Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (275078 => 275079)
--- trunk/Source/_javascript_Core/ChangeLog 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-03-26 05:25:40 UTC (rev 275079)
@@ -1,3 +1,54 @@
+2021-03-25 Saam Barati <sbar...@apple.com>
+
+ validate untagArrayPtr
+ https://bugs.webkit.org/show_bug.cgi?id=214953
+ <rdar://problem/66391434>
+
+ Reviewed by Mark Lam.
+
+ This patch adds validation to untagArrayPtr along paths where we don't
+ immediately store/load from the result.
+
+ This patch also changes the removeArrayPtrTag macro assembler function to
+ use a bitwise and instead of xpacd to strip the tag, because it's faster.
+
+ * assembler/MacroAssemblerARM64E.h:
+ (JSC::MacroAssemblerARM64E::untagArrayPtr):
+ (JSC::MacroAssemblerARM64E::removeArrayPtrTag):
+ * assembler/testmasm.cpp:
+ (JSC::testCagePreservesPACFailureBit):
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr):
+ (JSC::FTL::DFG::LowerDFGToB3::caged):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::cageWithoutUntagging):
+ (JSC::AssemblyHelpers::cageConditionallyAndUntag):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::cageWithoutUntagging): Deleted.
+ (JSC::AssemblyHelpers::cageConditionally): Deleted.
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::AirIRGenerator::addCallIndirect):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/js/JSToWasm.cpp:
+ (JSC::Wasm::createJSToWasmWrapper):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+
2021-03-25 Jessie Berlin <jber...@webkit.org>
Remove 10.13 DEPLOYMENT_TARGETs and SYSTEM_VERSION_PREFIXs
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h (275078 => 275079)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h 2021-03-26 05:25:40 UTC (rev 275079)
@@ -109,21 +109,39 @@
m_assembler.pacdb(target, length);
}
- ALWAYS_INLINE void untagArrayPtr(RegisterID length, RegisterID target)
+ ALWAYS_INLINE void untagArrayPtr(RegisterID length, RegisterID target, bool validateAuth, RegisterID scratch)
{
+ if (validateAuth) {
+ ASSERT(scratch != InvalidGPRReg);
+ move(target, scratch);
+ }
+
m_assembler.autdb(target, length);
+
+ if (validateAuth) {
+ ASSERT(target != ARM64Registers::sp);
+ ASSERT(scratch != ARM64Registers::sp);
+ removeArrayPtrTag(scratch);
+ auto isValidPtr = branch64(Equal, scratch, target);
+ breakpoint(0xc473);
+ isValidPtr.link(this);
+ }
}
- ALWAYS_INLINE void untagArrayPtr(Address length, RegisterID target)
+ ALWAYS_INLINE void untagArrayPtr(Address length, RegisterID target, bool validateAuth)
{
auto lengthGPR = getCachedDataTempRegisterIDAndInvalidate();
load32(length, lengthGPR);
- m_assembler.autdb(target, lengthGPR);
+ auto scratch = validateAuth ? getCachedMemoryTempRegisterIDAndInvalidate() : InvalidGPRReg;
+ untagArrayPtr(lengthGPR, target, validateAuth, scratch);
}
ALWAYS_INLINE void removeArrayPtrTag(RegisterID target)
{
- m_assembler.xpacd(target);
+ // If we couldn't fit this into a single instruction, we'd be better
+ // off emitting two shifts to mask off the top bits.
