Changeset 294287 in webkit

Timestamp:

May 16, 2022, 10:21:53 PM (3 years ago)

Author:

mark.lam@apple.com

Message:

Add ARM64 disassembler support for symbolic dumping of some well known constants.
​https://bugs.webkit.org/show_bug.cgi?id=240443

Reviewed by Yusuke Suzuki.

Source/JavaScriptCore:

1. Added a Options::needDisassemblySupport() option. This option is true if any of the JSC disassembly options are enabled. This allows us to trivially check if we need to enable additional infrastructure (like those added in this patch) to support disassembly.

2. Refactor the Disassembler's thunkLabelMap into a more generic labelMap. It can now map a pointer to a CString or a const char* label.

3. Enable JITOperationList infrastructure when ENABLE(JIT_OPERATION_DISASSEMBLY) is true. This adds a name to the JITOperationAnnotation record. Since this is guarded by ENABLE(JIT_OPERATION_DISASSEMBLY), we can trivially turn this part off later if adding this name adds too much size burden (or if any unexpected issues arise). Turning this off will only disable disassembly of JIT operation names. Disassembly of other constants (see below) will still be supported.

If Options::needDisassemblySupport() is true, the JITOperationList will
register all JIT operations (and the LLInt ones as well) with the Disassembler
labelMap.

4. Removed the < > brackets around branch target labels except for internal pc index labels (e.g. <716>) and <unknown> (when we don't know what the branch target is). The < > notation takes up space and doesn't add any info. The branch targets now look like this:

<32> 0x1180102c0: b.ne 0x1180101c0 -> thunk: native Tail With Saved Tags Call trampoline
<92> 0x11801c87c: b 0x118008980 -> thunk: LLInt function for call jump to prologue thunk

<3508> 0x1198e16b4: b 0x1198bc1a0 -> JIT PC

Internal pc index labels will still use the < > brackets:

<3476> 0x1198e1694: b.eq 0x1198e16a0 -> <3488>

5. Added ARM64 disassembler support to compute the value of a constant being loaded into a register using "MoveWide" instructions e.g. movz and movk.

When the disassembler sees a movz or movn or mov (of the MoveWide variety),
the disassembler initializes a m_builtConstant value. With each subsequent
movk instruction with the same destination register, the disassembler splices
in the corresponding 16-bit immediate.

After disassembling a MoveWide instruction, it will check if the next
instruction is also a MoveWide instruction targeting the same destination
register. If so, the constant is still being build: hence, it does nothing and
continues.

If the next instruction is (a) a MoveWide instruction targeting a different
register, (b) not a MoveWide instruction, or (c) we've reached the end of the
LinkBuffer (i.e. there's no next instruction), then the constant building for
the current target register is complete.

6. Added ARM64 disassembler support for looking up constants (built in (5) above) and printing symbolic info / names of those constants.

With ENABLE(JIT_OPERATION_DISASSEMBLY), we now have JIT operation names e.g.

<176> 0x118010270: movk x3, #0x9f6e, lsl #48 -> 0x102dc8950 operationVMHandleException
<164> 0x1180180a4: movk x8, #0xe5c, lsl #48 -> 0x102db9420 operationVirtualCall

Apart from looking up the constant in the Disassembler labelMap, it also looks
up some commonly used constants e.g.

1. VM pointers:

<156> 0x11801105c: movk x0, #0x1, lsl #32 -> 0x139435000 vm

2. Some VM internal pointers (more can be added later as needed):

<24> 0x118014d18: movk x17, #0x1, lsl #32 -> 0x13943ee78 vm +40568: vm.topCallFrame
<76> 0x118014d4c: movk x17, #0x1, lsl #32 -> 0x139441a10 vm +51728: vm.m_exception

<196> 0x118011244: movk x17, #0x1, lsl #32 -> 0x1394417d0 vm +51152: vm.targetMachinePCForThrow
<208> 0x1198e09d0: movk x17, #0x1, lsl #32 -> 0x104432cc0 vm +52416: vm.m_doesGC

3. VM related pointers (only 1 for now; not VM fields, but hangs off of VM):

<12> 0x11801938c: movk x1, #0x1, lsl #32 -> 0x1052cd3c8 vm scratchBuffer.m_buffer

4. Well known PtrTags:

<204> 0x11801124c: movz x16, #0x6f9b -> 0x6f9b ExceptionHandlerPtrTag ?
<212> 0x1180150d4: movz x16, #0x593 -> 0x593 JSEntryPtrTag ?
<168> 0x1180183a8: movz lr, #0xb389 -> 0xb389 OperationPtrTag ?

• the ? is because we cannot be certain that the 16-bit constant is a PtrTag. It may just be a coincidence that the value is the same. However, the user can trivially look at the surrounding disassembled code, and be able to tell if the value is used as a PtrTag.

For constants that are not found in the known sets:

5. Small 16-bit constant (prints decimal value for convenience):

<200> 0x1198e09c8: movz x17, #0x2cc0 -> 11456

6. Unknown pointers that aren't in the JIT and LLINT regions will simply print the pointer / constant:

<88> 0x1198e0958: movz x17, #0x2088
<92> 0x1198e095c: movk x17, #0x30d, lsl #16
<96> 0x1198e0960: movk x17, #0x1, lsl #32 -> 0x1030d2088

<unknown> is only used in relative branches.

7. Enhanced the Integrity::isSanePointer() check to reject pointer values that are less than 4G on CPU(ADDRESS64) targets for OS(DARWIN). No sane pointer should be in the lowest 4G address region.

This also helps the disassembler more quickly filter out constant values that
aren't pointers.

This change affects DFG's speculationFromCell(), which is the only place that
may affect user facing performance. However, I think the impact should be
insignificant (since the added check is cheap).

• assembler/JITOperationList.cpp:

(JSC::JITOperationList::populatePointersInJavaScriptCore):
(JSC::llintOperations):
(JSC::JITOperationList::populatePointersInJavaScriptCoreForLLInt):
(JSC::JITOperationList::addDisassemblyLabels):
(JSC::JITOperationList::populateDisassemblyLabelsInJavaScriptCore):
(JSC::JITOperationList::populateDisassemblyLabelsInJavaScriptCoreForLLInt):
(JSC::JITOperationList::populateDisassemblyLabelsInEmbedder):

• assembler/JITOperationList.h:

(JSC::JITOperationList::populatePointersInJavaScriptCore):
(JSC::JITOperationList::populatePointersInJavaScriptCoreForLLInt):

• assembler/JITOperationValidation.h:
• assembler/LinkBuffer.cpp:

(JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):

• b3/testb3_1.cpp:

(main):

• disassembler/ARM64/A64DOpcode.cpp:

(JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
(JSC::ARM64Disassembler::MoveWideFormatTrait::rejectedResult):
(JSC::ARM64Disassembler::MoveWideFormatTrait::acceptedResult):
(JSC::ARM64Disassembler::MoveWideIsValidTrait::rejectedResult):
(JSC::ARM64Disassembler::MoveWideIsValidTrait::acceptedResult):
(JSC::ARM64Disassembler::A64DOpcodeMoveWide::handlePotentialDataPointer):
(JSC::ARM64Disassembler::A64DOpcodeMoveWide::handlePotentialPtrTag):
(JSC::ARM64Disassembler::A64DOpcodeMoveWide::parse):
(JSC::ARM64Disassembler::A64DOpcodeMoveWide::format):
(JSC::ARM64Disassembler::A64DOpcodeMoveWide::isValid):

• disassembler/ARM64/A64DOpcode.h:

(JSC::ARM64Disassembler::A64DOpcodeMoveWide::baseFormat):
(JSC::ARM64Disassembler::A64DOpcodeMoveWide::formatBuffer):

• disassembler/Disassembler.cpp:

(JSC::Disassembler::ensureLabelMap):
(JSC::registerLabel):
(JSC::labelFor):
(JSC::ensureThunkLabelMap): Deleted.
(JSC::registerThunkLabel): Deleted.
(JSC::labelForThunk): Deleted.

