Changeset 265151 in webkit

Timestamp:

Jul 31, 2020 11:46:18 AM (4 years ago)

Author:

sbarati@apple.com

Message:

validate untagArrayPtr
​https://bugs.webkit.org/show_bug.cgi?id=214953

Reviewed by Keith Miller.

This patch adds validation to untagArrayPtr along paths where we don't
immediately store/load from the result.

This patch also changes the removeArrayPtrTag macro assembler function to
use shifts instead of xpacd to strip the tag, because it's faster.

• assembler/MacroAssemblerARM64E.h:

(JSC::MacroAssemblerARM64E::untagArrayPtr):
(JSC::MacroAssemblerARM64E::removeArrayPtrTag):

• assembler/testmasm.cpp:

(JSC::testCagePreservesPACFailureBit):

• bytecode/AccessCase.cpp:

(JSC::AccessCase::generateWithGuard):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
(JSC::FTL::DFG::LowerDFGToB3::caged):

• jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::cageWithoutUntagging):
(JSC::AssemblyHelpers::cageConditionallyAndUntag):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::cageWithoutUntagging): Deleted.
(JSC::AssemblyHelpers::cageConditionally): Deleted.

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

• wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::AirIRGenerator::addCallIndirect):

• wasm/WasmB3IRGenerator.cpp:

(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCallIndirect):

• wasm/WasmBinding.cpp:

(JSC::Wasm::wasmToWasm):

• wasm/js/JSToWasm.cpp:

(JSC::Wasm::createJSToWasmWrapper):

• wasm/js/WebAssemblyFunction.cpp:

(JSC::WebAssemblyFunction::jsCallEntrypointSlow):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• assembler/MacroAssemblerARM64E.h (modified) (1 diff)
• assembler/testmasm.cpp (modified) (1 diff)
• bytecode/AccessCase.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
• jit/AssemblyHelpers.cpp (modified) (1 diff)
• jit/AssemblyHelpers.h (modified) (1 diff)
• jit/JITPropertyAccess.cpp (modified) (2 diffs)
• wasm/WasmAirIRGenerator.cpp (modified) (2 diffs)
• wasm/WasmB3IRGenerator.cpp (modified) (2 diffs)
• wasm/WasmBinding.cpp (modified) (1 diff)
• wasm/js/JSToWasm.cpp (modified) (1 diff)
• wasm/js/WebAssemblyFunction.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-07-31  Saam Barati  <sbarati@apple.com>
+
+        validate untagArrayPtr
+        https://bugs.webkit.org/show_bug.cgi?id=214953
+
+        Reviewed by Keith Miller.
+
+        This patch adds validation to untagArrayPtr along paths where we don't
+        immediately store/load from the result.
+        
+        This patch also changes the removeArrayPtrTag macro assembler function to
+        use shifts instead of xpacd to strip the tag, because it's faster.
+
+        * assembler/MacroAssemblerARM64E.h:
+        (JSC::MacroAssemblerARM64E::untagArrayPtr):
+        (JSC::MacroAssemblerARM64E::removeArrayPtrTag):
+        * assembler/testmasm.cpp:
+        (JSC::testCagePreservesPACFailureBit):
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateWithGuard):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
+        (JSC::FTL::DFG::LowerDFGToB3::caged):
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::cageWithoutUntagging):
+        (JSC::AssemblyHelpers::cageConditionallyAndUntag):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::cageWithoutUntagging): Deleted.
+        (JSC::AssemblyHelpers::cageConditionally): Deleted.
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitIntTypedArrayPutByVal):
+        (JSC::JIT::emitFloatTypedArrayPutByVal):
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
+        (JSC::Wasm::AirIRGenerator::addCallIndirect):
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+        (JSC::Wasm::B3IRGenerator::addCallIndirect):
+        * wasm/WasmBinding.cpp:
+        (JSC::Wasm::wasmToWasm):
+        * wasm/js/JSToWasm.cpp:
+        (JSC::Wasm::createJSToWasmWrapper):
+        * wasm/js/WebAssemblyFunction.cpp:
+        (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+
 2020-07-31  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h

