Changeset 245168 in webkit


Timestamp:
May 9, 2019 7:02:31 PM (5 years ago)
Author:
keith_miller@apple.com
Message:

Fix crashes related to pointer authentication for primitive gigacage
https://bugs.webkit.org/show_bug.cgi?id=197763
<rdar://problem/50629257>

Reviewed by Saam Barati.

This fixes two bugs related to PAC for caging. The first is that
we didn't clear the high bits of the size register going into the
patchpoint to tag the new buffer for NewArrayBuffer. The second is
that the GC needs to strip all stack pointers when considering
them as a conservative root.

  • ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
  • heap/ConservativeRoots.cpp:
    (JSC::ConservativeRoots::genericAddPointer):

Location:
trunk/Source/JavaScriptCore
Files:
3 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r245152 r245168  
     12019-05-09  Keith Miller  <keith_miller@apple.com>
     2
     3        Fix crashes related to pointer authentication for primitive gigacage
     4        https://bugs.webkit.org/show_bug.cgi?id=197763
     5        <rdar://problem/50629257>
     6
     7        Reviewed by Saam Barati.
     8
     9        This fixes two bugs related to PAC for caging. The first is that
     10        we didn't clear the high bits of the size register going into the
     11        patchpoint to tag the new buffer for NewArrayBuffer. The second is
     12        that the GC needs to strip all stack pointers when considering
     13        them as a conservative root.
     14
     15        * ftl/FTLLowerDFGToB3.cpp:
     16        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
     17        * heap/ConservativeRoots.cpp:
     18        (JSC::ConservativeRoots::genericAddPointer):
     19
    1202019-05-09  Keith Miller  <keith_miller@apple.com>
    221
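Review bot: no regression test accompanies either fix, and the entry lists only the two source files touched (the changeset itself is three files, all shown here). If the crash can only be reproduced on ARM64E hardware with the gigacage disabled, the entry should say so explicitly so the absence of a test is understood, and it would help to state the concrete failure mode for the FTL bug: the size register's stale upper bits end up in the pointer tag, so the buffer no longer authenticates against its real length.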
  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r245064 r245168  
    64696469
    64706470#if !GIGACAGE_ENABLED && CPU(ARM64E)
    6471             PatchpointValue* authenticate = m_out.patchpoint(pointerType());
    6472             authenticate->appendSomeRegister(storage);
    6473             authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister));
    6474             authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
    6475                 jit.move(params[1].gpr(), params[0].gpr());
    6476                 jit.tagArrayPtr(params[2].gpr(), params[0].gpr());
    6477             });
    6478             storage = authenticate;
     6471            {
     6472                LValue sizePtr = m_out.zeroExtPtr(size);
     6473                PatchpointValue* authenticate = m_out.patchpoint(pointerType());
     6474                authenticate->appendSomeRegister(storage);
     6475                authenticate->append(sizePtr, B3::ValueRep(B3::ValueRep::SomeLateRegister));
     6476                authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
     6477                    jit.move(params[1].gpr(), params[0].gpr());
     6478                    jit.tagArrayPtr(params[2].gpr(), params[0].gpr());
     6479                });
     6480                storage = authenticate;
     6481            }
    64796482#endif
    64806483
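Review bot: the new `LValue sizePtr = m_out.zeroExtPtr(size);` on line 6472 is the entire fix, but nothing in the code says why it is needed. A reader seeing `size` handed to the patchpoint as a `SomeLateRegister` and then consumed by `jit.tagArrayPtr(params[2].gpr(), params[0].gpr())` has no hint that the upper 32 bits of an Int32 value's register are not guaranteed clear and that `tagArrayPtr` reads the full 64-bit GPR, so garbage high bits become part of the tag and the buffer later fails authentication. Add a one-line comment above the `zeroExtPtr` call, e.g. `// size is Int32; tagArrayPtr uses the whole 64-bit register, so zero-extend first.` Wrapping the block in a new `{ }` scope only to hold `sizePtr` is fine, but the comment belongs at the top of that scope where the `#if !GIGACAGE_ENABLED && CPU(ARM64E)` condition is visible.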
  • trunk/Source/JavaScriptCore/heap/ConservativeRoots.cpp

    r233236 r245168  
    6969inline void ConservativeRoots::genericAddPointer(void* p, HeapVersion markingVersion, HeapVersion newlyAllocatedVersion, TinyBloomFilter filter, MarkHook& markHook)
    7070{
     71    p = removeArrayPtrTag(p);
    7172    markHook.mark(p);
    7273
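Review bot: `p = removeArrayPtrTag(p);` on line 71 strips the tag from every candidate pointer, including ones that were never tagged, so the correctness of this line depends on `removeArrayPtrTag` being the identity on an untagged pointer and a no-op on non-ARM64E builds; a short comment stating that stack slots may hold PAC-signed pointers to array buffers and that the conservative scan must work on the raw address would make that assumption explicit, since the ChangeLog's "strip all stack pointers" is currently the only explanation. The ordering is right: because the strip is the first statement, `markHook.mark(p)` and every later use of `p` that takes `filter`, `markingVersion` and `newlyAllocatedVersion` from the signature sees the stripped address, so a tagged pointer is no longer rejected as pointing outside the heap.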