• disassembler/Disassembler.h:
• jsc.cpp:

(jscmain):

• runtime/Gate.h:
• runtime/JSCPtrTag.cpp:

(JSC::ptrTagName):

• runtime/JSCPtrTag.h:
• runtime/Options.cpp:

(JSC::Options::recomputeDependentOptions):

• runtime/OptionsList.h:
• runtime/VM.cpp:

(JSC::VM::isScratchBuffer):

• runtime/VM.h:
• tools/Integrity.h:

(JSC::Integrity::isSanePointer):

Source/WebCore:

• bindings/js/WebCoreJITOperations.cpp:

(WebCore::populateJITOperations):
(WebCore::populateDisassemblyLabels):

• bindings/js/WebCoreJITOperations.h:

(WebCore::populateDisassemblyLabels):
(WebCore::populateJITOperations):

• testing/js/WebCoreTestSupport.cpp:

(WebCoreTestSupport::populateJITOperations):
(WebCoreTestSupport::populateDisassemblyLabels):

• testing/js/WebCoreTestSupport.h:

(WebCoreTestSupport::populateDisassemblyLabels):
(WebCoreTestSupport::populateJITOperations):

Source/WTF:

1. Added a ENABLE(JIT_OPERATION_DISASSEMBLY) flag. Currently, this feature relies on an USE(APPLE_INTERNAL_SDK) for enumerating JIT operations similar to ENABLE(JIT_OPERATION_VALIDATION). It is also restricted to ENABLE(DISASSEMBLER) && CPU(ARM64E).

• wtf/PlatformCallingConventions.h:
• wtf/PlatformEnable.h:

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/assembler/JITOperationList.cpp (modified) (8 diffs)
• JavaScriptCore/assembler/JITOperationList.h (modified) (9 diffs)
• JavaScriptCore/assembler/JITOperationValidation.h (modified) (2 diffs)
• JavaScriptCore/assembler/LinkBuffer.cpp (modified) (1 diff)
• JavaScriptCore/b3/testb3_1.cpp (modified) (3 diffs)
• JavaScriptCore/disassembler/ARM64/A64DOpcode.cpp (modified) (5 diffs)
• JavaScriptCore/disassembler/ARM64/A64DOpcode.h (modified) (4 diffs)
• JavaScriptCore/disassembler/Disassembler.cpp (modified) (3 diffs)
• JavaScriptCore/disassembler/Disassembler.h (modified) (1 diff)
• JavaScriptCore/jsc.cpp (modified) (2 diffs)
• JavaScriptCore/runtime/ArrayBuffer.h (modified) (1 diff)
• JavaScriptCore/runtime/Gate.h (modified) (3 diffs)
• JavaScriptCore/runtime/JSCPtrTag.cpp (modified) (4 diffs)
• JavaScriptCore/runtime/JSCPtrTag.h (modified) (2 diffs)
• JavaScriptCore/runtime/Options.cpp (modified) (1 diff)
• JavaScriptCore/runtime/OptionsList.h (modified) (1 diff)
• JavaScriptCore/runtime/VM.cpp (modified) (1 diff)
• JavaScriptCore/runtime/VM.h (modified) (1 diff)
• JavaScriptCore/tools/Integrity.h (modified) (2 diffs)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/PlatformCallingConventions.h (modified) (3 diffs)
• WTF/wtf/PlatformEnable.h (modified) (2 diffs)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/WebCoreJITOperations.cpp (modified) (3 diffs)
• WebCore/bindings/js/WebCoreJITOperations.h (modified) (2 diffs)
• WebCore/testing/js/WebCoreTestSupport.cpp (modified) (3 diffs)
• WebCore/testing/js/WebCoreTestSupport.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2022-05-16  Mark Lam  <mark.lam@apple.com>
+
+        Add ARM64 disassembler support for symbolic dumping of some well known constants.
+        https://bugs.webkit.org/show_bug.cgi?id=240443
+
+        Reviewed by Yusuke Suzuki.
+
+        1. Added a Options::needDisassemblySupport() option.  This option is true if
+           any of the JSC disassembly options are enabled.  This allows us to trivially
+           check if we need to enable additional infrastructure (like those added in this
+           patch) to support disassembly.
+
+        2. Refactor the Disassembler's thunkLabelMap into a more generic labelMap.  It
+           can now map a pointer to a CString or a const char* label.
+
+        3. Enable JITOperationList infrastructure when ENABLE(JIT_OPERATION_DISASSEMBLY)
+           is true.  This adds a name to the JITOperationAnnotation record.  Since this is
+           guarded by ENABLE(JIT_OPERATION_DISASSEMBLY), we can trivially turn this part
+           off later if adding this name adds too much size burden (or if any unexpected
+           issues arise).  Turning this off will only disable disassembly of JIT operation
+           names.  Disassembly of other constants (see below) will still be supported.
+
+           If Options::needDisassemblySupport() is true, the JITOperationList will
+           register all JIT operations (and the LLInt ones as well) with the Disassembler
+           labelMap.
+
+        4. Removed the < > brackets around branch target labels except for internal pc
+           index labels (e.g. <716>) and <unknown> (when we don't know what the branch
+           target is).  The < > notation takes up space and doesn't add any info.  The
+           branch targets now look like this:
+
+              <32> 0x1180102c0:    b.ne     0x1180101c0 -> thunk: native Tail With Saved Tags Call trampoline
+              <92> 0x11801c87c:    b        0x118008980 -> thunk: LLInt function for call jump to prologue thunk
+            <3508> 0x1198e16b4:    b        0x1198bc1a0 -> JIT PC
+
+           Internal pc index labels will still use the < > brackets:
+
+            <3476> 0x1198e1694:    b.eq     0x1198e16a0 -> <3488>
+
+        5. Added ARM64 disassembler support to compute the value of a constant being
+           loaded into a register using "MoveWide" instructions e.g. movz and movk.
+
+           When the disassembler sees a movz or movn or mov (of the MoveWide variety),
+           the disassembler initializes a m_builtConstant value.  With each subsequent
+           movk instruction with the same destination register, the disassembler splices
+           in the corresponding 16-bit immediate.
+
+           After disassembling a MoveWide instruction, it will check if the next
+           instruction is also a MoveWide instruction targeting the same destination
+           register.  If so, the constant is still being build: hence, it does nothing and
+           continues.
+
+           If the next instruction is (a) a MoveWide instruction targeting a different
+           register, (b) not a MoveWide instruction, or (c) we've reached the end of the
+           LinkBuffer (i.e. there's no next instruction), then the constant building for
+           the current target register is complete.
+
+        6. Added ARM64 disassembler support for looking up constants (built in (5) above)
+           and printing symbolic info / names of those constants.
+
+           With ENABLE(JIT_OPERATION_DISASSEMBLY), we now have JIT operation names e.g.
+
+             <176> 0x118010270:    movk     x3, #0x9f6e, lsl #48 -> 0x102dc8950 operationVMHandleException
+             <164> 0x1180180a4:    movk     x8, #0xe5c, lsl #48 -> 0x102db9420 operationVirtualCall
+
+           Apart from looking up the constant in the Disassembler labelMap, it also looks
+           up some commonly used constants e.g.
+
+           a. VM pointers:
+
+             <156> 0x11801105c:    movk     x0, #0x1, lsl #32 -> 0x139435000 vm
+
+           b. Some VM internal pointers (more can be added later as needed):
+
+              <24> 0x118014d18:    movk     x17, #0x1, lsl #32 -> 0x13943ee78 vm +40568: vm.topCallFrame
+              <76> 0x118014d4c:    movk     x17, #0x1, lsl #32 -> 0x139441a10 vm +51728: vm.m_exception
+             <196> 0x118011244:    movk     x17, #0x1, lsl #32 -> 0x1394417d0 vm +51152: vm.targetMachinePCForThrow
+             <208> 0x1198e09d0:    movk     x17, #0x1, lsl #32 -> 0x104432cc0 vm +52416: vm.m_doesGC
+
+           c. VM related pointers (only 1 for now; not VM fields, but hangs off of VM):
+
+              <12> 0x11801938c:    movk     x1, #0x1, lsl #32 -> 0x1052cd3c8 vm scratchBuffer.m_buffer
+
+           d. Well known PtrTags:
+
+             <204> 0x11801124c:    movz     x16, #0x6f9b -> 0x6f9b ExceptionHandlerPtrTag ?
+             <212> 0x1180150d4:    movz     x16, #0x593 -> 0x593 JSEntryPtrTag ?
+             <168> 0x1180183a8:    movz     lr, #0xb389 -> 0xb389 OperationPtrTag ?
+
+             * the ? is because we cannot be certain that the 16-bit constant is a PtrTag.
+               It may just be a coincidence that the value is the same.  However, the user
+               can trivially look at the surrounding disassembled code, and be able to
+               tell if the value is used as a PtrTag.
+
+           For constants that are not found in the known sets:
+
+           e. Small 16-bit constant (prints decimal value for convenience):
+
+             <200> 0x1198e09c8:    movz     x17, #0x2cc0 -> 11456
+
+           f. Unknown pointers that aren't in the JIT and LLINT regions will simply print
+              the pointer / constant:
+
+              <88> 0x1198e0958:    movz     x17, #0x2088
+              <92> 0x1198e095c:    movk     x17, #0x30d, lsl #16
+              <96> 0x1198e0960:    movk     x17, #0x1, lsl #32 -> 0x1030d2088
+
+              <unknown> is only used in relative branches.
+
+        7. Enhanced the Integrity::isSanePointer() check to reject pointer values that
+           are less than 4G on CPU(ADDRESS64) targets for OS(DARWIN).  No sane pointer
+           should be in the lowest 4G address region.
+
+           This also helps the disassembler more quickly filter out constant values that
+           aren't pointers.
+
+           This change affects DFG's speculationFromCell(), which is the only place that
+           may affect user facing performance.  However, I think the impact should be
+           insignificant (since the added check is cheap).
+
+        * assembler/JITOperationList.cpp:
+        (JSC::JITOperationList::populatePointersInJavaScriptCore):
+        (JSC::llintOperations):
+        (JSC::JITOperationList::populatePointersInJavaScriptCoreForLLInt):
+        (JSC::JITOperationList::addDisassemblyLabels):
+        (JSC::JITOperationList::populateDisassemblyLabelsInJavaScriptCore):
+        (JSC::JITOperationList::populateDisassemblyLabelsInJavaScriptCoreForLLInt):
+        (JSC::JITOperationList::populateDisassemblyLabelsInEmbedder):
+        * assembler/JITOperationList.h:
+        (JSC::JITOperationList::populatePointersInJavaScriptCore):
+        (JSC::JITOperationList::populatePointersInJavaScriptCoreForLLInt):
+        * assembler/JITOperationValidation.h:
+        * assembler/LinkBuffer.cpp:
+        (JSC::LinkBuffer::finalizeCodeWithDisassemblyImpl):
+        * b3/testb3_1.cpp:
+        (main):
+        * disassembler/ARM64/A64DOpcode.cpp:
+        (JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
+        (JSC::ARM64Disassembler::MoveWideFormatTrait::rejectedResult):
+        (JSC::ARM64Disassembler::MoveWideFormatTrait::acceptedResult):
+        (JSC::ARM64Disassembler::MoveWideIsValidTrait::rejectedResult):
+        (JSC::ARM64Disassembler::MoveWideIsValidTrait::acceptedResult):
+        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::handlePotentialDataPointer):
+        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::handlePotentialPtrTag):
+        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::parse):
+        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::format):
+        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::isValid):
+        * disassembler/ARM64/A64DOpcode.h:
+        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::baseFormat):
+        (JSC::ARM64Disassembler::A64DOpcodeMoveWide::formatBuffer):
+        * disassembler/Disassembler.cpp:
+        (JSC::Disassembler::ensureLabelMap):
+        (JSC::registerLabel):
+        (JSC::labelFor):
+        (JSC::ensureThunkLabelMap): Deleted.
+        (JSC::registerThunkLabel): Deleted.
+        (JSC::labelForThunk): Deleted.
+        * disassembler/Disassembler.h:
+        * jsc.cpp:
+        (jscmain):
+        * runtime/Gate.h:
+        * runtime/JSCPtrTag.cpp:
+        (JSC::ptrTagName):
+        * runtime/JSCPtrTag.h:
+        * runtime/Options.cpp:
+        (JSC::Options::recomputeDependentOptions):
+        * runtime/OptionsList.h:
+        * runtime/VM.cpp:
+        (JSC::VM::isScratchBuffer):
+        * runtime/VM.h:
+        * tools/Integrity.h:
+        (JSC::Integrity::isSanePointer):
+
 2022-05-16  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/assembler/JITOperationList.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2020-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2020-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -27 +27 @@
 #include "JITOperationList.h"
 