@@ -91 +91 @@
     }
 
-    ALWAYS_INLINE void untagArrayPtr(RegisterID length, RegisterID target)
-    {
+    ALWAYS_INLINE void untagArrayPtr(RegisterID length, RegisterID target, bool validateAuth, RegisterID scratch)
+    {
+        if (validateAuth) {
+            ASSERT(scratch != InvalidGPRReg);
+            move(target, scratch);
+        }
+
         m_assembler.autdb(target, length);
-    }
-
-    ALWAYS_INLINE void untagArrayPtr(Address length, RegisterID target)
+
+        if (validateAuth) {
+            ASSERT(target != ARM64Registers::sp);
+            ASSERT(scratch != ARM64Registers::sp);
+            removeArrayPtrTag(scratch);
+            auto isValidPtr = branch64(Equal, scratch, target);
+            breakpoint(0xabcd);
+            isValidPtr.link(this);
+        }
+    }
+
+    ALWAYS_INLINE void untagArrayPtr(Address length, RegisterID target, bool validateAuth)
     {
         auto lengthGPR = getCachedDataTempRegisterIDAndInvalidate();
         load32(length, lengthGPR);
+        auto scratch = InvalidGPRReg; 
+        if (validateAuth) {
+            scratch = getCachedMemoryTempRegisterIDAndInvalidate();
+            move(target, scratch);
+        }
+
         m_assembler.autdb(target, lengthGPR);
+
+        if (validateAuth) {
+            ASSERT(target != ARM64Registers::sp);
+            removeArrayPtrTag(scratch);
+            auto isValidPtr = branch64(Equal, scratch, target);
+            breakpoint(0xabcd);
+            isValidPtr.link(this);
+        }
     }
 
     ALWAYS_INLINE void removeArrayPtrTag(RegisterID target)
     {
-        m_assembler.xpacd(target);
+        // If we couldn't fit this into a single instruction, we'd be better
+        // off emitting two shifts to mask off the top bits.
+        ASSERT(LogicalImmediate::create64(nonPACBitsMask).isValid());
+        and64(TrustedImmPtr(nonPACBitsMask), target);
     }
 

trunk/Source/JavaScriptCore/assembler/testmasm.cpp

@@ -2461 +2461 @@
     auto cage = compile([] (CCallHelpers& jit) {
         emitFunctionPrologue(jit);
-        jit.cageConditionally(Gigacage::Primitive, GPRInfo::argumentGPR0, GPRInfo::argumentGPR1, GPRInfo::argumentGPR2);
+        jit.cageConditionallyAndUntag(Gigacage::Primitive, GPRInfo::argumentGPR0, GPRInfo::argumentGPR1, GPRInfo::argumentGPR2);
         jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR);
         emitFunctionEpilogue(jit);

trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp

@@ -1022 +1022 @@
 
         jit.loadPtr(CCallHelpers::Address(baseGPR, JSArrayBufferView::offsetOfVector()), scratch2GPR);
-        jit.cageConditionally(Gigacage::Primitive, scratch2GPR, scratchGPR, scratchGPR);
+        jit.cageConditionallyAndUntag(Gigacage::Primitive, scratch2GPR, scratchGPR, scratchGPR, false);
 
         jit.signExtend32ToPtr(propertyGPR, scratchGPR);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -7240 +7240 @@
 }
 
-void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg)
+void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg, bool validateAuth)
 {
     auto untagArrayPtr = [&]() {
 #if CPU(ARM64E)
-        m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);
+        m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg, validateAuth);
 #else
+        UNUSED_PARAM(validateAuth);
         UNUSED_PARAM(baseReg);
         UNUSED_PARAM(storageReg);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1661 +1661 @@
     GPRReg fillSpeculateInt32Internal(Edge, DataFormat& returnFormat);
     
-    void cageTypedArrayStorage(GPRReg, GPRReg);
+    void cageTypedArrayStorage(GPRReg, GPRReg, bool validateAuth = true);
     
     void recordSetLocal(

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -5124 +5124 @@
 
         m_jit.loadPtr(JITCompiler::Address(dataViewGPR, JSArrayBufferView::offsetOfVector()), t2);
-        cageTypedArrayStorage(dataViewGPR, t2);
+        cageTypedArrayStorage(dataViewGPR, t2, false);
 
         m_jit.zeroExtend32ToWord(indexGPR, t1);
@@ -5325 +5325 @@
 
         m_jit.loadPtr(JITCompiler::Address(dataViewGPR, JSArrayBufferView::offsetOfVector()), t2);
-        cageTypedArrayStorage(dataViewGPR, t2);
+        cageTypedArrayStorage(dataViewGPR, t2, false);
 
         m_jit.zeroExtend32ToWord(indexGPR, t1);

