Changeset 260223 in webkit

Timestamp:

Apr 16, 2020 3:35:23 PM (4 years ago)

Author:

mark.lam@apple.com

Message:

[Re-landing] Use more PAC diversity for JIT probe code.
​https://bugs.webkit.org/show_bug.cgi?id=210252
<rdar://problem/54490367>

Reviewed by Keith Miller.

Introducing new PtrTags:

JITProbePtrTag - for the client probe function.
JITProbeTrampolinePtrTag - for calling the ctiMasmProbeTrampoline.
JITProbeExecutorPtrTag - for calling the probe executor.

Currently, this is only the Probe::executeProbe().

JITProbeStackInitializationFunctionPtrTag - for calling the optional stack

initialization function that the client probe function may set.

We'll now use these in the JIT probe mechanism instead of adopting the default
CFunctionPtrTag.

Fixed an assert in MacroAssemblerARM64.cpp which does not apply to non ARM64E
builds.

• assembler/MacroAssembler.cpp:

(JSC::MacroAssembler::probe):

• assembler/MacroAssemblerARM64.cpp:

(JSC::MacroAssembler::probe):

• assembler/MacroAssemblerPrinter.h:

(JSC::MacroAssembler::print):

• assembler/ProbeContext.h:
• runtime/JSCPtrTag.h:
• tools/JSDollarVM.cpp:

(JSC::callWithStackSizeProbeFunction):

• wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):

• wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• assembler/MacroAssembler.cpp (modified) (2 diffs)
• assembler/MacroAssemblerARM64.cpp (modified) (6 diffs)
• assembler/MacroAssemblerPrinter.h (modified) (2 diffs)
• assembler/ProbeContext.h (modified) (1 diff)
• runtime/JSCPtrTag.h (modified) (1 diff)
• tools/JSDollarVM.cpp (modified) (2 diffs)
• wasm/WasmAirIRGenerator.cpp (modified) (2 diffs)
• wasm/WasmB3IRGenerator.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-04-16  Mark Lam  <mark.lam@apple.com>
+
+        [Re-landing] Use more PAC diversity for JIT probe code.
+        https://bugs.webkit.org/show_bug.cgi?id=210252
+        <rdar://problem/54490367>
+
+        Reviewed by Keith Miller.
+
+        Introducing new PtrTags:
+            JITProbePtrTag - for the client probe function.
+            JITProbeTrampolinePtrTag - for calling the ctiMasmProbeTrampoline.
+            JITProbeExecutorPtrTag - for calling the probe executor.
+                Currently, this is only the Probe::executeProbe().
+            JITProbeStackInitializationFunctionPtrTag - for calling the optional stack
+                initialization function that the client probe function may set.
+
+        We'll now use these in the JIT probe mechanism instead of adopting the default
+        CFunctionPtrTag.
+
+        Fixed an assert in MacroAssemblerARM64.cpp which does not apply to non ARM64E
+        builds.
+
+        * assembler/MacroAssembler.cpp:
+        (JSC::MacroAssembler::probe):
+        * assembler/MacroAssemblerARM64.cpp:
+        (JSC::MacroAssembler::probe):
+        * assembler/MacroAssemblerPrinter.h:
+        (JSC::MacroAssembler::print):
+        * assembler/ProbeContext.h:
+        * runtime/JSCPtrTag.h:
+        * tools/JSDollarVM.cpp:
+        (JSC::callWithStackSizeProbeFunction):
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
+
 2020-04-16  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/assembler/MacroAssembler.cpp

@@ -29 +29 @@
 #if ENABLE(ASSEMBLER)
 
+#include "JSCPtrTag.h"
 #include "Options.h"
 #include "ProbeContext.h"
@@ -56 +57 @@
 void MacroAssembler::probe(Function<void(Probe::Context&)> func)
 {
-    probe(stdFunctionCallback, new Function<void(Probe::Context&)>(WTFMove(func)));
+    probe(tagCFunction<JITProbePtrTag>(stdFunctionCallback), new Function<void(Probe::Context&)>(WTFMove(func)));
 }
+
 #endif // ENABLE(MASM_PROBE)
 