+#include "Disassembler.h"
 #include "Gate.h"
 #include "JITOperationValidation.h"
 #include "LLIntData.h"
 #include "Opcode.h"
+#include "Options.h"
 
 namespace JSC {
 
-#if ENABLE(JIT_OPERATION_VALIDATION)
+#if ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
 
 LazyNeverDestroyed<JITOperationList> jitOperationList;
@@ -45 +47 @@
     jitOperationList.construct();
 }
+
+#if ENABLE(JIT_OPERATION_VALIDATION)
 
 #if JIT_OPERATION_VALIDATION_ASSERT_ENABLED
@@ -86 +90 @@
         if (Options::useJIT())
             jitOperationList->addPointers(&startOfJITOperationsInJSC, &endOfJITOperationsInJSC);
-    });
-}
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+        if (UNLIKELY(Options::needDisassemblySupport()))
+            populateDisassemblyLabelsInJavaScriptCore();
+#endif
+    });
+}
+
+#endif // ENABLE(JIT_OPERATION_VALIDATION)
 
 LLINT_DECLARE_ROUTINE_VALIDATE(llint_function_for_call_prologue);
@@ -105 +115 @@
 LLINT_DECLARE_ROUTINE_VALIDATE(fuzzer_return_early_from_loop_hint);
 
-void JITOperationList::populatePointersInJavaScriptCoreForLLInt()
-{
-    static std::once_flag onceKey;
-    std::call_once(onceKey, [] {
+#if ENABLE(JIT_OPERATION_VALIDATION) && ENABLE(JIT_OPERATION_DISASSEMBLY)
+#define LLINT_OP_EXTRAS(validateLabel, nameStr) bitwise_cast<void*>(validateLabel), nameStr
+#elif ENABLE(JIT_OPERATION_VALIDATION)
+#define LLINT_OP_EXTRAS(validateLabel, nameStr) bitwise_cast<void*>(validateLabel)
+#else // ENABLE(JIT_OPERATION_DISASSEMBLY)
+#define LLINT_OP_EXTRAS(validateLabel, nameStr) nameStr
+#endif
 
 #define LLINT_ROUTINE(functionName) { \
         bitwise_cast<void*>(LLInt::getCodeFunctionPtr<CFunctionPtrTag>(functionName)), \
-        bitwise_cast<void*>(LLINT_ROUTINE_VALIDATE(functionName)) \
+        LLINT_OP_EXTRAS(LLINT_ROUTINE_VALIDATE(functionName), #functionName) \
     },
 
 #define LLINT_OP(name) { \
         bitwise_cast<void*>(LLInt::getCodeFunctionPtr<CFunctionPtrTag>(name)), \
-        bitwise_cast<void*>(LLINT_RETURN_VALIDATE(name)) \
+        LLINT_OP_EXTRAS(LLINT_RETURN_VALIDATE(name), #name) \
     }, { \
         bitwise_cast<void*>(LLInt::getWide16CodeFunctionPtr<CFunctionPtrTag>(name)), \
-        bitwise_cast<void*>(LLINT_RETURN_WIDE16_VALIDATE(name)) \
+        LLINT_OP_EXTRAS(LLINT_RETURN_WIDE16_VALIDATE(name), #name " [wide16]") \
     }, { \
         bitwise_cast<void*>(LLInt::getWide32CodeFunctionPtr<CFunctionPtrTag>(name)), \
-        bitwise_cast<void*>(LLINT_RETURN_WIDE32_VALIDATE(name)) \
+        LLINT_OP_EXTRAS(LLINT_RETURN_WIDE32_VALIDATE(name), #name " [wide32]") \
     },
 
