Changeset 246150 in webkit
- Timestamp:
- Jun 6, 2019 6:20:56 AM (5 years ago)
- Location:
- trunk/Source
- Files:
-
- 20 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r246147 r246150 1 2019-06-06 Keith Miller <keith_miller@apple.com> 2 3 Reenable Gigacage on ARM64. 4 https://bugs.webkit.org/show_bug.cgi?id=198453 5 6 Reviewed by Michael Saboff. 7 8 This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the 9 old Gigacage however, arm64e uses both Gigacaging and PAC. In 10 order to ensure the PAC bits are not stripped in the caging 11 process we use the bit field insert instruction to take the low 12 bits from caging and the high bits from the PAC authentication. 13 14 * assembler/MacroAssemblerARM64.h: 15 (JSC::MacroAssemblerARM64::bitFieldInsert64): 16 * assembler/MacroAssemblerARM64E.h: 17 * assembler/testmasm.cpp: 18 (JSC::testCagePreservesPACFailureBit): 19 (JSC::run): 20 * dfg/DFGSpeculativeJIT.cpp: 21 (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): 22 (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): 23 (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): 24 (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): 25 * ftl/FTLLowerDFGToB3.cpp: 26 (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): 27 (JSC::FTL::DFG::LowerDFGToB3::caged): 28 * jit/AssemblyHelpers.h: 29 (JSC::AssemblyHelpers::cageWithoutUntaging): 30 (JSC::AssemblyHelpers::cageConditionally): 31 (JSC::AssemblyHelpers::cage): Deleted. 32 * jit/JITPropertyAccess.cpp: 33 (JSC::JIT::emitIntTypedArrayGetByVal): 34 (JSC::JIT::emitFloatTypedArrayGetByVal): 35 (JSC::JIT::emitIntTypedArrayPutByVal): 36 (JSC::JIT::emitFloatTypedArrayPutByVal): 37 * llint/LowLevelInterpreter.asm: 38 * llint/LowLevelInterpreter64.asm: 39 * offlineasm/arm64.rb: 40 * offlineasm/instructions.rb: 41 * offlineasm/registers.rb: 42 * wasm/WasmAirIRGenerator.cpp: 43 (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): 44 (JSC::Wasm::AirIRGenerator::addCallIndirect): 45 * wasm/WasmB3IRGenerator.cpp: 46 (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): 47 (JSC::Wasm::B3IRGenerator::addCallIndirect): 48 * wasm/WasmBinding.cpp: 49 (JSC::Wasm::wasmToWasm): 50 * wasm/js/JSToWasm.cpp: 51 (JSC::Wasm::createJSToWasmWrapper): 52 * wasm/js/WebAssemblyFunction.cpp: 53 (JSC::WebAssemblyFunction::jsCallEntrypointSlow): 54 1 55 2019-06-06 Michael Saboff <msaboff@apple.com> 2 56 -
trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h
r246134 r246150 2527 2527 } 2528 2528 2529 // Bit field operations: 2530 2531 // destBitOffset is the top bit of the destination where the bits should be copied to. Zero is the lowest order bit. 2532 void bitFieldInsert64(RegisterID source, unsigned destBitOffset, unsigned width, RegisterID dest) 2533 { 2534 ASSERT(width <= 64 - destBitOffset && destBitOffset < 64); 2535 m_assembler.bfi<64>(dest, source, destBitOffset, width); 2536 } 2537 2529 2538 // Forwards / external control flow operations: 2530 2539 // -
trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h
r245251 r246150 40 40 class MacroAssemblerARM64E : public MacroAssemblerARM64 { 41 41 public: 42 static constexpr unsigned numberOfPACBits = 25; 43 42 44 ALWAYS_INLINE void tagReturnAddress() 43 45 { -
trunk/Source/JavaScriptCore/assembler/testmasm.cpp
r246134 r246150 40 40 #include <wtf/Lock.h> 41 41 #include <wtf/NumberOfCores.h> 42 #include <wtf/PtrTag.h> 42 43 #include <wtf/Threading.h> 43 44 #include <wtf/text/StringCommon.h> … … 107 108 dataLog("FAILED while testing " #_actual ": expected: ", _expected, ", actual: ", _actual, "\n"); \ 108 109 WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, "CHECK_EQ("#_actual ", " #_expected ")"); \ 110 CRASH(); \ 111 } while (false) 112 113 #define CHECK_NOT_EQ(_actual, _expected) do { \ 114 if ((_actual) != (_expected)) \ 115 break; \ 116 crashLock.lock(); \ 117 dataLog("FAILED while testing " #_actual ": expected not: ", _expected, ", actual: ", _actual, "\n"); \ 118 WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, "CHECK_NOT_EQ("#_actual ", " #_expected ")"); \ 109 119 CRASH(); \ 110 120 } while (false) … … 1002 1012 1003 1013 #endif 1014 } 1015 1016 static void testCagePreservesPACFailureBit() 1017 { 1018 auto cage = compile([] (CCallHelpers& jit) { 1019 jit.emitFunctionPrologue(); 1020 jit.cageConditionally(Gigacage::Primitive, GPRInfo::argumentGPR0, GPRInfo::argumentGPR1, GPRInfo::argumentGPR2); 1021 jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR); 1022 jit.emitFunctionEpilogue(); 1023 jit.ret(); 1024 }); 1025 1026 void* ptr = Gigacage::tryMalloc(Gigacage::Primitive, 1); 1027 void* taggedPtr = tagArrayPtr(ptr, 1); 1028 dataLogLn("starting test"); 1029 if (isARM64E()) { 1030 // FIXME: This won't work if authentication failures trap but I don't know how to test for that right now. 1031 CHECK_NOT_EQ(invoke<void*>(cage, taggedPtr, 2), ptr); 1032 } else 1033 CHECK_EQ(invoke<void*>(cage, taggedPtr, 2), ptr); 1034 1035 CHECK_EQ(invoke<void*>(cage, taggedPtr, 1), ptr); 1036 1037 auto cageWithoutAuthentication = compile([] (CCallHelpers& jit) { 1038 jit.emitFunctionPrologue(); 1039 jit.cageWithoutUntaging(Gigacage::Primitive, GPRInfo::argumentGPR0); 1040 jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR); 1041 jit.emitFunctionEpilogue(); 1042 jit.ret(); 1043 }); 1044 1045 if (isARM64E()) { 1046 // FIXME: This won't work if authentication failures trap but I don't know how to test for that right now. 1047 CHECK_NOT_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 2)), ptr); 1048 } else 1049 CHECK_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 2)), ptr); 1050 1051 CHECK_EQ(untagArrayPtr(taggedPtr, 1), ptr); 1052 CHECK_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 1)), ptr); 1053 1054 Gigacage::free(Gigacage::Primitive, ptr); 1004 1055 } 1005 1056 … … 1089 1140 RUN(testMoveDoubleConditionally64()); 1090 1141 1142 RUN(testCagePreservesPACFailureBit()); 1143 1091 1144 if (tasks.isEmpty()) 1092 1145 usage(); -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r246073 r246150 2874 2874 2875 2875 JITCompiler::Jump hasNullVector; 2876 #if !GIGACAGE_ENABLED &&CPU(ARM64E)2876 #if CPU(ARM64E) 2877 2877 { 2878 2878 GPRReg scratch = m_jit.scratchRegister(); … … 2883 2883 hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch); 2884 2884 } 2885 #else // !GIGACAGE_ENABLED &&CPU(ARM64E)2885 #else // CPU(ARM64E) 2886 2886 hasNullVector = m_jit.branchTestPtr( 2887 2887 MacroAssembler::Zero, … … 6761 6761 void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg) 6762 6762 { 6763 #if CPU(ARM64E) 6764 m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg); 6765 #else 6766 UNUSED_PARAM(baseReg); 6767 UNUSED_PARAM(storageReg); 6768 #endif 6769 6763 6770 #if GIGACAGE_ENABLED 6764 6771 UNUSED_PARAM(baseReg); … … 6773 6780 } 6774 6781 6775 m_jit.cage(Gigacage::Primitive, storageReg); 6776 #elif CPU(ARM64E) 6777 m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg); 6778 #else 6779 UNUSED_PARAM(baseReg); 6780 UNUSED_PARAM(storageReg); 6782 m_jit.cageWithoutUntaging(Gigacage::Primitive, storageReg); 6781 6783 #endif 6782 6784 } … … 6842 6844 6843 6845 m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR); 6844 m_jit.cage (Gigacage::JSValue, dataGPR);6846 m_jit.cageWithoutUntaging(Gigacage::JSValue, dataGPR); 6845 6847 6846 6848 cageTypedArrayStorage(baseGPR, vectorGPR); … … 9846 9848 m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit); 9847 9849 done.link(&m_jit); 9848 #if !GIGACAGE_ENABLED &&CPU(ARM64E)9850 #if CPU(ARM64E) 9849 9851 // sizeGPR is still boxed as a number and there is no 32-bit variant of the PAC instructions. 9850 9852 m_jit.zeroExtend32ToPtr(sizeGPR, scratchGPR); -