+ ASSERT(LogicalImmediate::create64(nonPACBitsMask).isValid());
+ and64(TrustedImmPtr(nonPACBitsMask), target);
}
static constexpr RegisterID InvalidGPR = static_cast<RegisterID>(-1);
Modified: trunk/Source/_javascript_Core/assembler/testmasm.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/assembler/testmasm.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/assembler/testmasm.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -2460,7 +2460,7 @@
RELEASE_ASSERT(!Gigacage::disablingPrimitiveGigacageIsForbidden());
auto cage = compile([] (CCallHelpers& jit) {
emitFunctionPrologue(jit);
- jit.cageConditionally(Gigacage::Primitive, GPRInfo::argumentGPR0, GPRInfo::argumentGPR1, GPRInfo::argumentGPR2);
+ jit.cageConditionallyAndUntag(Gigacage::Primitive, GPRInfo::argumentGPR0, GPRInfo::argumentGPR1, GPRInfo::argumentGPR2);
jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR);
emitFunctionEpilogue(jit);
jit.ret();
Modified: trunk/Source/_javascript_Core/bytecode/AccessCase.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -1068,7 +1068,7 @@
jit, ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
jit.loadPtr(CCallHelpers::Address(baseGPR, JSArrayBufferView::offsetOfVector()), scratch2GPR);
- jit.cageConditionally(Gigacage::Primitive, scratch2GPR, scratchGPR, scratchGPR);
+ jit.cageConditionallyAndUntag(Gigacage::Primitive, scratch2GPR, scratchGPR, scratchGPR, false);
jit.signExtend32ToPtr(propertyGPR, scratchGPR);
if (isInt(type)) {
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -7481,12 +7481,13 @@
storageResult(storageGPR, node);
}
-void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg)
+void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg, bool validateAuth)
{
auto untagArrayPtr = [&]() {
#if CPU(ARM64E)
- m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg);
+ m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg, validateAuth);
#else
+ UNUSED_PARAM(validateAuth);
UNUSED_PARAM(baseReg);
UNUSED_PARAM(storageReg);
#endif
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (275078 => 275079)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2021-03-26 05:25:40 UTC (rev 275079)
@@ -1683,7 +1683,7 @@
template<bool strict>
GPRReg fillSpeculateInt32Internal(Edge, DataFormat& returnFormat);
- void cageTypedArrayStorage(GPRReg, GPRReg);
+ void cageTypedArrayStorage(GPRReg, GPRReg, bool validateAuth = true);
void recordSetLocal(
Operand bytecodeReg, VirtualRegister machineReg, DataFormat format)
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -5274,7 +5274,7 @@
m_jit.branch64(MacroAssembler::AboveOrEqual, t2, t1));
m_jit.loadPtr(JITCompiler::Address(dataViewGPR, JSArrayBufferView::offsetOfVector()), t2);
- cageTypedArrayStorage(dataViewGPR, t2);
+ cageTypedArrayStorage(dataViewGPR, t2, false);
m_jit.zeroExtend32ToWord(indexGPR, t1);
auto baseIndex = JITCompiler::BaseIndex(t2, t1, MacroAssembler::TimesOne);
@@ -5475,7 +5475,7 @@
m_jit.branch64(MacroAssembler::AboveOrEqual, t2, t1));
m_jit.loadPtr(JITCompiler::Address(dataViewGPR, JSArrayBufferView::offsetOfVector()), t2);
- cageTypedArrayStorage(dataViewGPR, t2);
+ cageTypedArrayStorage(dataViewGPR, t2, false);
m_jit.zeroExtend32ToWord(indexGPR, t1);
auto baseIndex = JITCompiler::BaseIndex(t2, t1, MacroAssembler::TimesOne);
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -16387,9 +16387,10 @@
PatchpointValue* authenticate = m_out.patchpoint(pointerType());
authenticate->appendSomeRegister(ptr);
authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister));
+ authenticate->numGPScratchRegisters = 1;
authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
jit.move(params[1].gpr(), params[0].gpr());
- jit.untagArrayPtr(params[2].gpr(), params[0].gpr());
+ jit.untagArrayPtr(params[2].gpr(), params[0].gpr(), true, params.gpScratch(0));
});
return authenticate;
#else
@@ -16443,6 +16444,11 @@
LValue masked = m_out.bitAnd(ptr, mask);
LValue result = m_out.add(masked, basePtr);
+#if CPU(ARM64E)
+ result = m_out.select(
+ m_out.equal(ptr, m_out.constIntPtr(JSArrayBufferView::nullVectorPtr())),
+ ptr, result);
+#endif
#if CPU(ARM64E)
if (kind == Gigacage::Primitive) {
Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -1024,6 +1024,85 @@
storePtr(scratch, vm.addressOfLastStackTop());
}
+void AssemblyHelpers::cageWithoutUntagging(Gigacage::Kind kind, GPRReg storage)
+{
+#if GIGACAGE_ENABLED
+ if (!Gigacage::isEnabled(kind))
+ return;
+
+#if CPU(ARM64E)
+ RegisterID tempReg = InvalidGPRReg;
+ Jump skip;
+ if (kind == Gigacage::Primitive) {
+ skip = branchPtr(Equal, storage, TrustedImmPtr(JSArrayBufferView::nullVectorPtr()));
+ tempReg = getCachedMemoryTempRegisterIDAndInvalidate();
+ move(storage, tempReg);
+ // Flip the registers since bitFieldInsert only inserts into the low bits.