@@ -129 +142 @@
     LLINT_OP(name##_return_location)
 
-        const JITOperationAnnotation operations[] = {
+struct LLIntOperations {
+    const JITOperationAnnotation* operations;
+    size_t numberOfOperations;
+};
+
+static LLIntOperations llintOperations()
+{
+    static const JITOperationAnnotation* operations = nullptr;
+    static size_t numberOfOperations = 0;
+    static std::once_flag onceKey;
+    std::call_once(onceKey, [&] {
+        static const JITOperationAnnotation operationsStorage[] = {
             LLINT_ROUTINE(llint_function_for_call_prologue)
             LLINT_ROUTINE(llint_function_for_construct_prologue)
@@ -161 +185 @@
             JSC_WASM_GATE_OPCODES(LLINT_RETURN_LOCATION)
         };
-        if (Options::useJIT())
-            jitOperationList->addPointers(operations, operations + WTF_ARRAY_LENGTH(operations));
+        operations = operationsStorage;
+        numberOfOperations = WTF_ARRAY_LENGTH(operationsStorage);
+    });
+    return { operations, numberOfOperations };
+}
+
 #undef LLINT_ROUTINE
 #undef LLINT_OP
 #undef LLINT_RETURN_LOCATION
-    });
-}
-
+#undef LLINT_OP_EXTRAS
+
+#if ENABLE(JIT_OPERATION_VALIDATION)
+
+void JITOperationList::populatePointersInJavaScriptCoreForLLInt()
+{
+    static std::once_flag onceKey;
+    std::call_once(onceKey, [] {
+        if (Options::useJIT()) {
+            auto list = llintOperations();
+            jitOperationList->addPointers(list.operations, list.operations + list.numberOfOperations);
+        }
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+        if (UNLIKELY(Options::needDisassemblySupport()))
+            JITOperationList::populateDisassemblyLabelsInJavaScriptCoreForLLInt();
+#endif
+    });
+}
 
 void JITOperationList::populatePointersInEmbedder(const JITOperationAnnotation* beginOperations, const JITOperationAnnotation* endOperations)
@@ -178 +221 @@
 #endif // ENABLE(JIT_OPERATION_VALIDATION)
 
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+
+SUPPRESS_ASAN void JITOperationList::addDisassemblyLabels(const JITOperationAnnotation* begin, const JITOperationAnnotation* end)
+{
+    RELEASE_ASSERT(Options::needDisassemblySupport());
+    for (const auto* current = begin; current != end; ++current) {
+#if ENABLE(JIT_OPERATION_VALIDATION)
+        auto* operation = current->operationWithValidation;
+#else
+        auto* operation = current->operation;
+#endif
+        registerLabel(removeCodePtrTag(operation), current->name);
+    }
+}
+
+void JITOperationList::populateDisassemblyLabelsInJavaScriptCore()
+{
+    ASSERT(Options::needDisassemblySupport());
+    static std::once_flag onceKey;
+    std::call_once(onceKey, [] {
+        if (Options::useJIT())
+            addDisassemblyLabels(&startOfJITOperationsInJSC, &endOfJITOperationsInJSC);
+    });
+}
+
+void JITOperationList::populateDisassemblyLabelsInJavaScriptCoreForLLInt()
+{
+    ASSERT(Options::needDisassemblySupport());
+    static std::once_flag onceKey;
+    std::call_once(onceKey, [] {
+        if (Options::useJIT()) {
+            auto list = llintOperations();
+            addDisassemblyLabels(list.operations, list.operations + list.numberOfOperations);
+        }
+    });
+}
+
+void JITOperationList::populateDisassemblyLabelsInEmbedder(const JITOperationAnnotation* beginOperations, const JITOperationAnnotation* endOperations)
+{
+    if (LIKELY(!Options::needDisassemblySupport()))
+        return;
+    if (Options::useJIT())
+        addDisassemblyLabels(beginOperations, endOperations);
+}
+
+#endif // ENABLE(JIT_OPERATION_DISASSEMBLY)
+
+#endif // ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
+
 } // namespace JSC

trunk/Source/JavaScriptCore/assembler/JITOperationList.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2020-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2020-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -33 +33 @@
 namespace JSC {
 
-#if ENABLE(JIT_OPERATION_VALIDATION)
+#if ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
 
 // This indirection is provided so that we can manually force on assertions for
@@ -46 +46 @@
     static void initialize();
 
+#if ENABLE(JIT_OPERATION_VALIDATION)
     template<typename PtrType>
     void* map(PtrType pointer) const
@@ -59 +60 @@
     }
 #endif
+#endif // ENABLE(JIT_OPERATION_VALIDATION)
 
     static void populatePointersInJavaScriptCore();
@@ -64 +66 @@
 
     JS_EXPORT_PRIVATE static void populatePointersInEmbedder(const JITOperationAnnotation* beginOperations, const JITOperationAnnotation* endOperations);
+
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+    JS_EXPORT_PRIVATE static void populateDisassemblyLabelsInEmbedder(const JITOperationAnnotation* beginOperations, const JITOperationAnnotation* endOperations);
+#endif
 
     template<typename T> static void assertIsJITOperation(T function)
@@ -82 +88 @@
 
 private:
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+    static void populateDisassemblyLabelsInJavaScriptCore();
+    static void populateDisassemblyLabelsInJavaScriptCoreForLLInt();
+    static void addDisassemblyLabels(const JITOperationAnnotation* begin, const JITOperationAnnotation* end);
+#endif
+
+#if ENABLE(JIT_OPERATION_VALIDATION)
     ALWAYS_INLINE void addPointers(const JITOperationAnnotation* begin, const JITOperationAnnotation* end);
 
@@ -92 +105 @@
     HashMap<void*, void*> m_validatedOperationsInverseMap;
 #endif
+#endif // ENABLE(JIT_OPERATION_VALIDATION)
 };
+
+#if ENABLE(JIT_OPERATION_VALIDATION)
 
 JS_EXPORT_PRIVATE extern LazyNeverDestroyed<JITOperationList> jitOperationList;
@@ -102 +118 @@
 
 #else // not ENABLE(JIT_OPERATION_VALIDATION)
+
+ALWAYS_INLINE void JITOperationList::populatePointersInJavaScriptCore()
+{
+    if (UNLIKELY(Options::needDisassemblySupport()))
+        populateDisassemblyLabelsInJavaScriptCore();
+}
+
+ALWAYS_INLINE void JITOperationList::populatePointersInJavaScriptCoreForLLInt()
+{
+    if (UNLIKELY(Options::needDisassemblySupport()))
+        populateDisassemblyLabelsInJavaScriptCoreForLLInt();
+}
+
+#endif // ENABLE(JIT_OPERATION_VALIDATION)
+
+#else // not ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
 
 class JITOperationList {
@@ -114 +146 @@
 };
 
-#endif // ENABLE(JIT_OPERATION_VALIDATION)
+#endif // ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
 
 } // namespace JSC

trunk/Source/JavaScriptCore/assembler/JITOperationValidation.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2021-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -48 +48 @@
 namespace JSC {
 
-#if ENABLE(JIT_OPERATION_VALIDATION)
-
 struct JITOperationAnnotation {
     void* operation;
+#if ENABLE(JIT_OPERATION_VALIDATION)
     void* operationWithValidation;
+#endif
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+    const char* name;
+#endif
 };
+
+#if ENABLE(JIT_OPERATION_VALIDATION)
 
 #ifndef JSC_DECLARE_JIT_OPERATION_VALIDATION

trunk/Source/JavaScriptCore/assembler/LinkBuffer.cpp

@@ -83 +83 @@
         va_end(preflightArgs);
 
+        const char prefix[] = "thunk: ";
         char* buffer = 0;
-        CString label = CString::newUninitialized(stringLength + 1, buffer);
-        vsnprintf(buffer, stringLength + 1, format, argList);
-        buffer[stringLength] = '\0';
+        size_t length = stringLength + sizeof(prefix);
+        CString label = CString::newUninitialized(length, buffer);
+        snprintf(buffer, length, "%s", prefix);
+        vsnprintf(buffer + sizeof(prefix) - 1, stringLength + 1, format, argList);
         out.printf("%s", buffer);
 