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.cpp

@@ -29 +29 @@
 #include "MacroAssembler.h"
 
+#include "JSCPtrTag.h"
 #include "ProbeContext.h"
 #include <wtf/InlineASM.h>
@@ -298 +299 @@
 static_assert(!(sizeof(LRRestorationRecord) & 0xf), "LRRestorationRecord must be 16-byte aligned");
 
+#if CPU(ARM64E)
+#define JIT_PROBE_EXECUTOR_PTR_TAG 0x28de
+#define JIT_PROBE_STACK_INITIALIZATION_FUNCTION_PTR_TAG 0x315c
+static_assert(JIT_PROBE_EXECUTOR_PTR_TAG == JITProbeExecutorPtrTag);
+static_assert(JIT_PROBE_STACK_INITIALIZATION_FUNCTION_PTR_TAG == JITProbeStackInitializationFunctionPtrTag);
+#endif
+
 // We use x29 and x30 instead of fp and lr because GCC's inline assembler does not recognize fp and lr.
 // See https://bugs.webkit.org/show_bug.cgi?id=175512 for details.
@@ -383 +391 @@
     "mov       x0, sp" "\n" // Set the Probe::State* arg.
 #if CPU(ARM64E)
-    "blraaz    x28" "\n" // Call the probe handler.
+    "movz      lr, #" STRINGIZE_VALUE_OF(JIT_PROBE_EXECUTOR_PTR_TAG) "\n"
+    "blrab     x28, lr" "\n" // Call the probe handler.
 #else
     "blr       x28" "\n" // Call the probe handler.
@@ -423 +432 @@
     "mov       x0, x27" "\n" // Set the Probe::State* arg.
 #if CPU(ARM64E)
-    "blraaz    x2" "\n" // Call the initializeStackFunction (loaded into x2 above).
+    "movz      lr, #" STRINGIZE_VALUE_OF(JIT_PROBE_STACK_INITIALIZATION_FUNCTION_PTR_TAG) "\n"
+    "blrab     x2, lr" "\n" // Call the initializeStackFunction (loaded into x2 above).all the probe handler.
 #else
     "blr       x2" "\n" // Call the initializeStackFunction (loaded into x2 above).
@@ -532 +542 @@
     storePair64(x26, x27, sp, TrustedImm32(offsetof(IncomingProbeRecord, x26)));
     storePair64(x28, x30, sp, TrustedImm32(offsetof(IncomingProbeRecord, x28))); // Note: x30 is lr.
-    move(TrustedImmPtr(reinterpret_cast<void*>(ctiMasmProbeTrampoline)), x26);
-    move(TrustedImmPtr(reinterpret_cast<void*>(Probe::executeProbe)), x28);
+    move(TrustedImmPtr(tagCFunction<JITProbeTrampolinePtrTag>(ctiMasmProbeTrampoline)), x26);
+    move(TrustedImmPtr(tagCFunction<JITProbeExecutorPtrTag>(Probe::executeProbe)), x28);
+#if CPU(ARM64E)
+    ASSERT(isTaggedWith(function, JITProbePtrTag));
+#endif
     move(TrustedImmPtr(reinterpret_cast<void*>(function)), x24);
     move(TrustedImmPtr(arg), x25);
-    call(x26, CFunctionPtrTag);
+    call(x26, JITProbeTrampolinePtrTag);
 
     // ctiMasmProbeTrampoline should have restored every register except for lr and the sp.
@@ -578 +591 @@
 
