WebKit Bugzilla
Attachment 371113 Details for
Bug 198453
: Reenable Gigacage on ARM64.
[patch]
Patch
bug-198453-20190601194754.patch (text/plain), 11.04 KB, created by
Keith Miller
on 2019-06-01 10:47:57 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Keith Miller
Created:
2019-06-01 10:47:57 PDT
Size:
11.04 KB
patch
obsolete
>Subversion Revision: 246011
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 038e6d0a295721eda8d9c8a90627f07d1e5841e0..5338bab4ccd6171bfaf74d5d707d55a674f3d63a 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,26 @@
>+2019-06-01 Keith Miller <keith_miller@apple.com>
>+
>+ Reenable Gigacage on ARM64.
>+ https://bugs.webkit.org/show_bug.cgi?id=198453
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the
>+ old Gigacage however, arm64e uses both Gigacaging and PAC. Since
>+ Gigacaging would otherwise strip a PAC failed authenticate bit we
>+ force a load of the pointer into some garbage register.
>+
>+ * dfg/DFGSpeculativeJIT.cpp:
>+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
>+ (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
>+ * ftl/FTLLowerDFGToB3.cpp:
>+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
>+ (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
>+ (JSC::FTL::DFG::LowerDFGToB3::caged):
>+ * jit/AssemblyHelpers.h:
>+ (JSC::AssemblyHelpers::cageConditionally):
>+ * llint/LowLevelInterpreter64.asm:
>+
> 2019-05-31 Yusuke Suzuki <ysuzuki@apple.com>
>
> Unreviewed, fix setEntryAddressCommon register usage in LLInt ASM Windows 64
>diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog
>index 1289c8b9149c1c76b5b7daa32aa1cbffb592f4a2..2ba176b50c2a23fcea2b3627a4fb8afd0c1334a3 100644
>--- a/Source/WTF/ChangeLog
>+++ b/Source/WTF/ChangeLog
>@@ -1,3 +1,15 @@
>+2019-06-01 Keith Miller <keith_miller@apple.com>
>+
>+ Reenable Gigacage on ARM64.
>+ https://bugs.webkit.org/show_bug.cgi?id=198453
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ * wtf/CagedPtr.h:
>+ (WTF::CagedPtr::authenticatingLoad):
>+ (WTF::CagedPtr::get const):
>+ (WTF::CagedPtr::getMayBeNull const):
>+
> 2019-05-31 Alex Christensen <achristensen@webkit.org>
>
> URLParser::parseIPv6Host should properly parse 0's around compression
>diff --git a/Source/bmalloc/ChangeLog b/Source/bmalloc/ChangeLog
>index f5ce05be348d18c8884ceb4eced2579d4592ec65..f72b4e210d412f319ed6a985482f7ea9556f0c01 100644
>--- a/Source/bmalloc/ChangeLog
>+++ b/Source/bmalloc/ChangeLog
>@@ -1,3 +1,12 @@
>+2019-06-01 Keith Miller <keith_miller@apple.com>
>+
>+ Reenable Gigacage on ARM64.
>+ https://bugs.webkit.org/show_bug.cgi?id=198453
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ * bmalloc/Gigacage.h:
>+
> 2019-05-30 Don Olmstead <don.olmstead@sony.com>
>
> [CMake] Add WEBKIT_FRAMEWORK_TARGET macro
>diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
>index d0410b35d39017f80db5905ed492d3e33868bc5c..522214a704c61b4708d7df45d141321da95c373b 100644
>--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
>@@ -2873,7 +2873,7 @@ JITCompiler::Jump SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds(Node*
> TrustedImm32(WastefulTypedArray));
>
> JITCompiler::Jump hasNullVector;
>-#if !GIGACAGE_ENABLED && CPU(ARM64E)
>+#if CPU(ARM64E)
> {
> GPRReg scratch = m_jit.scratchRegister();
> DisallowMacroScratchRegisterUsage disallowScratch(m_jit);
>@@ -2882,7 +2882,7 @@ JITCompiler::Jump SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds(Node*
> m_jit.removeArrayPtrTag(scratch);
> hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch);
> }
>-#else // !GIGACAGE_ENABLED && CPU(ARM64E)
>+#else // CPU(ARM64E)
> hasNullVector = m_jit.branchTestPtr(
> MacroAssembler::Zero,
> MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector()));
>@@ -6719,6 +6719,14 @@ void SpeculativeJIT::compileConstantStoragePointer(Node* node)
>
> void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg)
> {
>+#if CPU(ARM64E)
>+ m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);
>+ m_jit.loadPtr(storageReg, m_jit.scratchRegister());
>+#else
>+ UNUSED_PARAM(baseReg);
>+ UNUSED_PARAM(storageReg);
>+#endif
>+
> #if GIGACAGE_ENABLED
> UNUSED_PARAM(baseReg);
> if (!Gigacage::shouldBeEnabled())
>@@ -6732,11 +6740,6 @@ void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg)
> }
>
> m_jit.cage(Gigacage::Primitive, storageReg);
>-#elif CPU(ARM64E)
>- m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);
>-#else
>- UNUSED_PARAM(baseReg);
>- UNUSED_PARAM(storageReg);
> #endif
> }
>
>diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
>index 5e28a1a232b1771b5a8291234f476cfb31b28f95..145132f023d21536a707629368bf356dedfaaee5 100644
>--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
>+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
>@@ -6463,7 +6463,7 @@ private:
> m_out.int64Zero,
> m_heaps.typedArrayProperties);
>
>-#if !GIGACAGE_ENABLED && CPU(ARM64E)
>+#if CPU(ARM64E)
> {
> LValue sizePtr = m_out.zeroExtPtr(size);
> PatchpointValue* authenticate = m_out.patchpoint(pointerType());
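Review bot: The ARM64E block added at the top of `cageTypedArrayStorage` has no comment on the `m_jit.loadPtr(storageReg, m_jit.scratchRegister())` line, unlike the equivalent additions in AssemblyHelpers.h and the FTL `untagArrayPtr` patchpoint, and that load is the security-relevant step: it makes a failed PAC authentication trap before `m_jit.cage` masks the authentication bits away, and it faults if `storageReg` is null. Suggest `// Force a load so a failed authentication traps here, before cage() strips the PAC bits; storageReg must be non-null.` above it, stating the non-null precondition callers must uphold. Minor: with both CPU(ARM64E) and GIGACAGE_ENABLED set, `UNUSED_PARAM(baseReg)` in the Gigacage block is now stale since `baseReg` is used by `untagArrayPtr`; harmless, but it could be dropped. The function's middle is in the next hunk (`@@ -6732`), not shown in full.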
>@@ -14108,9 +14108,12 @@ private:
> PatchpointValue* authenticate = m_out.patchpoint(pointerType());
> authenticate->appendSomeRegister(ptr);
> authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister));
>+ authenticate->numGPScratchRegisters = 1;
> authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
> jit.move(params[1].gpr(), params[0].gpr());
> jit.untagArrayPtr(params[2].gpr(), params[0].gpr());
>+ // Force a load to check authentication. before it is cleared by Gigacaging later.
>+ jit.loadPtr(params[0].gpr(), params.gpScratch(0));
> });
> return authenticate;
> #else
>@@ -14135,6 +14138,16 @@ private:
>
> LValue caged(Gigacage::Kind kind, LValue ptr, LValue base)
> {
>+#if CPU(ARM64E)
>+ if (kind == Gigacage::Primitive) {
>+ LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);
>+ ptr = untagArrayPtr(ptr, size);
>+ }
>+#else
>+ UNUSED_PARAM(kind);
>+ UNUSED_PARAM(base);
>+#endif
>+
> #if GIGACAGE_ENABLED
> UNUSED_PARAM(base);
> if (!Gigacage::isEnabled(kind))
>@@ -14165,17 +14178,6 @@ private:
> // and possibly other smart things if we want to be able to remove this opaque.
> // https://bugs.webkit.org/show_bug.cgi?id=175493
> return m_out.opaque(result);
>-#elif CPU(ARM64E)
>- if (kind == Gigacage::Primitive) {
>- LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);
>- return untagArrayPtr(ptr, size);
>- }
>-
>- return ptr;
>-#else
>- UNUSED_PARAM(kind);
>- UNUSED_PARAM(base);
>- return ptr;
> #endif
> }
>
>diff --git a/Source/JavaScriptCore/jit/AssemblyHelpers.h b/Source/JavaScriptCore/jit/AssemblyHelpers.h
>index d9268e83691421ffedc1541217c867f351edb8d4..6075071ddf08da3d0e5b312d1f48815b83bfb249 100644
>--- a/Source/JavaScriptCore/jit/AssemblyHelpers.h
>+++ b/Source/JavaScriptCore/jit/AssemblyHelpers.h
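Review bot: The new comment in the `untagArrayPtr` generator reads `// Force a load to check authentication. before it is cleared by Gigacaging later.` — the stray period splits the sentence, and it does not say why the order matters. Suggest `// Force a load so a failed authentication traps here, before Gigacaging later masks the PAC bits away and the failure would go unnoticed.` The load can fault, so it presumably relies on the patchpoint keeping conservative effects; the rest of `untagArrayPtr` starts outside this hunk, so I cannot confirm nothing narrows `authenticate->effects`.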
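Review bot: With GIGACAGE_ENABLED off, `caged` no longer returns a value: the `@@ -14165` hunk removes the `#elif CPU(ARM64E)` and `#else` branches that ended in `return ptr;`, and the new ARM64E block added in this hunk only reassigns `ptr`, so after the final `#endif` the function falls off the end (undefined behaviour, and an error on any warnings-as-errors build without Gigacage). Add `return ptr;` between the closing `#endif` and `}` so the untagged pointer is returned when caging is compiled out. The body between these two hunks is not shown, so I am assuming the GIGACAGE_ENABLED path ends at the visible `return m_out.opaque(result);`.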
>@@ -1571,6 +1571,18 @@ public:
>
> void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratchOrLength)
> {
>+#if CPU(ARM64E)
>+ if (kind == Gigacage::Primitive) {
>+ untagArrayPtr(scratchOrLength, storage);
>+ // Force a load to trap on authentication failure. storage shouldn't be null here.
>+ loadPtr(storage, scratchOrLength);
>+ }
>+#else
>+ UNUSED_PARAM(kind);
>+ UNUSED_PARAM(storage);
>+ UNUSED_PARAM(scratchOrLength);
>+#endif
>+
> #if GIGACAGE_ENABLED
> if (!Gigacage::isEnabled(kind))
> return;
>@@ -1583,13 +1595,6 @@ public:
> andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
> addPtr(scratchOrLength, storage);
> done.link(this);
>-#elif CPU(ARM64E)
>- if (kind == Gigacage::Primitive)
>- untagArrayPtr(scratchOrLength, storage);
>-#else
>- UNUSED_PARAM(kind);
>- UNUSED_PARAM(storage);
>- UNUSED_PARAM(scratchOrLength);
> #endif
> }
>
>diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>index 6aaf0dd10c3eb8af6b277713419ac40e3d878397..4ce82d8e619ae2146bed15e175e0036b6945a2e4 100644
>--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>@@ -434,10 +434,13 @@ end
>
> macro loadCagedPrimitive(source, dest, scratchOrLength)
> loadp source, dest
>+ if ARM64E
>+ untagArrayPtr scratchOrLength, dest
>+ # Force a load to check PAC before we clear it below.
>+ loadp [dest], scratchOrLength
>+ end
> if GIGACAGE_ENABLED
> uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, dest, scratchOrLength)
>- elsif ARM64E
>- untagArrayPtr scratchOrLength, dest
> end
> end
>
>diff --git a/Source/WTF/wtf/CagedPtr.h b/Source/WTF/wtf/CagedPtr.h
>index 71ec51e2947b5b2ca06ea2c4056dadceb938df6e..ecc9e00407a9227153240523eec5d7a6fb9230ff 100644
>--- a/Source/WTF/wtf/CagedPtr.h
>+++ b/Source/WTF/wtf/CagedPtr.h
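Review bot: In `loadCagedPrimitive`, `loadp [dest], scratchOrLength` now clobbers `scratchOrLength` on ARM64E in every configuration, whereas the removed `elsif ARM64E` branch only untagged and left the length register intact when Gigacage was off; a caller that still reads the length after the macro would now get the first word of the buffer instead. Callers are outside this hunk, so this needs checking against each use site; if clobbering is part of the contract (the name suggests it is), a one-line comment on the macro, e.g. `# scratchOrLength holds the length on entry and is clobbered`, would make that explicit. The forced load also faults on a null `dest`, so the comment should state that callers must have rejected a null vector first.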
>@@ -35,6 +35,18 @@ constexpr bool tagCagedPtr = true;
>
> template<Gigacage::Kind passedKind, typename T, bool shouldTag = false, typename PtrTraits = DumbPtrTraits<T>>
> class CagedPtr {
>+#if CPU(ARM64E)
>+ static void authenticatingLoad(T* ptr)
>+ {
>+ double result;
>+ asm volatile("ldr %[out], [%[in]]"
>+ : [out] "=&r"(result)
>+ : [in] "r"(ptr) :);
>+ }
>+#else
>+ static void authenticatingLoad(T*) { }
>+#endif
>+
> public:
> static constexpr Gigacage::Kind kind = passedKind;
>
>@@ -52,16 +64,21 @@ public:
> {
> ASSERT(m_ptr);
> T* ptr = PtrTraits::unwrap(m_ptr);
>- if (shouldTag)
>+ if (shouldTag) {
> ptr = untagArrayPtr(ptr, size);
>+ authenticatingLoad(ptr);
>+ }
> return Gigacage::caged(kind, ptr);
> }
>
> T* getMayBeNull(unsigned size) const
> {
> T* ptr = PtrTraits::unwrap(m_ptr);
>- if (shouldTag)
>+ if (shouldTag) {
> ptr = untagArrayPtr(ptr, size);
>+ if (ptr)
>+ authenticatingLoad(ptr);
>+ }
> return Gigacage::cagedMayBeNull(kind, ptr);
> }
>
>diff --git a/Source/bmalloc/bmalloc/Gigacage.h b/Source/bmalloc/bmalloc/Gigacage.h
>index 76d72df74a136f0219155cf208f7c77958c4e996..a37d0baf9979deecc2e9e2542a8c2958ddf86b57 100644
>--- a/Source/bmalloc/bmalloc/Gigacage.h
>+++ b/Source/bmalloc/bmalloc/Gigacage.h
>@@ -34,7 +34,8 @@
> #include <cstddef>
> #include <inttypes.h>
>
>-#if ((BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64))
>+#if ((BOS(DARWIN) || BOS(LINUX)) && \
>+ (BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS)))))
> #define GIGACAGE_ENABLED 1
> #else
> #define GIGACAGE_ENABLED 0
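Review bot: `authenticatingLoad` declares its asm output as `double` under an `"r"` (general-register) constraint; the `ldr` targets a GPR, so `uintptr_t result;` states the intent directly instead of relying on the compiler tolerating a floating type for `r`. The instruction also always reads a full register width at `ptr` regardless of `T` and of `size`, so it assumes at least that many bytes are mapped behind every tagged pointer that reaches `get`/`getMayBeNull` — if a zero-length primitive buffer can carry a non-null vector, that read runs past it; I cannot tell from here. Either way the function carries no comment on why it exists; suggest `// Load through ptr so a failed PAC authentication traps here, before Gigacage::caged() masks the authentication bits away. Assumes sizeof(void*) bytes are readable at ptr.` above the asm.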
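Review bot: The new `GIGACAGE_ENABLED` condition `(BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS)))` folds three separate exclusions (arm64_32 via `__ILP32__`, and every iOS-family platform other than iOS itself) into one expression with no explanation of why each is left out, which invites a later "simplification" that silently changes where caging is on. Suggest a comment above the `#if`, e.g. `// Gigacage on ARM64: excluded on arm64_32 (__ILP32__) and on iOS-family platforms other than iOS; see bug 198453.`, with the actual reasons filled in by the author. Since JSC's JIT, LLInt and WTF now all key their ARM64E untag-then-cage sequences off this macro, this header is the single switch for the whole mechanism and deserves to say so.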