Bug 176669

Summary: [JSC] Fold gigacage address into 32bit
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: JavaScriptCore Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WONTFIX
Severity: Normal CC: fpizlo, ggaren, saam
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description Yusuke Suzuki 2017-09-10 04:17:36 PDT
We access the caged area by doing `base + (target & mask)`.
At that time, target is a 64bit pointer.

This is a rough idea: if we can discard the alignment part, we can make this target address fit within 32bit.
If the memory area is 8byte aligned, our 32bit offset can represent 32GB (4 * 8), which matches the current gigacage area.
The computation becomes like `base + (target << alignment)`.
Comment 1 Filip Pizlo 2017-09-10 12:33:22 PDT
(In reply to Yusuke Suzuki from comment #0)
> We access the caged area by doing `base + (target & mask)`.
> At that time, target is a 64bit pointer.
> 
> This is a rough idea: if we can discard the alignment part, we can make this target
> address fit within 32bit.
> If the memory area is 8byte aligned, our 32bit offset can represent 32GB (4
> * 8), which matches the current gigacage area.
> The computation becomes like `base + (target << alignment)`.

Caging relies on the fact that it’s an identity operation for valid pointers. This breaks that property. I suggest not doing this.
Comment 2 Filip Pizlo 2017-09-10 12:35:18 PDT
Also, I want cage size to be tunable. We do not want to become married to a 32GB size limit.
Comment 3 Yusuke Suzuki 2017-10-02 07:40:56 PDT
(In reply to Filip Pizlo from comment #2)
> Also, I want cage size to be tunable. We do not want to become married to a
> 32GB size limit.

(In reply to Filip Pizlo from comment #1)
> (In reply to Yusuke Suzuki from comment #0)
> > We access the caged area by doing `base + (target & mask)`.
> > At that time, target is a 64bit pointer.
> > 
> > This is a rough idea: if we can discard the alignment part, we can make this target
> > address fit within 32bit.
> > If the memory area is 8byte aligned, our 32bit offset can represent 32GB (4
> > * 8), which matches the current gigacage area.
> > The computation becomes like `base + (target << alignment)`.
> 
> Caging relies on the fact that it’s an identity operation for valid
> pointers. This breaks that property. I suggest not doing this.

That sounds reasonable.
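To make the two schemes discussed in this bug concrete, the following is an added example in C; it is not code from the bug or from WebKit. It models the current `base + (target & mask)` computation (comment 0), the proposed `base + (offset << alignment)` computation, the identity property Filip Pizlo relies on (comment 1), and the fixed 32 GB reach that comment 2 objects to. It works on 64-bit address values only and never dereferences anything. `CAGE_BASE`, `CAGE_SHIFT`, `GRANULE_SHIFT` and every function name are assumptions for the illustration, as is the requirement that the cage base be aligned to the cage size (that alignment is what lets the mask leave a valid pointer unchanged).

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed cage geometry for this illustration. The gigacage in the bug is
 * 32 GB; with the mask scheme the size is a single tunable constant. */
#define CAGE_SHIFT 35ULL
#define CAGE_SIZE  (1ULL << CAGE_SHIFT)   /* 32 GB */
#define CAGE_MASK  (CAGE_SIZE - 1)

/* Assumed cage base. It must be CAGE_SIZE-aligned so that (p & CAGE_MASK)
 * is exactly p's offset from the base for every p inside the cage; that
 * alignment is what makes the mask scheme an identity on valid pointers. */
#define CAGE_BASE  0x0000200000000000ULL  /* 2^45, a multiple of 2^35 */

/* Granule assumed by the proposal: 8-byte alignment, so a 32-bit offset
 * counts 8-byte units and reaches 2^32 * 8 = 32 GB. */
#define GRANULE_SHIFT 3

static bool in_cage(uint64_t p) {
    return p >= CAGE_BASE && p < CAGE_BASE + CAGE_SIZE;
}

/* Current scheme from comment 0: base + (target & mask). Any 64-bit value,
 * valid or corrupted, lands inside the cage; valid pointers are unchanged. */
static uint64_t cage_mask(uint64_t target) {
    return CAGE_BASE + (target & CAGE_MASK);
}

/* Proposed scheme: base + (offset << alignment), where offset is 32 bits. */
static uint64_t cage_shift(uint32_t offset_granules) {
    return CAGE_BASE + ((uint64_t)offset_granules << GRANULE_SHIFT);
}

/* The shift scheme only works on pointers that were first converted to the
 * 32-bit granule representation; this is the encoder it would need. */
static uint32_t encode_offset(uint64_t target) {
    return (uint32_t)((target - CAGE_BASE) >> GRANULE_SHIFT);
}

/* Largest byte range the shift scheme can address: fixed by the offset
 * width and the granule, not by CAGE_SIZE. */
static uint64_t shift_scheme_reach(void) {
    return (1ULL << 32) << GRANULE_SHIFT;
}

/* Does the shift scheme cover the configured cage? With CAGE_SHIFT 35 it
 * does exactly; raise CAGE_SHIFT to 36 and cage_mask() still works while
 * this becomes false. */
static bool shift_scheme_covers_cage(void) {
    return shift_scheme_reach() >= CAGE_SIZE;
}

int main(void) {
    uint64_t valid = CAGE_BASE + 0x1000;       /* a valid caged pointer */
    uint64_t corrupt = 0xdeadbeefcafef00dULL;  /* constructed bad pointer */

    printf("mask  : valid   %#" PRIx64 " -> %#" PRIx64 " (identity: %s)\n",
           valid, cage_mask(valid), cage_mask(valid) == valid ? "yes" : "no");
    printf("mask  : corrupt %#" PRIx64 " -> %#" PRIx64 " (in cage: %s)\n",
           corrupt, cage_mask(corrupt), in_cage(cage_mask(corrupt)) ? "yes" : "no");

    /* Feeding raw pointer bits to the shift scheme, as the mask scheme
     * permits, yields a different address: the identity property is gone. */
    printf("shift : valid   %#" PRIx64 " -> %#" PRIx64 " (identity: %s)\n",
           valid, cage_shift((uint32_t)valid),
           cage_shift((uint32_t)valid) == valid ? "yes" : "no");
    printf("shift : encoded %#" PRIx32 " -> %#" PRIx64 "\n",
           encode_offset(valid), cage_shift(encode_offset(valid)));
    printf("shift : reach %" PRIu64 " GB, covers cage: %s\n",
           shift_scheme_reach() >> 30, shift_scheme_covers_cage() ? "yes" : "no");
    return 0;
}
```

Running it shows the three points of the thread: `cage_mask()` returns a valid pointer unchanged and pulls the constructed corrupt value back inside the cage, so the same operation can be applied to any pointer-typed value without first proving it valid; `cage_shift()` applied to the raw bits of that same valid pointer produces a different address, so every pointer would have to be converted to the 32-bit granule form before use (and back afterwards), which is the lost identity property from comment 1; and `shift_scheme_reach()` is pinned to 2^32 granules, so growing the cage beyond 32 GB would require changing the granule and with it the representation of every caged pointer, which is the tunability concern from comment 2.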