Changeset 270686 in webkit
- Timestamp:
- Dec 11, 2020 10:49:31 AM (3 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 10 edited
trunk/Source/JavaScriptCore/ChangeLog
r270665 r270686 1 2020-12-11 Mark Lam <mark.lam@apple.com> 2 3 Add extra validation after untagging code pointers. 4 https://bugs.webkit.org/show_bug.cgi?id=219765 5 rdar://72069920 6 7 Reviewed by Robin Morisset. 8 9 * assembler/AbstractMacroAssembler.h: 10 (JSC::AbstractMacroAssembler::untagReturnAddress): 11 (JSC::AbstractMacroAssembler::validateUntaggedPtr): 12 * assembler/MacroAssemblerARM64E.h: 13 (JSC::MacroAssemblerARM64E::untagReturnAddress): 14 (JSC::MacroAssemblerARM64E::validateUntaggedPtr): 15 * dfg/DFGOSRExitCompilerCommon.cpp: 16 (JSC::DFG::reifyInlinedCallFrames): 17 * ftl/FTLThunks.cpp: 18 (JSC::FTL::genericGenerationThunkGenerator): 19 * jit/CCallHelpers.h: 20 (JSC::CCallHelpers::prepareForTailCallSlow): 21 * jit/CallFrameShuffler.cpp: 22 (JSC::CallFrameShuffler::prepareForTailCall): 23 * jit/ThunkGenerators.cpp: 24 (JSC::emitPointerValidation): 25 (JSC::arityFixupGenerator): 26 * llint/LLIntThunks.cpp: 27 (JSC::LLInt::createTailCallGate): 28 (JSC::LLInt::untagGateThunk): 29 * wasm/js/WebAssemblyFunction.cpp: 30 (JSC::WebAssemblyFunction::jsCallEntrypointSlow): 31 1 32 2020-12-10 Tadeu Zagallo <tzagallo@apple.com> 2 33 -
trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h
r270377 r270686 1 1 /* 2 * Copyright (C) 2008-20 18Apple Inc. All rights reserved.2 * Copyright (C) 2008-2020 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 995 995 996 996 ALWAYS_INLINE void tagReturnAddress() { } 997 ALWAYS_INLINE void untagReturnAddress( ) { }997 ALWAYS_INLINE void untagReturnAddress(RegisterID = RegisterID::InvalidGPRReg) { } 998 998 999 999 ALWAYS_INLINE void tagPtr(PtrTag, RegisterID) { } … … 1002 1002 ALWAYS_INLINE void untagPtr(RegisterID, RegisterID) { } 1003 1003 ALWAYS_INLINE void removePtrTag(RegisterID) { } 1004 ALWAYS_INLINE void validateUntaggedPtr(RegisterID, RegisterID = RegisterID::InvalidGPRReg) { } 1004 1005 1005 1006 protected: -
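Review bot: The new no-op stubs `untagReturnAddress(RegisterID = RegisterID::InvalidGPRReg)` and `validateUntaggedPtr(RegisterID, RegisterID = RegisterID::InvalidGPRReg)` carry no comment stating the contract the ARM64E overrides implement, so a reader of this generic header cannot tell what the second register is for or why it may be safely left at its default. Suggest a comment above `validateUntaggedPtr`: `// Non-PAC targets: nothing to check. Pointer-authenticating targets dereference the untagged pointer here so a failed authentication faults immediately; the second register is a scratch the implementation may clobber.` A matching one-liner on `untagReturnAddress` explaining that the optional register is forwarded as that scratch would complete the picture.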
trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
r270214 r270686 1 1 /* 2 * Copyright (C) 2018-20 19Apple Inc. All rights reserved.2 * Copyright (C) 2018-2020 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 51 51 } 52 52 53 ALWAYS_INLINE void untagReturnAddress( )53 ALWAYS_INLINE void untagReturnAddress(RegisterID scratch = InvalidGPR) 54 54 { 55 55 untagPtr(ARM64Registers::sp, ARM64Registers::lr); 56 validateUntaggedPtr(ARM64Registers::lr, scratch); 56 57 } 57 58 … … 77 78 move(TrustedImm64(tag), tagGPR); 78 79 m_assembler.autib(target, tagGPR); 80 } 81 82 ALWAYS_INLINE void validateUntaggedPtr(RegisterID target, RegisterID scratch = InvalidGPR) 83 { 84 if (scratch == InvalidGPR) 85 scratch = getCachedDataTempRegisterIDAndInvalidate(); 86 load8(Address(target), scratch); 79 87 } 80 88 -
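Review bot: `validateUntaggedPtr` has no comment explaining why a `load8(Address(target), scratch)` whose result is never read constitutes validation, which without context reads like dead code a later cleanup could remove. Suggest documenting above the function that the load exists only to dereference the freshly authenticated pointer so that an unsuccessful `autib` faults at this point rather than when the pointer is later jumped through, and that `scratch` is overwritten with the loaded byte — `emitPointerValidation` in ThunkGenerators.cpp relies on this by passing `target` as its own scratch and saving/restoring around the call. The fallback to `getCachedDataTempRegisterIDAndInvalidate()` when `scratch == InvalidGPR` also deserves a line, since `untagReturnAddress` now triggers it by default and it invalidates the cached temp for any caller that was relying on it. The check presumably assumes the untagged value points at readable memory; that assumption is worth stating next to the load.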
trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
r269349 r270686 285 285 jit.untagPtr(GPRInfo::regT2, GPRInfo::regT3); 286 286 jit.addPtr(AssemblyHelpers::TrustedImm32(inlineCallFrame->returnPCOffset() + sizeof(void*)), GPRInfo::callFrameRegister, GPRInfo::regT2); 287 jit.validateUntaggedPtr(GPRInfo::regT3, GPRInfo::nonArgGPR0); 287 288 jit.tagPtr(GPRInfo::regT2, GPRInfo::regT3); 288 289 #endif -
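Review bot: The inserted `jit.validateUntaggedPtr(GPRInfo::regT3, GPRInfo::nonArgGPR0)` sits between the `addPtr` that computes the new return-PC slot in regT2 and the `tagPtr` that re-signs regT3, with nothing saying why it must come before the re-tag; the same undocumented placement appears in FTLThunks.cpp, CCallHelpers.h, CallFrameShuffler.cpp, ThunkGenerators.cpp and LLIntThunks.cpp. A short comment at each site, e.g. `// Fault now if the untag failed, before the pointer is re-signed or jumped through.`, would keep the hardening intent visible to future edits that reorder these lines. Using `nonArgGPR0` as scratch clobbers it here; `reifyInlinedCallFrames` starts and ends outside the hunk, so whether that register is live afterwards cannot be confirmed from this view.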
trunk/Source/JavaScriptCore/ftl/FTLThunks.cpp
r261755 r270686 1 1 /* 2 * Copyright (C) 2013-20 19Apple Inc. All rights reserved.2 * Copyright (C) 2013-2020 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 118 118 #if CPU(ARM64E) 119 119 jit.untagPtr(resultTag, AssemblyHelpers::linkRegister); 120 jit.validateUntaggedPtr(AssemblyHelpers::linkRegister); 120 121 jit.tagReturnAddress(); 121 122 #else -
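Review bot: `jit.validateUntaggedPtr(AssemblyHelpers::linkRegister)` passes no scratch, so on ARM64E the implementation falls back to the cached data temp register and invalidates it; the same implicit clobber occurs at the `m_jit.validateUntaggedPtr(MacroAssembler::linkRegister)` call in CallFrameShuffler.cpp. Passing an explicit scratch, or adding `// clobbers and invalidates the cached data temp register`, would make the side effect visible at the call site instead of hidden in the assembler. `genericGenerationThunkGenerator` continues outside the hunk, so whether the data temp is relied upon afterwards cannot be checked here.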
trunk/Source/JavaScriptCore/jit/CCallHelpers.h
r261797 r270686 1 1 /* 2 * Copyright (C) 2011-20 19Apple Inc. All rights reserved.2 * Copyright (C) 2011-2020 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 783 783 addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), MacroAssembler::framePointerRegister, tempGPR); 784 784 untagPtr(tempGPR, linkRegister); 785 validateUntaggedPtr(linkRegister, tempGPR); 785 786 #endif 786 787 #elif CPU(MIPS) -
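Review bot: After `validateUntaggedPtr(linkRegister, tempGPR)` tempGPR no longer holds the computed frame address but the byte loaded from the return address, a consequence of the helper's scratch semantics that the call site does not mention; the same pattern follows `jit.validateUntaggedPtr(ARM64Registers::lr, GPRInfo::argumentGPR2)` in LLIntThunks.cpp and `jit.untagReturnAddress(scratchGPR)` in WebAssemblyFunction.cpp. If tempGPR (or argumentGPR2, or scratchGPR) is reused after the validation, this is a behavioural change introduced by the commit; `prepareForTailCallSlow` continues outside the hunk so this can only be flagged, not confirmed. A comment `// tempGPR is clobbered by the validation load` at each site, or recomputing the value afterwards where it is needed, would settle it.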
trunk/Source/JavaScriptCore/jit/CallFrameShuffler.cpp
r254735 r270686 1 1 /* 2 * Copyright (C) 2015-20 19Apple Inc. All rights reserved.2 * Copyright (C) 2015-2020 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 447 447 m_jit.untagPtr(MacroAssembler::framePointerRegister, MacroAssembler::linkRegister); 448 448 m_jit.subPtr(MacroAssembler::TrustedImm32(sizeof(CallerFrameAndPC)), MacroAssembler::framePointerRegister); 449 m_jit.validateUntaggedPtr(MacroAssembler::linkRegister); 449 450 #endif 450 451 -
trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp
r269349 r270686 51 51 jit.pushToSave(pointerGPR); 52 52 jit.untagPtr(tag, pointerGPR); 53 jit. load8(pointerGPR, pointerGPR);53 jit.validateUntaggedPtr(pointerGPR, pointerGPR); 54 54 jit.popToRestore(pointerGPR); 55 55 } … … 397 397 jit.addPtr(JSInterfaceJIT::TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::callFrameRegister, extraTemp); 398 398 jit.untagPtr(extraTemp, GPRInfo::regT3); 399 jit.validateUntaggedPtr(GPRInfo::regT3, extraTemp); 399 400 PtrTag tempReturnPCTag = static_cast<PtrTag>(random()); 400 401 jit.move(JSInterfaceJIT::TrustedImmPtr(tempReturnPCTag), extraTemp); … … 453 454 jit.move(JSInterfaceJIT::TrustedImmPtr(tempReturnPCTag), extraTemp); 454 455 jit.untagPtr(extraTemp, GPRInfo::regT3); 456 jit.validateUntaggedPtr(GPRInfo::regT3, extraTemp); 455 457 jit.addPtr(JSInterfaceJIT::TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::callFrameRegister, extraTemp); 456 458 jit.tagPtr(extraTemp, GPRInfo::regT3); -
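Review bot: `emitPointerValidation` now passes `pointerGPR` as both target and scratch to `validateUntaggedPtr`, so the pointer is overwritten by the loaded byte and only the surrounding `pushToSave`/`popToRestore` pair keeps the caller's register intact; that dependency deserves `// validation clobbers pointerGPR; restored by popToRestore below` so the save/restore is not dropped as unnecessary. In `arityFixupGenerator`, the second validation after `untagPtr(extraTemp, GPRInfo::regT3)` re-checks a pointer the same generator signed with `tempReturnPCTag` a few instructions earlier; a comment stating that this re-check is intentional would stop a future cleanup from removing it as redundant.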
trunk/Source/JavaScriptCore/llint/LLIntThunks.cpp
r269349 r270686 1 1 /* 2 * Copyright (C) 2012-20 18Apple Inc. All rights reserved.2 * Copyright (C) 2012-2020 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 374 374 375 375 jit.untagPtr(GPRInfo::argumentGPR2, ARM64Registers::lr); 376 jit.validateUntaggedPtr(ARM64Registers::lr, GPRInfo::argumentGPR2); 376 377 jit.farJump(GPRInfo::regT0, tag); 377 378 … … 478 479 jit.addPtr(CCallHelpers::TrustedImm32(16), GPRInfo::callFrameRegister, GPRInfo::regT3); 479 480 jit.untagPtr(GPRInfo::regT3, ARM64Registers::lr); 481 jit.validateUntaggedPtr(ARM64Registers::lr, GPRInfo::regT3); 480 482 jit.move(CCallHelpers::TrustedImmPtr(pointer), GPRInfo::regT3); 481 483 jit.farJump(GPRInfo::regT3, OperationPtrTag); -
trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
r269974 r270686 1 1 /* 2 * Copyright (C) 2016-20 19Apple Inc. All rights reserved.2 * Copyright (C) 2016-2020 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 417 417 jit.emitFunctionEpilogue(); 418 418 #if CPU(ARM64E) 419 jit.untagReturnAddress( );419 jit.untagReturnAddress(scratchGPR); 420 420 #endif 421 421 auto jumpToHostCallThunk = jit.jump();