Changeset 246022 in webkit
- Timestamp:
- Jun 2, 2019 1:02:00 PM (5 years ago)
- Location:
- trunk/Source
- Files:
-
- 9 edited
-
JavaScriptCore/ChangeLog (modified) (1 diff)
-
JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (4 diffs)
-
JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (4 diffs)
-
JavaScriptCore/jit/AssemblyHelpers.h (modified) (2 diffs)
-
JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
-
WTF/ChangeLog (modified) (1 diff)
-
WTF/wtf/CagedPtr.h (modified) (3 diffs)
-
bmalloc/ChangeLog (modified) (1 diff)
-
bmalloc/bmalloc/Gigacage.h (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r246021 r246022 1 2019-06-02 Keith Miller <keith_miller@apple.com> 2 3 Reenable Gigacage on ARM64. 4 https://bugs.webkit.org/show_bug.cgi?id=198453 5 6 Reviewed by Filip Pizlo. 7 8 This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the 9 old Gigacage however, arm64e uses both Gigacaging and PAC. Since 10 Gigacaging would otherwise strip a PAC failed authenticate bit we 11 force a load of the pointer into some garbage register. 12 13 * dfg/DFGSpeculativeJIT.cpp: 14 (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): 15 (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): 16 * ftl/FTLLowerDFGToB3.cpp: 17 (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): 18 (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): 19 (JSC::FTL::DFG::LowerDFGToB3::caged): 20 * jit/AssemblyHelpers.h: 21 (JSC::AssemblyHelpers::cageConditionally): 22 * llint/LowLevelInterpreter64.asm: 23 1 24 2019-06-02 Tadeu Zagallo <tzagallo@apple.com> 2 25 -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r245658 r246022 2874 2874 2875 2875 JITCompiler::Jump hasNullVector; 2876 #if !GIGACAGE_ENABLED &&CPU(ARM64E)2876 #if CPU(ARM64E) 2877 2877 { 2878 2878 GPRReg scratch = m_jit.scratchRegister(); … … 2883 2883 hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch); 2884 2884 } 2885 #else // !GIGACAGE_ENABLED &&CPU(ARM64E)2885 #else // CPU(ARM64E) 2886 2886 hasNullVector = m_jit.branchTestPtr( 2887 2887 MacroAssembler::Zero, … … 6720 6720 void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg) 6721 6721 { 6722 #if CPU(ARM64E) 6723 m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg); 6724 m_jit.loadPtr(storageReg, m_jit.scratchRegister()); 6725 #else 6726 UNUSED_PARAM(baseReg); 6727 UNUSED_PARAM(storageReg); 6728 #endif 6729 6722 6730 #if GIGACAGE_ENABLED 6723 6731 UNUSED_PARAM(baseReg); … … 6733 6741 6734 6742 m_jit.cage(Gigacage::Primitive, storageReg); 6735 #elif CPU(ARM64E)6736 m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);6737 #else6738 UNUSED_PARAM(baseReg);6739 UNUSED_PARAM(storageReg);6740 6743 #endif 6741 6744 } -
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r245313 r246022 6464 6464 m_heaps.typedArrayProperties); 6465 6465 6466 #if !GIGACAGE_ENABLED &&CPU(ARM64E)6466 #if CPU(ARM64E) 6467 6467 { 6468 6468 LValue sizePtr = m_out.zeroExtPtr(size); … … 14109 14109 authenticate->appendSomeRegister(ptr); 14110 14110 authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister)); 14111 authenticate->numGPScratchRegisters = 1; 14111 14112 authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { 14112 14113 jit.move(params[1].gpr(), params[0].gpr()); 14113 14114 jit.untagArrayPtr(params[2].gpr(), params[0].gpr()); 14115 // Force a load to check authentication. before it is cleared by Gigacaging later. 14116 jit.loadPtr(params[0].gpr(), params.gpScratch(0)); 14114 14117 }); 14115 14118 return authenticate; … … 14136 14139 LValue caged(Gigacage::Kind kind, LValue ptr, LValue base) 14137 14140 { 14141 #if CPU(ARM64E) 14142 if (kind == Gigacage::Primitive) { 14143 LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length); 14144 ptr = untagArrayPtr(ptr, size); 14145 } 14146 #else 14147 UNUSED_PARAM(kind); 14148 UNUSED_PARAM(base); 14149 #endif 14150 14138 14151 #if GIGACAGE_ENABLED 14139 14152 UNUSED_PARAM(base); … … 14166 14179 // https://bugs.webkit.org/show_bug.cgi?id=175493 14167 14180 return m_out.opaque(result); 14168 #elif CPU(ARM64E)14169 if (kind == Gigacage::Primitive) {14170 LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);14171 return untagArrayPtr(ptr, size);14172 }14173 14174 return ptr;14175 #else14176 UNUSED_PARAM(kind);14177 UNUSED_PARAM(base);14178 return ptr;14179 14181 #endif 14180 14182 } -
trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h
r245064 r246022 1572 1572 void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratchOrLength) 1573 1573 { 1574 #if CPU(ARM64E) 1575 if (kind == Gigacage::Primitive) { 1576 untagArrayPtr(scratchOrLength, storage); 1577 // Force a load to trap on authentication failure. storage shouldn't be null here. 1578 loadPtr(storage, scratchOrLength); 1579 } 1580 #else 1581 UNUSED_PARAM(kind); 1582 UNUSED_PARAM(storage); 1583 UNUSED_PARAM(scratchOrLength); 1584 #endif 1585 1574 1586 #if GIGACAGE_ENABLED 1575 1587 if (!Gigacage::isEnabled(kind)) … … 1584 1596 addPtr(scratchOrLength, storage); 1585 1597 done.link(this); 1586 #elif CPU(ARM64E)1587 if (kind == Gigacage::Primitive)1588 untagArrayPtr(scratchOrLength, storage);1589 #else1590 UNUSED_PARAM(kind);1591 UNUSED_PARAM(storage);1592 UNUSED_PARAM(scratchOrLength);1593 1598 #endif 1594 1599 } -
trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
r245906 r246022 435 435 macro loadCagedPrimitive(source, dest, scratchOrLength) 436 436 loadp source, dest 437 if ARM64E 438 untagArrayPtr scratchOrLength, dest 439 # Force a load to check PAC before we clear it below. 440 loadp [dest], scratchOrLength 441 end 437 442 if GIGACAGE_ENABLED 438 443 uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, dest, scratchOrLength) 439 elsif ARM64E440 untagArrayPtr scratchOrLength, dest441 444 end 442 445 end -
trunk/Source/WTF/ChangeLog
r245983 r246022 1 2019-06-02 Keith Miller <keith_miller@apple.com> 2 3 Reenable Gigacage on ARM64. 4 https://bugs.webkit.org/show_bug.cgi?id=198453 5 6 Reviewed by Filip Pizlo. 7 8 * wtf/CagedPtr.h: 9 (WTF::CagedPtr::authenticatingLoad): 10 (WTF::CagedPtr::get const): 11 (WTF::CagedPtr::getMayBeNull const): 12 1 13 2019-05-31 Alex Christensen <achristensen@webkit.org> 2 14 -
trunk/Source/WTF/wtf/CagedPtr.h
r245432 r246022 36 36 template<Gigacage::Kind passedKind, typename T, bool shouldTag = false, typename PtrTraits = DumbPtrTraits<T>> 37 37 class CagedPtr { 38 #if CPU(ARM64E) 39 static void authenticatingLoad(T* ptr) 40 { 41 double result; 42 asm volatile("ldr %[out], [%[in]]" 43 : [out] "=&r"(result) 44 : [in] "r"(ptr) :); 45 } 46 #else 47 static void authenticatingLoad(T*) { } 48 #endif 49 38 50 public: 39 51 static constexpr Gigacage::Kind kind = passedKind; … … 53 65 ASSERT(m_ptr); 54 66 T* ptr = PtrTraits::unwrap(m_ptr); 55 if (shouldTag) 67 if (shouldTag) { 56 68 ptr = untagArrayPtr(ptr, size); 69 authenticatingLoad(ptr); 70 } 57 71 return Gigacage::caged(kind, ptr); 58 72 } … … 61 75 { 62 76 T* ptr = PtrTraits::unwrap(m_ptr); 63 if (shouldTag) 77 if (shouldTag) { 64 78 ptr = untagArrayPtr(ptr, size); 79 if (ptr) 80 authenticatingLoad(ptr); 81 } 65 82 return Gigacage::cagedMayBeNull(kind, ptr); 66 83 } -
trunk/Source/bmalloc/ChangeLog
r245940 r246022 1 2019-06-02 Keith Miller <keith_miller@apple.com> 2 3 Reenable Gigacage on ARM64. 4 https://bugs.webkit.org/show_bug.cgi?id=198453 5 6 Reviewed by Filip Pizlo. 7 8 * bmalloc/Gigacage.h: 9 1 10 2019-05-30 Don Olmstead <don.olmstead@sony.com> 2 11 -
trunk/Source/bmalloc/bmalloc/Gigacage.h
r245432 r246022 35 35 #include <inttypes.h> 36 36 37 #if ((BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64)) 37 #if ((BOS(DARWIN) || BOS(LINUX)) && \ 38 (BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS))))) 38 39 #define GIGACAGE_ENABLED 1 39 40 #else
Note: See TracChangeset
for help on using the changeset viewer.