+ std::swap(storage, tempReg);
+ }
+#endif
+ andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
+ addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
+#if CPU(ARM64E)
+ if (kind == Gigacage::Primitive)
+ bitFieldInsert64(storage, 0, 64 - numberOfPACBits, tempReg);
+ if (skip.isSet())
+ skip.link(this);
+#endif
+
+#else
+ UNUSED_PARAM(kind);
+ UNUSED_PARAM(storage);
+#endif
+}
+
+// length may be the same register as scratch.
+void AssemblyHelpers::cageConditionallyAndUntag(Gigacage::Kind kind, GPRReg storage, GPRReg length, GPRReg scratch, bool validateAuth)
+{
+#if GIGACAGE_ENABLED
+ if (Gigacage::isEnabled(kind)) {
+ if (kind != Gigacage::Primitive || Gigacage::disablingPrimitiveGigacageIsForbidden())
+ cageWithoutUntagging(kind, storage);
+ else {
+#if CPU(ARM64E)
+ if (length == scratch)
+ scratch = getCachedMemoryTempRegisterIDAndInvalidate();
+#endif
+ JumpList done;
+#if CPU(ARM64E)
+ done.append(branchPtr(Equal, storage, TrustedImmPtr(JSArrayBufferView::nullVectorPtr())));
+#endif
+ done.append(branchTest8(NonZero, AbsoluteAddress(&Gigacage::disablePrimitiveGigacageRequested)));
+
+ loadPtr(Gigacage::addressOfBasePtr(kind), scratch);
+ done.append(branchTest64(Zero, scratch));
+#if CPU(ARM64E)
+ GPRReg tempReg = getCachedDataTempRegisterIDAndInvalidate();
+ move(storage, tempReg);
+ ASSERT(LogicalImmediate::create64(Gigacage::mask(kind)).isValid());
+ andPtr(TrustedImmPtr(Gigacage::mask(kind)), tempReg);
+ addPtr(scratch, tempReg);
+ bitFieldInsert64(tempReg, 0, 64 - numberOfPACBits, storage);
+#else
+ andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
+ addPtr(scratch, storage);
+#endif // CPU(ARM64E)
+ done.link(this);
+ }
+ }
+#endif
+
+#if CPU(ARM64E)
+ if (kind == Gigacage::Primitive)
+ untagArrayPtr(length, storage, validateAuth, scratch);
+#endif
+ UNUSED_PARAM(validateAuth);
+ UNUSED_PARAM(kind);
+ UNUSED_PARAM(storage);
+ UNUSED_PARAM(length);
+ UNUSED_PARAM(scratch);
+}
+
} // namespace JSC
#endif // ENABLE(JIT)
Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (275078 => 275079)
--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2021-03-26 05:25:40 UTC (rev 275079)
@@ -1731,77 +1731,10 @@
ok.link(this);
}
- void cageWithoutUntagging(Gigacage::Kind kind, GPRReg storage)
- {
-#if GIGACAGE_ENABLED
- if (!Gigacage::isEnabled(kind))
- return;
-
-#if CPU(ARM64E)
- RegisterID tempReg = InvalidGPRReg;
- if (kind == Gigacage::Primitive) {
- tempReg = getCachedMemoryTempRegisterIDAndInvalidate();
- move(storage, tempReg);
- // Flip the registers since bitFieldInsert only inserts into the low bits.
