Bug 200139

Summary: [JSC] Ensure PackedCellPtr only takes non-large-allocation pointers
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: New BugsAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch mark.lam: review+

Yusuke Suzuki
Reported 2019-07-25 15:05:37 PDT
[JSC] Ensure PackedCellPtr only takes non-large-allocation pointers
Attachments
Patch (9.33 KB, patch)
2019-07-25 15:15 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (9.34 KB, patch)
2019-07-25 15:18 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (9.33 KB, patch)
2019-07-25 15:19 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (9.07 KB, patch)
2019-07-25 15:37 PDT, Yusuke Suzuki 		mark.lam: review+
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2019-07-25 15:15:43 PDT
Created attachment 374910 [details] Patch
Yusuke Suzuki
Comment 2 2019-07-25 15:18:01 PDT
Created attachment 374911 [details] Patch
Saam Barati
Comment 3 2019-07-25 15:18:19 PDT
Comment on attachment 374910 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374910&action=review > Source/JavaScriptCore/ChangeLog:9 > + But this fact only meets when the JSCell is not large allocation. Currently, we are using PackedCellPtr really? We don't round large allocations?
Yusuke Suzuki
Comment 4 2019-07-25 15:19:14 PDT
Created attachment 374912 [details] Patch
Keith Miller
Comment 5 2019-07-25 15:27:08 PDT
Comment on attachment 374910 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374910&action=review >> Source/JavaScriptCore/ChangeLog:9 >> + But this fact only meets when the JSCell is not large allocation. Currently, we are using PackedCellPtr > > really? We don't round large allocations? grammar: only meets => only holds.
Yusuke Suzuki
Comment 6 2019-07-25 15:36:12 PDT
Comment on attachment 374910 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374910&action=review >>> Source/JavaScriptCore/ChangeLog:9 >>> + But this fact only meets when the JSCell is not large allocation. Currently, we are using PackedCellPtr >> >> really? We don't round large allocations? > > grammar: only meets => only holds. Fixed the grammar part, thanks. Let's see LargeAllocation::isLargeAllocation implementation. https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/heap/LargeAllocation.h#L58-L61 https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/heap/LargeAllocation.h#L148-L149 LargeAllocation's HeapCell is intentionally not 16-byte aligned to encode this information into the cell pointer.
Yusuke Suzuki
Comment 7 2019-07-25 15:37:46 PDT
Created attachment 374915 [details] Patch
Mark Lam
Comment 8 2019-07-25 15:41:44 PDT
Comment on attachment 374915 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374915&action=review r=me > Source/JavaScriptCore/ChangeLog:9 > + But this fact only meets when the JSCell is not large allocation. Currently, we are using PackedCellPtr still not fixed: /meet/holds/ > Source/JavaScriptCore/ChangeLog:10 > + only for the cell types which holds the above requirement. But we would like to ensure that statically. this one should be 'meet' instead of 'holds'.
Saam Barati
Comment 9 2019-07-25 15:42:55 PDT
Comment on attachment 374915 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374915&action=review > Source/JavaScriptCore/heap/PackedCellPtr.h:43 > + ASSERT(!pointer || !pointer->isLargeAllocation()); Can you just assert that it's 16 byte aligned? Seems more straight forward
Yusuke Suzuki
Comment 10 2019-07-25 15:43:03 PDT
Comment on attachment 374915 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374915&action=review Thanks, fixed. >> Source/JavaScriptCore/ChangeLog:9 >> + But this fact only meets when the JSCell is not large allocation. Currently, we are using PackedCellPtr > > still not fixed: /meet/holds/ Oops, fixed. >> Source/JavaScriptCore/ChangeLog:10 >> + only for the cell types which holds the above requirement. But we would like to ensure that statically. > > this one should be 'meet' instead of 'holds'. Fixed.
Yusuke Suzuki
Comment 11 2019-07-25 15:43:31 PDT
Comment on attachment 374915 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374915&action=review >> Source/JavaScriptCore/heap/PackedCellPtr.h:43 >> + ASSERT(!pointer || !pointer->isLargeAllocation()); > > Can you just assert that it's 16 byte aligned? Seems more straight forward Sounds nice. Fixed.
Yusuke Suzuki
Comment 12 2019-07-25 15:51:43 PDT
Committed r247843: <https://trac.webkit.org/changeset/247843>
Radar WebKit Bug Importer
Comment 13 2019-07-25 15:54:24 PDT
<rdar://problem/53564083>
Yusuke Suzuki
Comment 14 2019-07-25 16:04:06 PDT
It seems that std::invoke_result_t is missing in some clang environments. I think it is C++17 features, and possibly it is not implemented yet. Use std::result_of instead, while it is deprecated in C++17 and removed in C++20, because we are now using std::result_of in the other places.
Yusuke Suzuki
Comment 15 2019-07-25 16:16:03 PDT
Committed r247844: <https://trac.webkit.org/changeset/247844>
Note You need to log in before you can comment on or make changes to this bug.