Changeset 246451 in webkit


Ignore:
Timestamp:
Jun 14, 2019 4:14:14 PM (5 years ago)
Author:
keith_miller@apple.com
Message:

Restore PAC based cage.
https://bugs.webkit.org/show_bug.cgi?id=198872

Rubber-stamped by Saam Barati.

Source/bmalloc:

  • bmalloc/Gigacage.h:

Source/JavaScriptCore:

  • assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::bitFieldInsert64):

  • assembler/MacroAssemblerARM64E.h:
  • assembler/testmasm.cpp:

(JSC::testCagePreservesPACFailureBit):
(JSC::run):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::caged):

  • jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::cageWithoutUntagging):
(JSC::AssemblyHelpers::cageConditionally):
(JSC::AssemblyHelpers::cage): Deleted.

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

  • llint/LowLevelInterpreter.asm:
  • llint/LowLevelInterpreter64.asm:
  • offlineasm/arm64.rb:
  • offlineasm/instructions.rb:
  • offlineasm/registers.rb:
  • wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::AirIRGenerator::addCallIndirect):

  • wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCallIndirect):

  • wasm/WasmBinding.cpp:

(JSC::Wasm::wasmToWasm):

  • wasm/js/JSToWasm.cpp:

(JSC::Wasm::createJSToWasmWrapper):

  • wasm/js/WebAssemblyFunction.cpp:

(JSC::WebAssemblyFunction::jsCallEntrypointSlow):

Location:
trunk/Source
Files:
20 edited

Legend:

Unmodified
Added
Removed
  • trunk/Source/JavaScriptCore/ChangeLog

    r246408 r246451  
     12019-06-14  Keith Miller  <keith_miller@apple.com>
     2
     3        Restore PAC based cage.
     4        https://bugs.webkit.org/show_bug.cgi?id=198872
     5
     6        Rubber-stamped by Saam Barati.
     7
     8        * assembler/MacroAssemblerARM64.h:
     9        (JSC::MacroAssemblerARM64::bitFieldInsert64):
     10        * assembler/MacroAssemblerARM64E.h:
     11        * assembler/testmasm.cpp:
     12        (JSC::testCagePreservesPACFailureBit):
     13        (JSC::run):
     14        * dfg/DFGSpeculativeJIT.cpp:
     15        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
     16        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
     17        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
     18        (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
     19        * ftl/FTLLowerDFGToB3.cpp:
     20        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
     21        (JSC::FTL::DFG::LowerDFGToB3::caged):
     22        * jit/AssemblyHelpers.h:
     23        (JSC::AssemblyHelpers::cageWithoutUntagging):
     24        (JSC::AssemblyHelpers::cageConditionally):
     25        (JSC::AssemblyHelpers::cage): Deleted.
     26        * jit/JITPropertyAccess.cpp:
     27        (JSC::JIT::emitIntTypedArrayGetByVal):
     28        (JSC::JIT::emitFloatTypedArrayGetByVal):
     29        (JSC::JIT::emitIntTypedArrayPutByVal):
     30        (JSC::JIT::emitFloatTypedArrayPutByVal):
     31        * llint/LowLevelInterpreter.asm:
     32        * llint/LowLevelInterpreter64.asm:
     33        * offlineasm/arm64.rb:
     34        * offlineasm/instructions.rb:
     35        * offlineasm/registers.rb:
     36        * wasm/WasmAirIRGenerator.cpp:
     37        (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
     38        (JSC::Wasm::AirIRGenerator::addCallIndirect):
     39        * wasm/WasmB3IRGenerator.cpp:
     40        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
     41        (JSC::Wasm::B3IRGenerator::addCallIndirect):
     42        * wasm/WasmBinding.cpp:
     43        (JSC::Wasm::wasmToWasm):
     44        * wasm/js/JSToWasm.cpp:
     45        (JSC::Wasm::createJSToWasmWrapper):
     46        * wasm/js/WebAssemblyFunction.cpp:
     47        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
     48
    1492019-06-13  Yusuke Suzuki  <ysuzuki@apple.com>
    250
  • trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h

    r246240 r246451  
    25272527    }
    25282528
     2529    // Bit field operations:
     2530
     2531    // destBitOffset is the top bit of the destination where the bits should be copied to. Zero is the lowest order bit.
     2532    void bitFieldInsert64(RegisterID source, unsigned destBitOffset, unsigned width, RegisterID dest)
     2533    {
     2534        ASSERT(width <= 64 - destBitOffset && destBitOffset < 64);
     2535        m_assembler.bfi<64>(dest, source, destBitOffset, width);
     2536    }
     2537
    25292538    // Forwards / external control flow operations:
    25302539    //
  • trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h