-        registerThunkLabel(result.code().untaggedExecutableAddress(), WTFMove(label));
+        registerLabel(result.code().untaggedExecutableAddress(), WTFMove(label));
     } else
         out.vprintf(format, argList);

trunk/Source/JavaScriptCore/b3/testb3_1.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -904 +904 @@
 #endif // ENABLE(B3_JIT)
 
-#if ENABLE(JIT_OPERATION_VALIDATION)
+#if ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
 extern const JSC::JITOperationAnnotation startOfJITOperationsInTestB3 __asm("section$start$__DATA_CONST$__jsc_ops");
 extern const JSC::JITOperationAnnotation endOfJITOperationsInTestB3 __asm("section$end$__DATA_CONST$__jsc_ops");
@@ -931 +931 @@
     JSC::JITOperationList::populatePointersInEmbedder(&startOfJITOperationsInTestB3, &endOfJITOperationsInTestB3);
 #endif
-    
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+    if (UNLIKELY(JSC::Options::needDisassemblySupport()))
+        JSC::JITOperationList::populateDisassemblyLabelsInEmbedder(&startOfJITOperationsInTestB3, &endOfJITOperationsInTestB3);
+#endif
+
     for (unsigned i = 0; i <= 2; ++i) {
         JSC::Options::defaultB3OptLevel() = i;

trunk/Source/JavaScriptCore/disassembler/ARM64/A64DOpcode.cpp

@@ -33 +33 @@
 #include "ExecutableAllocator.h"
 #include "GPRInfo.h"
+#include "Integrity.h"
+#include "JSCJSValue.h"
 #include "LLIntPCRanges.h"
+#include "PureNaN.h"
+#include "VMInspector.h"
 #include <stdarg.h>
 #include <stdint.h>
 #include <stdio.h>
+#include <wtf/PtrTag.h>
+#include <wtf/Range.h>
 
 namespace JSC { namespace ARM64Disassembler {
@@ -202 +208 @@
     else if (targetPC >= m_startPC && targetPC < m_endPC)
         snprintf(buffer, bufferSize - 1, " -> <%u>", static_cast<unsigned>((targetPC - m_startPC) * sizeof(uint32_t)));
-    else if (const char* thunkLabel = labelForThunk(targetPC))
-        snprintf(buffer, bufferSize - 1, " -> <thunk: %s>", thunkLabel);
+    else if (const char* label = labelFor(targetPC))
+        snprintf(buffer, bufferSize - 1, " -> %s", label);
     else if (isJITPC(targetPC))
-        targetInfo = " -> <JIT PC>";
+        targetInfo = " -> JIT PC";
     else if (LLInt::isLLIntPC(targetPC))
-        targetInfo = " -> <LLInt PC>";
+        targetInfo = " -> LLInt PC";
     else
         targetInfo = " -> <unknown>";
@@ -1571 +1577 @@
 const char* const A64DOpcodeMoveWide::s_opNames[4] = { "movn", 0, "movz", "movk" };
 
-const char* A64DOpcodeMoveWide::format()
+class MoveWideFormatTrait {
+public:
+    using ResultType = const char*;
+    static constexpr bool returnEarlyIfAccepted = false;
+
+    ALWAYS_INLINE static const char* rejectedResult(A64DOpcodeMoveWide* opcode) { return opcode->baseFormat(); }
+    ALWAYS_INLINE static const char* acceptedResult(A64DOpcodeMoveWide* opcode) { return opcode->formatBuffer(); }
+};
+
+class MoveWideIsValidTrait {
+public:
+    using ResultType = bool;
+    static constexpr bool returnEarlyIfAccepted = true;
+
+    static constexpr bool rejectedResult(A64DOpcodeMoveWide*) { return false; }
+    static constexpr bool acceptedResult(A64DOpcodeMoveWide*) { return true; }
+};
+
+bool A64DOpcodeMoveWide::handlePotentialDataPointer(void* ptr)
+{
+    ASSERT(Integrity::isSanePointer(ptr));
+
+    bool handled = false;
+    VMInspector::forEachVM([&] (VM& vm) {
+        if (ptr == &vm) {
+            bufferPrintf(" vm");
+            handled = true;
+            return IterationStatus::Done;
+        }
+
+        if (!vm.isInService())
+            return IterationStatus::Continue;
+
+        auto* vmStart = reinterpret_cast<uint8_t*>(&vm);
+        auto* vmEnd = vmStart + sizeof(VM);
+        auto* u8Ptr = reinterpret_cast<uint8_t*>(ptr);
+        Range vmRange(vmStart, vmEnd);
+        if (vmRange.contains(u8Ptr)) {
+            unsigned offset = u8Ptr - vmStart;
+            bufferPrintf(" vm +%u", offset);
+
+            const char* description = nullptr;
+            if (ptr == &vm.topCallFrame)
+                description = "vm.topCallFrame";
+            else if (offset == VM::topEntryFrameOffset())
+                description = "vm.topEntryFrame";
+            else if (offset == VM::exceptionOffset())
+                description = "vm.m_exception";
+            else if (offset == VM::offsetOfHeapBarrierThreshold())
+                description = "vm.heap.m_barrierThreshold";
+            else if (offset == VM::callFrameForCatchOffset())
+                description = "vm.callFrameForCatch";
+            else if (ptr == vm.addressOfSoftStackLimit())
+                description = "vm.m_softStackLimit";
+            else if (ptr == &vm.osrExitIndex)
+                description = "vm.osrExitIndex";
+            else if (ptr == &vm.osrExitJumpDestination)
+                description = "vm.osrExitJumpDestination";
+            else if (ptr == vm.smallStrings.singleCharacterStrings())
+                description = "vm.smallStrings.m_singleCharacterStrings";
+            else if (ptr == &vm.targetMachinePCForThrow)
+                description = "vm.targetMachinePCForThrow";
+            else if (ptr == vm.traps().trapBitsAddress())
+                description = "vm.m_traps.m_trapBits";
+#if ENABLE(DFG_DOES_GC_VALIDATION)
+            else if (ptr == vm.addressOfDoesGC())
+                description = "vm.m_doesGC";
+#endif
+            if (description)
+                bufferPrintf(": %s", description);
+
+            handled = true;
+            return IterationStatus::Done;
+        }
+
+        if (vm.isScratchBuffer(ptr)) {
+            bufferPrintf(" vm scratchBuffer.m_buffer");
+            handled = true;
+            return IterationStatus::Done;
+        }
+        return IterationStatus::Continue;
+    });
+    return handled;
+}
+
+#if CPU(ARM64E)
+bool A64DOpcodeMoveWide::handlePotentialPtrTag(uintptr_t value)
+{
+    if (!value || value > 0xffff)
+        return false;
+
+    PtrTag tag = static_cast<PtrTag>(value);
+#if ENABLE(PTRTAG_DEBUGGING)
+    const char* name = WTF::ptrTagName(tag);
+    if (name[0] == '<')
+        return false; // Only result that starts with '<' is "<unknown>".
+#else
+    // Without ENABLE(PTRTAG_DEBUGGING), not all PtrTags are registeredf for
+    // printing. So, we'll just do the minimum with only the JSC specific tags.
+    const char* name = ptrTagName(tag);
+    if (!name)
+        return false;
+#endif
+
+    // Also print '?' to indicate that this is a maybe. We do not know for certain
+    // if the constant is meant to be used as a PtrTag.
+    bufferPrintf(" -> %p %s ?", reinterpret_cast<void*>(value), name);
+    return true;
+}
+#endif
+
+template<typename Trait>
+typename Trait::ResultType A64DOpcodeMoveWide::parse()
 {
     if (opc() == 1)
-        return A64DOpcode::format();
+        return Trait::rejectedResult(this);
     if (!is64Bit() && hw() >= 2)
-        return A64DOpcode::format();
+        return Trait::rejectedResult(this);
+
+    if constexpr (Trait::returnEarlyIfAccepted)
+        return Trait::acceptedResult(this);
 