- std::swap(storage, tempReg);
- }
-#endif
- andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
- addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage);
-#if CPU(ARM64E)
- if (kind == Gigacage::Primitive)
- bitFieldInsert64(storage, 0, 64 - numberOfPACBits, tempReg);
-#endif
-
-#else
- UNUSED_PARAM(kind);
- UNUSED_PARAM(storage);
-#endif
- }
-
+ JS_EXPORT_PRIVATE void cageWithoutUntagging(Gigacage::Kind, GPRReg storage);
// length may be the same register as scratch.
- void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg length, GPRReg scratch)
- {
-#if GIGACAGE_ENABLED
- if (Gigacage::isEnabled(kind)) {
- if (kind != Gigacage::Primitive || Gigacage::disablingPrimitiveGigacageIsForbidden())
- cageWithoutUntagging(kind, storage);
- else {
-#if CPU(ARM64E)
- if (length == scratch)
- scratch = getCachedMemoryTempRegisterIDAndInvalidate();
-#endif
- JumpList done;
- done.append(branchTest8(NonZero, AbsoluteAddress(&Gigacage::disablePrimitiveGigacageRequested)));
+ JS_EXPORT_PRIVATE void cageConditionallyAndUntag(Gigacage::Kind, GPRReg storage, GPRReg length, GPRReg scratch, bool validateAuth = true);
- loadPtr(Gigacage::addressOfBasePtr(kind), scratch);
- done.append(branchTest64(Zero, scratch));
-#if CPU(ARM64E)
- GPRReg tempReg = getCachedDataTempRegisterIDAndInvalidate();
- move(storage, tempReg);
- ASSERT(LogicalImmediate::create64(Gigacage::mask(kind)).isValid());
- andPtr(TrustedImmPtr(Gigacage::mask(kind)), tempReg);
- addPtr(scratch, tempReg);
- bitFieldInsert64(tempReg, 0, 64 - numberOfPACBits, storage);
-#else
- andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage);
- addPtr(scratch, storage);
-#endif // CPU(ARM64E)
- done.link(this);
- }
- }
-#endif
-
-#if CPU(ARM64E)
- if (kind == Gigacage::Primitive)
- untagArrayPtr(length, storage);
-#endif
- UNUSED_PARAM(kind);
- UNUSED_PARAM(storage);
- UNUSED_PARAM(length);
- UNUSED_PARAM(scratch);
- }
-
void emitComputeButterflyIndexingMask(GPRReg vectorLengthGPR, GPRReg scratchGPR, GPRReg resultGPR)
{
ASSERT(scratchGPR != resultGPR);
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -1811,7 +1811,7 @@
// We would be loading this into base as in get_by_val, except that the slow
// path expects the base to be unclobbered.
loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
- cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2);
+ cageConditionallyAndUntag(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2, false);
if (isClamped(type)) {
ASSERT(elementSize(type) == 1);
@@ -1900,7 +1900,7 @@
// We would be loading this into base as in get_by_val, except that the slow
// path expects the base to be unclobbered.
loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch);
- cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2);
+ cageConditionallyAndUntag(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2, false);
switch (elementSize(type)) {
case 4:
Modified: trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -959,8 +959,7 @@
RegisterSet clobbers;
clobbers.set(pinnedRegs->baseMemoryPointer);
clobbers.set(pinnedRegs->boundsCheckingSizeRegister);
- if (!isARM64())
- clobbers.set(RegisterSet::macroScratchRegisters());
+ clobbers.set(RegisterSet::macroScratchRegisters());
auto* patchpoint = addPatchpoint(B3::Void);
B3::Effects effects = B3::Effects::none();
@@ -968,17 +967,17 @@
effects.reads = B3::HeapRange::top();
patchpoint->effects = effects;
patchpoint->clobber(clobbers);
- patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
+ patchpoint->numGPScratchRegisters = 1;
patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
AllowMacroScratchRegisterUsage allowScratch(jit);
GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
- GPRReg scratchOrBoundsCheckingSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->boundsCheckingSizeRegister;
+ GPRReg scratch = params.gpScratch(0);
jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs->boundsCheckingSizeRegister);
jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
- jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->boundsCheckingSizeRegister, scratchOrBoundsCheckingSize);
+ jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs->boundsCheckingSizeRegister, scratch);
});
emitPatchpoint(block, patchpoint, Tmp(), instance);
@@ -3358,7 +3357,7 @@
// FIXME: We shouldn't have to do this: https://bugs.webkit.org/show_bug.cgi?id=172181
patchpoint->clobber(PinnedRegisterInfo::get().toSave(MemoryMode::BoundsChecking));
patchpoint->clobber(RegisterSet::macroScratchRegisters());
- patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
+ patchpoint->numGPScratchRegisters = 1;
patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
AllowMacroScratchRegisterUsage allowScratch(jit);
@@ -3373,12 +3372,12 @@
// FIXME: We should support more than one memory size register
// see: https://bugs.webkit.org/show_bug.cgi?id=162952
ASSERT(pinnedRegs.boundsCheckingSizeRegister != newContextInstance);
- GPRReg scratchOrBoundsCheckingSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.boundsCheckingSizeRegister;
+ GPRReg scratch = params.gpScratch(0);
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs.boundsCheckingSizeRegister); // Bound checking size.