    r246368 r246451  
    4040class MacroAssemblerARM64E : public MacroAssemblerARM64 {
    4141public:
     42    static constexpr unsigned numberOfPACBits = 25;
     43
    4244    ALWAYS_INLINE void tagReturnAddress()
    4345    {
  • trunk/Source/JavaScriptCore/assembler/testmasm.cpp

    r246240 r246451  
    4040#include <wtf/Lock.h>
    4141#include <wtf/NumberOfCores.h>
     42#include <wtf/PtrTag.h>
    4243#include <wtf/Threading.h>
    4344#include <wtf/text/StringCommon.h>
     
    107108        dataLog("FAILED while testing " #_actual ": expected: ", _expected, ", actual: ", _actual, "\n"); \
    108109        WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, "CHECK_EQ("#_actual ", " #_expected ")"); \
     110        CRASH();                                                        \
     111    } while (false)
     112
     113#define CHECK_NOT_EQ(_actual, _expected) do {                               \
     114        if ((_actual) != (_expected))                                   \
     115            break;                                                      \
     116        crashLock.lock();                                               \
     117        dataLog("FAILED while testing " #_actual ": expected not: ", _expected, ", actual: ", _actual, "\n"); \
     118        WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, "CHECK_NOT_EQ("#_actual ", " #_expected ")"); \
    109119        CRASH();                                                        \
    110120    } while (false)
     
    10021012
    10031013#endif
     1014}
     1015
     1016static void testCagePreservesPACFailureBit()
     1017{
     1018    auto cage = compile([] (CCallHelpers& jit) {
     1019        jit.emitFunctionPrologue();
     1020        jit.cageConditionally(Gigacage::Primitive, GPRInfo::argumentGPR0, GPRInfo::argumentGPR1, GPRInfo::argumentGPR2);
     1021        jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR);
     1022        jit.emitFunctionEpilogue();
     1023        jit.ret();
     1024    });
     1025
     1026    void* ptr = Gigacage::tryMalloc(Gigacage::Primitive, 1);
     1027    void* taggedPtr = tagArrayPtr(ptr, 1);
     1028    dataLogLn("starting test");
     1029    if (isARM64E()) {
     1030        // FIXME: This won't work if authentication failures trap but I don't know how to test for that right now.
     1031        CHECK_NOT_EQ(invoke<void*>(cage, taggedPtr, 2), ptr);
     1032    } else
     1033        CHECK_EQ(invoke<void*>(cage, taggedPtr, 2), ptr);
     1034
     1035    CHECK_EQ(invoke<void*>(cage, taggedPtr, 1), ptr);
     1036
     1037    auto cageWithoutAuthentication = compile([] (CCallHelpers& jit) {
     1038        jit.emitFunctionPrologue();
     1039        jit.cageWithoutUntagging(Gigacage::Primitive, GPRInfo::argumentGPR0);
     1040        jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR);
     1041        jit.emitFunctionEpilogue();
     1042        jit.ret();
     1043    });
     1044
     1045    if (isARM64E()) {
     1046        // FIXME: This won't work if authentication failures trap but I don't know how to test for that right now.
     1047        CHECK_NOT_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 2)), ptr);
     1048    } else
     1049        CHECK_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 2)), ptr);
     1050
     1051    CHECK_EQ(untagArrayPtr(taggedPtr, 1), ptr);
     1052    CHECK_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 1)), ptr);
     1053
     1054    Gigacage::free(Gigacage::Primitive, ptr);
    10041055}
    10051056
     
    10891140    RUN(testMoveDoubleConditionally64());
    10901141
     1142    RUN(testCagePreservesPACFailureBit());
     1143
    10911144    if (tasks.isEmpty())
    10921145        usage();
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r246368 r246451  
    28742874
    28752875            JITCompiler::Jump hasNullVector;
    2876 #if !GIGACAGE_ENABLED && CPU(ARM64E)
     2876#if CPU(ARM64E)
    28772877            {
    28782878                GPRReg scratch = m_jit.scratchRegister();
     
    28832883                hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch);
    28842884            }
    2885 #else // !GIGACAGE_ENABLED && CPU(ARM64E)
     2885#else // CPU(ARM64E)
    28862886            hasNullVector = m_jit.branchTestPtr(
    28872887                MacroAssembler::Zero,
     