     if (!opc() && (!immediate16() || !hw()) && (is64Bit() || immediate16() != 0xffff)) {
@@ -1588 +1709 @@
             amount = ~amount;
             appendSignedImmediate64(amount);
+            m_builtConstant = static_cast<intptr_t>(amount);
         } else {
             int32_t amount = immediate16() << (hw() * 16);
             amount = ~amount;
             appendSignedImmediate(amount);
+            m_builtConstant = static_cast<intptr_t>(amount);
         }
     } else {
@@ -1602 +1725 @@
             appendShiftAmount(hw());
         }
-    }
-
-    return m_formatBuffer;
-}
+
+        if (opc() == 2) // Encoding for movz
+            m_builtConstant = 0;
+
+        unsigned shift = hw() * 16;
+        uintptr_t value = static_cast<uintptr_t>(immediate16()) << shift;
+        uintptr_t mask = ~(static_cast<uintptr_t>(0xffff) << shift);
+        m_builtConstant &= mask;
+        m_builtConstant |= value;
+    }
+
+    auto dumpConstantData = [&] {
+        uint32_t* nextPC = m_currentPC + 1;
+        bool doneBuildingConstant = false;
+
+        if (nextPC >= m_endPC)
+            doneBuildingConstant = true;
+        else {
+            A64DOpcode nextOpcodeBase(m_startPC, m_endPC);
+            A64DOpcodeMoveWide& nextOpcode = *reinterpret_cast<A64DOpcodeMoveWide*>(&nextOpcodeBase);
+            nextOpcode.setPCAndOpcode(nextPC, *nextPC);
+
+            bool nextIsMoveWideGroup = opcodeGroupNumber(m_opcode) == opcodeGroupNumber(*nextPC);
+
+            if (!nextIsMoveWideGroup || !nextOpcode.isValid() || nextOpcode.rd() != rd())
+                doneBuildingConstant = true;
+        }
+        if (!doneBuildingConstant)
+            return;
+
+        void* ptr = removeCodePtrTag(bitwise_cast<void*>(m_builtConstant));
+        if (!ptr)
+            return;
+
+        if (Integrity::isSanePointer(ptr)) {
+            bufferPrintf(" -> %p", ptr);
+            if (const char* label = labelFor(ptr))
+                return bufferPrintf(" %s", label);
+            if (isJITPC(ptr))
+                return bufferPrintf(" JIT PC");
+            if (LLInt::isLLIntPC(ptr))
+                return bufferPrintf(" LLInt PC");
+            handlePotentialDataPointer(ptr);
+            return;
+        }
+#if CPU(ARM64E)
+        if (handlePotentialPtrTag(m_builtConstant))
+            return;
+#endif
+        if (m_builtConstant < 0x10000)
+            bufferPrintf(" -> %u", static_cast<unsigned>(m_builtConstant));
+        else
+            bufferPrintf(" -> %p", reinterpret_cast<void*>(m_builtConstant));
+    };
+
+    if (m_startPC)
+        dumpConstantData();
+
+    return Trait::acceptedResult(this);
+}
+
+const char* A64DOpcodeMoveWide::format() { return parse<MoveWideFormatTrait>(); }
+bool A64DOpcodeMoveWide::isValid() { return parse<MoveWideIsValidTrait>(); }
 
 const char* A64DOpcodeTestAndBranchImmediate::format()

trunk/Source/JavaScriptCore/disassembler/ARM64/A64DOpcode.h

@@ -195 +195 @@
     }
 
-    static constexpr int bufferSize = 81;
+    static constexpr int bufferSize = 101;
 
     char m_formatBuffer[bufferSize];
@@ -203 +203 @@
     uint32_t m_opcode;
     int m_bufferOffset;
+    uintptr_t m_builtConstant { 0 };
 
 private:
@@ -873 +874 @@
 
     const char* format();
+    bool isValid();
 
     const char* opName() { return s_opNames[opc()]; }
@@ -878 +880 @@
     unsigned hw() { return (m_opcode >> 21) & 0x3; }
     unsigned immediate16() { return (m_opcode >> 5) & 0xffff; }
+
+private:
+    template<typename Trait> typename Trait::ResultType parse();
+    bool handlePotentialDataPointer(void*);
+    bool handlePotentialPtrTag(uintptr_t);
+
+    // These forwarding functions are needed for MoveWideFormatTrait only.
+    const char* baseFormat() { return A64DOpcode::format(); }
+    const char* formatBuffer() { return m_formatBuffer; }
+
+    friend class MoveWideFormatTrait;
+    friend class MoveWideIsValidTrait;
 };
 

trunk/Source/JavaScriptCore/disassembler/Disassembler.cpp

@@ -28 +28 @@
 
 #include "MacroAssemblerCodeRef.h"
+#include <variant>
 #include <wtf/Condition.h>
 #include <wtf/DataLog.h>
@@ -37 +38 @@
 namespace JSC {
 
-using ThunkLabelMap = HashMap<void*, CString>;
-LazyNeverDestroyed<ThunkLabelMap> thunkLabelMap;
+namespace Disassembler {
+
+Lock labelMapLock;
+
+using LabelMap = HashMap<void*, std::variant<CString, const char*>>;
+LazyNeverDestroyed<LabelMap> labelMap;
+
+static LabelMap& ensureLabelMap() WTF_REQUIRES_LOCK(labelMapLock)
+{
+    static std::once_flag onceKey;
+    std::call_once(onceKey, [] {
+        labelMap.construct();
+    });
+    return labelMap.get();
+}
+
+} // namespace Disassembler
 
 void disassemble(const MacroAssemblerCodePtr<DisassemblyPtrTag>& codePtr, size_t size, void* codeStart, void* codeEnd, const char* prefix, PrintStream& out)
@@ -158 +174 @@
 }
 
-static ThunkLabelMap& ensureThunkLabelMap()
-{
-    static std::once_flag onceKey;
-    std::call_once(onceKey, [] {
-        thunkLabelMap.construct();
-    });
-    return thunkLabelMap.get();
-}
-
-void registerThunkLabel(void* thunkAddress, CString&& label)
-{
-    ensureThunkLabelMap().add(thunkAddress, WTFMove(label));
-}
-
-const char* labelForThunk(void* thunkAddress)
-{
-    auto& map = ensureThunkLabelMap();
+void registerLabel(void* thunkAddress, CString&& label)
+{
+    Locker lock { Disassembler::labelMapLock };
+    Disassembler::ensureLabelMap().add(thunkAddress, WTFMove(label));
+}
+
+void registerLabel(void* address, const char* label)
+{
+    Locker lock { Disassembler::labelMapLock };
+    Disassembler::ensureLabelMap().add(address, label);
+}
+
+const char* labelFor(void* thunkAddress)
+{
+    Locker lock { Disassembler::labelMapLock };
+    auto& map = Disassembler::ensureLabelMap();
     auto it = map.find(thunkAddress);
     if (it == map.end())
         return nullptr;
-    return it->value.data();
+    if (std::holds_alternative<CString>(it->value))
+        return std::get<CString>(it->value).data();
+    return std::get<const char*>(it->value);
 }
 

trunk/Source/JavaScriptCore/disassembler/Disassembler.h

@@ -62 +62 @@
 JS_EXPORT_PRIVATE void waitForAsynchronousDisassembly();
 
-void registerThunkLabel(void* thunkAddress, CString&& label);
-const char* labelForThunk(void* thunkAddress);
+void registerLabel(void* thunkAddress, CString&& label);
+void registerLabel(void* thunkAddress, const char* label);
+const char* labelFor(void* thunkAddress);
 
