WebKit Bugzilla
RESOLVED FIXED
182652
Lock down JSFunction
https://bugs.webkit.org/show_bug.cgi?id=182652
Filip Pizlo
Reported 2018-02-09 14:59:27 PST
- Put it in an isospace
- Poison its outgoing pointers
Attachments
- work in progress (25.59 KB, patch), 2018-02-09 15:00 PST, Filip Pizlo, no flags
- more (36.14 KB, patch), 2018-02-10 16:54 PST, Filip Pizlo, no flags
- the patch (38.84 KB, patch), 2018-02-10 18:04 PST, Filip Pizlo, no flags
- the patch (39.30 KB, patch), 2018-02-10 19:07 PST, Filip Pizlo, no flags
- the patch (39.37 KB, patch), 2018-02-10 19:24 PST, Filip Pizlo, ews-watchlist: commit-queue-
- Archive of layout-test-results from ews112 for mac-sierra (3.30 MB, application/zip), 2018-02-10 21:17 PST, EWS Watchlist, no flags
- the patch (39.92 KB, patch), 2018-02-12 14:25 PST, Filip Pizlo, saam: review+
Filip Pizlo, Comment 1, 2018-02-09 15:00:34 PST
Created attachment 333521
work in progress
Filip Pizlo, Comment 2, 2018-02-10 16:54:22 PST
Created attachment 333562
more
Filip Pizlo, Comment 3, 2018-02-10 18:04:56 PST
Created attachment 333564
the patch
Radar WebKit Bug Importer, Comment 4, 2018-02-10 18:05:40 PST
<rdar://problem/37429153>
Filip Pizlo, Comment 5, 2018-02-10 19:07:15 PST
Created attachment 333565
the patch
Filip Pizlo, Comment 6, 2018-02-10 19:24:13 PST
Created attachment 333566
the patch
Fixed builds
EWS Watchlist, Comment 7, 2018-02-10 21:17:05 PST
Comment on attachment 333566
the patch
Attachment 333566 did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/6450921
New failing tests:
js/repeat-cached-vm-reentry.html
EWS Watchlist, Comment 8, 2018-02-10 21:17:07 PST
Created attachment 333568
Archive of layout-test-results from ews112 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112
Port: mac-sierra
Platform: Mac OS X 10.12.6
Filip Pizlo, Comment 9, 2018-02-12 11:11:13 PST
earley 0.30123+-0.00176 ! 43.34337+-1.07163 ! definitely 143.8868x slower OOOOOPS
Filip Pizlo, Comment 10, 2018-02-12 14:25:44 PST
Created attachment 333632
the patch
Fixed a nasty bug in Repatch.
Saam Barati, Comment 11, 2018-02-12 15:09:49 PST
Comment on attachment 333632
the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=333632&action=review
r=me
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:164 > + return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());
Style: uintptr_t instead of size_t?
> Source/JavaScriptCore/runtime/JSBoundFunction.h:44 > + template<typename CellType>
Should we also poison JSBoundFunction's other fields? Or perhaps open a bug for that work?
Filip Pizlo, Comment 12, 2018-02-12 15:12:03 PST
(In reply to Saam Barati from comment #11)
> Comment on attachment 333632
> the patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=333632&action=review
> > r=me > > > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:164 > > + return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key()); > > Style: uintptr_t instead of size_t? >
The other weakPointer function does size_t.
> > Source/JavaScriptCore/runtime/JSBoundFunction.h:44 > > + template<typename CellType> > > Should we also poison JSBoundFunction's other fields? Or perhaps open a bug > for that work?
Since those point to JSObject-like things, maybe we don't have to poison them.
Filip Pizlo, Comment 13, 2018-02-13 09:03:02 PST
Landed in http://trac.webkit.org/changeset/228420/webkit