::Kind passedKind, typename T> > class CagedBarrierPtr { > public: > static constexpr Gigacage::Kind kind = passedKind; >- using Type = T; >- using CagedType = CagedPtr<kind, Type, shouldTag>; >+ typedef T Type; > >- CagedBarrierPtr() = default; >+ CagedBarrierPtr() { } > > template<typename U> >- CagedBarrierPtr(VM& vm, JSCell* cell, U&& value, unsigned size) >+ CagedBarrierPtr(VM& vm, JSCell* cell, U&& value) > { >- m_barrier.set(vm, cell, CagedType(std::forward<U>(value), size)); >+ m_barrier.set(vm, cell, std::forward<U>(value)); > } > > void clear() { m_barrier.clear(); } > > template<typename U> >- void set(VM& vm, JSCell* cell, U&& value, unsigned size) >+ void set(VM& vm, JSCell* cell, U&& value) > { >- m_barrier.set(vm, cell, CagedType(std::forward<U>(value), size)); >+ m_barrier.set(vm, cell, std::forward<U>(value)); > } > >- T* get(unsigned size) const { return m_barrier.get().get(size); } >- T* getMayBeNull(unsigned size) const { return m_barrier.get().getMayBeNull(size); } >- T* getUnsafe() const { return m_barrier.get().getUnsafe(); } >- >- // We need the template here so that the type of U is deduced at usage time rather than class time. U should always be T. >- template<typename U = T> >- typename std::enable_if<!std::is_same<void, U>::value, T>::type& >- /* T& */ at(unsigned index, unsigned size) const { return get(size)[index]; } >+ T* get() const { return m_barrier.get().get(); } >+ T* getMayBeNull() const { return m_barrier.get().getMayBeNull(); } >+ >+ bool operator==(const CagedBarrierPtr& other) const >+ { >+ return getMayBeNull() == other.getMayBeNull(); >+ } >+ >+ bool operator!=(const CagedBarrierPtr& other) const >+ { >+ return !(*this == other); >+ } >+ >+ explicit operator bool() const >+ { >+ return *this != CagedBarrierPtr(); >+ } >+ >+ template<typename U> >+ void setWithoutBarrier(U&& value) { m_barrier.setWithoutBarrier(std::forward<U>(value)); } >+ >+ T& operator*() const { return *get(); } >+ T* operator->() const { return get(); } >+ >+ template<typename IndexType> >+ T& operator[](IndexType index) const { return get()[index]; } >+ >+private: >+ AuxiliaryBarrier<CagedPtr<kind, T>> m_barrier; >+}; > >+template<Gigacage::Kind passedKind> >+class CagedBarrierPtr<passedKind, void> { >+public: >+ static constexpr Gigacage::Kind kind = passedKind; >+ typedef void Type; >+ >+ CagedBarrierPtr() { } >+ >+ template<typename U> >+ CagedBarrierPtr(VM& vm, JSCell* cell, U&& value) >+ { >+ m_barrier.set(vm, cell, std::forward<U>(value)); >+ } >+ >+ void clear() { m_barrier.clear(); } >+ >+ template<typename U> >+ void set(VM& vm, JSCell* cell, U&& value) >+ { >+ m_barrier.set(vm, cell, std::forward<U>(value)); >+ } >+ >+ void* get() const { return m_barrier.get().get(); } >+ void* getMayBeNull() const { return m_barrier.get().getMayBeNull(); } >+ > bool operator==(const CagedBarrierPtr& other) const > { >- return m_barrier.get() == other.m_barrier.get(); >+ return getMayBeNull() == other.getMayBeNull(); > } > > bool operator!=(const CagedBarrierPtr& other) const >@@ -79,14 +125,14 @@ public: > > explicit operator bool() const > { >- return !!m_barrier.get(); >+ return *this != CagedBarrierPtr(); > } > > template<typename U> >- void setWithoutBarrier(U&& value, unsigned size) { m_barrier.setWithoutBarrier(CagedType(std::forward<U>(value), size)); } >+ void setWithoutBarrier(U&& value) { m_barrier.setWithoutBarrier(std::forward<U>(value)); } > > private: >- AuxiliaryBarrier<CagedType> m_barrier; >+ AuxiliaryBarrier<CagedPtr<kind, void>> m_barrier; > }; > > } // namespace JSC >Index: Source/JavaScriptCore/runtime/DataView.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/DataView.cpp (revision 246271) >+++ Source/JavaScriptCore/runtime/DataView.cpp (working copy) >@@ -33,7 +33,8 @@ > namespace JSC { > > DataView::DataView(RefPtr<ArrayBuffer>&& buffer, unsigned byteOffset, unsigned byteLength) >- : ArrayBufferView(WTFMove(buffer), byteOffset, byteLength) >+ : ArrayBufferView(WTFMove(buffer), byteOffset) >+ , m_byteLength(byteLength) > { > } > >Index: Source/JavaScriptCore/runtime/DataView.h >=================================================================== >--- Source/JavaScriptCore/runtime/DataView.h (revision 246271) >+++ Source/JavaScriptCore/runtime/DataView.h (working copy) >@@ -38,6 +38,11 @@ public: > JS_EXPORT_PRIVATE static Ref<DataView> create(RefPtr<ArrayBuffer>&&, unsigned byteOffset, unsigned length); > static Ref<DataView> create(RefPtr<ArrayBuffer>&&); > >+ unsigned byteLength() const override >+ { >+ return m_byteLength; >+ } >+ > TypedArrayType getType() const override > { > return TypeDataView; >@@ -57,7 +62,7 @@ public: > } else > RELEASE_ASSERT(offset + sizeof(T) <= byteLength()); > return flipBytesIfLittleEndian( >- *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get(byteLength())) + offset), >+ *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get()) + offset), > littleEndian); > } > >@@ -81,9 +86,12 @@ public: > *status = true; > } else > RELEASE_ASSERT(offset + sizeof(T) <= byteLength()); >- *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get(byteLength())) + offset) = >+ *reinterpret_cast<T*>(static_cast<uint8_t*>(m_baseAddress.get()) + offset) = > flipBytesIfLittleEndian(value, littleEndian); > } >+ >+private: >+ unsigned m_byteLength; > }; > > } // namespace JSC >Index: Source/JavaScriptCore/runtime/DirectArguments.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/DirectArguments.cpp (revision 246271) >+++ Source/JavaScriptCore/runtime/DirectArguments.cpp (working copy) >@@ -101,7 +101,7 @@ void DirectArguments::visitChildren(JSCe > visitor.append(thisObject->m_callee); > > if (thisObject->m_mappedArguments) >- visitor.markAuxiliary(thisObject->m_mappedArguments.get(thisObject->internalLength())); >+ visitor.markAuxiliary(thisObject->m_mappedArguments.get()); > GenericArguments<DirectArguments>::visitChildren(thisCell, visitor); > } > >@@ -120,8 +120,8 @@ void DirectArguments::overrideThings(VM& > > void* backingStore = vm.gigacageAuxiliarySpace(m_mappedArguments.kind).allocateNonVirtual(vm, mappedArgumentsSize(), nullptr, AllocationFailureMode::Assert); > bool* overrides = static_cast<bool*>(backingStore); >- m_mappedArguments.set(vm, this, overrides, internalLength()); >- for (unsigned i = internalLength(); i--;) >+ m_mappedArguments.set(vm, this, overrides); >+ for (unsigned i = m_length; i--;) > overrides[i] = false; > } > >@@ -134,7 +134,7 @@ void DirectArguments::overrideThingsIfNe > void DirectArguments::unmapArgument(VM& vm, unsigned index) > { > overrideThingsIfNecessary(vm); >- m_mappedArguments.at(index, internalLength()) = true; >+ m_mappedArguments[index] = true; > } > > void DirectArguments::copyToArguments(ExecState* exec, VirtualRegister firstElementDest, unsigned offset, unsigned length) >Index: Source/JavaScriptCore/runtime/DirectArguments.h >=================================================================== >--- Source/JavaScriptCore/runtime/DirectArguments.h (revision 246271) >+++ Source/JavaScriptCore/runtime/DirectArguments.h (working copy) >@@ -86,7 +86,7 @@ public: > > bool isMappedArgument(uint32_t i) const > { >- return i < m_length && (!m_mappedArguments || !m_mappedArguments.at(i, m_length)); >+ return i < m_length && (!m_mappedArguments || !m_mappedArguments[i]); > } > > bool isMappedArgumentInDFG(uint32_t i) const >@@ -182,8 +182,7 @@ private: > WriteBarrier<JSFunction> m_callee; > uint32_t m_length; // Always the actual length of captured arguments and never what was stored into the length property. > uint32_t m_minCapacity; // The max of this and length determines the capacity of this object. It may be the actual capacity, or maybe something smaller. We arrange it