Bug 182652

Summary: Lock down JSFunction
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
work in progress
none
more
none
the patch
none
the patch
none
the patch
ews-watchlist: commit-queue-
Archive of layout-test-results from ews112 for mac-sierra
none
the patch saam: review+

Description Filip Pizlo 2018-02-09 14:59:27 PST 
- Put it in an isospace

- Poison its outgoing pointers
Comment 1 Filip Pizlo 2018-02-09 15:00:34 PST 
Created attachment 333521 [details]
work in progress
Comment 2 Filip Pizlo 2018-02-10 16:54:22 PST 
Created attachment 333562 [details]
more
Comment 3 Filip Pizlo 2018-02-10 18:04:56 PST 
Created attachment 333564 [details]
the patch
Comment 4 Radar WebKit Bug Importer 2018-02-10 18:05:40 PST 
<rdar://problem/37429153>
Comment 5 Filip Pizlo 2018-02-10 19:07:15 PST 
Created attachment 333565 [details]
the patch
Comment 6 Filip Pizlo 2018-02-10 19:24:13 PST 
Created attachment 333566 [details]
the patch

Fixed builds
Comment 7 EWS Watchlist 2018-02-10 21:17:05 PST 
Comment on attachment 333566 [details]
the patch

Attachment 333566 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/6450921

New failing tests:
js/repeat-cached-vm-reentry.html
Comment 8 EWS Watchlist 2018-02-10 21:17:07 PST 
Created attachment 333568 [details]
Archive of layout-test-results from ews112 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112  Port: mac-sierra  Platform: Mac OS X 10.12.6
Comment 9 Filip Pizlo 2018-02-12 11:11:13 PST 
earley                  0.30123+-0.00176    !    43.34337+-1.07163       ! definitely 143.8868x slower


OOOOOPS
Comment 10 Filip Pizlo 2018-02-12 14:25:44 PST 
Created attachment 333632 [details]
the patch

Fixed a nasty bug in Repatch.
Comment 11 Saam Barati 2018-02-12 15:09:49 PST 
Comment on attachment 333632 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=333632&action=review

r=me

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:164
> +            return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());

Style: uintptr_t instead of size_t?

> Source/JavaScriptCore/runtime/JSBoundFunction.h:44
> +    template<typename CellType>

Should we also poison JSBoundFunction's other fields? Or perhaps open a bug for that work?
Comment 12 Filip Pizlo 2018-02-12 15:12:03 PST 
(In reply to Saam Barati from comment #11)
> Comment on attachment 333632 [details]
> the patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=333632&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:164
> > +            return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());
> 
> Style: uintptr_t instead of size_t?
> 

The other weakPointer function does size_t.

> > Source/JavaScriptCore/runtime/JSBoundFunction.h:44
> > +    template<typename CellType>
> 
> Should we also poison JSBoundFunction's other fields? Or perhaps open a bug
> for that work?

Since those point to JSObject-like things, maybe we don't have to poison them.
Comment 13 Filip Pizlo 2018-02-13 09:03:02 PST 
Landed in http://trac.webkit.org/changeset/228420/webkit