Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6eac446be4449cb0c94d52b8ee43926a53bbb180
https://github.com/WebKit/WebKit/commit/6eac446be4449cb0c94d52b8ee43926a53bbb180
Author: Mark Lam <[email protected]>
Date: 2025-12-11 (Thu, 11 Dec 2025)
Changed paths:
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
M Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp
M Source/JavaScriptCore/jit/AssemblyHelpers.cpp
M Source/JavaScriptCore/llint/LLIntOfflineAsmConfig.h
M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
M Source/JavaScriptCore/runtime/JSCConfig.h
M Source/JavaScriptCore/runtime/MegamorphicCache.h
M Source/JavaScriptCore/runtime/OptionsList.h
M Source/JavaScriptCore/runtime/Structure.cpp
M Source/JavaScriptCore/runtime/Structure.h
M Source/JavaScriptCore/runtime/StructureID.h
M Source/JavaScriptCore/tools/IntegrityInlines.h
M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
Log Message:
-----------
Simplify StructureID encoding scheme.
https://bugs.webkit.org/show_bug.cgi?id=304017
rdar://166322205
Reviewed by Dan Hecht and Yusuke Suzuki.
We can just use a base + offset encoding scheme for all CPU(ADDRESS64)
platforms. Here are the
details:
1. There's no need to mask the StructureID before adding it to the base
address. This was
originally introduced as a caging security mitigation.
However, it only worked if the Structure heap size if 4GB. On iOS (and
other embedded
platforms), this caging was never done, and cannot be done because of the
STRUCTURE_ID_WITH_SHIFT
encoding. The caging is also of very low value as a security mitigation.
Since it does not
add much value, we'll remove it to simplify things.
2. Previously, for macOS, we encode StructureID as a 32-bit offset from the
start of that 4G
aligned region.
Instead of doing this, we now encode StructureID as the bottom 32-bits of
the 64-bit Structure
address. This is partially made possible by the removal of masking in (1),
and it simplifies
the code a lot. To decode a StructureID, we simple add structureIDBase to
the StructureID,
where structureIDBase is startOfStructureHeap with the lower 32-bits masked
to 0.
3. Previously, to enable the StructureID encoding scheme in (2), we always
require that the
structure heap start address be 4GB aligned.
Now that StructureID is just the lower 32-bits of the address, the structure
heap does not
need to start on a 4GB region. We only require that the upper 32-bits of
the entire structure
heap region be constant. To achieve this, we require that the structure
heap size be a power
of 2 (which was always the case), and that the structure heap start address
be aligned on the
structure heap size. With that we guarantee that the structure heap will
never span across
two 4GB granules i.e. the top 32-bits of the Structure address is guaranteed
to be the same
for any address in the structure heap.
4. Previously, iOS (and other embedded platforms), we needed to use the
STRUCTURE_ID_WITH_SHIFT
encoding for StructureID. This is because on these platforms, it is not
always possible to
allocate the structure heap starting at a 4G boundary. The number of
available 4G boundaries
are few.
However, with (3), the structure heap only need to be aligned on the heap
size. Since it is
reasonable for the heap size to be smaller on embedded platforms, the number
of such aligned
boundaries are significantly increases, and we should be able to
successfully allocate the
structure heap on the needed boundary. Hence, we can now switch all
embedded platforms over
to using the same StructureID encoding as macOS. The
STRUCTURE_ID_WITH_SHIFT can now be
completely removed.
5. This also allows us to shrink Structure's atomSize back to 16 bytes.
Currently, that doesn't
make a difference, but it opens the door for potential size optimzations.
6. Add Options::structureHeapSizeInKB() to allow us to more easily test and
experiment with
different structure heap sizes.
7. Added more dump info to the RELEASE_ASSERTs in the StructureMemoryManager
constructor.
These will help us diagnose crashes, should we get crashes due to failed
structure heap
memory reservation.
This functionality should be covered by existing JSC and WebKit tests as
Structures are used
prolifically. This patch also adds more ASSERTs and RELEASE_ASSERTs to help
catch issues
sooner in those tests.
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
* Source/JavaScriptCore/heap/StructureAlignedMemoryAllocator.cpp:
(JSC::StructureMemoryManager::StructureMemoryManager):
(JSC::StructureAlignedMemoryAllocator::initializeStructureAddressSpace):
* Source/JavaScriptCore/jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitNonNullDecodeZeroExtendedStructureID):
(JSC::AssemblyHelpers::emitEncodeStructureID):
* Source/JavaScriptCore/llint/LLIntOfflineAsmConfig.h:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/JSCConfig.h:
(JSC::structureIDBase):
* Source/JavaScriptCore/runtime/MegamorphicCache.h:
* Source/JavaScriptCore/runtime/OptionsList.h:
* Source/JavaScriptCore/runtime/Structure.cpp:
(JSC::Structure::Structure):
* Source/JavaScriptCore/runtime/Structure.h:
* Source/JavaScriptCore/runtime/StructureID.h:
(JSC::StructureID::decode const):
(JSC::StructureID::tryDecode const):
(JSC::StructureID::encode):
* Source/JavaScriptCore/tools/IntegrityInlines.h:
(JSC::Integrity::auditStructureID):
* Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp:
(JSC::Wasm::OMGIRGenerator::decodeNonNullStructure):
(JSC::Wasm::OMGIRGenerator::encodeStructureID):
Canonical link: https://commits.webkit.org/304344@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