    67616761void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg)
    67626762{
     6763#if CPU(ARM64E)
     6764    m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);
     6765#else
     6766    UNUSED_PARAM(baseReg);
     6767    UNUSED_PARAM(storageReg);
     6768#endif
     6769
    67636770#if GIGACAGE_ENABLED
    67646771    UNUSED_PARAM(baseReg);
     
    67736780    }
    67746781   
    6775     m_jit.cage(Gigacage::Primitive, storageReg);
    6776 #elif CPU(ARM64E)
    6777     m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);
    6778 #else
    6779     UNUSED_PARAM(baseReg);
    6780     UNUSED_PARAM(storageReg);
     6782    m_jit.cageWithoutUntagging(Gigacage::Primitive, storageReg);
    67816783#endif
    67826784}
     
    68426844
    68436845    m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR);
    6844     m_jit.cage(Gigacage::JSValue, dataGPR);
     6846    m_jit.cageWithoutUntagging(Gigacage::JSValue, dataGPR);
    68456847
    68466848    cageTypedArrayStorage(baseGPR, vectorGPR);
     
    98469848    m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit);
    98479849    done.link(&m_jit);
    9848 #if !GIGACAGE_ENABLED && CPU(ARM64E)
     9850#if CPU(ARM64E)
    98499851    // sizeGPR is still boxed as a number and there is no 32-bit variant of the PAC instructions.
    98509852    m_jit.zeroExtend32ToPtr(sizeGPR, scratchGPR);
  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r246368 r246451  
    64866486                m_heaps.typedArrayProperties);
    64876487
    6488 #if !GIGACAGE_ENABLED && CPU(ARM64E)
     6488#if CPU(ARM64E)
    64896489            {
    64906490                LValue sizePtr = m_out.zeroExtPtr(size);
     
    1415814158    LValue caged(Gigacage::Kind kind, LValue ptr, LValue base)
    1415914159    {
     14160#if CPU(ARM64E)
     14161        if (kind == Gigacage::Primitive) {
     14162            LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);
     14163            ptr = untagArrayPtr(ptr, size);
     14164        }
     14165#else
     14166        UNUSED_PARAM(kind);
     14167        UNUSED_PARAM(base);
     14168#endif
     14169
    1416014170#if GIGACAGE_ENABLED
    1416114171        UNUSED_PARAM(base);
     
    1417614186        LValue result = m_out.add(masked, basePtr);
    1417714187
     14188#if CPU(ARM64E)
     14189        {
     14190            PatchpointValue* merge = m_out.patchpoint(pointerType());
     14191            merge->append(result, B3::ValueRep(B3::ValueRep::SomeLateRegister));
     14192            merge->appendSomeRegister(ptr);
     14193            merge->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
     14194                jit.move(params[2].gpr(), params[0].gpr());
     14195                jit.bitFieldInsert64(params[1].gpr(), 0, 64 - MacroAssembler::numberOfPACBits, params[0].gpr());
     14196            });
     14197            result = merge;
     14198        }
     14199#endif
    1417814200        // Make sure that B3 doesn't try to do smart reassociation of these pointer bits.
    1417914201        // FIXME: In an ideal world, B3 would not do harmful reassociations, and if it did, it would be able
     
    1418814210        // https://bugs.webkit.org/show_bug.cgi?id=175493
    1418914211        return m_out.opaque(result);
    14190 #elif CPU(ARM64E)
    14191         if (kind == Gigacage::Primitive) {
    14192             LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);
    14193             return untagArrayPtr(ptr, size);
    14194         }
    14195 
     14212#endif
    1419614213        return ptr;
    14197 #else
    14198         UNUSED_PARAM(kind);
    14199         UNUSED_PARAM(base);
    14200         return ptr;
    14201 #endif
    1420214214    }
    1420314215   
  • trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

    r246368 r246451  
    15551555        ok.link(this);
    15561556    }
    1557    
    1558     void cage(Gigacage::Kind kind, GPRReg storage)
     1557
     1558    void cageWithoutUntagging(Gigacage::Kind kind, GPRReg storage)
    15591559    {
    15601560#if GIGACAGE_ENABLED
    15611561        if (!Gigacage::isEnabled(kind))
    15621562            return;
    1563        
     1563
     1564#if CPU(ARM64E)
     1565        RegisterID tempReg = InvalidGPRReg;
     1566        if (kind == Gigacage::Primitive) {
     1567            tempReg = getCachedMemoryTempRegisterIDAndInvalidate();
     1568            move(storage, tempReg);
     1569            // Flip the registers since bitFieldInsert only inserts into the low bits.
     1570            std::swap(storage, tempReg);
     1571        }
     1572#endif
    15641573        andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
    15651574        addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
     1575#if CPU(ARM64E)
     1576        if (kind == Gigacage::Primitive)
     1577            bitFieldInsert64(storage, 0, 64 - numberOfPACBits, tempReg);
     1578#endif
     1579
    15661580#else
    15671581        UNUSED_PARAM(kind);
     