 } // namespace JSC

trunk/Source/JavaScriptCore/jsc.cpp

@@ -3757 +3757 @@
 }
 
-#if ENABLE(JIT_OPERATION_VALIDATION)
+#if ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
 extern const JITOperationAnnotation startOfJITOperationsInShell __asm("section$start$__DATA_CONST$__jsc_ops");
 extern const JITOperationAnnotation endOfJITOperationsInShell __asm("section$end$__DATA_CONST$__jsc_ops");
@@ -3784 +3784 @@
     JSC::JITOperationList::populatePointersInEmbedder(&startOfJITOperationsInShell, &endOfJITOperationsInShell);
 #endif
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+    if (UNLIKELY(Options::needDisassemblySupport()))
+        JSC::JITOperationList::populateDisassemblyLabelsInEmbedder(&startOfJITOperationsInShell, &endOfJITOperationsInShell);
+#endif
+
     initializeTimeoutIfNeeded();
 

trunk/Source/JavaScriptCore/runtime/ArrayBuffer.h

@@ -73 +73 @@
 };
 
-class ArrayBufferContents {
+class   ArrayBufferContents {
     WTF_MAKE_NONCOPYABLE(ArrayBufferContents);
 public:

trunk/Source/JavaScriptCore/runtime/Gate.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2020-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 namespace JSC {
 
-#if ENABLE(JIT_OPERATION_VALIDATION) || CPU(ARM64E)
+#if ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY) || CPU(ARM64E)
 
 #define JSC_UTILITY_GATES(v) \
@@ -92 +92 @@
 #undef JSC_COUNT
 #undef JSC_OPCODE_COUNT
-#else
+
+#else // not (ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY) || CPU(ARM64E))
+
 // Keep it non-zero to make JSCConfig's array not [0].
 static constexpr unsigned numberOfGates = 1;
-#endif
 
-}
+#endif // ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY) || CPU(ARM64E)
+
+} // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSCPtrTag.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2018-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -37 +37 @@
 namespace JSC {
 
-#if CPU(ARM64E) && ENABLE(PTRTAG_DEBUGGING)
+#if ENABLE(JIT_OPERATION_DISASSEMBLY) || (CPU(ARM64E) && ENABLE(PTRTAG_DEBUGGING))
 
+const char* ptrTagName(PtrTag tag)
+{
+#define RETURN_PTRTAG_NAME(_tagName, calleeType, callerType) case _tagName: return #_tagName;
+    switch (static_cast<unsigned>(tag)) {
+        FOR_EACH_JSC_PTRTAG(RETURN_PTRTAG_NAME)
+    }
+#undef RETURN_PTRTAG_NAME
+    return nullptr; // Matching tag not found.
+}
+
+#if ENABLE(PTRTAG_DEBUGGING)
 static const char* tagForPtr(const void* ptr)
 {
@@ -51 +62 @@
 }
 
-static const char* ptrTagName(PtrTag tag)
-{
-#define RETURN_PTRTAG_NAME(_tagName, calleeType, callerType) case _tagName: return #_tagName;
-    switch (static_cast<unsigned>(tag)) {
-        FOR_EACH_JSC_PTRTAG(RETURN_PTRTAG_NAME)
-    }
-#undef RETURN_PTRTAG_NAME
-    return nullptr; // Matching tag not found.
-}
-
 void initializePtrTagLookup()
 {
@@ -67 +68 @@
     WTF::registerPtrTagLookup(&lookup);
 }
-
-#endif // CPU(ARM64E) && ENABLE(PTRTAG_DEBUGGING)
+#endif // ENABLE(PTRTAG_DEBUGGING)
+#endif // ENABLE(JIT_OPERATION_DISASSEMBLY) || (CPU(ARM64E) && ENABLE(PTRTAG_DEBUGGING))
 
 #if CPU(ARM64E)

trunk/Source/JavaScriptCore/runtime/JSCPtrTag.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2018-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -249 +249 @@
 #endif
 
+#if ENABLE(JIT_OPERATION_DISASSEMBLY) || (CPU(ARM64E) && ENABLE(PTRTAG_DEBUGGING))
+const char* ptrTagName(PtrTag);
+#endif
+
 } // namespace JSC
 namespace WTF {

trunk/Source/JavaScriptCore/runtime/Options.cpp

@@ -466 +466 @@
         Options::useFastTLSForWasmContext() = false;
     
-    if (Options::logJIT()
-        || Options::dumpDisassembly()
+    if (Options::dumpDisassembly()
+        || Options::asyncDisassembly()
         || Options::dumpDFGDisassembly()
         || Options::dumpFTLDisassembly()
+        || Options::dumpRegExpDisassembly()
+        || Options::dumpWasmDisassembly()
+        || Options::dumpBBQDisassembly()
+        || Options::dumpOMGDisassembly())
+        Options::needDisassemblySupport() = true;
+
+    if (Options::logJIT()
+        || Options::needDisassemblySupport()
         || Options::dumpBytecodeAtDFGTime()
         || Options::dumpGraphAtEachPhase()

trunk/Source/JavaScriptCore/runtime/OptionsList.h

@@ -128 +128 @@
     v(Bool, useOSLog, false, Normal, "Log dataLog()s to os_log instead of stderr") \
     /* dumpDisassembly implies dumpDFGDisassembly. */ \
+    v(Bool, needDisassemblySupport, false, Normal, nullptr) \
     v(Bool, dumpDisassembly, false, Normal, "dumps disassembly of all JIT compiled code upon compilation") \
     v(Bool, asyncDisassembly, false, Normal, nullptr) \

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -1410 +1410 @@
 }
 
+bool VM::isScratchBuffer(void* ptr)
+{
+    Locker locker { m_scratchBufferLock };
+    for (auto* scratchBuffer : m_scratchBuffers) {
+        if (scratchBuffer->dataBuffer() == ptr)
+            return true;
+    }
+    return false;
+}
+
 void VM::ensureShadowChicken()
 {

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -686 +686 @@
     ScratchBuffer* scratchBufferForSize(size_t size);
     void clearScratchBuffers();
+    bool isScratchBuffer(void*);
 
     EncodedJSValue* exceptionFuzzingBuffer(size_t size)

trunk/Source/JavaScriptCore/tools/Integrity.h

@@ -95 +95 @@
 #if CPU(ADDRESS64)
     uintptr_t pointerAsInt = bitwise_cast<uintptr_t>(pointer);
+#if OS(DARWIN)
+    constexpr uintptr_t oneAbove4G = (static_cast<uintptr_t>(1) << 32);
+    if (pointerAsInt < oneAbove4G)
+        return false;
+#endif
     uintptr_t canonicalPointerBits = pointerAsInt << (64 - OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH));
     uintptr_t nonCanonicalPointerBits = pointerAsInt >> OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH);
@@ -101 +106 @@
     UNUSED_PARAM(pointer);
     return true;
-#endif
+#endif // CPU(ADDRESS64)
 }
 

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2022-05-16  Mark Lam  <mark.lam@apple.com>
+
+        Add ARM64 disassembler support for symbolic dumping of some well known constants.
+        https://bugs.webkit.org/show_bug.cgi?id=240443
+
+        Reviewed by Yusuke Suzuki.
+
+        1. Added a ENABLE(JIT_OPERATION_DISASSEMBLY) flag.
+           Currently, this feature relies on an USE(APPLE_INTERNAL_SDK) for enumerating
+           JIT operations similar to ENABLE(JIT_OPERATION_VALIDATION).  It is also
+           restricted to ENABLE(DISASSEMBLER) && CPU(ARM64E).
+
+        * wtf/PlatformCallingConventions.h:
+        * wtf/PlatformEnable.h:
+
 2022-05-16  Brent Fulgham  <bfulgham@apple.com>
 

trunk/Source/WTF/wtf/PlatformCallingConventions.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2006-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2022 Apple Inc. All rights reserved.
  * Copyright (C) 2007-2009 Torch Mobile, Inc.
  * Copyright (C) 2010, 2011 Research In Motion Limited. All rights reserved.
@@ -85 +85 @@
 #endif
 
