WebKit Bugzilla
Attachment 368301 Details for Bug 197110: Remove Gigacage from arm64 and use PAC for arm64e instead
[patch]
WIP
bug-197110-20190425223335.patch (text/plain), 81.64 KB, created by Keith Miller on 2019-04-25 22:33:41 PDT
obsolete
>Subversion Revision: 243941 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index eef98aa114150b102ec245d579868c7ed4e7652c..ce0225a5ab989c54dde3c4ef3002ef74a58ca21b 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog 
>@@ -1,3 +1,105 @@ >+2019-04-25 Keith Miller <keith_miller@apple.com> >+ >+ Remove Gigacage from arm64 and use PAC for arm64e instead >+ https://bugs.webkit.org/show_bug.cgi?id=197110 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * assembler/MacroAssemblerARM64E.h: >+ (JSC::MacroAssemblerARM64E::tagArrayPtr): >+ (JSC::MacroAssemblerARM64E::untagArrayPtr): >+ (JSC::MacroAssemblerARM64E::removeArrayPtrTag): >+ * b3/B3LowerToAir.cpp: >+ * b3/B3PatchpointSpecial.cpp: >+ (JSC::B3::PatchpointSpecial::admitsStack): >+ * b3/B3StackmapSpecial.cpp: >+ (JSC::B3::StackmapSpecial::forEachArgImpl): >+ (JSC::B3::StackmapSpecial::isArgValidForRep): >+ * b3/B3Validate.cpp: >+ * b3/B3ValueRep.cpp: >+ (JSC::B3::ValueRep::addUsedRegistersTo const): >+ (JSC::B3::ValueRep::dump const): >+ (WTF::printInternal): >+ * b3/B3ValueRep.h: >+ (JSC::B3::ValueRep::ValueRep): >+ (JSC::B3::ValueRep::isReg const): >+ * dfg/DFGOperations.cpp: >+ (JSC::DFG::newTypedArrayWithSize): >+ * dfg/DFGSpeculativeJIT.cpp: >+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): >+ (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): >+ (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): >+ (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): >+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): >+ (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): >+ * dfg/DFGSpeculativeJIT.h: >+ * dfg/DFGSpeculativeJIT64.cpp: >+ (JSC::DFG::SpeculativeJIT::compile): >+ * ftl/FTLLowerDFGToB3.cpp: >+ (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): >+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): >+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): >+ (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet): >+ (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet): >+ (JSC::FTL::DFG::LowerDFGToB3::caged): >+ (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): >+ * jit/AssemblyHelpers.h: >+ (JSC::AssemblyHelpers::cageConditionally): >+ * 
jit/IntrinsicEmitter.cpp: >+ (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): >+ * jit/JITPropertyAccess.cpp: >+ (JSC::JIT::emitIntTypedArrayGetByVal): >+ (JSC::JIT::emitFloatTypedArrayGetByVal): >+ (JSC::JIT::emitIntTypedArrayPutByVal): >+ (JSC::JIT::emitFloatTypedArrayPutByVal): >+ * jit/PolymorphicCallStubRoutine.cpp: >+ (JSC::PolymorphicCallNode::clearCallLinkInfo): >+ * llint/LowLevelInterpreter64.asm: >+ * offlineasm/arm64.rb: >+ * offlineasm/arm64e.rb: Added. >+ * offlineasm/ast.rb: >+ * offlineasm/instructions.rb: >+ * offlineasm/registers.rb: >+ * offlineasm/x86.rb: >+ * runtime/JSArrayBufferView.cpp: >+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): >+ (JSC::JSArrayBufferView::JSArrayBufferView): >+ (JSC::JSArrayBufferView::finalize): >+ (JSC::JSArrayBufferView::slowDownAndWasteMemory): >+ * runtime/JSArrayBufferView.h: >+ (JSC::JSArrayBufferView::ConstructionContext::vector const): >+ (JSC::JSArrayBufferView::isNeutered): >+ (JSC::JSArrayBufferView::hasVector const): >+ (JSC::JSArrayBufferView::vector const): >+ * runtime/JSGenericTypedArrayViewInlines.h: >+ (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize): >+ (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): >+ * runtime/Options.h: >+ * wasm/WasmAirIRGenerator.cpp: >+ (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): >+ (JSC::Wasm::AirIRGenerator::addCallIndirect): >+ * wasm/WasmB3IRGenerator.cpp: >+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): >+ (JSC::Wasm::B3IRGenerator::addCallIndirect): >+ * wasm/WasmBBQPlan.cpp: >+ (JSC::Wasm::BBQPlan::complete): >+ * wasm/WasmBinding.cpp: >+ (JSC::Wasm::wasmToWasm): >+ * wasm/WasmInstance.h: >+ (JSC::Wasm::Instance::cachedMemory const): >+ (JSC::Wasm::Instance::updateCachedMemory): >+ * wasm/WasmMemory.cpp: >+ (JSC::Wasm::Memory::Memory): >+ (JSC::Wasm::Memory::~Memory): >+ (JSC::Wasm::Memory::grow): >+ (JSC::Wasm::Memory::dump const): >+ * wasm/WasmMemory.h: >+ (JSC::Wasm::Memory::memory const): >+ * 
wasm/js/JSToWasm.cpp: >+ (JSC::Wasm::createJSToWasmWrapper): >+ * wasm/js/WebAssemblyFunction.cpp: >+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow): >+ > 2019-04-05 Commit Queue <commit-queue@webkit.org> > > Unreviewed, rolling out r243833. >diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog >index ca6fb4333bbb6fc9d8e7fd607fc34357c6928960..242fb639e2e85250dd84843f365c081db425e258 100644 >--- a/Source/WTF/ChangeLog >+++ b/Source/WTF/ChangeLog >@@ -1,3 +1,23 @@ >+2019-04-25 Keith Miller <keith_miller@apple.com> >+ >+ Remove Gigacage from arm64 and use PAC for arm64e instead >+ https://bugs.webkit.org/show_bug.cgi?id=197110 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * WTF.xcodeproj/project.pbxproj: >+ * wtf/PtrTag.h: >+ (WTF::tagArrayPtr): >+ (WTF::untagArrayPtr): >+ (WTF::removeArrayPtrTag): >+ (WTF::retagArrayPtr): >+ * wtf/TaggedArrayStoragePtr.h: Added. >+ (WTF::TaggedArrayStoragePtr::TaggedArrayStoragePtr): >+ (WTF::TaggedArrayStoragePtr::get const): >+ (WTF::TaggedArrayStoragePtr::getUnsafe const): >+ (WTF::TaggedArrayStoragePtr::resize): >+ (WTF::TaggedArrayStoragePtr::operator bool const): >+ > 2019-04-05 Michael Catanzaro <mcatanzaro@igalia.com> > > Unreviewed manual rollout of r243929 >diff --git a/Source/bmalloc/ChangeLog b/Source/bmalloc/ChangeLog >index 45248c7aef12444960b924367d9c4dc004f59f92..fd16fcddf0194210d19af932f29945c01753ce51 100644 >--- a/Source/bmalloc/ChangeLog >+++ b/Source/bmalloc/ChangeLog >@@ -1,3 +1,12 @@ >+2019-04-25 Keith Miller <keith_miller@apple.com> >+ >+ Remove Gigacage from arm64 and use PAC for arm64e instead >+ https://bugs.webkit.org/show_bug.cgi?id=197110 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * bmalloc/Gigacage.h: >+ > 2019-04-04 Yusuke Suzuki <ysuzuki@apple.com> > > [WebCore] Put most of derived classes of ScriptWrappable into IsoHeap 
>diff --git a/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h b/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h >index 41940cde66ec51161fc904520e5572f85b46d068..d30eaad671c4b2e37759808cbd270d49e6f5ae5d 100644 >--- a/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h >+++ b/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h >@@ -82,6 +82,29 @@ public: > m_assembler.xpaci(target); > } > >+ ALWAYS_INLINE void tagArrayPtr(RegisterID target, RegisterID length) >+ { >+ m_assembler.pacdb(target, length); >+ } >+ >+ ALWAYS_INLINE void untagArrayPtr(RegisterID target, RegisterID length) >+ { >+ m_assembler.autdb(target, length); >+ } >+ >+ ALWAYS_INLINE void untagArrayPtr(RegisterID target, Address length) >+ { >+ auto lengthGPR = getCachedDataTempRegisterIDAndInvalidate(); >+ load32(length, lengthGPR); >+ m_assembler.autdb(target, lengthGPR); >+ } >+ >+ ALWAYS_INLINE void removeArrayPtrTag(RegisterID target) >+ { >+ m_assembler.xpacd(target); >+ } >+ >+ > static const RegisterID InvalidGPR = static_cast<RegisterID>(-1); > > enum class CallSignatureType { >diff --git a/Source/JavaScriptCore/b3/B3LowerToAir.cpp b/Source/JavaScriptCore/b3/B3LowerToAir.cpp >index 1b3a92e5226320365dfaae6303c0fe1e2dbb9ee8..b4098bcdd19796a3fb213196d8a03ea92c64cf21 100644 >--- a/Source/JavaScriptCore/b3/B3LowerToAir.cpp >+++ b/Source/JavaScriptCore/b3/B3LowerToAir.cpp >@@ -1274,6 +1274,7 @@ private: > arg = tmp(value.value()); > break; > case ValueRep::SomeRegister: >+ case ValueRep::SomeLateRegister: > arg = tmp(value.value()); > break; > case ValueRep::SomeRegisterWithClobber: { >diff --git a/Source/JavaScriptCore/b3/B3PatchpointSpecial.cpp b/Source/JavaScriptCore/b3/B3PatchpointSpecial.cpp >index daae2432c5b5bf44d8ec3f16f709e03c0cc57a23..1532edff2b94f94dea81da472eeeca0ca3e46d10 100644 >--- a/Source/JavaScriptCore/b3/B3PatchpointSpecial.cpp >+++ b/Source/JavaScriptCore/b3/B3PatchpointSpecial.cpp 
>@@ -120,6 +120,7 @@ bool PatchpointSpecial::admitsStack(Inst& inst, unsigned argIndex) > case ValueRep::SomeRegister: > case ValueRep::SomeRegisterWithClobber: > case ValueRep::SomeEarlyRegister: >+ case ValueRep::SomeLateRegister: > case ValueRep::Register: > case ValueRep::LateRegister: > return false; >diff --git a/Source/JavaScriptCore/b3/B3StackmapSpecial.cpp b/Source/JavaScriptCore/b3/B3StackmapSpecial.cpp >index e7c6b495b6bb11207c97994e77dac2ee7f68c03b..957ac940ebaa81acea15b6b66fcc51ed95957faa 100644 >--- a/Source/JavaScriptCore/b3/B3StackmapSpecial.cpp >+++ b/Source/JavaScriptCore/b3/B3StackmapSpecial.cpp >@@ -113,6 +113,7 @@ void StackmapSpecial::forEachArgImpl( > case ValueRep::SomeRegisterWithClobber: > role = Arg::UseDef; > break; >+ case ValueRep::SomeLateRegister: > case ValueRep::LateRegister: > role = Arg::LateUse; > break; >@@ -254,6 +255,7 @@ bool StackmapSpecial::isArgValidForRep(Air::Code& code, const Air::Arg& arg, con > case ValueRep::SomeRegister: > case ValueRep::SomeRegisterWithClobber: > case ValueRep::SomeEarlyRegister: >+ case ValueRep::SomeLateRegister: > return arg.isTmp(); > case ValueRep::LateRegister: > case ValueRep::Register: >diff --git a/Source/JavaScriptCore/b3/B3Validate.cpp b/Source/JavaScriptCore/b3/B3Validate.cpp >index f5cd7d2f0c91e86868d12ef809a150ddffb4d08b..f7b3c55f8eef099b0bd78c405fdff0775b613c7a 100644 >--- a/Source/JavaScriptCore/b3/B3Validate.cpp >+++ b/Source/JavaScriptCore/b3/B3Validate.cpp >@@ -580,6 +580,7 @@ private: > break; > case ValueRep::Register: > case ValueRep::LateRegister: >+ case ValueRep::SomeLateRegister: > if (value.rep().kind() == ValueRep::LateRegister) > VALIDATE(role == ConstraintRole::Use, ("At ", *context, ": ", value)); > if (value.rep().reg().isGPR()) >diff --git a/Source/JavaScriptCore/b3/B3ValueRep.cpp b/Source/JavaScriptCore/b3/B3ValueRep.cpp >index 45a1113e0de435469d93029ba48913b1e71d5da3..d4b47f14b0e89c08cd661b488b5e6eeb9440f195 100644 >--- a/Source/JavaScriptCore/b3/B3ValueRep.cpp 
>+++ b/Source/JavaScriptCore/b3/B3ValueRep.cpp >@@ -42,6 +42,7 @@ void ValueRep::addUsedRegistersTo(RegisterSet& set) const > case SomeRegister: > case SomeRegisterWithClobber: > case SomeEarlyRegister: >+ case SomeLateRegister: > case Constant: > return; > case LateRegister: >@@ -74,6 +75,7 @@ void ValueRep::dump(PrintStream& out) const > case SomeRegister: > case SomeRegisterWithClobber: > case SomeEarlyRegister: >+ case SomeLateRegister: > return; > case LateRegister: > case Register: >@@ -183,6 +185,9 @@ void printInternal(PrintStream& out, ValueRep::Kind kind) > case ValueRep::SomeEarlyRegister: > out.print("SomeEarlyRegister"); > return; >+ case ValueRep::SomeLateRegister: >+ out.print("SomeLateRegister"); >+ return; > case ValueRep::Register: > out.print("Register"); > return; >diff --git a/Source/JavaScriptCore/b3/B3ValueRep.h b/Source/JavaScriptCore/b3/B3ValueRep.h >index 463f27e40d64e1bfd2e212e368cbea2fbdf370b7..fcfa7fcfdda066d58c7c71a5852d5bdbb35d9194 100644 >--- a/Source/JavaScriptCore/b3/B3ValueRep.h >+++ b/Source/JavaScriptCore/b3/B3ValueRep.h >@@ -74,7 +74,12 @@ public: > // that the def happens before any of the effects of the stackmap. This is only valid for > // the result constraint of a Patchpoint. > SomeEarlyRegister, >- >+ >+ // As an input representation, this tells us that B3 should pick some register, but implies >+ // that the use happens after any of the effects of the patchpoint. >+ // This is only works for patchpoints. >+ SomeLateRegister, >+ > // As an input representation, this forces a particular register. As an output > // representation, this tells us what register B3 picked. > Register, 
>@@ -111,7 +116,7 @@ public: > ValueRep(Kind kind) > : m_kind(kind) > { >- ASSERT(kind == WarmAny || kind == ColdAny || kind == LateColdAny || kind == SomeRegister || kind == SomeRegisterWithClobber || kind == SomeEarlyRegister); >+ ASSERT(kind == WarmAny || kind == ColdAny || kind == LateColdAny || kind == SomeRegister || kind == SomeRegisterWithClobber || kind == SomeEarlyRegister || kind == SomeLateRegister); > } > > static ValueRep reg(Reg reg) >@@ -185,7 +190,7 @@ public: > > bool isAny() const { return kind() == WarmAny || kind() == ColdAny || kind() == LateColdAny; } > >- bool isReg() const { return kind() == Register || kind() == LateRegister; } >+ bool isReg() const { return kind() == Register || kind() == LateRegister || kind() == SomeLateRegister; } > > Reg reg() const > { >diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp >index dd2854b492704fb5701b39785323d5c6cf317ee2..cd880915f935a149933fcf4f9569003dbd140dae 100644 >--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp >+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp >@@ -198,7 +198,7 @@ char* newTypedArrayWithSize(ExecState* exec, Structure* structure, int32_t size, > } > > if (vector) >- return bitwise_cast<char*>(ViewClass::createWithFastVector(exec, structure, size, vector)); >+ return bitwise_cast<char*>(ViewClass::createWithFastVector(exec, structure, size, WTF::removeArrayPtrTag(vector))); > > RELEASE_AND_RETURN(scope, bitwise_cast<char*>(ViewClass::create(exec, structure, size))); > } >diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >index c956405e52d828ff193cd0ba83d9a165d23c3c4b..60f258df2c8c0362ce1c7cd55cbeba0eebb28f07 100644 >--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 
>@@ -39,6 +39,7 @@ > #include "DFGSaneStringGetByValSlowPathGenerator.h" > #include "DFGSlowPathGenerator.h" > #include "DFGSnippetParams.h" >+#include "DisallowMacroScratchRegisterUsage.h" > #include "DirectArguments.h" > #include "JITAddGenerator.h" > #include "JITBitAndGenerator.h" >@@ -68,6 +69,8 @@ > #include <wtf/Box.h> > #include <wtf/MathExtras.h> > >+#include "ProbeContext.h" >+ > namespace JSC { namespace DFG { > > SpeculativeJIT::SpeculativeJIT(JITCompiler& jit) >@@ -2872,9 +2875,21 @@ JITCompiler::Jump SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds(Node* > MacroAssembler::Address(base, JSArrayBufferView::offsetOfMode()), > TrustedImm32(WastefulTypedArray)); > >- JITCompiler::Jump hasNullVector = m_jit.branchTestPtr( >+ JITCompiler::Jump hasNullVector; >+#if CPU(ARM64E) >+ { >+ GPRReg scratch = m_jit.scratchRegister(); >+ DisallowMacroScratchRegisterUsage disallowScratch(m_jit); >+ >+ m_jit.loadPtr(MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector()), scratch); >+ m_jit.removeArrayPtrTag(scratch); >+ hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch); >+ } >+#else // CPU(ARM64E) >+ hasNullVector = m_jit.branchTestPtr( > MacroAssembler::Zero, > MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector())); >+#endif > speculationCheck(Uncountable, JSValueSource(), node, hasNullVector); > notWasteful.link(&m_jit); > } >@@ -3086,6 +3101,10 @@ void SpeculativeJIT::compilePutByValForIntTypedArray(GPRReg base, GPRReg propert > > StorageOperand storage(this, m_jit.graph().varArgChild(node, 3)); > GPRReg storageReg = storage.gpr(); >+ >+ // m_jit.probe([=] (Probe::Context& context) { >+ // ASSERT(*context.gpr<char*>(storageReg) || true); >+ // }); > > Edge valueUse = m_jit.graph().varArgChild(node, 2); 
> >@@ -6668,9 +6687,10 @@ void SpeculativeJIT::compileConstantStoragePointer(Node* node) > storageResult(storageGPR, node); > } > >-void SpeculativeJIT::cageTypedArrayStorage(GPRReg storageReg) >+void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg) > { > #if GIGACAGE_ENABLED >+ UNUSED_PARAM(baseReg); > if (!Gigacage::shouldBeEnabled()) > return; > >@@ -6682,7 +6702,10 @@ void SpeculativeJIT::cageTypedArrayStorage(GPRReg storageReg) > } > > m_jit.cage(Gigacage::Primitive, storageReg); >+#elif CPU(ARM64E) >+ m_jit.untagArrayPtr(storageReg, MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength())); > #else >+ UNUSED_PARAM(baseReg); > UNUSED_PARAM(storageReg); > #endif > } >@@ -6706,16 +6729,17 @@ void SpeculativeJIT::compileGetIndexedPropertyStorage(Node* node) > > m_jit.loadPtr(MacroAssembler::Address(storageReg, StringImpl::dataOffset()), storageReg); > break; >- >- default: >+ >+ default: { > auto typedArrayType = node->arrayMode().typedArrayType(); > ASSERT_UNUSED(typedArrayType, isTypedView(typedArrayType)); > > m_jit.loadPtr(JITCompiler::Address(baseReg, JSArrayBufferView::offsetOfVector()), storageReg); >- cageTypedArrayStorage(storageReg); >+ cageTypedArrayStorage(baseReg, storageReg); > break; > } >- >+ } >+ > storageResult(storageReg, node); > } > >@@ -6745,7 +6769,7 @@ void SpeculativeJIT::compileGetTypedArrayByteOffset(Node* node) > m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR); > m_jit.cage(Gigacage::JSValue, dataGPR); > >- cageTypedArrayStorage(vectorGPR); >+ cageTypedArrayStorage(baseGPR, vectorGPR); > > m_jit.loadPtr(MacroAssembler::Address(dataGPR, Butterfly::offsetOfArrayBuffer()), arrayBufferGPR); > // FIXME: This needs caging. 
>@@ -9742,6 +9766,9 @@ void SpeculativeJIT::compileNewTypedArrayWithSize(Node* node) > TrustedImm32(0), > MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesFour)); > m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit); >+#if !GIGACAGE_ENABLED && CPU(ARM64E) >+ m_jit.tagArrayPtr(storageGPR, sizeGPR); >+#endif > done.link(&m_jit); > > auto butterfly = TrustedImmPtr(nullptr); >diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h >index e65de38b0bb1becead325f552f4685c7ffa0f314..531f951aabddc983e7a3a33151bf950def178306 100644 >--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h >+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h >@@ -1650,7 +1650,7 @@ public: > template<bool strict> > GPRReg fillSpeculateInt32Internal(Edge, DataFormat& returnFormat); > >- void cageTypedArrayStorage(GPRReg); >+ void cageTypedArrayStorage(GPRReg, GPRReg); > > void recordSetLocal( > VirtualRegister bytecodeReg, VirtualRegister machineReg, DataFormat format) >diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp >index 3afcc740565ddcd51d92a99c4b9f165fd4d1d887..b0e989573df27bdbd32289029d57a2d6c9b82ea9 100644 >--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp >+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp >@@ -4672,7 +4672,7 @@ void SpeculativeJIT::compile(Node* node) > m_jit.branch64(MacroAssembler::AboveOrEqual, t2, t1)); > > m_jit.loadPtr(JITCompiler::Address(dataViewGPR, JSArrayBufferView::offsetOfVector()), t2); >- cageTypedArrayStorage(t2); >+ cageTypedArrayStorage(dataViewGPR, t2); > > m_jit.zeroExtend32ToPtr(indexGPR, t1); > auto baseIndex = JITCompiler::BaseIndex(t2, t1, MacroAssembler::TimesOne); 
>@@ -4868,7 +4868,7 @@ void SpeculativeJIT::compile(Node* node) > m_jit.branch64(MacroAssembler::AboveOrEqual, t2, t1)); > > m_jit.loadPtr(JITCompiler::Address(dataViewGPR, JSArrayBufferView::offsetOfVector()), t2); >- cageTypedArrayStorage(t2); >+ cageTypedArrayStorage(dataViewGPR, t2); > > m_jit.zeroExtend32ToPtr(indexGPR, t1); > auto baseIndex = JITCompiler::BaseIndex(t2, t1, MacroAssembler::TimesOne); >diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >index 9dfd810ccaf2ee21760adbf4576b5995933d000f..cf6c0ee1e22efafa6508b7751fa18f523afd8a2c 100644 >--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >@@ -3841,7 +3841,7 @@ private: > > DFG_ASSERT(m_graph, m_node, isTypedView(m_node->arrayMode().typedArrayType()), m_node->arrayMode().typedArrayType()); > LValue vector = m_out.loadPtr(cell, m_heaps.JSArrayBufferView_vector); >- setStorage(caged(Gigacage::Primitive, vector)); >+ setStorage(caged(Gigacage::Primitive, vector, cell)); > } > > void compileCheckArray() >@@ -3885,10 +3885,10 @@ private: > > m_out.appendTo(notNull, continuation); > >- LValue butterflyPtr = caged(Gigacage::JSValue, m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly)); >+ LValue butterflyPtr = caged(Gigacage::JSValue, m_out.loadPtr(basePtr, m_heaps.JSObject_butterfly), basePtr); > LValue arrayBufferPtr = m_out.loadPtr(butterflyPtr, m_heaps.Butterfly_arrayBuffer); > >- LValue vectorPtr = caged(Gigacage::Primitive, vector); >+ LValue vectorPtr = caged(Gigacage::Primitive, vector, basePtr); > > // FIXME: This needs caging. > // https://bugs.webkit.org/show_bug.cgi?id=175515 
>@@ -6440,6 +6440,17 @@ private: > m_out.int64Zero, > m_heaps.typedArrayProperties); > >+#if !GIGACAGE_ENABLED && CPU(ARM64E) >+ PatchpointValue* authenticate = m_out.patchpoint(pointerType()); >+ authenticate->appendSomeRegister(storage); >+ authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister)); >+ authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { >+ jit.move(params[1].gpr(), params[0].gpr()); >+ jit.tagArrayPtr(params[0].gpr(), params[2].gpr()); >+ }); >+ storage = authenticate; >+#endif >+ > ValueFromBlock haveStorage = m_out.anchor(storage); > > LValue fastResultValue = >@@ -12656,7 +12667,7 @@ private: > indexToCheck = m_out.add(indexToCheck, m_out.constInt64(data.byteSize - 1)); > speculate(OutOfBounds, noValue(), nullptr, m_out.aboveOrEqual(indexToCheck, length)); > >- LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector)); >+ LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector), dataView); > > TypedPointer pointer(m_heaps.typedArrayProperties, m_out.add(vector, m_out.zeroExtPtr(index))); > >@@ -12815,7 +12826,7 @@ private: > RELEASE_ASSERT_NOT_REACHED(); > } > >- LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector)); >+ LValue vector = caged(Gigacage::Primitive, m_out.loadPtr(dataView, m_heaps.JSArrayBufferView_vector), dataView); > TypedPointer pointer(m_heaps.typedArrayProperties, m_out.add(vector, m_out.zeroExtPtr(index))); > > if (data.isFloatingPoint) { >@@ -14063,9 +14074,10 @@ private: > } > } > >- LValue caged(Gigacage::Kind kind, LValue ptr) >+ LValue caged(Gigacage::Kind kind, LValue ptr, LValue base) > { > #if GIGACAGE_ENABLED >+ UNUSED_PARAM(base); > if (!Gigacage::isEnabled(kind)) > return ptr; 
> >@@ -14094,6 +14106,21 @@ private: > // and possibly other smart things if we want to be able to remove this opaque. > // https://bugs.webkit.org/show_bug.cgi?id=175493 > return m_out.opaque(result); >+#elif CPU(ARM64E) >+ if (kind == Gigacage::Primitive) { >+ LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length); >+ >+ PatchpointValue* authenticate = m_out.patchpoint(pointerType()); >+ authenticate->appendSomeRegister(ptr); >+ authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister)); >+ authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { >+ jit.move(params[1].gpr(), params[0].gpr()); >+ jit.untagArrayPtr(params[0].gpr(), params[2].gpr()); >+ }); >+ return authenticate; >+ } >+ >+ return ptr; > #else > UNUSED_PARAM(kind); > return ptr; >@@ -16509,6 +16536,15 @@ private: > > LBasicBlock lastNext = m_out.appendTo(isWasteful, continuation); > LValue vector = m_out.loadPtr(base, m_heaps.JSArrayBufferView_vector); >+#if CPU(ARM64E) >+ PatchpointValue* authenticate = m_out.patchpoint(pointerType()); >+ authenticate->appendSomeRegister(vector); >+ authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { >+ jit.move(params[1].gpr(), params[0].gpr()); >+ jit.removeArrayPtrTag(params[0].gpr()); >+ }); >+ vector = authenticate; >+#endif > speculate(Uncountable, jsValueValue(vector), m_node, m_out.isZero64(vector)); > m_out.jump(continuation); > >diff --git a/Source/JavaScriptCore/jit/AssemblyHelpers.h b/Source/JavaScriptCore/jit/AssemblyHelpers.h >index 9b46fe58ead4a50635c50b2ead8c10c66606bf09..a9a88f59aa2aed687b415a1fb5c387be27fb5be6 100644 >--- a/Source/JavaScriptCore/jit/AssemblyHelpers.h >+++ b/Source/JavaScriptCore/jit/AssemblyHelpers.h 
>@@ -1571,7 +1571,7 @@ public: > #endif > } > >- void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratch) >+ void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratchOrLength) > { > #if GIGACAGE_ENABLED > if (!Gigacage::isEnabled(kind)) >@@ -1580,11 +1580,14 @@ public: > if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled()) > return cage(kind, storage); > >- loadPtr(&Gigacage::basePtr(kind), scratch); >- Jump done = branchTestPtr(Zero, scratch); >+ loadPtr(&Gigacage::basePtr(kind), scratchOrLength); >+ Jump done = branchTestPtr(Zero, scratchOrLength); > andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage); >- addPtr(scratch, storage); >+ addPtr(scratchOrLength, storage); > done.link(this); >+#elif CPU(ARM64E) >+ if (kind == Gigacage::Primitive) >+ untagArrayPtr(storage, scratchOrLength); > #else > UNUSED_PARAM(kind); > UNUSED_PARAM(storage); >diff --git a/Source/JavaScriptCore/jit/IntrinsicEmitter.cpp b/Source/JavaScriptCore/jit/IntrinsicEmitter.cpp >index cae39e935cb93ed97618370ed71b9945b55425d0..06c6127641bf4b688e315e279145278a32384b4d 100644 >--- a/Source/JavaScriptCore/jit/IntrinsicEmitter.cpp >+++ b/Source/JavaScriptCore/jit/IntrinsicEmitter.cpp >@@ -114,6 +114,9 @@ void IntrinsicGetterAccessCase::emitIntrinsicGetter(AccessGenerationState& state > > jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR); > jit.loadPtr(MacroAssembler::Address(baseGPR, JSArrayBufferView::offsetOfVector()), valueGPR); >+#if !GIGACAGE_ENABLED && CPU(ARM64E) >+ jit.removeArrayPtrTag(valueGPR); >+#endif > jit.loadPtr(MacroAssembler::Address(scratchGPR, Butterfly::offsetOfArrayBuffer()), scratchGPR); > jit.loadPtr(MacroAssembler::Address(scratchGPR, ArrayBuffer::offsetOfData()), scratchGPR); > jit.subPtr(scratchGPR, valueGPR); 
>diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp >index 8d8d5dbbbdba34fdae09880124668bf4f0bb4bce..375af705e1f94eecd095b36eb9e98a3167f7d252 100644 >--- a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp >+++ b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp >@@ -1660,7 +1660,8 @@ JIT::JumpList JIT::emitIntTypedArrayGetByVal(const Instruction*, PatchableJump& > > load8(Address(base, JSCell::typeInfoTypeOffset()), scratch); > badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type))); >- slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength()))); >+ load32(Address(base, JSArrayBufferView::offsetOfLength()), scratch2); >+ slowCases.append(branch32(AboveOrEqual, property, scratch2)); > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); > cageConditionally(Gigacage::Primitive, scratch, scratch2); > >@@ -1723,7 +1724,8 @@ JIT::JumpList JIT::emitFloatTypedArrayGetByVal(const Instruction*, PatchableJump > > load8(Address(base, JSCell::typeInfoTypeOffset()), scratch); > badType = patchableBranch32(NotEqual, scratch, TrustedImm32(typeForTypedArrayType(type))); >- slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength()))); >+ load32(Address(base, JSArrayBufferView::offsetOfLength()), scratch2); >+ slowCases.append(branch32(AboveOrEqual, property, scratch2)); > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); > cageConditionally(Gigacage::Primitive, scratch, scratch2); 
> >@@ -1773,7 +1775,8 @@ JIT::JumpList JIT::emitIntTypedArrayPutByVal(Op bytecode, PatchableJump& badType > > load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch); > badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type))); >- Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength())); >+ load32(Address(base, JSArrayBufferView::offsetOfLength()), lateScratch2); >+ Jump inBounds = branch32(Below, property, lateScratch2); > emitArrayProfileOutOfBoundsSpecialCase(profile); > slowCases.append(jump()); > inBounds.link(this); >@@ -1848,7 +1851,8 @@ JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Op bytecode, PatchableJump& badTy > > load8(Address(base, JSCell::typeInfoTypeOffset()), earlyScratch); > badType = patchableBranch32(NotEqual, earlyScratch, TrustedImm32(typeForTypedArrayType(type))); >- Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength())); >+ load32(Address(base, JSArrayBufferView::offsetOfLength()), lateScratch2); >+ Jump inBounds = branch32(Below, property, lateScratch2); > emitArrayProfileOutOfBoundsSpecialCase(profile); > slowCases.append(jump()); > inBounds.link(this); >diff --git a/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp b/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp >index 7cf74b164d3cbb06428a73432ce774245d6e18d0..91bb5856d178beaa4b9f77917a0cc35d2bd9c116 100644 >--- a/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp >+++ b/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp >@@ -57,9 +57,6 @@ void PolymorphicCallNode::unlink(VM& vm) > > void PolymorphicCallNode::clearCallLinkInfo() > { >- if (Options::dumpDisassembly()) >- dataLog("Clearing call link info for polymorphic call at ", m_callLinkInfo->callReturnLocation(), ", ", m_callLinkInfo->codeOrigin(), "\n"); >- > m_callLinkInfo = nullptr; > } 
> >diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm >index 3a13c6749b7ae576939fb0bfbabb320ea1aa60bd..c80743584509cfee30993a6eb11255d213351c62 100644 >--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm >+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm >@@ -408,19 +408,28 @@ macro checkSwitchToJITForLoop() > end) > end > >-macro uncage(basePtr, mask, ptr, scratch) >+macro uncage(basePtr, mask, ptr, scratchOrLength) > if GIGACAGE_ENABLED and not C_LOOP >- loadp basePtr, scratch >- btpz scratch, .done >+ loadp basePtr, scratchOrLength >+ btpz scratchOrLength, .done > andp mask, ptr >- addp scratch, ptr >+ addp scratchOrLength, ptr > .done: > end > end > >-macro loadCaged(basePtr, mask, source, dest, scratch) >+macro loadCagedPrimitive(source, dest, scratchOrLength) > loadp source, dest >- uncage(basePtr, mask, dest, scratch) >+ if GIGACAGE_ENABLED >+ uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, dest, scratchOrLength) >+ elsif ARM64E >+ untagArrayPtr scratchOrLength, dest >+ end >+end >+ >+macro loadCagedJSValue(source, dest, scratchOrLength) >+ loadp source, dest >+ uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, dest, scratchOrLength) > end > > macro loadVariable(get, fieldName, valueReg) 
>@@ -1310,7 +1319,7 @@ llintOpWithMetadata(op_get_by_id, OpGetById, macro (size, get, dispatch, metadat > arrayProfile(OpGetById::Metadata::m_modeMetadata.arrayLengthMode.arrayProfile, t0, t2, t5) > btiz t0, IsArray, .opGetByIdSlow > btiz t0, IndexingShapeMask, .opGetByIdSlow >- loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t3], t0, t1) >+ loadCagedJSValue(JSObject::m_butterfly[t3], t0, t1) > loadi -sizeof IndexingHeader + IndexingHeader::u.lengths.publicLength[t0], t0 > bilt t0, 0, .opGetByIdSlow > orq tagTypeNumber, t0 >@@ -1433,7 +1442,7 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad > loadConstantOrVariableInt32(size, t3, t1, .opGetByValSlow) > sxi2q t1, t1 > >- loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t0], t3, tagTypeNumber) >+ loadCagedJSValue(JSObject::m_butterfly[t0], t3, tagTypeNumber) > move TagTypeNumber, tagTypeNumber > > andi IndexingShapeMask, t2 >@@ -1477,7 +1486,17 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad > biaeq t2, NumberOfTypedArrayTypesExcludingDataView, .opGetByValSlow > > # Sweet, now we know that we have a typed array. Do some basic things now. >- biaeq t1, JSArrayBufferView::m_length[t0], .opGetByValSlow >+ >+ if ARM64E >+ const scratchOrLength = t6 >+ loadi JSArrayBufferView::m_length[t0], scratchOrLength >+ biaeq t1, scratchOrLength, .opGetByValSlow >+ else >+ const scratchOrLength = t0 >+ biaeq t1, JSArrayBufferView::m_length[t0], .opGetByValSlow >+ end >+ >+ loadCagedPrimitive(JSArrayBufferView::m_vector[t0], t3, scratchOrLength) > > # Now bisect through the various types: > # Int8ArrayType, 
>@@ -1499,7 +1518,6 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad > bia t2, Int8ArrayType - FirstTypedArrayType, .opGetByValUint8ArrayOrUint8ClampedArray > > # We have Int8ArrayType. >- loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadbs [t3, t1], t0 > finishIntGetByVal(t0, t1) > >@@ -1507,13 +1525,11 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad > bia t2, Uint8ArrayType - FirstTypedArrayType, .opGetByValUint8ClampedArray > > # We have Uint8ArrayType. >- loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadb [t3, t1], t0 > finishIntGetByVal(t0, t1) > > .opGetByValUint8ClampedArray: > # We have Uint8ClampedArrayType. >- loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadb [t3, t1], t0 > finishIntGetByVal(t0, t1) > >@@ -1522,13 +1538,11 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad > bia t2, Int16ArrayType - FirstTypedArrayType, .opGetByValUint16Array > > # We have Int16ArrayType. >- loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadhs [t3, t1, 2], t0 > finishIntGetByVal(t0, t1) > > .opGetByValUint16Array: > # We have Uint16ArrayType. >- loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadh [t3, t1, 2], t0 > finishIntGetByVal(t0, t1) 
> >@@ -1540,13 +1554,11 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad > bia t2, Int32ArrayType - FirstTypedArrayType, .opGetByValUint32Array > > # We have Int32ArrayType. >- loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadi [t3, t1, 4], t0 > finishIntGetByVal(t0, t1) > > .opGetByValUint32Array: > # We have Uint32ArrayType. >- loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > # This is the hardest part because of large unsigned values. > loadi [t3, t1, 4], t0 > bilt t0, 0, .opGetByValSlow # This case is still awkward to implement in LLInt. >@@ -1558,7 +1570,6 @@ llintOpWithMetadata(op_get_by_val, OpGetByVal, macro (size, get, dispatch, metad > bieq t2, Float32ArrayType - FirstTypedArrayType, .opGetByValSlow > > # We have Float64ArrayType. >- loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, JSArrayBufferView::m_vector[t0], t3, t2) > loadd [t3, t1, 8], ft0 > bdnequn ft0, ft0, .opGetByValSlow > finishDoubleGetByVal(ft0, t0, t1) >@@ -1594,7 +1605,7 @@ macro putByValOp(opcodeName, opcodeStruct) > get(m_property, t0) > loadConstantOrVariableInt32(size, t0, t3, .opPutByValSlow) > sxi2q t3, t3 >- loadCaged(_g_gigacageBasePtrs + Gigacage::BasePtrs::jsValue, constexpr Gigacage::jsValueGigacageMask, JSObject::m_butterfly[t1], t0, tagTypeNumber) >+ loadCagedJSValue(JSObject::m_butterfly[t1], t0, tagTypeNumber) > move TagTypeNumber, tagTypeNumber > btinz t2, CopyOnWrite, .opPutByValSlow > andi IndexingShapeMask, t2 >diff --git a/Source/JavaScriptCore/offlineasm/arm64.rb b/Source/JavaScriptCore/offlineasm/arm64.rb >index c09e1570270d51d992341b2e2e6dd2cd1748b127..416fe369688008b70414d2ddc5830cfac42a8fbf 100644 >--- a/Source/JavaScriptCore/offlineasm/arm64.rb 
>+++ b/Source/JavaScriptCore/offlineasm/arm64.rb >@@ -123,7 +123,9 @@ class RegisterID > when 't4' > arm64GPRName('x4', kind) > when 't5' >- arm64GPRName('x5', kind) >+ arm64GPRName('x5', kind) >+ when 't6' >+ arm64GPRName('x6', kind) > when 'cfr' > arm64GPRName('x29', kind) > when 'csr0' >@@ -361,8 +363,7 @@ def arm64CortexA53Fix835769(list) > end > > class Sequence >- def getModifiedListARM64 >- result = @list >+ def getModifiedListARM64(result = @list) > result = riscLowerNot(result) > result = riscLowerSimpleBranchOps(result) > >@@ -387,7 +388,7 @@ class Sequence > "jmp", "call", "leap", "leaq" > size = $currentSettings["ADDRESS64"] ? 8 : 4 > else >- raise "Bad instruction #{node.opcode} for heap access at #{node.codeOriginString}" >+ raise "Bad instruction #{node.opcode} for heap access at #{node.codeOriginString}: #{node.dump}" > end > > if address.is_a? BaseIndex >diff --git a/Source/JavaScriptCore/offlineasm/arm64e.rb b/Source/JavaScriptCore/offlineasm/arm64e.rb >new file mode 100644 >index 0000000000000000000000000000000000000000..17bf669a556281c93effe6272b56ffc222f7c113 >--- /dev/null >+++ b/Source/JavaScriptCore/offlineasm/arm64e.rb 
>@@ -0,0 +1,117 @@ >+# Copyright (C) 2018 Apple Inc. All rights reserved. >+# >+# Redistribution and use in source and binary forms, with or without >+# modification, are permitted provided that the following conditions >+# are met: >+# 1. Redistributions of source code must retain the above copyright >+# notice, this list of conditions and the following disclaimer. >+# 2. Redistributions in binary form must reproduce the above copyright >+# notice, this list of conditions and the following disclaimer in the >+# documentation and/or other materials provided with the distribution. >+# >+# THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY >+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE >+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR >+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR >+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, >+# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, >+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR >+# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY >+# OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT >+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE >+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >+ >+class ARM64E >+ # FIXME: This is fragile and needs to match the enum value in PtrTag.h. >+ CFunctionPtrTag = 2 >+end >+ >+class Sequence >+ def getModifiedListARM64E >+ result = riscLowerMisplacedAddresses(@list) >+ getModifiedListARM64(result) >+ end >+end >+ >+class Instruction >+ def self.lowerMisplacedAddressesARM64E(node, newList) >+ wasHandled = false >+ if node.is_a? Instruction >+ postInstructions = [] >+ annotation = node.annotation >+ codeOrigin = node.codeOrigin >+ case node.opcode >+ when "jmp", "call" >+ if node.operands.size > 1 >+ if node.operands[1].is_a? 
RegisterID >+ tag = riscAsRegister(newList, postInstructions, node.operands[1], "p", false) >+ else >+ tag = Tmp.new(codeOrigin, :gpr) >+ newList << Instruction.new(codeOrigin, "move", [node.operands[1], tag], annotation) >+ end >+ operands = [riscAsRegister(newList, postInstructions, node.operands[0], "p", false), tag] >+ newList << Instruction.new(codeOrigin, node.opcode, operands, annotation) >+ wasHandled = true >+ end >+ when "untagArrayPtr" >+ newOperands = node.operands.map { >+ | operand | >+ if operand.address? >+ tmp = Tmp.new(codeOrigin, :gpr) >+ newList << Instruction.new(codeOrigin, "loadp", [operand, tmp], annotation) >+ tmp >+ else >+ operand >+ end >+ } >+ newList << Instruction.new(codeOrigin, node.opcode, newOperands, annotation) >+ wasHandled = true >+ end >+ newList += postInstructions if wasHandled >+ end >+ return wasHandled, newList >+ end >+ >+ def lowerARM64E >+ case opcode >+ when "call" >+ if operands.size == 1 or operands[0].label? >+ lowerARM64 >+ elsif operands[1] == ARM64E::CFunctionPtrTag >+ emitARM64Unflipped("blraaz", [operands[0]], :ptr) >+ else >+ emitARM64Unflipped("blrab", operands, :ptr) >+ end >+ when "jmp" >+ if operands[0].label? >+ lowerARM64 >+ else >+ emitARM64Unflipped("brab", operands, :ptr) >+ end >+ when "tagReturnAddress" >+ raise if operands.size < 1 or not operands[0].is_a? RegisterID >+ if operands[0].is_a? RegisterID and operands[0].name == "sp" >+ $asm.puts "pacibsp" >+ else >+ emitARM64Unflipped("pacib lr,", operands, :ptr) >+ end >+ when "untagReturnAddress" >+ raise if operands.size < 1 or not operands[0].is_a? RegisterID >+ if operands[0].is_a? RegisterID and operands[0].name == "sp" >+ $asm.puts "autibsp" >+ else >+ emitARM64Unflipped("autib lr,", operands, :ptr) >+ end >+ when "removeCodePtrTag" >+ raise unless operands[0].is_a? RegisterID >+ emitARM64Unflipped("xpaci ", operands, :ptr) >+ when "untagArrayPtr" >+ raise if operands.size != 2 or not operands.each { |operand| operand.is_a? 
RegisterID or operand.is_a? Tmp } >+ emitARM64("autdb ", operands, :ptr) >+ when "ret" >+ $asm.puts "retab" >+ else >+ lowerARM64 >+ end >+ end >+end >diff --git a/Source/JavaScriptCore/offlineasm/ast.rb b/Source/JavaScriptCore/offlineasm/ast.rb >index 586ba5cd6b0f5c96d0b4041c2f5ef15662ab374b..2edca7235132583ef50d0c217babbd65369cba18 100644 >--- a/Source/JavaScriptCore/offlineasm/ast.rb >+++ b/Source/JavaScriptCore/offlineasm/ast.rb >@@ -938,7 +938,7 @@ class Instruction < Node > $asm.putGlobalAnnotation > when "emit" > $asm.puts "#{operands[0].dump}" >- when "tagReturnAddress", "untagReturnAddress", "removeCodePtrTag" >+ when "tagReturnAddress", "untagReturnAddress", "removeCodePtrTag", "untagArrayPtr" > else > raise "Unhandled opcode #{opcode} at #{codeOriginString}" > end >diff --git a/Source/JavaScriptCore/offlineasm/instructions.rb b/Source/JavaScriptCore/offlineasm/instructions.rb >index c658b9b13738310be7272deb1466e2f830d4da6f..69e4b6aa8fe4b468b1a48df380e9741c7bf9d417 100644 >--- a/Source/JavaScriptCore/offlineasm/instructions.rb >+++ b/Source/JavaScriptCore/offlineasm/instructions.rb >@@ -253,7 +253,8 @@ MACRO_INSTRUCTIONS = > "memfence", > "tagReturnAddress", > "untagReturnAddress", >- "removeCodePtrTag" >+ "removeCodePtrTag", >+ "untagArrayPtr", > ] > > X86_INSTRUCTIONS = >diff --git a/Source/JavaScriptCore/offlineasm/registers.rb b/Source/JavaScriptCore/offlineasm/registers.rb >index b6ed36d002bfd2aefcd5915cf36ff57f7e8f3053..aa8a40fd4e853cd48d45ecc2666cd9a164609d39 100644 >--- a/Source/JavaScriptCore/offlineasm/registers.rb >+++ b/Source/JavaScriptCore/offlineasm/registers.rb >@@ -31,6 +31,7 @@ GPRS = > "t3", > "t4", > "t5", >+ "t6", > "cfr", > "a0", > "a1", >diff --git a/Source/JavaScriptCore/offlineasm/x86.rb b/Source/JavaScriptCore/offlineasm/x86.rb >index 796996468e23b190ce76db6d482ca8c181691104..f2deba81b76317568d812e6b8dc750ad34245bd8 100644 >--- a/Source/JavaScriptCore/offlineasm/x86.rb >+++ b/Source/JavaScriptCore/offlineasm/x86.rb 
>@@ -49,7 +49,8 @@ require "config" > # rdx => t2, a2, r1 > # rcx => t3, a3 > # r8 => t4 >-# r10 => t5 >+# r9 => t5 >+# r10 => t6 > # rbx => csr0 (callee-save, PB, unused in baseline) > # r12 => csr1 (callee-save) > # r13 => csr2 (callee-save) >diff --git a/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp b/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp >index c2de003ff6b710dde7ddbbe81994a5828e4572cc..d2b2c78f1621676f211a85afea80d30f17e9e0f9 100644 >--- a/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp >+++ b/Source/JavaScriptCore/runtime/JSArrayBufferView.cpp >@@ -50,11 +50,12 @@ String JSArrayBufferView::toStringName(const JSObject*, ExecState*) > JSArrayBufferView::ConstructionContext::ConstructionContext( > Structure* structure, uint32_t length, void* vector) > : m_structure(structure) >- , m_vector(vector) >+ , m_vector(vector, length) > , m_length(length) > , m_mode(FastTypedArray) > , m_butterfly(nullptr) > { >+ ASSERT(vector == WTF::removeArrayPtrTag(vector)); > RELEASE_ASSERT(length <= fastSizeLimit); > } > >@@ -74,11 +75,11 @@ JSArrayBufferView::ConstructionContext::ConstructionContext( > return; > > m_structure = structure; >- m_vector = temp; >+ m_vector = TaggedArrayStoragePtr<void>(temp, length); > m_mode = FastTypedArray; > > if (mode == ZeroFill) { >- uint64_t* asWords = static_cast<uint64_t*>(m_vector.getMayBeNull()); >+ uint64_t* asWords = static_cast<uint64_t*>(vector()); > for (unsigned i = size / sizeof(uint64_t); i--;) > asWords[i] = 0; > } 
>@@ -91,11 +92,11 @@ JSArrayBufferView::ConstructionContext::ConstructionContext( > return; > > size_t size = static_cast<size_t>(length) * static_cast<size_t>(elementSize); >- m_vector = Gigacage::tryMalloc(Gigacage::Primitive, size); >- if (!m_vector) >+ m_vector = TaggedArrayStoragePtr<void>(Gigacage::tryMalloc(Gigacage::Primitive, size), length); >+ if (!m_vector.getUnsafe()) > return; > if (mode == ZeroFill) >- memset(m_vector.get(), 0, size); >+ memset(m_vector.get(length), 0, size); > > vm.heap.reportExtraMemoryAllocated(static_cast<size_t>(length) * elementSize); > >@@ -110,7 +111,8 @@ JSArrayBufferView::ConstructionContext::ConstructionContext( > , m_length(length) > , m_mode(WastefulTypedArray) > { >- m_vector = static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset; >+ ASSERT(arrayBuffer->data() == WTF::removeArrayPtrTag(arrayBuffer->data())); >+ m_vector = TaggedArrayStoragePtr<void>(static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset, length); > IndexingHeader indexingHeader; > indexingHeader.setArrayBuffer(arrayBuffer.get()); > m_butterfly = Butterfly::create(vm, 0, 0, 0, true, indexingHeader, 0); >@@ -124,7 +126,8 @@ JSArrayBufferView::ConstructionContext::ConstructionContext( > , m_mode(DataViewMode) > , m_butterfly(0) > { >- m_vector = static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset; >+ ASSERT(arrayBuffer->data() == WTF::removeArrayPtrTag(arrayBuffer->data())); >+ m_vector = TaggedArrayStoragePtr<void>(static_cast<uint8_t*>(arrayBuffer->data()) + byteOffset, length); > } > > JSArrayBufferView::JSArrayBufferView(VM& vm, ConstructionContext& context) 
>@@ -133,7 +136,8 @@ JSArrayBufferView::JSArrayBufferView(VM& vm, ConstructionContext& context) > , m_mode(context.mode()) > { > setButterfly(vm, context.butterfly()); >- m_vector.setWithoutBarrier(context.vector()); >+ ASSERT(context.vector() == WTF::removeArrayPtrTag(context.vector())); >+ m_vector.setWithoutBarrier(TaggedArrayStoragePtr<void>(context.vector(), m_length)); > } > > void JSArrayBufferView::finishCreation(VM& vm) >@@ -194,7 +198,7 @@ void JSArrayBufferView::finalize(JSCell* cell) > JSArrayBufferView* thisObject = static_cast<JSArrayBufferView*>(cell); > ASSERT(thisObject->m_mode == OversizeTypedArray || thisObject->m_mode == WastefulTypedArray); > if (thisObject->m_mode == OversizeTypedArray) >- Gigacage::free(Gigacage::Primitive, thisObject->m_vector.get()); >+ Gigacage::free(Gigacage::Primitive, thisObject->vector()); > } > > JSArrayBuffer* JSArrayBufferView::unsharedJSBuffer(ExecState* exec) >@@ -283,7 +287,7 @@ ArrayBuffer* JSArrayBufferView::slowDownAndWasteMemory() > { > auto locker = holdLock(cellLock()); > butterfly()->indexingHeader()->setArrayBuffer(buffer.get()); >- m_vector.setWithoutBarrier(buffer->data()); >+ m_vector.setWithoutBarrier(TaggedArrayStoragePtr<void>(buffer->data(), m_length)); > WTF::storeStoreFence(); > m_mode = WastefulTypedArray; > } >diff --git a/Source/JavaScriptCore/runtime/JSArrayBufferView.h b/Source/JavaScriptCore/runtime/JSArrayBufferView.h >index ef7ebe1ad2a5d17613299295e478b4774bd66796..bf7e4baebf350b80269c832600e5ac0d712cc9a9 100644 >--- a/Source/JavaScriptCore/runtime/JSArrayBufferView.h >+++ b/Source/JavaScriptCore/runtime/JSArrayBufferView.h >@@ -27,6 +27,7 @@ > > #include "AuxiliaryBarrier.h" > #include "JSObject.h" >+#include <wtf/TaggedArrayStoragePtr.h> > > namespace JSC { 
> >@@ -133,14 +134,14 @@ protected: > bool operator!() const { return !m_structure; } > > Structure* structure() const { return m_structure; } >- void* vector() const { return m_vector.getMayBeNull(); } >+ void* vector() const { return m_vector.get(m_length); } > uint32_t length() const { return m_length; } > TypedArrayMode mode() const { return m_mode; } > Butterfly* butterfly() const { return m_butterfly; } > > private: > Structure* m_structure; >- CagedPtr<Gigacage::Primitive, void> m_vector; >+ TaggedArrayStoragePtr<void> m_vector; > uint32_t m_length; > TypedArrayMode m_mode; > Butterfly* m_butterfly; >@@ -164,10 +165,11 @@ public: > JSArrayBuffer* possiblySharedJSBuffer(ExecState* exec); > RefPtr<ArrayBufferView> unsharedImpl(); > JS_EXPORT_PRIVATE RefPtr<ArrayBufferView> possiblySharedImpl(); >- bool isNeutered() { return hasArrayBuffer() && !vector(); } >+ bool isNeutered() { return hasArrayBuffer() && !hasVector(); } > void neuter(); >- >- void* vector() const { return m_vector.getMayBeNull(); } >+ >+ bool hasVector() const { return !!m_vector; } >+ void* vector() const { ASSERT(hasVector()); return m_vector.get().get(length()); } > > unsigned byteOffset(); > unsigned length() const { return m_length; } >@@ -191,7 +193,7 @@ protected: > > static String toStringName(const JSObject*, ExecState*); > >- CagedBarrierPtr<Gigacage::Primitive, void> m_vector; >+ AuxiliaryBarrier<TaggedArrayStoragePtr<void>> m_vector; > uint32_t m_length; > TypedArrayMode m_mode; > }; >diff --git a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h >index 1c5d5732a8be57f3390fa2f039e2b3e70dc873df..3e6c6dde4f02f325661a7d7e2332d49d84644d0b 100644 >--- a/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h >+++ b/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h 
>@@ -496,7 +496,7 @@ size_t JSGenericTypedArrayView<Adaptor>::estimatedSize(JSCell* cell, VM& vm) > > if (thisObject->m_mode == OversizeTypedArray) > return Base::estimatedSize(thisObject, vm) + thisObject->byteSize(); >- if (thisObject->m_mode == FastTypedArray && thisObject->m_vector) >+ if (thisObject->m_mode == FastTypedArray && thisObject->hasVector()) > return Base::estimatedSize(thisObject, vm) + thisObject->byteSize(); > > return Base::estimatedSize(thisObject, vm); >@@ -515,7 +515,7 @@ void JSGenericTypedArrayView<Adaptor>::visitChildren(JSCell* cell, SlotVisitor& > { > auto locker = holdLock(thisObject->cellLock()); > mode = thisObject->m_mode; >- vector = thisObject->m_vector.getMayBeNull(); >+ vector = thisObject->m_vector.get().getUnsafe(); > byteSize = thisObject->byteSize(); > } > >diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h >index 1d55196bc50969141ed762d0954a548a5b6debf2..408c7ffa2becd2e24801393b01d285cdceba6cab 100644 >--- a/Source/JavaScriptCore/runtime/Options.h >+++ b/Source/JavaScriptCore/runtime/Options.h 
>@@ -492,8 +492,7 @@ constexpr bool enableWebAssemblyStreamingApi = false; > v(unsigned, webAssemblyLoopDecrement, 15, Normal, "The amount the tier up countdown is decremented on each loop backedge.") \ > v(unsigned, webAssemblyFunctionEntryDecrement, 1, Normal, "The amount the tier up countdown is decremented on each function entry.") \ > \ >- /* FIXME: enable fast memories on iOS and pre-allocate them. https://bugs.webkit.org/show_bug.cgi?id=170774 */ \ >- v(bool, useWebAssemblyFastMemory, !isIOS(), Normal, "If true, we will try to use a 32-bit address space with a signal handler to bounds check wasm memory.") \ >+ v(bool, useWebAssemblyFastMemory, true, Normal, "If true, we will try to use a 32-bit address space with a signal handler to bounds check wasm memory.") \ > v(bool, logWebAssemblyMemory, false, Normal, nullptr) \ > v(unsigned, webAssemblyFastMemoryRedzonePages, 128, Normal, "WebAssembly fast memories use 4GiB virtual allocations, plus a redzone (counted as multiple of 64KiB WebAssembly pages) at the end to catch reg+imm accesses which exceed 32-bit, anything beyond the redzone is explicitly bounds-checked") \ > v(bool, crashIfWebAssemblyCantFastMemory, false, Normal, "If true, we will crash if we can't obtain fast memory for wasm.") \ >diff --git a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >index 07e219ce2a53a117e792f8bceed4dc0c52fd1d03..663e6d23623baa7df5d832ec33baf3a74004b635 100644 >--- a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >+++ b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >@@ -57,6 +57,8 @@ > #include <wtf/Optional.h> > #include <wtf/StdLibExtras.h> > >+#include "ProbeContext.h" >+ > namespace JSC { namespace Wasm { > > using namespace B3::Air; 
>@@ -833,6 +835,9 @@ void AirIRGenerator::restoreWebAssemblyGlobalState(RestoreCachedStackLimit resto > patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister); > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), pinnedRegs->baseMemoryPointer); >+#if CPU(ARM64E) >+ jit.untagArrayPtr(pinnedRegs->baseMemoryPointer, pinnedRegs->sizeRegister); >+#endif > }); > > emitPatchpoint(block, patchpoint, Tmp(), instance); >@@ -1856,6 +1861,9 @@ auto AirIRGenerator::addCallIndirect(const Signature& signature, Vector<Expressi > ASSERT(pinnedRegs.sizeRegister != newContextInstance); > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. >+#if CPU(ARM64E) >+ jit.untagArrayPtr(baseMemory, pinnedRegs.sizeRegister); >+#endif > }); > > emitPatchpoint(doContextSwitch, patchpoint, Tmp(), newContextInstance, instanceValue()); >diff --git a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >index 7a7bdc33dce376db123847c608a56984a8dc2049..aba9dac82fc0ca6efd0944c3fe87309b94d0cdb8 100644 >--- a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >+++ b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp 
>@@ -482,6 +482,9 @@ void B3IRGenerator::restoreWebAssemblyGlobalState(RestoreCachedStackLimit restor > GPRReg baseMemory = pinnedRegs->baseMemoryPointer; > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister); > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory); >+#if CPU(ARM64E) >+ jit.untagArrayPtr(baseMemory, pinnedRegs->sizeRegister); >+#endif > }); > } > } >@@ -1285,6 +1288,9 @@ auto B3IRGenerator::addCallIndirect(const Signature& signature, Vector<Expressio > ASSERT(pinnedRegs.sizeRegister != newContextInstance); > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. >+#if CPU(ARM64E) >+ jit.untagArrayPtr(baseMemory, pinnedRegs.sizeRegister); >+#endif > }); > doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation); > >diff --git a/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp b/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp >index df0c08d41ce33e16c01235c4abdd1a5312a4347d..fe09d3300e4d34523e445c0a91e98044b806fe07 100644 >--- a/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp >+++ b/Source/JavaScriptCore/wasm/WasmBBQPlan.cpp >@@ -318,7 +318,7 @@ void BBQPlan::complete(const AbstractLocker& locker) > } > > m_wasmInternalFunctions[functionIndex]->entrypoint.compilation = std::make_unique<B3::Compilation>( >- FINALIZE_CODE(linkBuffer, B3CompilationPtrTag, "WebAssembly function[%i] %s", functionIndex, signature.toString().ascii().data()), >+ FINALIZE_CODE(linkBuffer, B3CompilationPtrTag, "WebAssembly BBQ function[%i] %s", functionIndex, signature.toString().ascii().data()), > WTFMove(context.wasmEntrypointByproducts)); > } 
> >diff --git a/Source/JavaScriptCore/wasm/WasmBinding.cpp b/Source/JavaScriptCore/wasm/WasmBinding.cpp >index ea13a25c0e102f7181f90266ec61962b9e75b997..99df975e7d7f2c11b50242fca09863a70ca7fc6d 100644 >--- a/Source/JavaScriptCore/wasm/WasmBinding.cpp >+++ b/Source/JavaScriptCore/wasm/WasmBinding.cpp >@@ -66,7 +66,10 @@ Expected<MacroAssemblerCodeRef<WasmEntryPtrTag>, BindingFailure> wasmToWasm(unsi > // FIXME the following code assumes that all Wasm::Instance have the same pinned registers. https://bugs.webkit.org/show_bug.cgi?id=162952 > // Set up the callee's baseMemory register as well as the memory size registers. > jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. >- jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::void*. >+ jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*). >+#if CPU(ARM64E) >+ jit.untagArrayPtr(baseMemory, pinnedRegs.sizeRegister); >+#endif > > // Tail call into the callee WebAssembly function. > jit.loadPtr(scratch, scratch); >diff --git a/Source/JavaScriptCore/wasm/WasmInstance.h b/Source/JavaScriptCore/wasm/WasmInstance.h >index 1d389bec0695cce1910fa08ce50caa78a3515d8f..387bdd15a52b5f084e67ac50f07925515d4ee414 100644 >--- a/Source/JavaScriptCore/wasm/WasmInstance.h >+++ b/Source/JavaScriptCore/wasm/WasmInstance.h >@@ -64,7 +64,7 @@ public: > Memory* memory() { return m_memory.get(); } > Table* table() { return m_table.get(); } > >- void* cachedMemory() const { return m_cachedMemory; } >+ void* cachedMemory() const { return m_cachedMemory.get(cachedMemorySize()); } > size_t cachedMemorySize() const { return m_cachedMemorySize; } > > void setMemory(Ref<Memory>&& memory) 
>@@ -76,7 +76,7 @@ public: > void updateCachedMemory() > { > if (m_memory != nullptr) { >- m_cachedMemory = memory()->memory(); >+ m_cachedMemory = TaggedArrayStoragePtr<void>(memory()->memory(), memory()->size()); > m_cachedMemorySize = memory()->size(); > } > } >@@ -143,7 +143,7 @@ private: > } > void* m_owner { nullptr }; // In a JS embedding, this is a JSWebAssemblyInstance*. > Context* m_context { nullptr }; >- void* m_cachedMemory { nullptr }; >+ TaggedArrayStoragePtr<void> m_cachedMemory; > size_t m_cachedMemorySize { 0 }; > Ref<Module> m_module; > RefPtr<CodeBlock> m_codeBlock; >diff --git a/Source/JavaScriptCore/wasm/WasmMemory.cpp b/Source/JavaScriptCore/wasm/WasmMemory.cpp >index b2da87084c2ba1162cd31b6cb99ad8e0afec305b..6b0d3454deb5dfa2e1cc687d488485ee22561c45 100644 >--- a/Source/JavaScriptCore/wasm/WasmMemory.cpp >+++ b/Source/JavaScriptCore/wasm/WasmMemory.cpp >@@ -253,10 +253,11 @@ Memory::Memory(PageCount initial, PageCount maximum, Function<void(NotifyPressur > ASSERT(!initial.bytes()); > ASSERT(m_mode == MemoryMode::BoundsChecking); > dataLogLnIf(verbose, "Memory::Memory allocating ", *this); >+ ASSERT(!memory()); > } > > Memory::Memory(void* memory, PageCount initial, PageCount maximum, size_t mappedCapacity, MemoryMode mode, Function<void(NotifyPressure)>&& notifyMemoryPressure, Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback) >- : m_memory(memory) >+ : m_memory(memory, initial.bytes()) > , m_size(initial.bytes()) > , m_initial(initial) > , m_maximum(maximum) >@@ -267,6 +268,7 @@ Memory::Memory(void* memory, PageCount initial, PageCount maximum, size_t mapped > , m_growSuccessCallback(WTFMove(growSuccessCallback)) > { > dataLogLnIf(verbose, "Memory::Memory allocating ", *this); >+ this->memory(); > } > > Ref<Memory> Memory::create() 
>@@ -338,14 +340,14 @@ Memory::~Memory() > memoryManager().freePhysicalBytes(m_size); > switch (m_mode) { > case MemoryMode::Signaling: >- if (mprotect(m_memory, Memory::fastMappedBytes(), PROT_READ | PROT_WRITE)) { >+ if (mprotect(memory(), Memory::fastMappedBytes(), PROT_READ | PROT_WRITE)) { > dataLog("mprotect failed: ", strerror(errno), "\n"); > RELEASE_ASSERT_NOT_REACHED(); > } >- memoryManager().freeFastMemory(m_memory); >+ memoryManager().freeFastMemory(memory()); > break; > case MemoryMode::BoundsChecking: >- Gigacage::freeVirtualPages(Gigacage::Primitive, m_memory, m_size); >+ Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size); > break; > } > } 
>@@ -419,25 +421,28 @@ Expected<PageCount, Memory::GrowFailReason> Memory::grow(PageCount delta) > if (!newMemory) > return makeUnexpected(GrowFailReason::OutOfMemory); > >- memcpy(newMemory, m_memory, m_size); >+ memcpy(newMemory, memory(), m_size); > if (m_memory) >- Gigacage::freeVirtualPages(Gigacage::Primitive, m_memory, m_size); >- m_memory = newMemory; >+ Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size); >+ m_memory = TaggedArrayStoragePtr<void>(newMemory, desiredSize); > m_mappedCapacity = desiredSize; > m_size = desiredSize; >+ ASSERT(memory() == newMemory); > return success(); > } > case MemoryMode::Signaling: { >- RELEASE_ASSERT(m_memory); >+ RELEASE_ASSERT(memory()); > // Signaling memory must have been pre-allocated virtually. >- uint8_t* startAddress = static_cast<uint8_t*>(m_memory) + m_size; >+ uint8_t* startAddress = static_cast<uint8_t*>(memory()) + m_size; > >- dataLogLnIf(verbose, "Marking WebAssembly memory's ", RawPointer(m_memory), " as read+write in range [", RawPointer(startAddress), ", ", RawPointer(startAddress + extraBytes), ")"); >+ dataLogLnIf(verbose, "Marking WebAssembly memory's ", RawPointer(memory()), " as read+write in range [", RawPointer(startAddress), ", ", RawPointer(startAddress + extraBytes), ")"); > if (mprotect(startAddress, extraBytes, PROT_READ | PROT_WRITE)) { > dataLog("mprotect failed: ", strerror(errno), "\n"); > RELEASE_ASSERT_NOT_REACHED(); > } >+ m_memory.resize(m_size, desiredSize); > m_size = desiredSize; >+ memory(); > return success(); > } > } 
>@@ -460,7 +465,7 @@ void Memory::registerInstance(Instance* instance) > > void Memory::dump(PrintStream& out) const > { >- out.print("Memory at ", RawPointer(m_memory), ", size ", m_size, "B capacity ", m_mappedCapacity, "B, initial ", m_initial, " maximum ", m_maximum, " mode ", makeString(m_mode)); >+ out.print("Memory at ", RawPointer(memory()), ", size ", m_size, "B capacity ", m_mappedCapacity, "B, initial ", m_initial, " maximum ", m_maximum, " mode ", makeString(m_mode)); > } > > } // namespace JSC >diff --git a/Source/JavaScriptCore/wasm/WasmMemory.h b/Source/JavaScriptCore/wasm/WasmMemory.h >index 00737fc1e65e2b28d0b008a9e3953dc772c99111..194ab2ac67c4f41d061168cd6a06bc46b6f67ea2 100644 >--- a/Source/JavaScriptCore/wasm/WasmMemory.h >+++ b/Source/JavaScriptCore/wasm/WasmMemory.h >@@ -32,6 +32,7 @@ > > #include <wtf/Expected.h> > #include <wtf/Function.h> >+#include <wtf/TaggedArrayStoragePtr.h> > #include <wtf/RefCounted.h> > #include <wtf/RefPtr.h> > #include <wtf/Vector.h> >@@ -68,7 +69,7 @@ public: > static size_t fastMappedBytes(); // Includes redzone. > static bool addressIsInActiveFastMemory(void*); > >- void* memory() const { return m_memory; } >+ void* memory() const { ASSERT(m_memory.get(size()) == m_memory.getUnsafe()); return m_memory.get(size()); } > size_t size() const { return m_size; } > PageCount sizeInPages() const { return PageCount::fromBytes(m_size); } 
> >@@ -96,7 +97,7 @@ private: > Memory(void* memory, PageCount initial, PageCount maximum, size_t mappedCapacity, MemoryMode, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback); > Memory(PageCount initial, PageCount maximum, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback); > >- void* m_memory { nullptr }; >+ TaggedArrayStoragePtr<void> m_memory; > size_t m_size { 0 }; > PageCount m_initial; > PageCount m_maximum; >diff --git a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >index e0b821bacf2542aa1edcfc5b4d876e51916825d8..29e93f8407edb39df0c9946b4051a6991e8e61d1 100644 >--- a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >+++ b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >@@ -29,6 +29,7 @@ > #if ENABLE(WEBASSEMBLY) > > #include "CCallHelpers.h" >+#include "DisallowMacroScratchRegisterUsage.h" > #include "JSWebAssemblyInstance.h" > #include "JSWebAssemblyRuntimeError.h" > #include "MaxFrameExtentForSlowPathCall.h" >@@ -37,6 +38,8 @@ > #include "WasmSignatureInlines.h" > #include "WasmToJS.h" > >+#include "ProbeContext.h" >+ > namespace JSC { namespace Wasm { > > std::unique_ptr<InternalFunction> createJSToWasmWrapper(CompilationContext& compilationContext, const Signature& signature, Vector<UnlinkedWasmToWasmCall>* unlinkedWasmToWasmCalls, const ModuleInformation& info, MemoryMode mode, unsigned functionIndex) 
>@@ -213,10 +216,24 @@ std::unique_ptr<InternalFunction> createJSToWasmWrapper(CompilationContext& comp > jit.loadWasmContextInstance(baseMemory); > > GPRReg currentInstanceGPR = Context::useFastTLS() ? baseMemory : wasmContextInstanceGPR; >- if (mode != MemoryMode::Signaling) >+ if (mode != MemoryMode::Signaling) { > jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); >- >- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >+#if CPU(ARM64E) >+ jit.removeArrayPtrTag(baseMemory); >+#endif >+ } else { >+#if CPU(ARM64E) >+ GPRReg scratch = jit.scratchRegister(); >+ DisallowMacroScratchRegisterUsage disallowScratch(jit); >+ >+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratch); >+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >+ jit.removeArrayPtrTag(baseMemory); >+#else >+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >+#endif >+ } > } > > CCallHelpers::Call call = jit.threadSafePatchableNearCall(); >diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >index 02ef41e43ef30bdacf8f156b9de4c9c5134940b0..243047df78a21d5a73a61b6891d1d851475d3b13 100644 >--- a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >@@ -29,6 +29,7 @@ > #if ENABLE(WEBASSEMBLY) > > #include "B3Compilation.h" >+#include "DisallowMacroScratchRegisterUsage.h" > #include "JSCInlines.h" > #include "JSFunctionInlines.h" > #include "JSObject.h" 
>@@ -397,11 +398,23 @@ MacroAssemblerCodePtr<JSEntryPtrTag> WebAssemblyFunction::jsCallEntrypointSlow() > GPRReg baseMemory = pinnedRegs.baseMemoryPointer; > > if (instance()->memoryMode() != Wasm::MemoryMode::Signaling) { >- ASSERT(pinnedRegs.sizeRegister != scratchGPR); > jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); >+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >+#if CPU(ARM64E) >+ jit.untagArrayPtr(baseMemory, pinnedRegs.sizeRegister); >+#endif >+ } else { >+#if CPU(ARM64E) >+ GPRReg scratch = jit.scratchRegister(); >+ DisallowMacroScratchRegisterUsage disallowScratch(jit); >+ >+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratch); >+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >+ jit.untagArrayPtr(baseMemory, scratch); >+#else >+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >+#endif > } >- >- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); > } > > // We use this callee to indicate how to unwind past these types of frames: >diff --git a/Source/WTF/WTF.xcodeproj/project.pbxproj b/Source/WTF/WTF.xcodeproj/project.pbxproj >index 6c0d951ab89c2ece02f173849f5192b2c0754a2b..e1467f89b476e85db4834fbac2004da3b69c954a 100644 >--- a/Source/WTF/WTF.xcodeproj/project.pbxproj >+++ b/Source/WTF/WTF.xcodeproj/project.pbxproj 
>@@ -651,6 +651,7 @@ > DCEE21FC1CEA7551000C2396 /* BlockObjCExceptions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BlockObjCExceptions.h; sourceTree = "<group>"; }; > DCEE21FD1CEA7551000C2396 /* BlockObjCExceptions.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = BlockObjCExceptions.mm; sourceTree = "<group>"; }; > DCEE22041CEB9869000C2396 /* BackwardsGraph.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = BackwardsGraph.h; sourceTree = "<group>"; }; >+ DEF7FE5F22581AC800C15129 /* TaggedArrayStoragePtr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TaggedArrayStoragePtr.h; sourceTree = "<group>"; }; > E15556F318A0CC18006F48FB /* CryptographicUtilities.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CryptographicUtilities.cpp; sourceTree = "<group>"; }; > E15556F418A0CC18006F48FB /* CryptographicUtilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptographicUtilities.h; sourceTree = "<group>"; }; > E300E521203D645F00DA79BE /* UniqueArray.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = UniqueArray.h; sourceTree = "<group>"; }; >@@ -1154,6 +1155,7 @@ > 5597F82C1D94B9970066BC21 /* SynchronizedFixedQueue.h */, > E3E158251EADA53C004A079D /* SystemFree.h */, > 0FB317C31C488001007E395A /* SystemTracing.h */, >+ DEF7FE5F22581AC800C15129 /* TaggedArrayStoragePtr.h */, > E311FB151F0A568B003C08DE /* ThreadGroup.cpp */, > E311FB161F0A568B003C08DE /* ThreadGroup.h */, > A8A47332151A825B004123FF /* Threading.cpp */, 
>@@ -1535,7 +1537,6 @@ > A8A473C3151A825B004123FF /* FastMalloc.cpp in Sources */, > 0F9D3360165DBA73005AD387 /* FilePrintStream.cpp in Sources */, > A331D95B21F24992009F02AA /* FileSystem.cpp in Sources */, >- FE1E2C42224187C600F6B729 /* PlatformRegisters.cpp in Sources */, > A331D95D21F249E4009F02AA /* FileSystemCF.cpp in Sources */, > A331D95F21F249F6009F02AA /* FileSystemCocoa.mm in Sources */, > A331D96121F24A0A009F02AA /* FileSystemMac.mm in Sources */, >@@ -1577,8 +1578,10 @@ > 51F1752B1F3D486000C74950 /* PersistentCoders.cpp in Sources */, > 51F1752C1F3D486000C74950 /* PersistentDecoder.cpp in Sources */, > 51F1752D1F3D486000C74950 /* PersistentEncoder.cpp in Sources */, >+ FE1E2C42224187C600F6B729 /* PlatformRegisters.cpp in Sources */, > 0F9D3362165DBA73005AD387 /* PrintStream.cpp in Sources */, > 7AF023B52061E17000A8EFD6 /* ProcessPrivilege.cpp in Sources */, >+ FE1E2C3B2240C06600F6B729 /* PtrTag.cpp in Sources */, > 143F611F1565F0F900DB514A /* RAMSize.cpp in Sources */, > A3B725EC987446AD93F1A440 /* RandomDevice.cpp in Sources */, > A8A47414151A825B004123FF /* RandomNumber.cpp in Sources */, >@@ -1629,7 +1632,6 @@ > 1C181C8F1D307AB800F5FA16 /* UTextProvider.cpp in Sources */, > 1C181C911D307AB800F5FA16 /* UTextProviderLatin1.cpp in Sources */, > 1C181C931D307AB800F5FA16 /* UTextProviderUTF16.cpp in Sources */, >- FE1E2C3B2240C06600F6B729 /* PtrTag.cpp in Sources */, > A8A47469151A825B004123FF /* UTF8Conversion.cpp in Sources */, > 7AFEC6B11EB22B5900DADE36 /* UUID.cpp in Sources */, > 0F66B2921DC97BAB004A1D3F /* WallTime.cpp in Sources */, >diff --git a/Source/WTF/wtf/PtrTag.h b/Source/WTF/wtf/PtrTag.h >index 342a40faf104c23f9c334a22c2911ec4ea717c13..41e3f669a0aac95e3b4e79b163c2e5e2147df37d 100644 >--- a/Source/WTF/wtf/PtrTag.h >+++ b/Source/WTF/wtf/PtrTag.h 
>@@ -121,6 +121,39 @@ constexpr bool enablePtrTagDebugAssert = true; > } \ > } while (false) > >+ >+template<typename T> >+inline T* tagArrayPtr(nullptr_t ptr, size_t length) >+{ >+ ASSERT(!length); >+ return ptrauth_sign_unauthenticated(static_cast<T*>(ptr), ptrauth_key_process_dependent_data, length); >+} >+ >+ >+template<typename T> >+inline T* tagArrayPtr(T* ptr, size_t length) >+{ >+ return ptrauth_sign_unauthenticated(ptr, ptrauth_key_process_dependent_data, length); >+} >+ >+template<typename T> >+inline T* untagArrayPtr(T* ptr, size_t length) >+{ >+ return ptrauth_auth_data(ptr, ptrauth_key_process_dependent_data, length); >+} >+ >+template<typename T> >+inline T* removeArrayPtrTag(T* ptr) >+{ >+ return ptrauth_strip(ptr, ptrauth_key_process_dependent_data); >+} >+ >+template<typename T> >+inline T* retagArrayPtr(T* ptr, size_t oldLength, size_t newLength) >+{ >+ return ptrauth_auth_and_resign(ptr, ptrauth_key_process_dependent_data, oldLength, ptrauth_key_process_dependent_data, newLength); >+} >+ > template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>> > inline constexpr T removeCodePtrTag(PtrType ptr) > { 
>@@ -394,6 +427,38 @@ inline bool usesPointerTagging() { return true; } > inline void registerPtrTagLookup(PtrTagLookup*) { } > inline void reportBadTag(const void*, PtrTag) { } > >+template<typename T> >+inline T* tagArrayPtr(nullptr_t, size_t size) >+{ >+ ASSERT(!size); >+ return nullptr; >+} >+ >+template<typename T> >+inline T* tagArrayPtr(T* ptr, size_t) >+{ >+ return ptr; >+} >+ >+template<typename T> >+inline T* untagArrayPtr(T* ptr, size_t) >+{ >+ return ptr; >+} >+ >+template<typename T> >+inline T* removeArrayPtrTag(T* ptr) >+{ >+ return ptr; >+} >+ >+template<typename T> >+inline T* retagArrayPtr(T* ptr, size_t, size_t) >+{ >+ return ptr; >+} >+ >+ > template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>> > constexpr T tagCodePtr(PtrType ptr, PtrTag) { return bitwise_cast<T>(ptr); } > >diff --git a/Source/WTF/wtf/TaggedArrayStoragePtr.h b/Source/WTF/wtf/TaggedArrayStoragePtr.h >new file mode 100644 >index 0000000000000000000000000000000000000000..7247d5d5a3d4eb750a78ddd30bc7aa8d083ba087 >--- /dev/null >+++ b/Source/WTF/wtf/TaggedArrayStoragePtr.h >@@ -0,0 +1,34 @@ >+ >+#pragma once >+ >+#include <wtf/PtrTag.h> >+ >+namespace WTF { >+ >+template<typename PtrType> >+class TaggedArrayStoragePtr { >+public: >+ TaggedArrayStoragePtr() >+ : m_ptr(tagArrayPtr<PtrType>(nullptr, 0)) >+ { } >+ >+ TaggedArrayStoragePtr(PtrType* ptr, unsigned length) >+ : m_ptr(tagArrayPtr(ptr, length)) >+ { } >+ >+ PtrType* get(unsigned length) const { return untagArrayPtr(m_ptr, length); } >+ PtrType* getUnsafe() const { return removeArrayPtrTag(m_ptr); } >+ >+ void resize(unsigned oldLength, unsigned newLength) { >+ m_ptr = retagArrayPtr(m_ptr, oldLength, newLength); >+ } >+ >+ explicit operator bool() const { return !!getUnsafe(); } >+ >+private: >+ PtrType* m_ptr; >+}; >+ >+} >+ >+using WTF::TaggedArrayStoragePtr; 
>diff --git a/Source/bmalloc/bmalloc/Gigacage.h b/Source/bmalloc/bmalloc/Gigacage.h >index 70cce67a245b43395132bfddaa4166a3be833b42..0abce083696637eeade1ec9e87ea2e7f18ee0e5c 100644 >--- a/Source/bmalloc/bmalloc/Gigacage.h >+++ b/Source/bmalloc/bmalloc/Gigacage.h >@@ -34,8 +34,7 @@ > #include <cstddef> > #include <inttypes.h> > >-#if ((BOS(DARWIN) || BOS(LINUX)) && \ >-(BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS))))) >+#if ((BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64)) > #define GIGACAGE_ENABLED 1 > #else > #define GIGACAGE_ENABLED 0 >diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog >index a1f2bedbd71ab2ea6debec21e1b8f8756eece640..4656c8f70557f6e89562d5f4dd7aea5009fe6272 100644 >--- a/JSTests/ChangeLog >+++ b/JSTests/ChangeLog >@@ -1,3 +1,13 @@ >+2019-04-25 Keith Miller <keith_miller@apple.com> >+ >+ Remove Gigacage from arm64 and use PAC for arm64e instead >+ https://bugs.webkit.org/show_bug.cgi?id=197110 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/create-error-out-of-memory-rope-string-2.js: >+ * stress/create-error-out-of-memory-rope-string.js: >+ > 2019-04-05 Caitlin Potter <caitp@igalia.com> > > [JSC] throw if 'ownKeys' Proxy trap result contains duplicate keys >diff --git a/JSTests/stress/create-error-out-of-memory-rope-string-2.js b/JSTests/stress/create-error-out-of-memory-rope-string-2.js >index 45af68d516305b03452a8128a5fdccabdc22ab56..845116f60b6378b05ddff0fea3acd86e2fe6f540 100644 >--- a/JSTests/stress/create-error-out-of-memory-rope-string-2.js >+++ b/JSTests/stress/create-error-out-of-memory-rope-string-2.js >@@ -1,3 +1,5 @@ >+//@ skip if $memoryLimited >+ > function assert(a, message) { > if (!a) > throw new Error(message); >diff --git a/JSTests/stress/create-error-out-of-memory-rope-string.js b/JSTests/stress/create-error-out-of-memory-rope-string.js >index 33fff7c1ab92b6c09c31c168d6ca810c19cb29bd..5ff72ac8efd670c4347e797845facb99d03ba5e9 100644 
>--- a/JSTests/stress/create-error-out-of-memory-rope-string.js >+++ b/JSTests/stress/create-error-out-of-memory-rope-string.js >@@ -1,3 +1,5 @@ >+//@ skip if $memoryLimited >+ > function assert(a, message) { > if (!a) > throw new Error(message);
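Review bot: In the WasmMemory.h `memory()` hunk, `size()` returns a `size_t` but is passed to `TaggedArrayStoragePtr::get(unsigned length)`, so the discriminator is silently truncated to 32 bits; a 4 GiB memory would authenticate with discriminator 0, the same value the default constructor uses to sign `nullptr`. Make the `TaggedArrayStoragePtr` length parameters `size_t` so the value the JIT loads from `offsetOfCachedMemorySize` and the value used here cannot disagree. This accessor also means `m_size` can never change without a matching `m_memory.resize(oldSize, newSize)`, or the next `memory()` call authenticates against the wrong length; that invariant deserves a comment next to the `TaggedArrayStoragePtr<void> m_memory;` declaration, and note that the `ASSERT(m_memory.get(size()) == m_memory.getUnsafe())` only checks it in debug builds.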
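Review bot: In the JSToWasm.cpp include hunk, `#include "ProbeContext.h"` is added in its own block after the sorted include list and nothing in the visible changes uses it; if it is left over from WIP debugging, drop it, otherwise move it into the sorted list next to `DisallowMacroScratchRegisterUsage.h`.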
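Review bot: In the createJSToWasmWrapper hunk both `CPU(ARM64E)` paths call `jit.removeArrayPtrTag(baseMemory)`, which strips the signature without verifying it, while the matching hunk in WebAssemblyFunction.cpp calls `jit.untagArrayPtr(baseMemory, ...)` and actually authenticates. Stripping means a corrupted `cachedMemory` pointer is accepted by this entrypoint exactly as it would be without PAC, so the protection the patch is meant to add is missing on the JS-to-wasm path. The discriminator is already available: `pinnedRegs.sizeRegister` in the non-Signaling branch and `scratch` in the Signaling branch (where the `loadPtr` into `scratch` is otherwise dead, since nothing reads it). Both should be `jit.untagArrayPtr(baseMemory, <sizeRegister>)`, as in WebAssemblyFunction.cpp.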
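Review bot: In the jsCallEntrypointSlow hunk, `ASSERT(pinnedRegs.sizeRegister != scratchGPR);` is deleted but the condition it guards still matters: the size is loaded into `pinnedRegs.sizeRegister` and the next instruction loads `cachedMemory` through `scratchGPR`, so if the two aliased, the second load would use the memory size as its base address. Keep the assert; it also documents why the loads are ordered this way. Minor: the Signaling branch introduces a local named `scratch` alongside the existing `scratchGPR`; a name such as `sizeScratch` would make it clear which register carries the discriminator passed to `untagArrayPtr`.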
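Review bot: In the PtrTag.h arm64e hunk the discriminator passed to `ptrauth_sign_unauthenticated` / `ptrauth_auth_data` is the bare length, so every array-storage pointer of a given length signed under `ptrauth_key_process_dependent_data` is interchangeable: a validly signed pointer copied from one object can be stored into another object whose length matches and will authenticate. If that is the intended scope (PAC here stops forging, not swapping between same-sized storages), state it in a comment above `tagArrayPtr`; otherwise blend the length with something object-specific before signing. Also `nullptr_t` should be `std::nullptr_t` with `<cstddef>` included, and the `tagArrayPtr(nullptr_t, size_t)` overload enforces `length == 0` only through a debug `ASSERT`.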
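Review bot: The new TaggedArrayStoragePtr.h is missing the copyright/license header that every other WTF header carries (the file opens with a blank line and `#pragma once`). The constructor, `get` and `resize` take `unsigned` lengths while the `PtrTag.h` helpers they wrap take `size_t`, so callers narrow silently; use `size_t` throughout. A short comment should say that `get(length)` yields an invalid pointer when `length` does not match the value the pointer was signed with, and that `getUnsafe()` strips without checking and is only appropriate for diagnostics and the `operator bool` case (where strip rather than auth is needed because a signed null is a non-zero bit pattern).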
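Review bot: In the Gigacage.h hunk, `GIGACAGE_ENABLED` is now restricted to `BCPU(X86_64)`, which removes the cage from every arm64 build, not only the arm64e builds that gain PAC-signed storage pointers; non-PAC arm64 (Linux arm64, Apple devices without arm64e) ends up with neither mitigation. The ChangeLog should state that trade-off explicitly, and if it is not intended the condition could keep the cage where `CPU(ARM64E)` is unavailable.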
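Review bot: The two `//@ skip if $memoryLimited` additions are listed in the JSTests ChangeLog without a reason; add a one-line explanation of why `create-error-out-of-memory-rope-string.js` and `create-error-out-of-memory-rope-string-2.js` must now be skipped on memory-limited devices, so a later reader can connect the skip to the Gigacage removal rather than to a test bug.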