    15691583#endif
    15701584    }
    1571    
    1572     void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratchOrLength)
    1573     {
     1585
     1586    // length may be the same register as scratch.
     1587    void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg length, GPRReg scratch)
     1588    {
     1589#if CPU(ARM64E)
     1590        if (kind == Gigacage::Primitive)
     1591            untagArrayPtr(length, storage);
     1592#else
     1593        UNUSED_PARAM(kind);
     1594        UNUSED_PARAM(storage);
     1595        UNUSED_PARAM(length);
     1596#endif
     1597
    15741598#if GIGACAGE_ENABLED
    15751599        if (!Gigacage::isEnabled(kind))
     
    15771601       
    15781602        if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled())
    1579             return cage(kind, storage);
    1580        
    1581         loadPtr(&Gigacage::basePtr(kind), scratchOrLength);
    1582         Jump done = branchTestPtr(Zero, scratchOrLength);
    1583         andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
    1584         addPtr(scratchOrLength, storage);
    1585         done.link(this);
    1586 #elif CPU(ARM64E)
    1587         if (kind == Gigacage::Primitive)
    1588             untagArrayPtr(scratchOrLength, storage);
    1589 #else
    1590         UNUSED_PARAM(kind);
    1591         UNUSED_PARAM(storage);
    1592         UNUSED_PARAM(scratchOrLength);
    1593 #endif
     1603            cageWithoutUntagging(kind, storage);
     1604        else {
     1605            loadPtr(&Gigacage::basePtr(kind), scratch);
     1606            Jump done = branchTestPtr(Zero, scratch);
     1607#if CPU(ARM64E)
     1608            auto tempReg = getCachedMemoryTempRegisterIDAndInvalidate();
     1609            move(storage, tempReg);
     1610            andPtr(TrustedImmPtr(Gigacage::mask(kind)), tempReg);
     1611            addPtr(scratch, tempReg);
     1612            bitFieldInsert64(tempReg, 0, 64 - numberOfPACBits, storage);
     1613#else
     1614            andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
     1615            addPtr(scratch, storage);
     1616#endif
     1617            done.link(this);
     1618
     1619
     1620        }
     1621#else
     1622        UNUSED_PARAM(scratch);
     1623#endif
     1624
    15941625    }
    15951626
  • trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

    r246368 r246451  
    16731673    slowCases.append(branch32(AboveOrEqual, property, scratch2));
    16741674    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
    1675     cageConditionally(Gigacage::Primitive, scratch, scratch2);
     1675    cageConditionally(Gigacage::Primitive, scratch, scratch2, scratch2);
    16761676
    16771677    switch (elementSize(type)) {
     
    17371737    slowCases.append(branch32(AboveOrEqual, property, scratch2));
    17381738    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch);
    1739     cageConditionally(Gigacage::Primitive, scratch, scratch2);
     1739    cageConditionally(Gigacage::Primitive, scratch, scratch2, scratch2);
    17401740   
    17411741    switch (elementSize(type)) {
     
    18021802    // path expects the base to be unclobbered.
    18031803    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
    1804     cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
     1804    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2);
    18051805   
    18061806    if (isClamped(type)) {
     
    18911891    // path expects the base to be unclobbered.
    18921892    loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
    1893     cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2);
     1893    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2);
    18941894   
    18951895    switch (elementSize(type)) {
  • trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

    r246240 r246451  
    7777#  - pc holds the (native) program counter on 32-bits ARM architectures (ARMv7)
    7878#
    79 #  - t0, t1, t2, t3, t4 and optionally t5 are temporary registers that can get trashed on
     79#  - t0, t1, t2, t3, t4, and optionally t5, t6, and t7 are temporary registers that can get trashed on
    8080#  calls, and are pairwise distinct registers. t4 holds the JS program counter, so use
    8181#  with caution in opcodes (actually, don't use it in opcodes at all, except as PC).
  • trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