this way to be kind to the JITs. >- using MappedArguments = CagedBarrierPtr<Gigacage::Primitive, bool>; >- MappedArguments m_mappedArguments; // If non-null, it means that length, callee, and caller are fully materialized properties. >+ CagedBarrierPtr<Gigacage::Primitive, bool> m_mappedArguments; // If non-null, it means that length, callee, and caller are fully materialized properties. > }; > > } // namespace JSC >Index: Source/JavaScriptCore/runtime/GenericArguments.h >=================================================================== >--- Source/JavaScriptCore/runtime/GenericArguments.h (revision 246271) >+++ Source/JavaScriptCore/runtime/GenericArguments.h (working copy) >@@ -60,9 +60,8 @@ protected: > bool isModifiedArgumentDescriptor(unsigned index, unsigned length); > > void copyToArguments(ExecState*, VirtualRegister firstElementDest, unsigned offset, unsigned length); >- >- using ModifiedArgumentsPtr = CagedBarrierPtr<Gigacage::Primitive, bool>; >- ModifiedArgumentsPtr m_modifiedArgumentsDescriptor; >+ >+ CagedBarrierPtr<Gigacage::Primitive, bool> m_modifiedArgumentsDescriptor; > }; > > } // namespace JSC >Index: Source/JavaScriptCore/runtime/GenericArgumentsInlines.h >=================================================================== >--- Source/JavaScriptCore/runtime/GenericArgumentsInlines.h (revision 246271) >+++ Source/JavaScriptCore/runtime/GenericArgumentsInlines.h (working copy) >@@ -38,7 +38,7 @@ void GenericArguments<Type>::visitChildr > Base::visitChildren(thisCell, visitor); > > if (thisObject->m_modifiedArgumentsDescriptor) >- visitor.markAuxiliary(thisObject->m_modifiedArgumentsDescriptor.getUnsafe()); >+ visitor.markAuxiliary(thisObject->m_modifiedArgumentsDescriptor.get()); > } > > template<typename Type> >@@ -265,7 +265,7 @@ void GenericArguments<Type>::initModifie > if (argsLength) { > void* backingStore = vm.gigacageAuxiliarySpace(m_modifiedArgumentsDescriptor.kind).allocateNonVirtual(vm, WTF::roundUpToMultipleOf<8>(argsLength), nullptr, AllocationFailureMode::Assert); > bool* modifiedArguments = static_cast<bool*>(backingStore); >- m_modifiedArgumentsDescriptor.set(vm, this, modifiedArguments, argsLength); >+ m_modifiedArgumentsDescriptor.set(vm, this, modifiedArguments); > for (unsigned i = argsLength; i--;) > modifiedArguments[i] = false; > } >@@ -283,7 +283,7 @@ void GenericArguments<Type>::setModified > { > initModifiedArgumentsDescriptorIfNecessary(vm, length); > if (index < length) >- m_modifiedArgumentsDescriptor.at(index, length) = true; >+ m_modifiedArgumentsDescriptor[index] = true; > } > > template<typename Type> >@@ -292,7 +292,7 @@ bool GenericArguments<Type>::isModifiedA > if (!m_modifiedArgumentsDescriptor) > return false; > if (index < length) >- return m_modifiedArgumentsDescriptor.at(index, length); >+ return m_modifiedArgumentsDescriptor[index]; > return false; > } > >Index: Source/JavaScriptCore/runtime/GenericTypedArrayView.h >=================================================================== >--- Source/JavaScriptCore/runtime/GenericTypedArrayView.h (revision 246271) >+++ Source/JavaScriptCore/runtime/GenericTypedArrayView.h (working copy) >@@ -58,7 +58,8 @@ public: > return setRangeImpl( > reinterpret_cast<const char*>(data), > count * sizeof(typename Adaptor::Type), >- offset * sizeof(typename Adaptor::Type)); >+ offset * sizeof(typename Adaptor::Type), >+ internalByteLength()); > } > > bool zeroRange(unsigned offset, size_t count) >@@ -72,7 +73,12 @@ public: > { > if (isNeutered()) > return 0; >- return byteLength() / sizeof(typename Adaptor::Type); >+ return m_length; >+ } >+ >+ unsigned byteLength() const override >+ { >+ return internalByteLength(); > } > > typename Adaptor::Type item(unsigned index) const >@@ -98,7 +104,8 @@ public: > return getRangeImpl( > reinterpret_cast<char*>(data), > count * sizeof(typename Adaptor::Type), >- offset * sizeof(typename Adaptor::Type)); >+ offset * sizeof(typename Adaptor::Type), >+ internalByteLength()); > } > > bool checkInboundData(unsigned offset, size_t count) const >@@ -119,6 +126,14 @@ public: > } > > JSArrayBufferView* wrap(ExecState*, JSGlobalObject*) override; >+ >+private: >+ unsigned internalByteLength() const >+ { >+ return length() * sizeof(typename Adaptor::Type); >+ } >+ >+ unsigned m_length; > }; > > } // namespace JSC >Index: Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h >=================================================================== >--- Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h (revision 246271) >+++ Source/JavaScriptCore/runtime/GenericTypedArrayViewInlines.h (working copy) >@@ -32,8 +32,9 @@ namespace JSC { > > template<typename Adaptor> > GenericTypedArrayView<Adaptor>::GenericTypedArrayView( >-RefPtr<ArrayBuffer>&& buffer, unsigned byteOffset, unsigned length) >- : ArrayBufferView(WTFMove(buffer), byteOffset, length * sizeof(typename Adaptor::Type)) >+ RefPtr<ArrayBuffer>&& buffer, unsigned byteOffset, unsigned length) >+ : ArrayBufferView(WTFMove(buffer), byteOffset) >+ , m_length(length) > { > } > >Index: Source/JavaScriptCore/runtime/JSArrayBufferView.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/JSArrayBufferView.cpp (revision 246271) >+++ Source/JavaScriptCore/runtime/JSArrayBufferView.cpp (working copy) >@@ -1,5 +1,5 @@ > /* >- * Copyright (C) 2013-2019 Apple Inc. All rights reserved. >+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved. > * > * Redistribution and use in source and binary forms, with or without > * modification, are permitted provided that the following conditions >@@ -50,12 +50,11 @@ String JSArrayBufferView::toStringName(c > JSArrayBufferView::ConstructionContext::ConstructionContext( > Structure* structure, uint32_t length, void* vector) > : m_structure(structure) >- , m_vector(vector, length) >+ , m_vector(vector) > , m_length(length) > , m_mode(FastTypedArray) > , m_butterfly(nullptr) > { >- ASSERT(vector == removeArrayPtrTag(vector)); > RELEASE_ASSERT(length <= fastSizeLimit); > } > >@@ -75,11 +74,11 @@ JSArrayBufferView::ConstructionContext:: > return; > > m_structure = structure; >- m_vector = VectorType(temp, length); >+ m_vector = temp; > m_mode = FastTypedArray; > > if (mode == ZeroFill) { >- uint64_t* asWords = static_cast<uint64_t*>(vector()); >+ uint64_t* asWords = static_cast<uint64_t*>(m_vector.getMayBeNull()); > for (unsigned i = size / sizeof(uint64_t); i--;) > asWords[i] = 0; > } >@@ -92,11 +91,11 @@ JSArrayBufferView::ConstructionContext:: > return; > > size_t size = static_cast<size_t>(length) * static_cast<size_t>(elementSize); >- m_vector = VectorType(Gigacage::tryMalloc(Gigacage::Primitive, size), length); >+ m_vector = Gigacage::tryMalloc(Gigacage::Primitive, size); > if (!m_vector) > return; > if (mode == ZeroFill) >- memset(vector(), 0, size); >+ memset(m_vector.get(), 0, size); > > vm.heap.reportExtraMemoryAllocated(static_cast<size_t>(length) * elementSize); > >@@ -111,8 +110,7 @@ JSArrayBufferView::ConstructionContext:: > , m_length(length) > , m_mode(WastefulTypedArray) > { >- ASSERT(arrayBuffer->data() == removeArrayPtrTag(arrayBuffer->data())); >- m_vector = VectorType(static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset, length); >+ m_vector = static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset; > IndexingHeader indexingHeader; > indexingHeader.setArrayBuffer(arrayBuffer.get()); > m_butterfly = Butterfly::create(vm, 0, 0, 0, true, indexingHeader, 0); >@@ -126,8 +124,7 @@ JSArrayBufferView::ConstructionContext:: > , m_mode(DataViewMode) > , m_butterfly(0) > { >- ASSERT(arrayBuffer->data() == removeArrayPtrTag(arrayBuffer->data())); >- m_vector = VectorType(static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset, length); >+ m_vector = static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset; > } > > JSArrayBufferView::JSArrayBufferView(VM& vm, ConstructionContext& context) >@@ -136,8 +133,7 @@ JSArrayBufferView::JSArrayBufferView(VM& > , m_mode(context.mode()) > { > setButterfly(vm, context.butterfly()); >- ASSERT(context.vector() == removeArrayPtrTag(context.vector())); >- m_vector.setWithoutBarrier(context.vector(), m_length); >+ m_vector.setWithoutBarrier(context.vector()); > } > > void JSArrayBufferView::finishCreation(VM& vm) >@@ -198,7 +194,7 @@ void JSArrayBufferView::finalize(JSCell* > JSArrayBufferView* thisObject = static_cast<JSArrayBufferView*>(cell); > ASSERT(thisObject->m_mode == OversizeTypedArray || thisObject->m_mode == WastefulTypedArray); > if (thisObject->m_mode == OversizeTypedArray) >- Gigacage::free(Gigacage::Primitive, thisObject->vector()); >+ Gigacage::free(Gigacage::Primitive, thisObject->m_vector.get()); > } > > JSArrayBuffer* JSArrayBufferView::unsharedJSBuffer(ExecState* exec) >@@ -287,7 +283,7 @@ ArrayBuffer* JSArrayBufferView::slowDown > { > auto locker = holdLock(cellLock()); > butterfly()->indexingHeader()->setArrayBuffer(buffer.get()); >- m_vector.setWithoutBarrier(buffer->data(), m_length); >+ m_vector.setWithoutBarrier(buffer->data()); > WTF::storeStoreFence(); > m_mode = WastefulTypedArray; > } >Index: Source/JavaScriptCore/runtime/JSArrayBufferView.h >=================================================================== >--- Source/JavaScriptCore/runtime/JSArrayBufferView.h (revision 246271) >+++ Source/JavaScriptCore/runtime/JSArrayBufferView.h (working copy) >@@ -1,5 +1,5 @@ > /* >- * Copyright (C) 2013-2019 Apple Inc. All rights reserved. >+ * Copyright (C) 2013, 2016 Apple Inc. All rights reserved. > * > * Redistribution and use in source and binary forms, with or without > * modification, are permitted provided that the following conditions >@@ -27,7 +27,6 @@ > > #include "AuxiliaryBarrier.h" > #include "JSObject.h" >-#include <wtf/TaggedArrayStoragePtr.h> > > namespace JSC { > >@@ -97,7 +96,6 @@ class JSArrayBufferView : public JSNonFi > public: > typedef JSNonFinalObject Base; > static const unsigned fastSizeLimit = 1000; >- using VectorPtr = CagedBarrierPtr<Gigacage::Primitive, void, tagCagedPtr>; > > static size_t sizeOf(uint32_t length, uint32_t elementSize) > { >@@ -135,15 +133,14 @@ protected: > bool operator!() const { return !m_structure; } > > Structure* structure() const { return m_structure; } >- void* vector() const { return m_vector.getMayBeNull(m_length); } >+ void* vector() const { return m_vector.getMayBeNull(); } > uint32_t length() const { return m_length; } > TypedArrayMode mode() const { return m_mode; } > Butterfly* butterfly() const { return m_butterfly; } > > private: > Structure* m_structure; >- using VectorType = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>; >- VectorType m_vector; >+ CagedPtr<Gigacage::Primitive, void> m_vector; > uint32_t m_length; > TypedArrayMode m_mode; > Butterfly* m_butterfly; >@@ -167,11 +164,10 @@ public: > JSArrayBuffer* possiblySharedJSBuffer(ExecState* exec); > RefPtr<ArrayBufferView> unsharedImpl(); > JS_EXPORT_PRIVATE RefPtr<ArrayBufferView> possiblySharedImpl(); >- bool isNeutered() { return hasArrayBuffer() && !hasVector(); } >+ bool isNeutered() { return hasArrayBuffer() && !vector(); } > void neuter(); >- >- bool hasVector() const { return !!m_vector; } >- void* vector() const { return m_vector.getMayBeNull(length()); } >+ >+ void* vector() const { return m_vector.getMayBeNull(); } > > unsigned byteOffset(); > unsigned length() const { return m_length; } >@@ -195,7 +191,7 @@ protected: > > static String toStringName(const JSObject*, ExecState*); > >- VectorPtr m_vector; >+ CagedBarrierPtr<Gigacage::Primitive, void> m_vector; > uint32_t m_length; > TypedArrayMode m_mode; > }; >Index: Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h >=================================================================== >--- Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h (revision 246271) >+++ Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h (working copy) >@@ -77,7 +77,8 @@ JSGenericTypedArrayView<Adaptor>* JSGene > } > > template<typename Adaptor> >-JSGenericTypedArrayView<Adaptor>* JSGenericTypedArrayView<Adaptor>::createUninitialized(ExecState* exec, Structure* structure, unsigned length) >+JSGenericTypedArrayView<Adaptor>* JSGenericTypedArrayView<Adaptor>::createUninitialized( >+ ExecState* exec, Structure* structure, unsigned length) > { > VM& vm = exec->vm(); > auto scope = DECLARE_THROW_SCOPE(vm); >@@ -506,7 +507,7 @@ size_t JSGenericTypedArrayView<Adaptor>: > > if (thisObject->m_mode == OversizeTypedArray) > return Base::estimatedSize(thisObject, vm) + thisObject->byteSize(); >- if (thisObject->m_mode == FastTypedArray && thisObject->hasVector()) >+ if (thisObject->m_mode == FastTypedArray && thisObject->m_vector) > return Base::estimatedSize(thisObject, vm) + thisObject->byteSize(); > > return Base::estimatedSize(thisObject, vm); >@@ -525,7 +526,7 @@ void JSGenericTypedArrayView<Adaptor>::v > { > auto locker = holdLock(thisObject->cellLock()); > mode = thisObject->m_mode; >- vector = thisObject->vector(); >+ vector = thisObject->m_vector.getMayBeNull(); > byteSize = thisObject->byteSize(); > } > >Index: Source/JavaScriptCore/runtime/Options.h >=================================================================== >--- Source/JavaScriptCore/runtime/Options.h (revision 246271) >+++ Source/JavaScriptCore/runtime/Options.h (working copy) >@@ -492,7 +492,8 @@ constexpr bool enableWebAssemblyStreamin > v(unsigned, webAssemblyLoopDecrement, 15, Normal, "The amount the tier up countdown is decremented on each loop backedge.") \ > v(unsigned, webAssemblyFunctionEntryDecrement, 1, Normal, "The amount the tier up countdown is decremented on each function entry.") \ > \ >- v(bool, useWebAssemblyFastMemory, true, Normal, "If true, we will try to use a 32-bit address space with a signal handler to bounds check wasm memory.") \ >+ /* FIXME: enable fast memories on iOS and pre-allocate them. https://bugs.webkit.org/show_bug.cgi?id=170774 */ \ >+ v(bool, useWebAssemblyFastMemory, !isIOS(), Normal, "If true, we will try to use a 32-bit address space with a signal handler to bounds check wasm memory.") \ > v(bool, logWebAssemblyMemory, false, Normal, nullptr) \ > v(unsigned, webAssemblyFastMemoryRedzonePages, 128, Normal, "WebAssembly fast memories use 4GiB virtual allocations, plus a redzone (counted as multiple of 64KiB WebAssembly pages) at the end to catch reg+imm accesses which exceed 32-bit, anything beyond the redzone is explicitly bounds-checked") \ > v(bool, crashIfWebAssemblyCantFastMemory, false, Normal, "If true, we will crash if we can't obtain fast memory for wasm.") \ >Index: Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp (revision 246271) >+++ Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp (working copy) >@@ -68,16 +68,16 @@ ScopedArgumentsTable* ScopedArgumentsTab > { > ScopedArgumentsTable* result = create(vm, m_length); > for (unsigned i = m_length; i--;) >- result->at(i) = this->at(i); >+ result->m_arguments[i] = m_arguments[i]; > return result; > } > > ScopedArgumentsTable* ScopedArgumentsTable::setLength(VM& vm, uint32_t newLength) > { > if (LIKELY(!m_locked)) { >- ArgumentsPtr newArguments = ArgumentsPtr::create(newLength, newLength); >+ ArgumentsPtr newArguments = ArgumentsPtr::create(newLength); > for (unsigned i = std::min(m_length, newLength); i--;) >- newArguments.at(i, newLength) = this->at(i); >+ newArguments[i] = m_arguments[i]; > m_length = newLength; > m_arguments = WTFMove(newArguments); > return this; >@@ -85,12 +85,10 @@ ScopedArgumentsTable* ScopedArgumentsTab > > ScopedArgumentsTable* result = create(vm, newLength); > for (unsigned i = std::min(m_length, newLength); i--;) >- result->at(i) = this->at(i); >+ result->m_arguments[i] = m_arguments[i]; > return result; > } > >-static_assert(std::is_trivially_destructible<ScopeOffset>::value, ""); >- > ScopedArgumentsTable* ScopedArgumentsTable::set(VM& vm, uint32_t i, ScopeOffset value) > { > ScopedArgumentsTable* result; >Index: Source/JavaScriptCore/runtime/ScopedArgumentsTable.h >=================================================================== >--- Source/JavaScriptCore/runtime/ScopedArgumentsTable.h (revision 246271) >+++ Source/JavaScriptCore/runtime/ScopedArgumentsTable.h (working copy) >@@ -61,7 +61,10 @@ public: > uint32_t length() const { return m_length; } > ScopedArgumentsTable* setLength(VM&, uint32_t newLength); > >- ScopeOffset get(uint32_t i) const { return at(i); } >+ ScopeOffset get(uint32_t i) const >+ { >+ return const_cast<ScopedArgumentsTable*>(this)->at(i); >+ } > > void lock() > { >@@ -77,13 +80,13 @@ public: > static ptrdiff_t offsetOfLength() { return OBJECT_OFFSETOF(ScopedArgumentsTable, m_length); } > static ptrdiff_t offsetOfArguments() { return OBJECT_OFFSETOF(ScopedArgumentsTable, m_arguments); } > >- typedef CagedUniquePtr<Gigacage::Primitive, ScopeOffset> ArgumentsPtr; >+ typedef CagedUniquePtr<Gigacage::Primitive, ScopeOffset[]> ArgumentsPtr; > > private: >- ScopeOffset& at(uint32_t i) const >+ ScopeOffset& at(uint32_t i) > { > ASSERT_WITH_SECURITY_IMPLICATION(i < m_length); >- return m_arguments.get(length())[i]; >+ return m_arguments[i]; > } > > uint32_t m_length; >Index: Source/JavaScriptCore/runtime/SymbolTable.h >=================================================================== >--- Source/JavaScriptCore/runtime/SymbolTable.h (revision 246271) >+++ Source/JavaScriptCore/runtime/SymbolTable.h (working copy) >@@ -636,9 +636,8 @@ public: > void setArgumentsLength(VM& vm, uint32_t length) > { > if (UNLIKELY(!m_arguments)) >- m_arguments.set(vm, this, ScopedArgumentsTable::create(vm, length)); >- else >- m_arguments.set(vm, this, m_arguments->setLength(vm, length)); >+ m_arguments.set(vm, this, ScopedArgumentsTable::create(vm)); >+ m_arguments.set(vm, this, m_arguments->setLength(vm, length)); > } > > ScopeOffset argumentOffset(uint32_t i) const >Index: Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >=================================================================== >--- Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp (revision 246271) >+++ Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp (working copy) >@@ -836,8 +836,6 @@ void AirIRGenerator::restoreWebAssemblyG > RegisterSet clobbers; > clobbers.set(pinnedRegs->baseMemoryPointer); > clobbers.set(pinnedRegs->sizeRegister); >- if (!isARM64()) >- clobbers.set(RegisterSet::macroScratchRegisters()); > > auto* patchpoint = addPatchpoint(B3::Void); > B3::Effects effects = B3::Effects::none(); >@@ -845,18 +843,10 @@ void AirIRGenerator::restoreWebAssemblyG > effects.reads = B3::HeapRange::top(); > patchpoint->effects = effects; > patchpoint->clobber(clobbers); >- patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0; > > patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { >- RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64()); >- AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64()); >- GPRReg baseMemory = pinnedRegs->baseMemoryPointer; >- GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister; >- > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister); >- jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory); >- >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); >+ jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), pinnedRegs->baseMemoryPointer); > }); > > emitPatchpoint(block, patchpoint, Tmp(), instance); >@@ -1968,8 +1958,6 @@ auto AirIRGenerator::addCallIndirect(con > // FIXME: We shouldn't have to do this: https://bugs.webkit.org/show_bug.cgi?id=172181 > patchpoint->clobber(PinnedRegisterInfo::get().toSave(MemoryMode::BoundsChecking)); > patchpoint->clobber(RegisterSet::macroScratchRegisters()); >- patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0; >- > patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { > AllowMacroScratchRegisterUsage allowScratch(jit); > GPRReg newContextInstance = params[0].gpr(); >@@ -1983,12 +1971,8 @@ auto AirIRGenerator::addCallIndirect(con > // FIXME: We should support more than one memory size register > // see: https://bugs.webkit.org/show_bug.cgi?id=162952 > ASSERT(pinnedRegs.sizeRegister != newContextInstance); >- GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister; >- > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. >- >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > }); > > emitPatchpoint(doContextSwitch, patchpoint, Tmp(), newContextInstance, instanceValue()); >Index: Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >=================================================================== >--- Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp (revision 246271) >+++ Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp (working copy) >@@ -47,7 +47,6 @@ > #include "B3VariableValue.h" > #include "B3WasmAddressValue.h" > #include "B3WasmBoundsCheckValue.h" >-#include "DisallowMacroScratchRegisterUsage.h" > #include "JSCInlines.h" > #include "JSWebAssemblyInstance.h" > #include "ScratchRegisterAllocator.h" >@@ -478,8 +477,6 @@ void B3IRGenerator::restoreWebAssemblyGl > RegisterSet clobbers; > clobbers.set(pinnedRegs->baseMemoryPointer); > clobbers.set(pinnedRegs->sizeRegister); >- if (!isARM64()) >- clobbers.set(RegisterSet::macroScratchRegisters()); > > B3::PatchpointValue* patchpoint = block->appendNew<B3::PatchpointValue>(proc, B3::Void, origin()); > Effects effects = Effects::none(); >@@ -487,19 +484,13 @@ void B3IRGenerator::restoreWebAssemblyGl > effects.reads = B3::HeapRange::top(); > patchpoint->effects = effects; > patchpoint->clobber(clobbers); >- patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0; > > patchpoint->append(instance, ValueRep::SomeRegister); >+ > patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { >- RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64()); >- AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64()); > GPRReg baseMemory = pinnedRegs->baseMemoryPointer; >- GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister; >- > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister); > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory); >- >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > }); > } > } >@@ -1380,8 +1371,6 @@ auto B3IRGenerator::addCallIndirect(cons > patchpoint->clobber(RegisterSet::macroScratchRegisters()); > patchpoint->append(newContextInstance, ValueRep::SomeRegister); > patchpoint->append(instanceValue(), ValueRep::SomeRegister); >- patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0; >- > patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { > AllowMacroScratchRegisterUsage allowScratch(jit); > GPRReg newContextInstance = params[0].gpr(); >@@ -1396,12 +1385,8 @@ auto B3IRGenerator::addCallIndirect(cons > // FIXME: We should support more than one memory size register > // see: https://bugs.webkit.org/show_bug.cgi?id=162952 > ASSERT(pinnedRegs.sizeRegister != newContextInstance); >- GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister; >- > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. >- >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > }); > doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation); > >Index: Source/JavaScriptCore/wasm/WasmBBQPlan.cpp >=================================================================== >--- Source/JavaScriptCore/wasm/WasmBBQPlan.cpp (revision 246271) >+++ Source/JavaScriptCore/wasm/WasmBBQPlan.cpp (working copy) >@@ -314,7 +314,7 @@ void BBQPlan::complete(const AbstractLoc > } > > m_wasmInternalFunctions[functionIndex]->entrypoint.compilation = std::make_unique<B3::Compilation>( >- FINALIZE_CODE(linkBuffer, B3CompilationPtrTag, "WebAssembly BBQ function[%i] %s", functionIndex, signature.toString().ascii().data()), >+ FINALIZE_CODE(linkBuffer, B3CompilationPtrTag, "WebAssembly function[%i] %s", functionIndex, signature.toString().ascii().data()), > WTFMove(context.wasmEntrypointByproducts)); > } > >Index: Source/JavaScriptCore/wasm/WasmBinding.cpp >=================================================================== >--- Source/JavaScriptCore/wasm/WasmBinding.cpp (revision 246271) >+++ Source/JavaScriptCore/wasm/WasmBinding.cpp (working copy) >@@ -46,7 +46,7 @@ Expected<MacroAssemblerCodeRef<WasmEntry > const PinnedRegisterInfo& pinnedRegs = PinnedRegisterInfo::get(); > JIT jit; > >- GPRReg scratch = wasmCallingConventionAir().prologueScratch(0); >+ GPRReg scratch = GPRInfo::nonPreservedNonArgumentGPR0; > GPRReg baseMemory = pinnedRegs.baseMemoryPointer; > ASSERT(baseMemory != scratch); > ASSERT(pinnedRegs.sizeRegister != baseMemory); >@@ -66,13 +66,8 @@ Expected<MacroAssemblerCodeRef<WasmEntry > > // FIXME the following code assumes that all Wasm::Instance have the same pinned registers. https://bugs.webkit.org/show_bug.cgi?id=162952 > // Set up the callee's baseMemory register as well as the memory size registers. >- { >- GPRReg scratchOrSize = isARM64E() ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1); >- >- jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. >- jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*). >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); >- } >+ jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. >+ jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::void*. > > // Tail call into the callee WebAssembly function. > jit.loadPtr(scratch, scratch); >Index: Source/JavaScriptCore/wasm/WasmInstance.h >=================================================================== >--- Source/JavaScriptCore/wasm/WasmInstance.h (revision 246271) >+++ Source/JavaScriptCore/wasm/WasmInstance.h (working copy) >@@ -66,7 +66,7 @@ public: > Memory* memory() { return m_memory.get(); } > Table* table() { return m_table.get(); } > >- void* cachedMemory() const { return m_cachedMemory.getMayBeNull(cachedMemorySize()); } >+ void* cachedMemory() const { return m_cachedMemory; } > size_t cachedMemorySize() const { return m_cachedMemorySize; } > > void setMemory(Ref<Memory>&& memory) >@@ -78,7 +78,7 @@ public: > void updateCachedMemory() > { > if (m_memory != nullptr) { >- m_cachedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>(memory()->memory(), memory()->size()); >+ m_cachedMemory = memory()->memory(); > m_cachedMemorySize = memory()->size(); > } > } >@@ -147,7 +147,7 @@ private: > } > void* m_owner { nullptr }; // In a JS embedding, this is a JSWebAssemblyInstance*. > Context* m_context { nullptr }; >- CagedPtr<Gigacage::Primitive, void, tagCagedPtr> m_cachedMemory; >+ void* m_cachedMemory { nullptr }; > size_t m_cachedMemorySize { 0 }; > Ref<Module> m_module; > RefPtr<CodeBlock> m_codeBlock; >Index: Source/JavaScriptCore/wasm/WasmMemory.cpp >=================================================================== >--- Source/JavaScriptCore/wasm/WasmMemory.cpp (revision 246271) >+++ Source/JavaScriptCore/wasm/WasmMemory.cpp (working copy) >@@ -253,11 +253,10 @@ Memory::Memory(PageCount initial, PageCo > ASSERT(!initial.bytes()); > ASSERT(m_mode == MemoryMode::BoundsChecking); > dataLogLnIf(verbose, "Memory::Memory allocating ", *this); >- ASSERT(!memory()); > } > > Memory::Memory(void* memory, PageCount initial, PageCount maximum, size_t mappedCapacity, MemoryMode mode, Function<void(NotifyPressure)>&& notifyMemoryPressure, Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback) >- : m_memory(memory, initial.bytes()) >+ : m_memory(memory) > , m_size(initial.bytes()) > , m_initial(initial) > , m_maximum(maximum) >@@ -339,14 +338,14 @@ Memory::~Memory() > memoryManager().freePhysicalBytes(m_size); > switch (m_mode) { > case MemoryMode::Signaling: >- if (mprotect(memory(), Memory::fastMappedBytes(), PROT_READ | PROT_WRITE)) { >+ if (mprotect(m_memory, Memory::fastMappedBytes(), PROT_READ | PROT_WRITE)) { > dataLog("mprotect failed: ", strerror(errno), "\n"); > RELEASE_ASSERT_NOT_REACHED(); > } >- memoryManager().freeFastMemory(memory()); >+ memoryManager().freeFastMemory(m_memory); > break; > case MemoryMode::BoundsChecking: >- Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size); >+ Gigacage::freeVirtualPages(Gigacage::Primitive, m_memory, m_size); > break; > } > } >@@ -420,26 +419,24 @@ Expected<PageCount, Memory::GrowFailReas > if (!newMemory) > return makeUnexpected(GrowFailReason::OutOfMemory); > >- memcpy(newMemory, memory(), m_size); >+ memcpy(newMemory, m_memory, m_size); > if (m_memory) >- Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size); >- m_memory = CagedMemory(newMemory, desiredSize); >+ Gigacage::freeVirtualPages(Gigacage::Primitive, m_memory, m_size); >+ m_memory = newMemory; > m_mappedCapacity = desiredSize; > m_size = desiredSize; >- ASSERT(memory() == newMemory); > return success(); > } > case MemoryMode::Signaling: { >- RELEASE_ASSERT(memory()); >+ RELEASE_ASSERT(m_memory); > // Signaling memory must have been pre-allocated virtually. >- uint8_t* startAddress = static_cast<uint8_t*>(memory()) + m_size; >+ uint8_t* startAddress = static_cast<uint8_t*>(m_memory) + m_size; > >- dataLogLnIf(verbose, "Marking WebAssembly memory's ", RawPointer(memory()), " as read+write in range [", RawPointer(startAddress), ", ", RawPointer(startAddress + extraBytes), ")"); >+ dataLogLnIf(verbose, "Marking WebAssembly memory's ", RawPointer(m_memory), " as read+write in range [", RawPointer(startAddress), ", ", RawPointer(startAddress + extraBytes), ")"); > if (mprotect(startAddress, extraBytes, PROT_READ | PROT_WRITE)) { > dataLog("mprotect failed: ", strerror(errno), "\n"); > RELEASE_ASSERT_NOT_REACHED(); > } >- m_memory.recage(m_size, desiredSize); > m_size = desiredSize; > return success(); > } >@@ -463,7 +460,7 @@ void Memory::registerInstance(Instance* > > void Memory::dump(PrintStream& out) const > { >- out.print("Memory at ", RawPointer(memory()), ", size ", m_size, "B capacity ", m_mappedCapacity, "B, initial ", m_initial, " maximum ", m_maximum, " mode ", makeString(m_mode)); >+ out.print("Memory at ", RawPointer(m_memory), ", size ", m_size, "B capacity ", m_mappedCapacity, "B, initial ", m_initial, " maximum ", m_maximum, " mode ", makeString(m_mode)); > } > > } // namespace JSC >Index: Source/JavaScriptCore/wasm/WasmMemory.h >=================================================================== >--- Source/JavaScriptCore/wasm/WasmMemory.h (revision 246271) >+++ Source/JavaScriptCore/wasm/WasmMemory.h (working copy) >@@ -30,7 +30,6 @@ > #include "WasmMemoryMode.h" > #include "WasmPageCount.h" > >-#include <wtf/CagedPtr.h> > #include <wtf/Expected.h> > #include <wtf/Function.h> > #include <wtf/RefCounted.h> >@@ -69,7 +68,7 @@ public: > static size_t fastMappedBytes(); // Includes redzone. > static bool addressIsInActiveFastMemory(void*); > >- void* memory() const { ASSERT(m_memory.getMayBeNull(size()) == m_memory.getUnsafe()); return m_memory.getMayBeNull(size()); } >+ void* memory() const { return m_memory; } > size_t size() const { return m_size; } > PageCount sizeInPages() const { return PageCount::fromBytes(m_size); } > >@@ -97,8 +96,7 @@ private: > Memory(void* memory, PageCount initial, PageCount