| Field | Value |
|---|---|
| Summary: | Use address diversified PAC to ensure the integrity of opcode maps. |
| Product: | WebKit |
| Component: | JavaScriptCore |
| Reporter: | Mark Lam <mark.lam> |
| Assignee: | Mark Lam <mark.lam> |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| Priority: | P2 |
| Keywords: | InRadar |
| CC: | ews-watchlist, keith_miller, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki |
| Version: | WebKit Nightly Build |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Attachments: | 413403: proposed patch |
Description
Mark Lam, 2020-11-05 21:05:56 PST

Created attachment 413403: proposed patch.
The following LLInt asm:
macro nextInstruction()
loadb [PB, PC, 1], t0 // line 331 or 332
leap _g_opcodeMap, t1
jmp [t1, t0, PtrSize], BytecodePtrTag, AddressDiversified // line 333 or 334
end
... used to compile to:
// JavaScriptCore/llint/LowLevelInterpreter.asm:331
"\tadd x16, x26, x4, lsl #0\n"
"\tldrb w0, [x16, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:331
#if OS(DARWIN)
"\tL_offlineasm_loh_adrp_7:\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:1
"\tadrp x16, " LOCAL_REFERENCE(g_config) "@GOTPAGE\n"
"\tL_offlineasm_loh_ldr_7:\n"
"\tldr x16, [x16, " LOCAL_REFERENCE(g_config) "@GOTPAGEOFF]\n"
#elif OS(LINUX)
"\tadrp x16, :got:" LOCAL_REFERENCE(g_config) "\n"
"\tldr x16, [x16, :got_lo12:" LOCAL_REFERENCE(g_config) "]\n"
#else
#error Missing globaladdr implementation
#endif
"\tadd x1, x16, #2848\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:1
"\tmovz x16, #6578, lsl #0\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:333
"\tadd x13, x1, x0, lsl #3\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:333
"\tldr x17, [x13, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:333
"\tmov x13, x16\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:333
"\tbrab x17, x13\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:333
... now compiles to:
"\tadd x13, x26, x4, lsl #0\n"
"\tldrb w0, [x13, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:332
#if OS(DARWIN)
"\tL_offlineasm_loh_adrp_8:\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:1
"\tadrp x1, " LOCAL_REFERENCE(g_opcodeMap) "@GOTPAGE\n"
"\tL_offlineasm_loh_ldr_8:\n"
"\tldr x1, [x1, " LOCAL_REFERENCE(g_opcodeMap) "@GOTPAGEOFF]\n"
#elif OS(LINUX)
"\tadrp x1, :got:" LOCAL_REFERENCE(g_opcodeMap) "\n"
"\tldr x1, [x1, :got_lo12:" LOCAL_REFERENCE(g_opcodeMap) "]\n"
#else
#error Missing globaladdr implementation
#endif
"\tadd x13, x1, x0, lsl #3\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:334
"\tldr x17, [x13, #0]\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:334
"\tmovz x16, #6578, lsl #48\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:334
"\teor x16, x16, x13\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:334
"\tbrab x17, x16\n" // JavaScriptCore/llint/LowLevelInterpreter.asm:334
Comment on attachment 413403: proposed patch.
View in context: https://bugs.webkit.org/attachment.cgi?id=413403&action=review

r=me

> Source/JavaScriptCore/ChangeLog:13
> +

Yes. For example, we need to add a bunch more wasm opcodes. And this soon exceeds the size of JSC::Config even on macOS. And increasing this size immediately becomes a 1% regression in RAMification.

Committed r269511: <https://trac.webkit.org/changeset/269511>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 413403.
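The security-relevant difference between the two listings in the description is the modifier fed to `brab`. The old code materialises the constant `6578` (`movz x16, #6578, lsl #0`) and authenticates every opcode handler against that same value, so a validly signed handler pointer copied from any slot of the map authenticates in any other slot. The new code shifts the tag into the top 16 bits and XORs in the address of the slot being loaded (`movz x16, #6578, lsl #48; eor x16, x16, x13`, where x13 is `g_opcodeMap + opcode*8`), so an entry only authenticates at the slot it was signed for; the map also moves out of `g_config` into its own global `g_opcodeMap`. The following is an added example, not WebKit code: a software model of both schemes that runs on any machine. The "PAC" is a constructed keyed mix (`mix64`, `kToyPacKey`) standing in for the hardware algorithm and key, the PAC is kept beside the pointer instead of packed into its upper bits, and the two handler addresses are constructed values. The slot-address modifier is computed exactly as the new asm does it.

```c
// Added example: software model of constant vs. address-diversified PAC for an
// opcode map. Real arm64e uses the hardware PAC with a per-process key; the
// mix below is a constructed stand-in so the example runs anywhere.
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

// Constructed stand-in for the per-process PAC key (not a real key).
static const uint64_t kToyPacKey = 0x243F6A8885A308D3ull;

// BytecodePtrTag as it appears in the listing: movz x16, #6578.
#define BYTECODE_PTR_TAG 6578ull

// splitmix64 finalizer: every step is invertible, so this is a bijection on
// uint64_t and two different inputs never produce the same output. That is
// what makes the swap test below exact instead of probabilistic.
static uint64_t mix64(uint64_t z) {
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ull;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBull;
    return z ^ (z >> 31);
}

// Model of a signed pointer. Hardware packs the PAC into the unused upper
// address bits; keeping it beside the pointer here avoids truncating the tag.
typedef struct { uint64_t ptr; uint64_t pac; } SignedPtr;

// pacib-style sign: PAC = f(key, pointer, modifier).
static SignedPtr pac_sign(uint64_t ptr, uint64_t modifier) {
    SignedPtr s = { ptr, mix64(ptr ^ mix64(modifier ^ kToyPacKey)) };
    return s;
}

// brab-style authenticate: recompute the PAC with the *caller's* modifier.
// A mismatch is what faults on hardware; here it returns false.
static bool pac_auth(SignedPtr s, uint64_t modifier, uint64_t* out) {
    if (mix64(s.ptr ^ mix64(modifier ^ kToyPacKey)) != s.pac)
        return false;
    *out = s.ptr;
    return true;
}

// Old scheme (LowLevelInterpreter.asm:333): one constant modifier for every slot.
static uint64_t constant_modifier(const SignedPtr* slot) {
    (void)slot;
    return BYTECODE_PTR_TAG;                      // movz x16, #6578, lsl #0
}

// New scheme (LowLevelInterpreter.asm:334): tag in the top 16 bits, XORed with
// the address of the map slot that is being loaded.
static uint64_t diversified_modifier(const SignedPtr* slot) {
    return (BYTECODE_PTR_TAG << 48)               // movz x16, #6578, lsl #48
         ^ (uint64_t)(uintptr_t)slot;             // eor  x16, x16, x13
}

// Attacker model: an arbitrary-write primitive but no signing gadget. They copy
// the validly signed entry for opcode B over the entry for opcode A and wait
// for the interpreter to dispatch opcode A. Returns true if that dispatch
// authenticates, i.e. the attack redirected control.
static bool swap_attack_succeeds(bool address_diversified) {
    uint64_t (*modifier)(const SignedPtr*) =
        address_diversified ? diversified_modifier : constant_modifier;

    // Constructed handler addresses standing in for two LLInt opcode handlers.
    const uint64_t handlerA = 0x0000000104A0C000ull;
    const uint64_t handlerB = 0x0000000104A0C8E0ull;

    // Local array modelling the global g_opcodeMap; entries are signed with
    // the modifier of the slot they live in, as the runtime does at init.
    SignedPtr g_opcodeMap[2];
    g_opcodeMap[0] = pac_sign(handlerA, modifier(&g_opcodeMap[0]));
    g_opcodeMap[1] = pac_sign(handlerB, modifier(&g_opcodeMap[1]));

    // Attacker's write: move B's signed entry into A's slot.
    g_opcodeMap[0] = g_opcodeMap[1];

    // Dispatch of opcode A: `ldr x17, [x13]` then `brab x17, <modifier for slot 0>`.
    uint64_t target = 0;
    bool ok = pac_auth(g_opcodeMap[0], modifier(&g_opcodeMap[0]), &target);
    return ok && target == handlerB;
}

// Sanity check of the model: a pointer authenticates under the modifier it was
// signed with and under no other.
static bool roundtrip_ok(void) {
    uint64_t out = 0;
    SignedPtr s = pac_sign(0x0000000104A0C000ull, BYTECODE_PTR_TAG);
    return pac_auth(s, BYTECODE_PTR_TAG, &out) && out == 0x0000000104A0C000ull
        && !pac_auth(s, BYTECODE_PTR_TAG + 1, &out);
}

int main(void) {
    printf("constant modifier:   slot swap %s\n",
           swap_attack_succeeds(false) ? "authenticates (attack works)" : "faults");
    printf("address diversified: slot swap %s\n",
           swap_attack_succeeds(true) ? "authenticates (attack works)" : "faults");
    return 0;
}
```

With the constant modifier the swapped entry authenticates, because the signature never depended on where in the map the pointer sat. With the slot address folded in, the same entry fails at any slot other than its own, so an attacker with only a write primitive cannot re-route a bytecode to a different handler without also being able to sign. The model says nothing about an attacker who can reach a signing routine, or who can corrupt the map before it is signed; those are outside what the asm change addresses.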