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r246073 r246150 6486 6486 m_heaps.typedArrayProperties); 6487 6487 6488 #if !GIGACAGE_ENABLED &&CPU(ARM64E)6488 #if CPU(ARM64E) 6489 6489 { 6490 6490 LValue sizePtr = m_out.zeroExtPtr(size); … … 14158 14158 LValue caged(Gigacage::Kind kind, LValue ptr, LValue base) 14159 14159 { 14160 #if CPU(ARM64E) 14161 if (kind == Gigacage::Primitive) { 14162 LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length); 14163 ptr = untagArrayPtr(ptr, size); 14164 } 14165 #else 14166 UNUSED_PARAM(kind); 14167 UNUSED_PARAM(base); 14168 #endif 14169 14160 14170 #if GIGACAGE_ENABLED 14161 14171 UNUSED_PARAM(base); … … 14176 14186 LValue result = m_out.add(masked, basePtr); 14177 14187 14188 #if CPU(ARM64E) 14189 { 14190 PatchpointValue* merge = m_out.patchpoint(pointerType()); 14191 merge->append(result, B3::ValueRep(B3::ValueRep::SomeLateRegister)); 14192 merge->appendSomeRegister(ptr); 14193 merge->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { 14194 jit.move(params[2].gpr(), params[0].gpr()); 14195 jit.bitFieldInsert64(params[1].gpr(), 0, 64 - MacroAssembler::numberOfPACBits, params[0].gpr()); 14196 }); 14197 result = merge; 14198 } 14199 #endif 14178 14200 // Make sure that B3 doesn't try to do smart reassociation of these pointer bits. 14179 14201 // FIXME: In an ideal world, B3 would not do harmful reassociations, and if it did, it would be able … … 14188 14210 // https://bugs.webkit.org/show_bug.cgi?id=175493 14189 14211 return m_out.opaque(result); 14190 #elif CPU(ARM64E)14191 if (kind == Gigacage::Primitive) {14192 LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);14193 return untagArrayPtr(ptr, size);14194 }14195 14196 return ptr;14197 #else14198 UNUSED_PARAM(kind);14199 UNUSED_PARAM(base);14200 return ptr;14201 14212 #endif 14202 14213 } -
trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h
r246038 r246150 1555 1555 ok.link(this); 1556 1556 } 1557 1558 void cage (Gigacage::Kind kind, GPRReg storage)1557 1558 void cageWithoutUntaging(Gigacage::Kind kind, GPRReg storage) 1559 1559 { 1560 1560 #if GIGACAGE_ENABLED 1561 1561 if (!Gigacage::isEnabled(kind)) 1562 1562 return; 1563 1563 1564 #if CPU(ARM64E) 1565 RegisterID tempReg = InvalidGPRReg; 1566 if (kind == Gigacage::Primitive) { 1567 tempReg = getCachedMemoryTempRegisterIDAndInvalidate(); 1568 move(storage, tempReg); 1569 // Flip the registers since bitFieldInsert only inserts into the low bits. 1570 std::swap(storage, tempReg); 1571 } 1572 #endif 1564 1573 andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage); 1565 1574 addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage); 1575 #if CPU(ARM64E) 1576 if (kind == Gigacage::Primitive) 1577 bitFieldInsert64(storage, 0, 64 - numberOfPACBits, tempReg); 1578 #endif 1579 1566 1580 #else 1567 1581 UNUSED_PARAM(kind); … … 1569 1583 #endif 1570 1584 } 1571 1572 void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratchOrLength) 1573 { 1585 1586 // length may be the same register as scratch. 1587 void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg length, GPRReg scratch) 1588 { 1589 #if CPU(ARM64E) 1590 if (kind == Gigacage::Primitive) 1591 untagArrayPtr(length, storage); 1592 #else 1593 UNUSED_PARAM(kind); 1594 UNUSED_PARAM(storage); 1595 UNUSED_PARAM(length); 1596 #endif 1597 1574 1598 #if GIGACAGE_ENABLED 1575 1599 if (!Gigacage::isEnabled(kind)) … … 1577 1601 1578 1602 if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled()) 1579 return cage(kind, storage); 1580 1581 loadPtr(&Gigacage::basePtr(kind), scratchOrLength); 1582 Jump done = branchTestPtr(Zero, scratchOrLength); 1583 andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage); 1584 addPtr(scratchOrLength, storage); 1585 done.link(this); 1586 #elif CPU(ARM64E) 1587 if (kind == Gigacage::Primitive) 1588 untagArrayPtr(scratchOrLength, storage); 1589 #else 1590 UNUSED_PARAM(kind); 1591 UNUSED_PARAM(storage); 1592 UNUSED_PARAM(scratchOrLength); 1593 #endif 1603 cageWithoutUntaging(kind, storage); 1604 else { 1605 loadPtr(&Gigacage::basePtr(kind), scratch); 1606 Jump done = branchTestPtr(Zero, scratch); 1607 #if CPU(ARM64E) 1608 auto tempReg = getCachedMemoryTempRegisterIDAndInvalidate(); 1609 move(storage, tempReg); 1610 andPtr(TrustedImmPtr(Gigacage::mask(kind)), tempReg); 1611 addPtr(scratch, tempReg); 1612 bitFieldInsert64(tempReg, 0, 64 - numberOfPACBits, storage); 1613 #else 1614 andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage); 1615 addPtr(scratch, storage); 1616 #endif 1617 done.link(this); 1618 1619 1620 } 1621 #else 1622 UNUSED_PARAM(scratch); 1623 #endif 1624 1594 1625 } 1595 1626 -
trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
r245658 r246150 1673 1673 slowCases.append(branch32(AboveOrEqual, property, scratch2)); 1674 1674 loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); 1675 cageConditionally(Gigacage::Primitive, scratch, scratch2 );1675 cageConditionally(Gigacage::Primitive, scratch, scratch2, scratch2); 1676 1676 1677 1677 switch (elementSize(type)) { … … 1737 1737 slowCases.append(branch32(AboveOrEqual, property, scratch2)); 1738 1738 loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); 1739 cageConditionally(Gigacage::Primitive, scratch, scratch2 );1739 cageConditionally(Gigacage::Primitive, scratch, scratch2, scratch2); 1740 1740 1741 1741 switch (elementSize(type)) { … … 1802 1802 // path expects the base to be unclobbered. 1803 1803 loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch); 1804 cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2 );1804 cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2); 1805 1805 1806 1806 if (isClamped(type)) { … … 1891 1891 // path expects the base to be unclobbered. 1892 1892 loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch); 1893 cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2 );1893 cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2); 1894 1894 1895 1895 switch (elementSize(type)) { -
trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
r246006 r246150 77 77 # - pc holds the (native) program counter on 32-bits ARM architectures (ARMv7) 78 78 # 79 # - t0, t1, t2, t3, t4 and optionally t5are temporary registers that can get trashed on79 # - t0, t1, t2, t3, t4, and optionally t5, t6, and t7 are temporary registers that can get trashed on 80 80 # calls, and are pairwise distinct registers. t4 holds the JS program counter, so use 81 81 # with caution in opcodes (actually, don't use it in opcodes at all, except as PC). -
trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
r246038 r246150 435 435 macro loadCagedPrimitive(source, dest, scratchOrLength) 436 436 loadp source, dest 437 if ARM64E 438 const result = t7 439 untagArrayPtr scratchOrLength, dest 440 move dest, result 441 else 442 const result = dest 443 end 437 444 if GIGACAGE_ENABLED 438 uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, dest, scratchOrLength) 439 elsif ARM64E 440 untagArrayPtr scratchOrLength, dest 445 uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, result, scratchOrLength) 446 if ARM64E 447 const numberOfPACBits = constexpr MacroAssembler::numberOfPACBits 448 bfiq result, 0, 64 - numberOfPACBits, dest 449 end 441 450 end 442 451 end -
trunk/Source/JavaScriptCore/offlineasm/arm64.rb
r245906 r246150 127 127 when 't6' 128 128 arm64GPRName('x6', kind) 129 when 't7' 130 arm64GPRName('x7', kind) 129 131 when 'cfr' 130 132 arm64GPRName('x29', kind) … … 1020 1022 when "memfence" 1021 1023 $asm.puts "dmb sy" 1024 when "bfiq" 1025 $asm.puts "bfi #{operands[3].arm64Operand(:quad)}, #{operands[0].arm64Operand(:quad)}, #{operands[1].value}, #{operands[2].value}" 1022 1026 when "pcrtoaddr" 1023 1027 $asm.puts "adr #{operands[1].arm64Operand(:quad)}, #{operands[0].value}" -
trunk/Source/JavaScriptCore/offlineasm/instructions.rb
r245906 r246150 274 274 ARM64_INSTRUCTIONS = 275 275 [ 276 "bfiq", # Bit field insert <source reg> <last bit written> <width immediate> <dest reg> 276 277 "pcrtoaddr", # Address from PC relative offset - adr instruction 277 278 "nopFixCortexA53Err835769", # nop on Cortex-A53 (nothing otherwise) -
trunk/Source/JavaScriptCore/offlineasm/registers.rb
