Bug 174923 - ScopedArguments overflow storage needs to be in the JSValue gigacage
Summary: ScopedArguments overflow storage needs to be in the JSValue gigacage
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords: InRadar
Depends on: 174919
Blocks: 174917
  Show dependency treegraph
 
Reported: 2017-07-27 19:46 PDT by Filip Pizlo
Modified: 2017-08-12 12:07 PDT (History)
8 users (show)

See Also:


Attachments
the patch (4.57 KB, patch)
2017-08-11 18:08 PDT, Filip Pizlo
sbarati: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2017-07-27 19:46:22 PDT
...
Comment 1 Filip Pizlo 2017-08-11 18:08:35 PDT
Created attachment 317982 [details]
the patch
Comment 2 Saam Barati 2017-08-12 11:13:21 PDT
Comment on attachment 317982 [details]
the patch

r=me
Does polymorphic access also access scoped arguments for “length”?
Comment 3 Filip Pizlo 2017-08-12 11:39:28 PDT
(In reply to Saam Barati from comment #2)
> Comment on attachment 317982 [details]
> the patch
> 
> r=me
> Does polymorphic access also access scoped arguments for “length”?

Yeah.  Since that's not an indexed access, we don't have to do caging there.  We could do it, but then we'd be wagging the dog.

The objective here is to make indexed accesses never go outside of a cage.

Therefore, we but the object being accessed into a cage.

This does not mean that all non-indexed accesses to that object need caging.  I don't think that the upside of doing that would be worth the perf.
Comment 4 Filip Pizlo 2017-08-12 11:40:24 PDT
Landed in https://trac.webkit.org/changeset/220624/webkit
Comment 5 Radar WebKit Bug Importer 2017-08-12 11:41:02 PDT
<rdar://problem/33864284>
Comment 6 Saam Barati 2017-08-12 12:07:13 PDT
(In reply to Filip Pizlo from comment #3)
> (In reply to Saam Barati from comment #2)
> > Comment on attachment 317982 [details]
> > the patch
> > 
> > r=me
> > Does polymorphic access also access scoped arguments for “length”?
> 
> Yeah.  Since that's not an indexed access, we don't have to do caging there.
> We could do it, but then we'd be wagging the dog.
> 
> The objective here is to make indexed accesses never go outside of a cage.
> 
> Therefore, we but the object being accessed into a cage.
> 
> This does not mean that all non-indexed accesses to that object need caging.
> I don't think that the upside of doing that would be worth the perf.

Makes sense. We had this conversation before in a different context, I just forgot :)