maximum, size_t mappedCapacity, MemoryMode, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback); > Memory(PageCount initial, PageCount maximum, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback); > >- using CagedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>; >- CagedMemory m_memory; >+ void* m_memory { nullptr }; > size_t m_size { 0 }; > PageCount m_initial; > PageCount m_maximum; >Index: Source/JavaScriptCore/wasm/js/JSToWasm.cpp >=================================================================== >--- Source/JavaScriptCore/wasm/js/JSToWasm.cpp (revision 246271) >+++ Source/JavaScriptCore/wasm/js/JSToWasm.cpp (working copy) >@@ -29,7 +29,6 @@ > #if ENABLE(WEBASSEMBLY) > > #include "CCallHelpers.h" >-#include "DisallowMacroScratchRegisterUsage.h" > #include "JSCInlines.h" > #include "JSWebAssemblyInstance.h" > #include "JSWebAssemblyRuntimeError.h" >@@ -212,23 +211,15 @@ std::unique_ptr<InternalFunction> create > > if (!!info.memory) { > GPRReg baseMemory = pinnedRegs.baseMemoryPointer; >- GPRReg scratchOrSize = wasmCallingConventionAir().prologueScratch(0); > > if (Context::useFastTLS()) > jit.loadWasmContextInstance(baseMemory); > > GPRReg currentInstanceGPR = Context::useFastTLS() ? baseMemory : wasmContextInstanceGPR; >- if (isARM64E()) { >- if (mode != Wasm::MemoryMode::Signaling) >- scratchOrSize = pinnedRegs.sizeRegister; >- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize); >- } else { >- if (mode != Wasm::MemoryMode::Signaling) >- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); >- } >+ if (mode != MemoryMode::Signaling) >+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); > > jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > } > > CCallHelpers::Call call = jit.threadSafePatchableNearCall(); >Index: Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >=================================================================== >--- Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp (revision 246271) >+++ Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp (working copy) >@@ -410,20 +410,13 @@ MacroAssemblerCodePtr<JSEntryPtrTag> Web > > if (!!moduleInformation.memory) { > GPRReg baseMemory = pinnedRegs.baseMemoryPointer; >- GPRReg scratchOrSize = scratch2GPR; >- auto mode = instance()->memoryMode(); > >- if (isARM64E()) { >- if (mode != Wasm::MemoryMode::Signaling) >- scratchOrSize = pinnedRegs.sizeRegister; >- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize); >- } else { >- if (mode != Wasm::MemoryMode::Signaling) >- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); >+ if (instance()->memoryMode() != Wasm::MemoryMode::Signaling) { >+ ASSERT(pinnedRegs.sizeRegister != scratchGPR); >+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); > } > > jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > } > > // We use this callee to indicate how to unwind past these types of frames: >Index: Source/WTF/ChangeLog >=================================================================== >--- Source/WTF/ChangeLog (revision 246271) >+++ Source/WTF/ChangeLog (working copy) >@@ -1,3 +1,47 @@ >+2019-06-10 Saam Barati <sbarati@apple.com> >+ >+ Roll out PAC cage >+ https://bugs.webkit.org/show_bug.cgi?id=198726 >+ >+ Reviewed by Keith Miller. >+ >+ * WTF.xcodeproj/project.pbxproj: >+ * wtf/CMakeLists.txt: >+ * wtf/CagedPtr.h: >+ (WTF::CagedPtr::CagedPtr): >+ (WTF::CagedPtr::get const): >+ (WTF::CagedPtr::getMayBeNull const): >+ (WTF::CagedPtr::operator=): >+ (WTF::CagedPtr::operator== const): >+ (WTF::CagedPtr::operator!= const): >+ (WTF::CagedPtr::operator bool const): >+ (WTF::CagedPtr::operator* const): >+ (WTF::CagedPtr::operator-> const): >+ (WTF::CagedPtr::operator[] const): >+ (WTF::CagedPtr::getUnsafe const): Deleted. >+ (WTF::CagedPtr::at const): Deleted. >+ (WTF::CagedPtr::recage): Deleted. >+ * wtf/CagedUniquePtr.h: >+ (WTF::CagedUniquePtr::CagedUniquePtr): >+ (WTF::CagedUniquePtr::create): >+ (WTF::CagedUniquePtr::operator=): >+ (WTF::CagedUniquePtr::~CagedUniquePtr): >+ (WTF::CagedUniquePtr::destroy): >+ * wtf/Gigacage.h: >+ (Gigacage::caged): >+ (Gigacage::cagedMayBeNull): Deleted. >+ * wtf/PtrTag.h: >+ (WTF::tagArrayPtr): Deleted. >+ (WTF::untagArrayPtr): Deleted. >+ (WTF::removeArrayPtrTag): Deleted. >+ (WTF::retagArrayPtr): Deleted. >+ * wtf/TaggedArrayStoragePtr.h: >+ (WTF::TaggedArrayStoragePtr::TaggedArrayStoragePtr): Deleted. >+ (WTF::TaggedArrayStoragePtr::get const): Deleted. >+ (WTF::TaggedArrayStoragePtr::getUnsafe const): Deleted. >+ (WTF::TaggedArrayStoragePtr::resize): Deleted. >+ (WTF::TaggedArrayStoragePtr::operator bool const): Deleted. >+ > 2019-06-10 Timothy Hatcher <timothy@apple.com> > > Integrate dark mode support for iOS. >Index: Source/WTF/WTF.xcodeproj/project.pbxproj >=================================================================== >--- Source/WTF/WTF.xcodeproj/project.pbxproj (revision 246271) >+++ Source/WTF/WTF.xcodeproj/project.pbxproj (working copy) >@@ -651,7 +651,6 @@ > DCEE21FC1CEA7551000C2396 /* BlockObjCExceptions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BlockObjCExceptions.h; sourceTree = "<group>"; }; > DCEE21FD1CEA7551000C2396 /* BlockObjCExceptions.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = BlockObjCExceptions.mm; sourceTree = "<group>"; }; > DCEE22041CEB9869000C2396 /* BackwardsGraph.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BackwardsGraph.h; sourceTree = "<group>"; }; >- DEF7FE5F22581AC800C15129 /* TaggedArrayStoragePtr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TaggedArrayStoragePtr.h; sourceTree = "<group>"; }; > E15556F318A0CC18006F48FB /* CryptographicUtilities.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CryptographicUtilities.cpp; sourceTree = "<group>"; }; > E15556F418A0CC18006F48FB /* CryptographicUtilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptographicUtilities.h; sourceTree = "<group>"; }; > E300E521203D645F00DA79BE /* UniqueArray.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = UniqueArray.h; sourceTree = "<group>"; }; >@@ -1158,7 +1157,6 @@ > 5597F82C1D94B9970066BC21 /* SynchronizedFixedQueue.h */, > E3E158251EADA53C004A079D /* SystemFree.h */, > 0FB317C31C488001007E395A /* SystemTracing.h */, >- DEF7FE5F22581AC800C15129 /* TaggedArrayStoragePtr.h */, > E311FB151F0A568B003C08DE /* ThreadGroup.cpp */, > E311FB161F0A568B003C08DE /* ThreadGroup.h */, > A8A47332151A825B004123FF /* Threading.cpp */, >Index: Source/WTF/wtf/CMakeLists.txt >=================================================================== >--- Source/WTF/wtf/CMakeLists.txt (revision 246271) >+++ Source/WTF/wtf/CMakeLists.txt (working copy) >@@ -230,7 +230,6 @@ set(WTF_PUBLIC_HEADERS > SynchronizedFixedQueue.h > SystemFree.h > SystemTracing.h >- TaggedArrayStoragePtr.h > ThreadGroup.h > ThreadMessage.h > ThreadSafeRefCounted.h >Index: Source/WTF/wtf/CagedPtr.h >=================================================================== >--- Source/WTF/wtf/CagedPtr.h (revision 246271) >+++ Source/WTF/wtf/CagedPtr.h (working copy) >@@ -27,91 +27,107 @@ > > #include <wtf/DumbPtrTraits.h> > #include <wtf/Gigacage.h> >-#include <wtf/PtrTag.h> > > namespace WTF { > >-constexpr bool tagCagedPtr = true; >- >-template<Gigacage::Kind passedKind, typename T, bool shouldTag = false, typename PtrTraits = DumbPtrTraits<T>> >+template<Gigacage::Kind passedKind, typename T, typename PtrTraits = DumbPtrTraits<T>> > class CagedPtr { > public: > static constexpr Gigacage::Kind kind = passedKind; > > CagedPtr() : CagedPtr(nullptr) { } >- CagedPtr(std::nullptr_t) >- : m_ptr(shouldTag ? tagArrayPtr<T>(nullptr, 0) : nullptr) >- { } >- >- CagedPtr(T* ptr, unsigned size) >- : m_ptr(shouldTag ? tagArrayPtr(ptr, size) : ptr) >- { } >- >+ CagedPtr(std::nullptr_t) : m_ptr(nullptr) { } > >- T* get(unsigned size) const >+ explicit CagedPtr(T* ptr) >+ : m_ptr(ptr) >+ { >+ } >+ >+ T* get() const > { > ASSERT(m_ptr); >- T* ptr = PtrTraits::unwrap(m_ptr); >- if (shouldTag) >- ptr = untagArrayPtr(ptr, size); >- return Gigacage::caged(kind, ptr); >+ return Gigacage::caged(kind, PtrTraits::unwrap(m_ptr)); > } >- >- T* getMayBeNull(unsigned size) const >+ >+ T* getMayBeNull() const > { >- T* ptr = PtrTraits::unwrap(m_ptr); >- if (shouldTag) >- ptr = untagArrayPtr(ptr, size); >- return Gigacage::cagedMayBeNull(kind, ptr); >+ if (!m_ptr) >+ return nullptr; >+ return get(); > } > >- T* getUnsafe() const >+ CagedPtr& operator=(T* ptr) > { >- T* ptr = PtrTraits::unwrap(m_ptr); >- if (shouldTag) >- ptr = removeArrayPtrTag(ptr); >- return Gigacage::cagedMayBeNull(kind, ptr); >+ m_ptr = ptr; >+ return *this; > } > >- // We need the template here so that the type of U is deduced at usage time rather than class time. U should always be T. >- template<typename U = T> >- typename std::enable_if<!std::is_same<void, U>::value, T>::type& >- /* T& */ at(unsigned index, unsigned size) const { return get(size)[index]; } >- >- void recage(unsigned oldSize, unsigned newSize) >+ CagedPtr& operator=(T*&& ptr) > { >- auto ptr = get(oldSize); >- ASSERT(ptr == getUnsafe()); >- *this = CagedPtr(ptr, newSize); >+ m_ptr = WTFMove(ptr); >+ return *this; > } > >- CagedPtr(CagedPtr& other) >- : m_ptr(other.m_ptr) >+ bool operator==(const CagedPtr& other) const > { >+ return getMayBeNull() == other.getMayBeNull(); > } >- >- CagedPtr& operator=(const CagedPtr& ptr) >+ >+ bool operator!=(const CagedPtr& other) const > { >- m_ptr = ptr.m_ptr; >- return *this; >+ return !(*this == other); > } >+ >+ explicit operator bool() const >+ { >+ return *this != CagedPtr(); >+ } >+ >+ T& operator*() const { return *get(); } >+ T* operator->() const { return get(); } >+ >+ template<typename IndexType> >+ T& operator[](IndexType index) const { return get()[index]; } >+ >+protected: >+ typename PtrTraits::StorageType m_ptr; >+}; >+ >+template<Gigacage::Kind passedKind, typename PtrTraits> >+class CagedPtr<passedKind, void, PtrTraits> { >+public: >+ static constexpr Gigacage::Kind kind = passedKind; > >- CagedPtr(CagedPtr&& other) >- : m_ptr(PtrTraits::exchange(other.m_ptr, nullptr)) >+ CagedPtr() : CagedPtr(nullptr) { } >+ CagedPtr(std::nullptr_t) : m_ptr(nullptr) { } >+ >+ explicit CagedPtr(void* ptr) >+ : m_ptr(ptr) >+ { >+ } >+ >+ void* get() const >+ { >+ ASSERT(m_ptr); >+ return Gigacage::caged(kind, PtrTraits::unwrap(m_ptr)); >+ } >+ >+ void* getMayBeNull() const > { >+ if (!m_ptr) >+ return nullptr; >+ return get(); > } > >- CagedPtr& operator=(CagedPtr&& ptr) >+ CagedPtr& operator=(void* ptr) > { >- m_ptr = PtrTraits::exchange(ptr.m_ptr, nullptr); >+ m_ptr = ptr; > return *this; > } > > bool operator==(const CagedPtr& other) const > { >- bool result = m_ptr == other.m_ptr; >- ASSERT(result == (getUnsafe() == other.getUnsafe())); >- return result; >+ return getMayBeNull() == other.getMayBeNull(); > } > > bool operator!=(const CagedPtr& other) const >@@ -121,7 +137,7 @@ public: > > explicit operator bool() const > { >- return getUnsafe() != nullptr; >+ return *this != CagedPtr(); > } > > protected: >@@ -131,5 +147,4 @@ protected: > } // namespace WTF > > using WTF::CagedPtr; >-using WTF::tagCagedPtr; > >Index: Source/WTF/wtf/CagedUniquePtr.h >=================================================================== >--- Source/WTF/wtf/CagedUniquePtr.h (revision 246271) >+++ Source/WTF/wtf/CagedUniquePtr.h (working copy) >@@ -29,30 +29,80 @@ > > namespace WTF { > >-template<Gigacage::Kind kind, typename T, bool shouldTag = false> >-class CagedUniquePtr : public CagedPtr<kind, T, shouldTag> { >- static_assert(std::is_trivially_destructible<T>::value, "We expect the contents of a caged pointer to be trivially destructable."); >+template<Gigacage::Kind kind, typename T, typename Enable = void> >+class CagedUniquePtr : public CagedPtr<kind, T> { > public: >- using Base = CagedPtr<kind, T, shouldTag>; >- CagedUniquePtr() = default; >- >- CagedUniquePtr(T* ptr, unsigned size) >- : Base(ptr, size) >- { } >+ CagedUniquePtr(T* ptr = nullptr) >+ : CagedPtr<kind, T>(ptr) >+ { >+ } >+ >+ CagedUniquePtr(CagedUniquePtr&& ptr) >+ : CagedPtr<kind, T>(ptr.m_ptr) >+ { >+ ptr.m_ptr = nullptr; >+ } >+ >+ CagedUniquePtr(const CagedUniquePtr&) = delete; >+ >+ template<typename... Arguments> >+ static CagedUniquePtr create(Arguments&&... arguments) >+ { >+ T* result = static_cast<T*>(Gigacage::malloc(kind, sizeof(T))); >+ new (result) T(std::forward<Arguments>(arguments)...); >+ return CagedUniquePtr(result); >+ } >+ >+ CagedUniquePtr& operator=(CagedUniquePtr&& ptr) >+ { >+ destroy(); >+ this->m_ptr = ptr.m_ptr; >+ ptr.m_ptr = nullptr; >+ return *this; >+ } >+ >+ CagedUniquePtr& operator=(const CagedUniquePtr&) = delete; >+ >+ ~CagedUniquePtr() >+ { >+ destroy(); >+ } >+ >+private: >+ void destroy() >+ { >+ if (!this->m_ptr) >+ return; >+ this->m_ptr->~T(); >+ Gigacage::free(kind, this->m_ptr); >+ } >+}; > >+template<Gigacage::Kind kind, typename T> >+class CagedUniquePtr<kind, T[], typename std::enable_if<std::is_trivially_destructible<T>::value>::type> : public CagedPtr<kind, T> { >+public: >+ CagedUniquePtr() : CagedPtr<kind, T>() { } >+ >+ CagedUniquePtr(T* ptr) >+ : CagedPtr<kind, T>(ptr) >+ { >+ } >+ > CagedUniquePtr(CagedUniquePtr&& ptr) >- : Base(std::forward<CagedUniquePtr&&>(ptr)) >- { } >+ : CagedPtr<kind, T>(ptr.m_ptr) >+ { >+ ptr.m_ptr = nullptr; >+ } > > CagedUniquePtr(const CagedUniquePtr&) = delete; > > template<typename... Arguments> >- static CagedUniquePtr create(unsigned length, Arguments&&... arguments) >+ static CagedUniquePtr create(size_t count, Arguments&&... arguments) > { >- T* result = static_cast<T*>(Gigacage::malloc(kind, sizeof(T) * length)); >- while (length--) >- new (result + length) T(arguments...); >- return CagedUniquePtr(result, length); >+ T* result = static_cast<T*>(Gigacage::mallocArray(kind, count, sizeof(T))); >+ while (count--) >+ new (result + count) T(std::forward<Arguments>(arguments)...); >+ return CagedUniquePtr(result); > } > > CagedUniquePtr& operator=(CagedUniquePtr&& ptr) >@@ -69,16 +119,83 @@ public: > { > destroy(); > } >+ >+private: >+ void destroy() >+ { >+ if (!this->m_ptr) >+ return; >+ Gigacage::free(kind, this->m_ptr); >+ } >+}; > >+template<Gigacage::Kind kind, typename T> >+class CagedUniquePtr<kind, T[], typename std::enable_if<!std::is_trivially_destructible<T>::value>::type> : public CagedPtr<kind, T> { >+public: >+ CagedUniquePtr() : CagedPtr<kind, T>() { } >+ >+ CagedUniquePtr(T* ptr, size_t count) >+ : CagedPtr<kind, T>(ptr) >+ , m_count(count) >+ { >+ } >+ >+ CagedUniquePtr(CagedUniquePtr&& ptr) >+ : CagedPtr<kind, T>(ptr.m_ptr) >+ , m_count(ptr.m_count) >+ { >+ ptr.clear(); >+ } >+ >+ CagedUniquePtr(const CagedUniquePtr&) = delete; >+ >+ template<typename... Arguments> >+ static CagedUniquePtr create(size_t count, Arguments&&... arguments) >+ { >+ T* result = static_cast<T*>(Gigacage::mallocArray(kind, count, sizeof(T))); >+ while (count--) >+ new (result + count) T(std::forward<Arguments>(arguments)...); >+ return CagedUniquePtr(result, count); >+ } >+ >+ CagedUniquePtr& operator=(CagedUniquePtr&& ptr) >+ { >+ destroy(); >+ this->m_ptr = ptr.m_ptr; >+ m_count = ptr.m_count; >+ ptr.clear(); >+ return *this; >+ } >+ >+ CagedUniquePtr& operator=(const CagedUniquePtr&) = delete; >+ >+ ~CagedUniquePtr() >+ { >+ destroy(); >+ } >+ >+ // FIXME: It's weird that we inherit CagedPtr::operator== and friends, which don't do anything >+ // about m_count. It "works" because pointer equality is enough so long as everything is sane, but >+ // it seems like a missed opportunity to assert things. >+ // https://bugs.webkit.org/show_bug.cgi?id=175541 >+ > private: > void destroy() > { >- T* ptr = Base::getUnsafe(); >- if (!ptr) >+ if (!this->m_ptr) > return; >- ptr->~T(); >- Gigacage::free(kind, ptr); >+ while (m_count--) >+ this->m_ptr[m_count].