Changeset 249613 in webkit

Timestamp:

Sep 7, 2019 8:01:31 AM (5 years ago)

Author:

mark.lam@apple.com

Message:

performJITMemcpy() source buffer should not be in the Gigacage.
​https://bugs.webkit.org/show_bug.cgi?id=201577
<rdar://problem/55142606>

Reviewed by Michael Saboff.

Source/bmalloc:

1. Add the Gigacage start address and totalSize to the Config.
2. Add a contains() function that uses the start address and totalSize to check if a given pointer is in the Gigacage's address range.

• bmalloc/Gigacage.cpp:

(Gigacage::ensureGigacage):
(Gigacage::verifyGigacageIsEnabled):

• bmalloc/Gigacage.h:

(Gigacage::contains):

Source/JavaScriptCore:

Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
buffer is not in the Gigacage.

• jit/ExecutableAllocator.h:

(JSC::performJITMemcpy):

Source/WTF:

• wtf/Gigacage.h:

(Gigacage::contains):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/jit/ExecutableAllocator.h (modified) (2 diffs)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/Gigacage.h (modified) (1 diff)
• bmalloc/ChangeLog (modified) (1 diff)
• bmalloc/bmalloc/Gigacage.cpp (modified) (3 diffs)
• bmalloc/bmalloc/Gigacage.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-09-07  Mark Lam  <mark.lam@apple.com>
+
+        performJITMemcpy() source buffer should not be in the Gigacage.
+        https://bugs.webkit.org/show_bug.cgi?id=201577
+        <rdar://problem/55142606>
+
+        Reviewed by Michael Saboff.
+
+        Add a RELEASE_ASSERT in performJITMemcpy() to ensure that the passed in source
+        buffer is not in the Gigacage.
+
+        * jit/ExecutableAllocator.h:
+        (JSC::performJITMemcpy):
+
 2019-09-07  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/jit/ExecutableAllocator.h

@@ -32 +32 @@
 #include <limits>
 #include <wtf/Assertions.h>
+#include <wtf/Gigacage.h>
 #include <wtf/Lock.h>
 #include <wtf/MetaAllocatorHandle.h>
@@ -125 +126 @@
 static ALWAYS_INLINE void* performJITMemcpy(void *dst, const void *src, size_t n)
 {
+    RELEASE_ASSERT(!Gigacage::contains(src));
 #if CPU(ARM64)
     static constexpr size_t instructionSize = sizeof(unsigned);

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2019-09-07  Mark Lam  <mark.lam@apple.com>
+
+        performJITMemcpy() source buffer should not be in the Gigacage.
+        https://bugs.webkit.org/show_bug.cgi?id=201577
+        <rdar://problem/55142606>
+
+        Reviewed by Michael Saboff.
+
+        * wtf/Gigacage.h:
+        (Gigacage::contains):
+
 2019-09-06  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/WTF/wtf/Gigacage.h

@@ -70 +70 @@
 }
 
+ALWAYS_INLINE bool contains(const void*) { return false; }
 ALWAYS_INLINE bool isEnabled(Kind) { return false; }
 ALWAYS_INLINE size_t mask(Kind) { return 0; }

trunk/Source/bmalloc/ChangeLog

@@ +1 @@
+2019-09-07  Mark Lam  <mark.lam@apple.com>
+
+        performJITMemcpy() source buffer should not be in the Gigacage.
+        https://bugs.webkit.org/show_bug.cgi?id=201577
+        <rdar://problem/55142606>
+
+        Reviewed by Michael Saboff.
+
+        1. Add the Gigacage start address and totalSize to the Config.
+        2. Add a contains() function that uses the start address and totalSize to check
+           if a given pointer is in the Gigacage's address range.
+
+        * bmalloc/Gigacage.cpp:
+        (Gigacage::ensureGigacage):
+        (Gigacage::verifyGigacageIsEnabled):
+        * bmalloc/Gigacage.h:
+        (Gigacage::contains):
+
 2019-09-06  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/bmalloc/bmalloc/Gigacage.cpp

@@ -78 +78 @@
 // bounds, the access is guaranteed to land somewhere else in the cage or inside the runway.
 // If this were less than 32GB, those OOB accesses could reach outside of the cage.
-constexpr size_t gigacageRunway = 32llu * 1024 * 1024 * 1024;
+constexpr size_t gigacageRunway = 32llu * bmalloc::Sizes::GB;
 
 alignas(configSizeToProtect) Config g_gigacageConfig;
@@ -233 +233 @@
                 }
             }
-            
+
+            g_gigacageConfig.start = base;
+            g_gigacageConfig.totalSize = totalSize;
             vmDeallocatePhysicalPages(base, totalSize);
             g_gigacageConfig.isEnabled = true;
@@ -297 +299 @@
     for (size_t i = 0; i < NumberOfKinds; ++i)
         isEnabled = isEnabled && g_gigacageConfig.basePtrs[i];
+    isEnabled = isEnabled && g_gigacageConfig.start;
+    isEnabled = isEnabled && g_gigacageConfig.totalSize;
     return isEnabled;
 }

trunk/Source/bmalloc/bmalloc/Gigacage.h

@@ -129 +129 @@
             bool ensureGigacageHasBeenCalled;
 
+            void* start;
+            size_t totalSize;
             void* basePtrs[NumberOfKinds];
         };
@@ -231 +233 @@
 }
 
+BINLINE bool contains(const void* ptr)
+{
+    auto* start = reinterpret_cast<const uint8_t*>(g_gigacageConfig.start);
+    auto* p = reinterpret_cast<const uint8_t*>(ptr);
+    return static_cast<size_t>(p - start) < g_gigacageConfig.totalSize;
+}
+
 BEXPORT bool shouldBeEnabled();
 
@@ -243 +252 @@
 BINLINE size_t size(Kind) { BCRASH(); return 0; }
 BINLINE void ensureGigacage() { }
+BINLINE bool contains(const void*) { return false; }
 BINLINE bool isEnabled() { return false; }
 BINLINE bool isCaged(Kind, const void*) { return true; }