Bug 208671

Summary: [JSC] Cage JIT pointers to the JIT region
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: ASSIGNED
Severity: Normal
CC: allan.jensen, benjamin, calvaris, cdumez, cmarcelo, dino, esprehn+autocc, ews-watchlist, fmalita, glenn, gyuyoung.kim, hi, joepeck, kangil.han, keith_miller, macpherson, mark.lam, menard, pdr, saam, sabouhallawa, schenney, sergio, tzagallo, webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Draft patch (flags: none)
Work in progress patch (flags: ews-feeder: commit-queue-)

Description Michael Saboff 2020-03-05 15:54:21 PST
The idea here is that we emit code that cages code pointers to the JIT region so that JIT execution does not escape to not-JIT'ed regions except to known destinations.  For functions that the JIT'ed code needs to call out to in C++ code space, provide a whitelist of allowable entry points.  Finally, verify that the emitted instructions follow the designed restrictions.

This change is currently only implemented for ARM64 hardware.
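As an added illustration of the two mechanisms the description names (this is not code from the patch or from JSC; the region base and size, the entry-point addresses and the branch-target list are constructed placeholders): caging forces any code pointer into the JIT region by masking, while calls out to C++ are only accepted against an allowlist of entry points, and an emit-time verifier checks every branch target against those two rules.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a JIT region: power-of-two sized and size-aligned,
 * so "inside the region" is a fixed high-bit pattern. Not JSC's real layout. */
#define JIT_REGION_SIZE  ((uintptr_t)1 << 30)             /* 1 GiB */
#define JIT_REGION_MASK  (JIT_REGION_SIZE - 1)
#define JIT_REGION_BASE  ((uintptr_t)0x0000200000000000ULL) /* placeholder */

/* Cage a code pointer: keep only the in-region offset bits and force the
 * high bits to the region base. A corrupted pointer cannot escape the region;
 * it can only land somewhere inside it. A valid pointer is left unchanged. */
static inline uintptr_t cage_jit_pointer(uintptr_t p) {
    return JIT_REGION_BASE | (p & JIT_REGION_MASK);
}

static inline bool in_jit_region(uintptr_t p) {
    return (p & ~JIT_REGION_MASK) == JIT_REGION_BASE;
}

/* Constructed allowlist of C++ entry points JIT'ed code may call out to.
 * Kept sorted ascending so the lookup is a binary search. Placeholder values. */
static const uintptr_t allowed_cpp_entries[] = {
    0x0000100000001000ULL,   /* e.g. a slow-path thunk */
    0x0000100000002340ULL,   /* e.g. an operation helper */
    0x0000100000009f80ULL,   /* e.g. the exception handler */
};

bool is_allowed_cpp_entry(uintptr_t target) {
    size_t lo = 0, hi = sizeof allowed_cpp_entries / sizeof allowed_cpp_entries[0];
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (allowed_cpp_entries[mid] == target) return true;
        if (allowed_cpp_entries[mid] < target) lo = mid + 1; else hi = mid;
    }
    return false;
}

/* Emit-time check over the targets of all branches the JIT produced:
 * each must either stay in the JIT region or hit an allowlisted C++ entry.
 * Returns false on the first target that violates the restriction. */
bool verify_emitted_branches(const uintptr_t *targets, size_t count) {
    for (size_t i = 0; i < count; i++) {
        uintptr_t t = targets[i];
        if (!in_jit_region(t) && !is_allowed_cpp_entry(t)) return false;
    }
    return true;
}
```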
Comment 1 Michael Saboff 2020-03-05 15:54:38 PST
<rdar://problem/56044895>
Comment 2 Michael Saboff 2020-03-05 17:03:36 PST
Created attachment 392652 [details]
Draft patch

This patch does not build for non-ARM64 platforms.  It also doesn't generate the WebKit and WebCore whitelists.
Comment 3 Michael Saboff 2020-09-22 20:18:16 PDT
Created attachment 409448 [details]
Work in progress patch