-#if ENABLE(JIT_OPERATION_VALIDATION)
+#if ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
+
+#if ENABLE(JIT_OPERATION_VALIDATION) && ENABLE(JIT_OPERATION_DISASSEMBLY)
+#define JSC_ANNOTATE_JIT_OPERATION_EXTRAS(validateFunction, name) (void*)validateFunction, name
+#elif ENABLE(JIT_OPERATION_VALIDATION)
+#define JSC_ANNOTATE_JIT_OPERATION_EXTRAS(validateFunction, name) (void*)validateFunction
+#else // ENABLE(JIT_OPERATION_DISASSEMBLY)
+#define JSC_ANNOTATE_JIT_OPERATION_EXTRAS(validateFunction, name) name
+#endif
+
 #define JSC_ANNOTATE_JIT_OPERATION_INTERNAL(function) \
-    constexpr JSC::JITOperationAnnotation _JITTargetID_##function __attribute__((used, section("__DATA_CONST,__jsc_ops"))) = { (void*)function, (void*)function##Validate };
+    constexpr JSC::JITOperationAnnotation _JITTargetID_##function __attribute__((used, section("__DATA_CONST,__jsc_ops"))) = { (void*)function, JSC_ANNOTATE_JIT_OPERATION_EXTRAS(function##Validate, #function) };
 
 #define JSC_ANNOTATE_JIT_OPERATION(function) \
@@ -101 +110 @@
     JSC_ANNOTATE_JIT_OPERATION_INTERNAL(function)
 
-#else
+#else // not (ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY))
+
 #define JSC_ANNOTATE_JIT_OPERATION(function)
 #define JSC_ANNOTATE_JIT_OPERATION_PROBE(function)
 #define JSC_ANNOTATE_JIT_OPERATION_RETURN(function)
-#endif
 
+#endif // ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
 
 #define JSC_DEFINE_JIT_OPERATION_WITHOUT_VARIABLE(functionName, returnType, parameters) \

trunk/Source/WTF/wtf/PlatformEnable.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2006-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2006-2022 Apple Inc. All rights reserved.
  * Copyright (C) 2007-2009 Torch Mobile, Inc.
  * Copyright (C) 2010, 2011 Research In Motion Limited. All rights reserved.
@@ -850 +850 @@
 #endif
 
+#if USE(APPLE_INTERNAL_SDK) && ENABLE(DISASSEMBLER) && CPU(ARM64E)
+#define ENABLE_JIT_OPERATION_DISASSEMBLY 1
+#endif
+
 #if !defined(ENABLE_BINDING_INTEGRITY) && !OS(WINDOWS)
 #define ENABLE_BINDING_INTEGRITY 1

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2022-05-16  Mark Lam  <mark.lam@apple.com>
+
+        Add ARM64 disassembler support for symbolic dumping of some well known constants.
+        https://bugs.webkit.org/show_bug.cgi?id=240443
+
+        Reviewed by Yusuke Suzuki.
+
+        * bindings/js/WebCoreJITOperations.cpp:
+        (WebCore::populateJITOperations):
+        (WebCore::populateDisassemblyLabels):
+        * bindings/js/WebCoreJITOperations.h:
+        (WebCore::populateDisassemblyLabels):
+        (WebCore::populateJITOperations):
+        * testing/js/WebCoreTestSupport.cpp:
+        (WebCoreTestSupport::populateJITOperations):
+        (WebCoreTestSupport::populateDisassemblyLabels):
+        * testing/js/WebCoreTestSupport.h:
+        (WebCoreTestSupport::populateDisassemblyLabels):
+        (WebCoreTestSupport::populateJITOperations):
+
 2022-05-16  Gabriel Nava Marino  <gnavamarino@apple.com>
 

trunk/Source/WebCore/bindings/js/WebCoreJITOperations.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2020-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2020-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -31 +31 @@
 namespace WebCore {
 
-#if ENABLE(JIT_OPERATION_VALIDATION)
+#if ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
+
 extern const JSC::JITOperationAnnotation startOfJITOperationsInWebCore __asm("section$start$__DATA_CONST$__jsc_ops");
 extern const JSC::JITOperationAnnotation endOfJITOperationsInWebCore __asm("section$end$__DATA_CONST$__jsc_ops");
 
+#if ENABLE(JIT_OPERATION_VALIDATION)
 void populateJITOperations()
 {
@@ -41 +43 @@
         JSC::JITOperationList::populatePointersInEmbedder(&startOfJITOperationsInWebCore, &endOfJITOperationsInWebCore);
     });
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+    if (UNLIKELY(JSC::Options::needDisassemblySupport()))
+        populateDisassemblyLabels();
+#endif
 }
 #endif // ENABLE(JIT_OPERATION_VALIDATION)
 
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+void populateDisassemblyLabels()
+{
+    static std::once_flag onceKey;
+    std::call_once(onceKey, [] {
+        JSC::JITOperationList::populateDisassemblyLabelsInEmbedder(&startOfJITOperationsInWebCore, &endOfJITOperationsInWebCore);
+    });
 }
+#endif // ENABLE(JIT_OPERATION_DISASSEMBLY)
+
+#endif // ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
+
+}

trunk/Source/WebCore/bindings/js/WebCoreJITOperations.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2020-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2020-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 namespace WebCore {
 
+#if ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
+
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+WEBCORE_EXPORT void populateDisassemblyLabels();
+#else
+inline void populateDisassemblyLabels() { }
+#endif
+
 #if ENABLE(JIT_OPERATION_VALIDATION)
 WEBCORE_EXPORT void populateJITOperations();
 #else
-inline void populateJITOperations() { }
+inline void populateJITOperations() { populateDisassemblyLabels(); }
 #endif
 
+#else
+inline void populateJITOperations() { }
+#endif // ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
+
 }

trunk/Source/WebCore/testing/js/WebCoreTestSupport.cpp

@@ -1 +1 @@
 /*
  * Copyright (C) 2011, 2015 Google Inc. All rights reserved.
- * Copyright (C) 2016-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -242 +242 @@
 #endif
 
-#if ENABLE(JIT_OPERATION_VALIDATION)
+#if ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
+
 extern const JSC::JITOperationAnnotation startOfJITOperationsInWebCoreTestSupport __asm("section$start$__DATA_CONST$__jsc_ops");
 extern const JSC::JITOperationAnnotation endOfJITOperationsInWebCoreTestSupport __asm("section$end$__DATA_CONST$__jsc_ops");
+
+#if ENABLE(JIT_OPERATION_VALIDATION)
 
 void populateJITOperations()
@@ -252 +255 @@
         JSC::JITOperationList::populatePointersInEmbedder(&startOfJITOperationsInWebCoreTestSupport, &endOfJITOperationsInWebCoreTestSupport);
     });
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+    if (UNLIKELY(JSC::Options::needDisassemblySupport()))
+        populateDisassemblyLabels();
+#endif
 }
 #endif // ENABLE(JIT_OPERATION_VALIDATION)
 
-}
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+void populateDisassemblyLabels()
+{
+    static std::once_flag onceKey;
+    std::call_once(onceKey, [] {
+        JSC::JITOperationList::populateDisassemblyLabelsInEmbedder(&startOfJITOperationsInWebCoreTestSupport, &endOfJITOperationsInWebCoreTestSupport);
+    });
+}
+#endif // ENABLE(JIT_OPERATION_DISASSEMBLY)
+
+#endif // ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
+
+} // namespace WebCoreTestSupport

trunk/Source/WebCore/testing/js/WebCoreTestSupport.h

@@ -1 +1 @@
 /*
  * Copyright (C) 2011, 2015 Google Inc. All rights reserved.
- * Copyright (C) 2016-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2022 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -68 +68 @@
 void setAdditionalSupportedImageTypesForTesting(const String&) TEST_SUPPORT_EXPORT;
 
+#if ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
+#if ENABLE(JIT_OPERATION_DISASSEMBLY)
+void populateDisassemblyLabels() TEST_SUPPORT_EXPORT;
+#else
+inline void populateDisassemblyLabels() { }
+#endif
+
 #if ENABLE(JIT_OPERATION_VALIDATION)
 void populateJITOperations() TEST_SUPPORT_EXPORT;
 #else
-inline void populateJITOperations() { }
+inline void populateJITOperations() { populateDisassemblyLabels(); }
 #endif
 
+#else
+inline void populateJITOperations() { }
+#endif // ENABLE(JIT_OPERATION_VALIDATION) || ENABLE(JIT_OPERATION_DISASSEMBLY)
+
 } // namespace WebCoreTestSupport