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -15939 +15939 @@
         authenticate->appendSomeRegister(ptr);
         authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister));
+        authenticate->numGPScratchRegisters = 1;
         authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
             jit.move(params[1].gpr(), params[0].gpr());
-            jit.untagArrayPtr(params[2].gpr(), params[0].gpr());
+            jit.untagArrayPtr(params[2].gpr(), params[0].gpr(), true, params.gpScratch(0));
         });
         return authenticate;
@@ -15995 +15996 @@
         LValue masked = m_out.bitAnd(ptr, mask);
         LValue result = m_out.add(masked, basePtr);
+#if CPU(ARM64E)
+        result = m_out.select(
+            m_out.equal(ptr, m_out.constIntPtr(JSArrayBufferView::nullVectorPtr())),
+            ptr, result);
+#endif
 
 #if CPU(ARM64E)

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -1140 +1140 @@
 }
 
+void AssemblyHelpers::cageWithoutUntagging(Gigacage::Kind kind, GPRReg storage)
+{
+#if GIGACAGE_ENABLED
+    if (!Gigacage::isEnabled(kind))
+        return;
+
+#if CPU(ARM64E)
+    RegisterID tempReg = InvalidGPRReg;
+    Jump skip;
+    if (kind == Gigacage::Primitive) {
+        skip = branchPtr(Equal, storage, TrustedImmPtr(JSArrayBufferView::nullVectorPtr()));
+        tempReg = getCachedMemoryTempRegisterIDAndInvalidate();
+        move(storage, tempReg);
+        // Flip the registers since bitFieldInsert only inserts into the low bits.
+        std::swap(storage, tempReg);
+    }
+#endif
+    andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
+    addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
+#if CPU(ARM64E)
+    if (kind == Gigacage::Primitive)
+        bitFieldInsert64(storage, 0, 64 - numberOfPACBits, tempReg);
+    if (skip.isSet())
+        skip.link(this);
+#endif
+
+#else
+    UNUSED_PARAM(kind);
+    UNUSED_PARAM(storage);
+#endif
+}
+
+// length may be the same register as scratch.
+void AssemblyHelpers::cageConditionallyAndUntag(Gigacage::Kind kind, GPRReg storage, GPRReg length, GPRReg scratch, bool validateAuth)
+{
+#if GIGACAGE_ENABLED
+    if (Gigacage::isEnabled(kind)) {
+        if (kind != Gigacage::Primitive || Gigacage::disablingPrimitiveGigacageIsForbidden())
+            cageWithoutUntagging(kind, storage);
+        else {
+#if CPU(ARM64E)
+            if (length == scratch)
+                scratch = getCachedMemoryTempRegisterIDAndInvalidate();
+#endif
+            JumpList done;
+#if CPU(ARM64E)
+            done.append(branchPtr(Equal, storage, TrustedImmPtr(JSArrayBufferView::nullVectorPtr())));
+#endif
+            done.append(branchTest8(NonZero, AbsoluteAddress(&Gigacage::disablePrimitiveGigacageRequested)));
+
+            loadPtr(Gigacage::addressOfBasePtr(kind), scratch);
+            done.append(branchTest64(Zero, scratch));
+#if CPU(ARM64E)
+            GPRReg tempReg = getCachedDataTempRegisterIDAndInvalidate();
+            move(storage, tempReg);
+            ASSERT(LogicalImmediate::create64(Gigacage::mask(kind)).isValid());
+            andPtr(TrustedImmPtr(Gigacage::mask(kind)), tempReg);
+            addPtr(scratch, tempReg);
+            bitFieldInsert64(tempReg, 0, 64 - numberOfPACBits, storage);
+#else
+            andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
+            addPtr(scratch, storage);
+#endif // CPU(ARM64E)
+            done.link(this);
+        }
+    }
+#endif
+
+#if CPU(ARM64E)
+    if (kind == Gigacage::Primitive)
+        untagArrayPtr(length, storage, validateAuth, scratch);
+#endif
+    UNUSED_PARAM(validateAuth);
+    UNUSED_PARAM(kind);
+    UNUSED_PARAM(storage);
+    UNUSED_PARAM(length);
+    UNUSED_PARAM(scratch);
+}
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -1733 +1733 @@
     }
 