 #endif // ENABLE(ASSEMBLER) && CPU(ARM64)
-

trunk/Source/JavaScriptCore/assembler/MacroAssemblerPrinter.h

@@ -26 +26 @@
 #pragma once
 
+#include "JSCPtrTag.h"
 #include "MacroAssembler.h"
 #include "Printer.h"
@@ -233 +234 @@
 {
     auto printRecordList = Printer::makePrintRecordList(std::forward<Arguments>(arguments)...);
-    probe(Printer::printCallback, printRecordList);
+    probe(tagCFunction<JITProbePtrTag>(Printer::printCallback), printRecordList);
 }
 
 inline void MacroAssembler::print(Printer::PrintRecordList* printRecordList)
 {
-    probe(Printer::printCallback, printRecordList);
+    probe(tagCFunction<JITProbePtrTag>(Printer::printCallback), printRecordList);
 }
 

trunk/Source/JavaScriptCore/assembler/ProbeContext.h

@@ -176 +176 @@
 typedef void (*StackInitializationFunction)(State*);
 
+#if CPU(ARM64E)
+#define PROBE_FUNCTION_PTRAUTH __ptrauth(ptrauth_key_process_dependent_code, 0, JITProbePtrTag)
+#define PROBE_STACK_INITIALIZATION_FUNCTION_PTRAUTH __ptrauth(ptrauth_key_process_dependent_code, 0, JITProbeStackInitializationFunctionPtrTag)
+#else
+#define PROBE_FUNCTION_PTRAUTH
+#define PROBE_STACK_INITIALIZATION_FUNCTION_PTRAUTH
+#endif
+
 struct State {
-    Probe::Function probeFunction;
+    Probe::Function PROBE_FUNCTION_PTRAUTH probeFunction;
     void* arg;
-    StackInitializationFunction initializeStackFunction;
+    StackInitializationFunction PROBE_STACK_INITIALIZATION_FUNCTION_PTRAUTH initializeStackFunction;
     void* initializeStackArg;
     CPUState cpu;

trunk/Source/JavaScriptCore/runtime/JSCPtrTag.h

@@ -40 +40 @@
     v(ExceptionHandlerPtrTag) \
     v(ExecutableMemoryPtrTag) \
+    v(JITProbePtrTag) \
+    v(JITProbeTrampolinePtrTag) \
+    v(JITProbeExecutorPtrTag) \
+    v(JITProbeStackInitializationFunctionPtrTag) \
     v(JITThunkPtrTag) \
     v(JITStubRoutinePtrTag) \

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -2137 +2137 @@
 {
     JSGlobalObject* globalObject = bitwise_cast<JSGlobalObject*>(state->arg);
-    JSFunction* function = bitwise_cast<JSFunction*>(state->probeFunction);
+    // The bits loaded from state->probeFunction will be tagged like
+    // a C function. So, we'll need to untag it to extract the bits
+    // for the JSFunction*.
+    JSFunction* function = bitwise_cast<JSFunction*>(untagCodePtr<CFunctionPtrTag>(state->probeFunction));
     state->initializeStackFunction = nullptr;
     state->initializeStackArg = nullptr;

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2019-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -1827 +1827 @@
             tierUp.link(&jit);
 
-            jit.probe(operationWasmTriggerOSREntryNow, osrEntryDataPtr);
+            jit.probe(tagCFunction<JITProbePtrTag>(operationWasmTriggerOSREntryNow), osrEntryDataPtr);
             jit.branchTestPtr(CCallHelpers::Zero, GPRInfo::argumentGPR0).linkTo(tierUpResume, &jit);
             jit.farJump(GPRInfo::argumentGPR1, WasmEntryPtrTag);

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -1339 +1339 @@
             tierUp.link(&jit);
 
-            jit.probe(operationWasmTriggerOSREntryNow, osrEntryDataPtr);
+            jit.probe(tagCFunction<JITProbePtrTag>(operationWasmTriggerOSREntryNow), osrEntryDataPtr);
             jit.branchTestPtr(CCallHelpers::Zero, GPRInfo::argumentGPR0).linkTo(tierUpResume, &jit);
             jit.farJump(GPRInfo::argumentGPR1, WasmEntryPtrTag);