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
- jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.boundsCheckingSizeRegister, scratchOrBoundsCheckingSize);
+ jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs.boundsCheckingSizeRegister, scratch);
});
emitPatchpoint(doContextSwitch, patchpoint, Tmp(), newContextInstance, instanceValue());
Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -579,8 +579,7 @@
RegisterSet clobbers;
clobbers.set(pinnedRegs->baseMemoryPointer);
clobbers.set(pinnedRegs->boundsCheckingSizeRegister);
- if (!isARM64())
- clobbers.set(RegisterSet::macroScratchRegisters());
+ clobbers.set(RegisterSet::macroScratchRegisters());
B3::PatchpointValue* patchpoint = block->appendNew<B3::PatchpointValue>(proc, B3::Void, origin());
Effects effects = Effects::none();
@@ -588,18 +587,18 @@
effects.reads = B3::HeapRange::top();
patchpoint->effects = effects;
patchpoint->clobber(clobbers);
- patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
+ patchpoint->numGPScratchRegisters = 1;
patchpoint->append(instance, ValueRep::SomeRegister);
patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
AllowMacroScratchRegisterUsage allowScratch(jit);
GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
- GPRReg scratchOrBoundsCheckingSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->boundsCheckingSizeRegister;
+ GPRReg scratch = params.gpScratch(0);
jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs->boundsCheckingSizeRegister);
jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
- jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->boundsCheckingSizeRegister, scratchOrBoundsCheckingSize);
+ jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs->boundsCheckingSizeRegister, scratch);
});
}
}
@@ -2544,7 +2543,7 @@
patchpoint->clobber(RegisterSet::macroScratchRegisters());
patchpoint->append(newContextInstance, ValueRep::SomeRegister);
patchpoint->append(instanceValue(), ValueRep::SomeRegister);
- patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
+ patchpoint->numGPScratchRegisters = 1;
patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
AllowMacroScratchRegisterUsage allowScratch(jit);
@@ -2560,12 +2559,12 @@
// FIXME: We should support more than one memory size register
// see: https://bugs.webkit.org/show_bug.cgi?id=162952
ASSERT(pinnedRegs.boundsCheckingSizeRegister != newContextInstance);
- GPRReg scratchOrBoundsCheckingSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.boundsCheckingSizeRegister;
+ GPRReg scratch = params.gpScratch(0);
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs.boundsCheckingSizeRegister); // Memory size.
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
- jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.boundsCheckingSizeRegister, scratchOrBoundsCheckingSize);
+ jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs.boundsCheckingSizeRegister, scratch);
});
doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation);
Modified: trunk/Source/_javascript_Core/wasm/WasmBinding.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/wasm/WasmBinding.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/wasm/WasmBinding.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -68,11 +68,9 @@
// FIXME the following code assumes that all Wasm::Instance have the same pinned registers. https://bugs.webkit.org/show_bug.cgi?id=162952
// Set up the callee's baseMemory register as well as the memory size registers.
{
- GPRReg scratchOrBoundsCheckingSize = !Gigacage::isEnabled(Gigacage::Primitive) ? pinnedRegs.boundsCheckingSizeRegister : wasmCallingConvention().prologueScratchGPRs[1];
-
jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs.boundsCheckingSizeRegister); // Bound checking size.
jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*).
- jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.boundsCheckingSizeRegister, scratchOrBoundsCheckingSize);
+ jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, pinnedRegs.boundsCheckingSizeRegister, wasmCallingConvention().prologueScratchGPRs[1]);
}
// Tail call into the callee WebAssembly function.
Modified: trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/wasm/js/JSToWasm.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -256,7 +256,8 @@
if (!!info.memory) {
GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
- GPRReg scratchOrBoundsCheckingSize = wasmCallingConvention().prologueScratchGPRs[0];
+ GPRReg size = wasmCallingConvention().prologueScratchGPRs[0];
+ GPRReg scratch = wasmCallingConvention().prologueScratchGPRs[1];
if (Context::useFastTLS())
jit.loadWasmContextInstance(baseMemory);
@@ -264,8 +265,8 @@
GPRReg currentInstanceGPR = Context::useFastTLS() ? baseMemory : wasmContextInstanceGPR;
if (isARM64E()) {
if (mode != Wasm::MemoryMode::Signaling)
- scratchOrBoundsCheckingSize = pinnedRegs.boundsCheckingSizeRegister;
- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedBoundsCheckingSize()), scratchOrBoundsCheckingSize);
+ size = pinnedRegs.boundsCheckingSizeRegister;
+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedBoundsCheckingSize()), size);
} else {
if (mode != Wasm::MemoryMode::Signaling)
jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedBoundsCheckingSize()), pinnedRegs.boundsCheckingSizeRegister);
@@ -272,7 +273,7 @@
}
jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrBoundsCheckingSize, scratchOrBoundsCheckingSize);
+ jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, size, scratch);
}
CCallHelpers::Call call = jit.threadSafePatchableNearCall();
Modified: trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp (275078 => 275079)
--- trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2021-03-26 05:24:51 UTC (rev 275078)
+++ trunk/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2021-03-26 05:25:40 UTC (rev 275079)
@@ -367,12 +367,14 @@
if (!!moduleInformation.memory) {
GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
- GPRReg scratchOrBoundsCheckingSize = stackLimitGPR;
+ GPRReg scratchOrBoundsCheckingSize = InvalidGPRReg;
auto mode = instance()->memoryMode();
if (isARM64E()) {
if (mode != Wasm::MemoryMode::Signaling)
scratchOrBoundsCheckingSize = pinnedRegs.boundsCheckingSizeRegister;
+ else
+ scratchOrBoundsCheckingSize = stackLimitGPR;
jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedBoundsCheckingSize()), scratchOrBoundsCheckingSize);
} else {
if (mode != Wasm::MemoryMode::Signaling)
@@ -380,7 +382,7 @@
}
jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrBoundsCheckingSize, scratchOrBoundsCheckingSize);
+ jit.cageConditionallyAndUntag(Gigacage::Primitive, baseMemory, scratchOrBoundsCheckingSize, scratchGPR);
}
// We use this callee to indicate how to unwind past these types of frames:
@@ -390,13 +392,11 @@
m_jsToWasmICCallee.set(vm, this, JSToWasmICCallee::create(vm, globalObject(), this));
jit.storePtr(CCallHelpers::TrustedImmPtr(m_jsToWasmICCallee.get()), CCallHelpers::addressFor(CallFrameSlot::callee));
- {
- // FIXME: Currently we just do an indirect jump. But we should teach the Module
- // how to repatch us:
- // https://bugs.webkit.org/show_bug.cgi?id=196570
- jit.loadPtr(entrypointLoadLocation(), scratchGPR);
- jit.call(scratchGPR, WasmEntryPtrTag);
- }
+ // FIXME: Currently we just do an indirect jump. But we should teach the Module
+ // how to repatch us:
+ // https://bugs.webkit.org/show_bug.cgi?id=196570
+ jit.loadPtr(entrypointLoadLocation(), scratchGPR);
+ jit.call(scratchGPR, WasmEntryPtrTag);
marshallJSResult(jit, signature, wasmCallInfo, savedResultRegisters);