r245064 r246150 33 33 "t5", 34 34 "t6", 35 "t7", 35 36 "cfr", 36 37 "a0", -
trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp
r246139 r246150 849 849 850 850 patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { 851 RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64()); 852 AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64()); 851 AllowMacroScratchRegisterUsage allowScratch(jit); 853 852 GPRReg baseMemory = pinnedRegs->baseMemoryPointer; 854 853 GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister; … … 857 856 jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory); 858 857 859 jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);858 jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize); 860 859 }); 861 860 … … 1989 1988 jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. 1990 1989 1991 jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);1990 jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize); 1992 1991 }); 1993 1992 -
trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
r246139 r246150 492 492 patchpoint->append(instance, ValueRep::SomeRegister); 493 493 patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { 494 RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64()); 495 AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64()); 494 AllowMacroScratchRegisterUsage allowScratch(jit); 496 495 GPRReg baseMemory = pinnedRegs->baseMemoryPointer; 497 496 GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister; … … 500 499 jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory); 501 500 502 jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);501 jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize); 503 502 }); 504 503 } … … 1402 1401 jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. 1403 1402 1404 jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);1403 jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize); 1405 1404 }); 1406 1405 doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation); -
trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp
r245681 r246150 68 68 // Set up the callee's baseMemory register as well as the memory size registers. 69 69 { 70 GPRReg scratchOrSize = isARM64E() ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1);70 GPRReg scratchOrSize = !Gigacage::isEnabled(Gigacage::Primitive) ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1); 71 71 72 72 jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. 73 73 jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*). 74 jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);74 jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize); 75 75 } 76 76 -
trunk/Source/JavaScriptCore/wasm/js/JSToWasm.cpp
r245496 r246150 229 229 230 230 jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); 231 jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize );231 jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize); 232 232 } 233 233 -
trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
r245496 r246150 424 424 425 425 jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); 426 jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize );426 jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize); 427 427 } 428 428 -
trunk/Source/bmalloc/ChangeLog
r246038 r246150 1 2019-06-06 Keith Miller <keith_miller@apple.com> 2 3 Reenable Gigacage on ARM64. 4 https://bugs.webkit.org/show_bug.cgi?id=198453 5 6 Reviewed by Michael Saboff. 7 8 * bmalloc/Gigacage.h: 9 1 10 2019-06-03 Commit Queue <commit-queue@webkit.org> 2 11 -
trunk/Source/bmalloc/bmalloc/Gigacage.h
r246038 r246150 35 35 #include <inttypes.h> 36 36 37 #if ((BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64)) 37 #if ((BOS(DARWIN) || BOS(LINUX)) && \ 38 (BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS))))) 38 39 #define GIGACAGE_ENABLED 1 39 40 #else
Note: See TracChangeset
for help on using the changeset viewer.