RESOLVED FIXED 179202
Only cage double butterfly accesses 
https://bugs.webkit.org/show_bug.cgi?id=179202
Summary Only cage double butterfly accesses
Saam Barati
Reported 2017-11-02 14:55:39 PDT
...
Attachments
patch (30.09 KB, patch)
2017-11-07 12:43 PST, Saam Barati 		mark.lam: review+
DetailsFormatted DiffDiff
patch for landing (31.54 KB, patch)
2017-11-07 20:47 PST, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2017-11-07 12:43:47 PST
Created attachment 326240 [details] patch
Mark Lam
Comment 2 2017-11-07 16:50:44 PST
Comment on attachment 326240 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=326240&action=review r=me with issues addressed. > Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:1238 > macro storePropertyAtVariableOffset(propertyOffsetAsInt, objectAndStorage, value, scratch) It doesn't hurt to leave it but scratch is now unused. > Source/JavaScriptCore/runtime/JSObject.cpp:3250 > + return Butterfly::createOrGrowPropertyStorage(butterfly(), vm, this, structure(vm), oldSize, newSize); Why is this case not caged? I see that Butterfly::createOrGrowPropertyStorage() does mem copying. Either Butterfly::createOrGrowPropertyStorage() should always cage the butterfly if not null, or it we should do a null check + caging here.
Saam Barati
Comment 3 2017-11-07 20:47:38 PST
Created attachment 326298 [details] patch for landing Thanks for the review. I've removed the scratch register and I've made Butterfly:createOrGrowPropertyStorage cage when oldButterfly is non-null.
WebKit Commit Bot
Comment 4 2017-11-07 22:29:34 PST
Comment on attachment 326298 [details] patch for landing Clearing flags on attachment: 326298 Committed r224564: <https://trac.webkit.org/changeset/224564>
WebKit Commit Bot
Comment 5 2017-11-07 22:29:36 PST
All reviewed patches have been landed. Closing bug.
Yusuke Suzuki
Comment 6 2017-11-08 05:04:12 PST
Oh, this improves ARES-6 by 4.4% at AWFY.
Radar WebKit Bug Importer
Comment 7 2017-11-15 12:20:32 PST
<rdar://problem/35567338>
Note You need to log in before you can comment on or make changes to this bug.