    r246368 r246451  
    435435macro loadCagedPrimitive(source, dest, scratchOrLength)
    436436    loadp source, dest
     437    if ARM64E
     438        const result = t7
     439        untagArrayPtr scratchOrLength, dest
     440        move dest, result
     441    else
     442        const result = dest
     443    end
    437444    if GIGACAGE_ENABLED
    438         uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, dest, scratchOrLength)
    439     elsif ARM64E
    440         untagArrayPtr scratchOrLength, dest
     445        uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, result, scratchOrLength)
     446        if ARM64E
     447            const numberOfPACBits = constexpr MacroAssembler::numberOfPACBits
     448            bfiq result, 0, 64 - numberOfPACBits, dest
     449        end
    441450    end
    442451end
  • trunk/Source/JavaScriptCore/offlineasm/arm64.rb

    r246240 r246451  
    127127        when 't6'
    128128          arm64GPRName('x6', kind)
     129        when 't7'
     130          arm64GPRName('x7', kind)
    129131        when 'cfr'
    130132            arm64GPRName('x29', kind)
     
    10201022        when "memfence"
    10211023            $asm.puts "dmb sy"
     1024        when "bfiq"
     1025            $asm.puts "bfi #{operands[3].arm64Operand(:quad)}, #{operands[0].arm64Operand(:quad)}, #{operands[1].value}, #{operands[2].value}"
    10221026        when "pcrtoaddr"
    10231027            $asm.puts "adr #{operands[1].arm64Operand(:quad)}, #{operands[0].value}"
  • trunk/Source/JavaScriptCore/offlineasm/instructions.rb

    r246240 r246451  
    274274ARM64_INSTRUCTIONS =
    275275    [
     276     "bfiq", # Bit field insert <source reg> <last bit written> <width immediate> <dest reg>
    276277     "pcrtoaddr",   # Address from PC relative offset - adr instruction
    277278     "nopFixCortexA53Err835769", # nop on Cortex-A53 (nothing otherwise)
  • trunk/Source/JavaScriptCore/offlineasm/registers.rb

    r246240 r246451  
    3333     "t5",
    3434     "t6",
     35     "t7",
    3536     "cfr",
    3637     "a0",
  • trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

    r246368 r246451  
    849849
    850850        patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
    851             RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64());
    852             AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64());
     851            AllowMacroScratchRegisterUsage allowScratch(jit);
    853852            GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
    854853            GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
     
    857856            jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
    858857
    859             jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
     858            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize);
    860859        });
    861860
     
    19891988            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
    19901989
    1991             jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
     1990            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
    19921991        });
    19931992
  • trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

    r246368 r246451  
    492492        patchpoint->append(instance, ValueRep::SomeRegister);
    493493        patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
    494             RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64());
    495             AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64());
     494            AllowMacroScratchRegisterUsage allowScratch(jit);
    496495            GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
    497496            GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
     
    500499            jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
    501500
    502             jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
     501            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize);
    503502        });
    504503    }
     
    14021401            jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
    14031402
    1404             jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
     1403            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
    14051404        });
    14061405        doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation);
  • trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp

    r246368 r246451  
    6868    // Set up the callee's baseMemory register as well as the memory size registers.
    6969    {
    70         GPRReg scratchOrSize = isARM64E() ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1);
     70        GPRReg scratchOrSize = !Gigacage::isEnabled(Gigacage::Primitive) ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1);
    7171
    7272        jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
    7373        jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*).
    74         jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
     74        jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
    7575    }
    7676
  • trunk/Source/JavaScriptCore/wasm/js/JSToWasm.cpp

    r246368 r246451  
    229229
    230230        jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
    231         jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
     231        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize);
    232232    }
    233233
  • trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

    r246368 r246451  
    424424
    425425        jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
    426         jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
     426        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize);
    427427    }
    428428
  • trunk/Source/bmalloc/ChangeLog

    r246368 r246451  
     12019-06-14  Keith Miller  <keith_miller@apple.com>
     2
     3        Restore PAC based cage.
     4        https://bugs.webkit.org/show_bug.cgi?id=198872
     5
     6        Rubber-stamped by Saam Barati.
     7
     8        * bmalloc/Gigacage.h:
     9
    1102019-06-12  Commit Queue  <commit-queue@webkit.org>
    211
  • trunk/Source/bmalloc/bmalloc/Gigacage.h

    r246368 r246451  
    3535#include <inttypes.h>
    3636
    37 #if ((BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64))
     37#if ((BOS(DARWIN) || BOS(LINUX)) && \
     38    (BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS)))))
    3839#define GIGACAGE_ENABLED 1
    3940#else
Note: See TracChangeset for help on using the changeset viewer.