-    void cageWithoutUntagging(Gigacage::Kind kind, GPRReg storage)
-    {
-#if GIGACAGE_ENABLED
-        if (!Gigacage::isEnabled(kind))
-            return;
-
-#if CPU(ARM64E)
-        RegisterID tempReg = InvalidGPRReg;
-        if (kind == Gigacage::Primitive) {
-            tempReg = getCachedMemoryTempRegisterIDAndInvalidate();
-            move(storage, tempReg);
-            // Flip the registers since bitFieldInsert only inserts into the low bits.
-            std::swap(storage, tempReg);
-        }
-#endif
-        andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
-        addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
-#if CPU(ARM64E)
-        if (kind == Gigacage::Primitive)
-            bitFieldInsert64(storage, 0, 64 - numberOfPACBits, tempReg);
-#endif
-
-#else
-        UNUSED_PARAM(kind);
-        UNUSED_PARAM(storage);
-#endif
-    }
-
+    JS_EXPORT_PRIVATE void cageWithoutUntagging(Gigacage::Kind, GPRReg storage);
     // length may be the same register as scratch.
-    void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg length, GPRReg scratch)
-    {
-#if GIGACAGE_ENABLED
-        if (Gigacage::isEnabled(kind)) {
-            if (kind != Gigacage::Primitive || Gigacage::disablingPrimitiveGigacageIsForbidden())
-                cageWithoutUntagging(kind, storage);
-            else {
-#if CPU(ARM64E)
-                if (length == scratch)
-                    scratch = getCachedMemoryTempRegisterIDAndInvalidate();
-#endif
-                JumpList done;
-                done.append(branchTest8(NonZero, AbsoluteAddress(&Gigacage::disablePrimitiveGigacageRequested)));
-
-                loadPtr(Gigacage::addressOfBasePtr(kind), scratch);
-                done.append(branchTest64(Zero, scratch));
-#if CPU(ARM64E)
-                GPRReg tempReg = getCachedDataTempRegisterIDAndInvalidate();
-                move(storage, tempReg);
-                ASSERT(LogicalImmediate::create64(Gigacage::mask(kind)).isValid());
-                andPtr(TrustedImmPtr(Gigacage::mask(kind)), tempReg);
-                addPtr(scratch, tempReg);
-                bitFieldInsert64(tempReg, 0, 64 - numberOfPACBits, storage);
-#else
-                andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
-                addPtr(scratch, storage);
-#endif // CPU(ARM64E)
-                done.link(this);
-            }
-        }
-#endif
-
-#if CPU(ARM64E)
-        if (kind == Gigacage::Primitive)
-            untagArrayPtr(length, storage);
-#endif
-        UNUSED_PARAM(kind);
-        UNUSED_PARAM(storage);
-        UNUSED_PARAM(length);
-        UNUSED_PARAM(scratch);
-    }
+    JS_EXPORT_PRIVATE void cageConditionallyAndUntag(Gigacage::Kind, GPRReg storage, GPRReg length, GPRReg scratch, bool validateAuth = true);
 
     void emitComputeButterflyIndexingMask(GPRReg vectorLengthGPR, GPRReg scratchGPR, GPRReg resultGPR)

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -1631 +1631 @@
     // path expects the base to be unclobbered.
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
-    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2);
+    cageConditionallyAndUntag(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2, false);
     
     if (isClamped(type)) {
@@ -1720 +1720 @@
     // path expects the base to be unclobbered.
     loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
-    cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2);
+    cageConditionallyAndUntag(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2, false);
     
     switch (elementSize(type)) {

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -955 +955 @@
             jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize);
+            jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize);
         });
 
@@ -2301 +2301 @@
             jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
+            jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
         });
 

trunk/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp

@@ -581 +581 @@
             jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize);
+            jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize);
         });
     }
@@ -1855 +1855 @@
             jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
 
-            jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
+            jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
         });
         doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation);

trunk/Source/JavaScriptCore/wasm/WasmBinding.cpp

@@ -73 +73 @@
         jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
         jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*).
-        jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
+        jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize);
     }
 

trunk/Source/JavaScriptCore/wasm/js/JSToWasm.cpp

@@ -238 +238 @@
 
         jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize);
+        jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize);
     }
 

trunk/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp

@@ -369 +369 @@
 
         jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-        jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize);
+        jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize);
     }