~T(); >+ Gigacage::free(kind, this->m_ptr); > } >+ >+ void clear() >+ { >+ this->m_ptr = nullptr; >+ m_count = 0; >+ } >+ >+ size_t m_count { 0 }; > }; > > } // namespace WTF >Index: Source/WTF/wtf/Gigacage.h >=================================================================== >--- Source/WTF/wtf/Gigacage.h (revision 246271) >+++ Source/WTF/wtf/Gigacage.h (working copy) >@@ -114,8 +114,6 @@ ALWAYS_INLINE size_t mask(Kind) { return > > template<typename T> > inline T* caged(Kind, T* ptr) { return ptr; } >-template<typename T> >-inline T* cagedMayBeNull(Kind, T* ptr) { return ptr; } > > inline bool isCaged(Kind, const void*) { return false; } > >Index: Source/WTF/wtf/PtrTag.h >=================================================================== >--- Source/WTF/wtf/PtrTag.h (revision 246271) >+++ Source/WTF/wtf/PtrTag.h (working copy) >@@ -122,38 +122,6 @@ constexpr bool enablePtrTagDebugAssert = > } while (false) > > >-template<typename T> >-inline T* tagArrayPtr(std::nullptr_t ptr, size_t length) >-{ >- ASSERT(!length); >- return ptrauth_sign_unauthenticated(static_cast<T*>(ptr), ptrauth_key_process_dependent_data, length); >-} >- >- >-template<typename T> >-inline T* tagArrayPtr(T* ptr, size_t length) >-{ >- return ptrauth_sign_unauthenticated(ptr, ptrauth_key_process_dependent_data, length); >-} >- >-template<typename T> >-inline T* untagArrayPtr(T* ptr, size_t length) >-{ >- return ptrauth_auth_data(ptr, ptrauth_key_process_dependent_data, length); >-} >- >-template<typename T> >-inline T* removeArrayPtrTag(T* ptr) >-{ >- return ptrauth_strip(ptr, ptrauth_key_process_dependent_data); >-} >- >-template<typename T> >-inline T* retagArrayPtr(T* ptr, size_t oldLength, size_t newLength) >-{ >- return ptrauth_auth_and_resign(ptr, ptrauth_key_process_dependent_data, oldLength, ptrauth_key_process_dependent_data, newLength); >-} >- > template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>> > inline constexpr T removeCodePtrTag(PtrType ptr) > { >@@ -427,38 +395,6 @@ inline bool usesPointerTagging() { retur > inline void registerPtrTagLookup(PtrTagLookup*) { } > inline void reportBadTag(const void*, PtrTag) { } > >-template<typename T> >-inline T* tagArrayPtr(std::nullptr_t, size_t size) >-{ >- ASSERT_UNUSED(size, !size); >- return nullptr; >-} >- >-template<typename T> >-inline T* tagArrayPtr(T* ptr, size_t) >-{ >- return ptr; >-} >- >-template<typename T> >-inline T* untagArrayPtr(T* ptr, size_t) >-{ >- return ptr; >-} >- >-template<typename T> >-inline T* removeArrayPtrTag(T* ptr) >-{ >- return ptr; >-} >- >-template<typename T> >-inline T* retagArrayPtr(T* ptr, size_t, size_t) >-{ >- return ptr; >-} >- >- > template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>> > constexpr T tagCodePtr(PtrType ptr, PtrTag) { return bitwise_cast<T>(ptr); } > >@@ -558,11 +494,6 @@ using WTF::PtrTag; > > using WTF::reportBadTag; > >-using WTF::tagArrayPtr; >-using WTF::untagArrayPtr; >-using WTF::retagArrayPtr; >-using WTF::removeArrayPtrTag; >- > using WTF::tagCodePtr; > using WTF::untagCodePtr; > using WTF::retagCodePtr; >Index: Source/WTF/wtf/TaggedArrayStoragePtr.h >=================================================================== >--- Source/WTF/wtf/TaggedArrayStoragePtr.h (revision 246271) >+++ Source/WTF/wtf/TaggedArrayStoragePtr.h (working copy) >@@ -1,59 +0,0 @@ >-/* >- * Copyright (C) 2019 Apple Inc. All rights reserved. >- * >- * Redistribution and use in source and binary forms, with or without >- * modification, are permitted provided that the following conditions >- * are met: >- * 1. Redistributions of source code must retain the above copyright >- * notice, this list of conditions and the following disclaimer. >- * 2. Redistributions in binary form must reproduce the above copyright >- * notice, this list of conditions and the following disclaimer in the >- * documentation and/or other materials provided with the distribution. >- * >- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY >- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE >- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR >- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR >- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, >- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, >- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR >- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY >- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >- */ >- >-#pragma once >- >-#include <wtf/PtrTag.h> >- >-namespace WTF { >- >-template<typename PtrType> >-class TaggedArrayStoragePtr { >-public: >- TaggedArrayStoragePtr() >- : m_ptr(tagArrayPtr<PtrType>(nullptr, 0)) >- { } >- >- TaggedArrayStoragePtr(PtrType* ptr, unsigned length) >- : m_ptr(tagArrayPtr(ptr, length)) >- { } >- >- PtrType* get(unsigned length) const { return untagArrayPtr(m_ptr, length); } >- PtrType* getUnsafe() const { return removeArrayPtrTag(m_ptr); } >- >- void resize(unsigned oldLength, unsigned newLength) >- { >- m_ptr = retagArrayPtr(m_ptr, oldLength, newLength); >- } >- >- explicit operator bool() const { return !!getUnsafe(); } >- >-private: >- PtrType* m_ptr; >-}; >- >-} >- >-using WTF::TaggedArrayStoragePtr; >Index: Source/bmalloc/ChangeLog >=================================================================== >--- Source/bmalloc/ChangeLog (revision 246288) >+++ Source/bmalloc/ChangeLog (working copy) >@@ -1,3 +1,15 @@ >+2019-06-10 Saam Barati <sbarati@apple.com> >+ >+ Roll out PAC cage >+ https://bugs.webkit.org/show_bug.cgi?id=198726 >+ >+ Reviewed by Keith Miller. >+ >+ * bmalloc/Gigacage.h: >+ (Gigacage::isEnabled): >+ (Gigacage::caged): >+ (Gigacage::cagedMayBeNull): Deleted. >+ > 2019-06-09 Commit Queue <commit-queue@webkit.org> > > Unreviewed, rolling out r246150, r246160, and r246166. >Index: Source/bmalloc/bmalloc/Gigacage.h >=================================================================== >--- Source/bmalloc/bmalloc/Gigacage.h (revision 246271) >+++ Source/bmalloc/bmalloc/Gigacage.h (working copy) >@@ -34,7 +34,8 @@ > #include <cstddef> > #include <inttypes.h> > >-#if ((BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64)) >+#if ((BOS(DARWIN) || BOS(LINUX)) && \ >+(BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS))))) > #define GIGACAGE_ENABLED 1 > #else > #define GIGACAGE_ENABLED 0 >@@ -199,14 +200,6 @@ BINLINE T* caged(Kind kind, T* ptr) > reinterpret_cast<uintptr_t>(ptr) & mask(kind))); > } > >-template<typename T> >-BINLINE T* cagedMayBeNull(Kind kind, T* ptr) >-{ >- if (!ptr) >- return ptr; >- return caged(kind, ptr); >-} >- > BINLINE bool isCaged(Kind kind, const void* ptr) > { > return caged(kind, ptr) == ptr; >@@ -226,9 +219,8 @@ BINLINE size_t size(Kind) { BCRASH(); re > BINLINE void ensureGigacage() { } > BINLINE bool wasEnabled() { return false; } > BINLINE bool isCaged(Kind, const void*) { return true; } >-BINLINE bool isEnabled(Kind) { return false; } >+BINLINE bool isEnabled() { return false; } > template<typename T> BINLINE T* caged(Kind, T* ptr) { return ptr; } >-template<typename T> BINLINE T* cagedMayBeNull(Kind, T* ptr) { return ptr; } > BINLINE void disableDisablingPrimitiveGigacageIfShouldBeEnabled() { } > BINLINE bool canPrimitiveGigacageBeDisabled() { return false; } > BINLINE void disablePrimitiveGigacage() { }
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=371848">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 198726
:
371779
|
371790
| 371848