WebKit Bugzilla
Bug 176669 - [JSC] Fold gigacage address into 32bit
Status: RESOLVED WONTFIX
https://bugs.webkit.org/show_bug.cgi?id=176669

Yusuke Suzuki, Comment 0 (reported 2017-09-10 04:17:36 PDT)
We access the caged area by doing `base + (target & mask)`. At that time, target is a 64-bit pointer. This is a rough idea: if we can discard the alignment part, we can make this target address fit within 32 bits. If the memory area is 8-byte aligned, our 32-bit offset can represent 32GB (4 * 8), which matches the current gigacage area. The computation becomes `base + (target << alignment)`.
Filip Pizlo, Comment 1, 2017-09-10 12:33:22 PDT
(In reply to Yusuke Suzuki from comment #0)
> We access caged area by doing `base + (target & mask)`.
> At that time, target is 64bit pointer.
>
> This is rough idea: If we can discard alignment part we can make this target
> address within 32bit.
> If the memory area is 8byte aligned, our 32bit offset can represent 32GB (4
> * 8), which matches to the current gigacage area.
> Computation becomes like, `base + (target << alignment)`.
Caging relies on the fact that it’s an identity operation for valid pointers. This breaks that property. I suggest not doing this.
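An added example (my own code, not from this bug or from WebKit) that puts the two formulas side by side using constructed cage constants: the mask form is an identity on pointers already inside the cage and pulls any other value back inside, while the shift form only reproduces a pointer after it has been re-encoded as a scaled 32-bit offset, which is the property the comment above says would be lost. The base, size and alignment shift are assumptions chosen to match the 32GB / 8-byte figures in comment #0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed cage: 32 GB, base aligned to the cage size (base & mask == 0).
 * Illustrative values, not WebKit's real Gigacage layout. */
#define CAGE_SIZE   (32ull << 30)     /* 32 GB, a power of two */
#define CAGE_MASK   (CAGE_SIZE - 1)
#define CAGE_BASE   0x200000000000ull /* 2^45, so its low 35 bits are zero */
#define ALIGN_SHIFT 3u                /* 8-byte alignment, as in comment #0 */

/* Current scheme (comment #0): base + (target & mask) on a 64-bit pointer. */
static uint64_t cage_mask(uint64_t target) {
    return CAGE_BASE + (target & CAGE_MASK);
}

/* Proposed scheme: base + (offset << alignment) on a 32-bit offset. */
static uint64_t cage_shift(uint32_t offset) {
    return CAGE_BASE + ((uint64_t)offset << ALIGN_SHIFT);
}

/* The property comment #1 relies on: a pointer already inside the cage
 * cages to itself; anything else is pulled back inside the cage. */
static bool mask_is_identity(uint64_t p) {
    return cage_mask(p) == p;
}

/* The folded scheme reproduces p only after p is re-encoded as a scaled
 * 32-bit offset, and only if p's low ALIGN_SHIFT bits are zero. */
static bool shift_roundtrips(uint64_t p) {
    uint32_t encoded = (uint32_t)((p - CAGE_BASE) >> ALIGN_SHIFT);
    return cage_shift(encoded) == p;
}

/* Bytes a 32-bit offset can reach at a given shift: 2^32 * 2^shift. */
static uint64_t shift_reach(unsigned shift) {
    return (1ull << 32) << shift;
}

int main(void) {
    uint64_t p = CAGE_BASE + 0x1238; /* constructed, 8-byte aligned */
    printf("mask is identity on in-cage pointer: %d\n", mask_is_identity(p));
    printf("shift fed the raw pointer is identity: %d\n", cage_shift((uint32_t)p) == p);
    printf("shift round-trips aligned / unaligned: %d / %d\n",
           shift_roundtrips(p), shift_roundtrips(p + 4));
    printf("32-bit reach at shift 3 == 32 GB: %d\n", shift_reach(ALIGN_SHIFT) == CAGE_SIZE);
    return 0;
}
```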
Filip Pizlo, Comment 2, 2017-09-10 12:35:18 PDT
Also, I want cage size to be tunable. We do not want to become married to a 32GB size limit.
Yusuke Suzuki, Comment 3, 2017-10-02 07:40:56 PDT
(In reply to Filip Pizlo from comment #2)
> Also, I want cage size to be tunable. We do not want to become married to a
> 32GB size limit.

(In reply to Filip Pizlo from comment #1)
> (In reply to Yusuke Suzuki from comment #0)
> > We access caged area by doing `base + (target & mask)`.
> > At that time, target is 64bit pointer.
> >
> > This is rough idea: If we can discard alignment part we can make this target
> > address within 32bit.
> > If the memory area is 8byte aligned, our 32bit offset can represent 32GB (4
> > * 8), which matches to the current gigacage area.
> > Computation becomes like, `base + (target << alignment)`.
>
> Caging relies on the fact that it’s an identity operation for valid
> pointers. This breaks that property. I suggest not doing this.

That sounds reasonable.