Modified: trunk/Source/_javascript_Core/ChangeLog (226473 => 226474)
--- trunk/Source/_javascript_Core/ChangeLog 2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-01-06 00:37:08 UTC (rev 226474)
@@ -1,5 +1,39 @@
2018-01-05 Michael Saboff <msab...@apple.com>
+ Add ability to disable indexed property masking for testing
+ https://bugs.webkit.org/show_bug.cgi?id=181350
+
+ Reviewed by Keith Miller.
+
+ Made the masking of indexed properties runtime controllable via a new JSC::Option
+ named disableSpectreMitigations. This is done to test the efficacy of that mitigation.
+
+ The new option has a generic name as it will probably be used to disable future mitigations.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
+ (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
+ (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
+ (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
+ * jit/JIT.cpp:
+ (JSC::JIT::JIT):
+ * jit/JIT.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitDoubleLoad):
+ (JSC::JIT::emitContiguousLoad):
+ (JSC::JIT::emitArrayStorageLoad):
+ * runtime/Options.h:
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
+
+2018-01-05 Michael Saboff <msab...@apple.com>
+
Allow JSC Config Files to set Restricted Options
https://bugs.webkit.org/show_bug.cgi?id=181352
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (226473 => 226474)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-01-06 00:37:08 UTC (rev 226474)
@@ -74,6 +74,7 @@
, m_currentNode(0)
, m_lastGeneratedNode(LastNodeType)
, m_indexInBlock(0)
+ , m_indexMaskingMode(Options::disableSpectreMitigations() ? IndexMaskingDisabled : IndexMaskingEnabled)
, m_generationInfo(m_jit.graph().frameRegisterCount())
, m_state(m_jit.graph())
, m_interpreter(m_jit.graph(), m_state)
@@ -2856,7 +2857,8 @@
void SpeculativeJIT::loadFromIntTypedArray(GPRReg baseReg, GPRReg storageReg, GPRReg propertyReg, GPRReg resultReg, TypedArrayType type)
{
- m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+ if (m_indexMaskingMode == IndexMaskingEnabled)
+ m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
switch (elementSize(type)) {
case 1:
if (isSigned(type))
@@ -3158,7 +3160,8 @@
FPRTemporary result(this);
FPRReg resultReg = result.fpr();
emitTypedArrayBoundsCheck(node, baseReg, propertyReg);
- m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+ if (m_indexMaskingMode == IndexMaskingEnabled)
+ m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
switch (elementSize(type)) {
case 4:
m_jit.loadFloat(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesFour), resultReg);
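Review bot: The guard `if (m_indexMaskingMode == IndexMaskingEnabled)` in front of the `and32(... butterflyIndexingMaskOffset() ...)` is now spelled out by hand at every load site — twice here (loadFromIntTypedArray and compileGetByValOnFloatTypedArray), four more times in DFGSpeculativeJIT64.cpp, and three times as `if (m_shouldUseIndexMasking)` in JITPropertyAccess.cpp — so the option check and the masking instruction can drift apart as load sites are added or edited. A small helper on SpeculativeJIT, `void emitIndexMasking(GPRReg baseReg, GPRReg propertyReg) { if (m_indexMaskingMode == IndexMaskingEnabled) m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg); }`, with a sibling on JIT, would keep the test switch in one place per tier. Note that `m_indexMaskingMode` is taken from the option once in the constructor, so the option only affects code compiled after it is set. Both enclosing functions in this file continue outside the hunks.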
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (226473 => 226474)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2018-01-06 00:37:08 UTC (rev 226474)
@@ -3317,6 +3317,11 @@
Node* m_currentNode;
NodeType m_lastGeneratedNode;
unsigned m_indexInBlock;
+
+ enum IndexMaskingMode { IndexMaskingDisabled, IndexMaskingEnabled };
+
+ IndexMaskingMode m_indexMaskingMode;
+
// Virtual and physical register maps.
Vector<GenerationInfo, 32> m_generationInfo;
RegisterBank<GPRInfo> m_gprs;
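Review bot: `IndexMaskingMode` is a plain enum declared identically here and again inside LowerDFGToB3 (FTLLowerDFGToB3.cpp), while the baseline JIT expresses the same switch as `bool m_shouldUseIndexMasking` (JIT.h) — three tiers, two representations of one test knob. Either declare the enum once in a header both classes already include, or use the same `bool` in all three, so a reader tracing the option's effect finds one shape. If the enum stays, `enum class IndexMaskingMode { Disabled, Enabled };` keeps the enumerators out of the class's unscoped namespace. A one-line comment on the member, `// Snapshot of Options::disableSpectreMitigations() taken at construction; testing only.`, would record why this is a member rather than a direct option read.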
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (226473 => 226474)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-01-06 00:37:08 UTC (rev 226474)
@@ -2746,7 +2746,8 @@
GPRTemporary result(this);
- m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+ if (m_indexMaskingMode == IndexMaskingEnabled)
+ m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
m_jit.load64(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight), result.gpr());
if (node->arrayMode().isSaneChain()) {
ASSERT(node->arrayMode().type() == Array::Contiguous);
@@ -2781,7 +2782,8 @@
slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
- m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+ if (m_indexMaskingMode == IndexMaskingEnabled)
+ m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
m_jit.load64(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight), resultReg);
slowCases.append(m_jit.branchTest64(MacroAssembler::Zero, resultReg));
@@ -2812,7 +2814,8 @@
speculationCheck(OutOfBounds, JSValueRegs(), 0, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
- m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+ if (m_indexMaskingMode == IndexMaskingEnabled)
+ m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
m_jit.loadDouble(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight), resultReg);
if (!node->arrayMode().isSaneChain())
speculationCheck(LoadFromHole, JSValueRegs(), 0, m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, resultReg, resultReg));
@@ -2840,7 +2843,8 @@
slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
- m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+ if (m_indexMaskingMode == IndexMaskingEnabled)
+ m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
m_jit.loadDouble(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight), tempReg);
slowCases.append(m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, tempReg, tempReg));
boxDouble(tempReg, resultReg);
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (226473 => 226474)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-01-06 00:37:08 UTC (rev 226474)
@@ -149,6 +149,7 @@
, m_availabilityCalculator(m_graph)
, m_state(state.graph)
, m_interpreter(state.graph, m_state)
+ , m_indexMaskingMode(Options::disableSpectreMitigations() ? IndexMaskingDisabled : IndexMaskingEnabled)
{
}
@@ -11071,6 +11072,9 @@
TypedPointer maskedIndex(IndexedAbstractHeap& heap, LValue storage, LValue index, LValue baseObject, Edge edge, ptrdiff_t offset = 0)
{
+ if (m_indexMaskingMode == IndexMaskingDisabled)
+ return baseIndex(heap, storage, index, edge, offset);
+
LValue mask = m_out.zeroExtPtr(m_out.load32(baseObject, m_heaps.JSObject_butterflyMask));
return m_out.baseIndex(
heap, storage, m_out.zeroExtPtr(index), provenValue(edge), offset, mask);
@@ -13146,8 +13150,10 @@
TypedPointer pointerIntoTypedArray(LValue base, LValue storage, LValue index, TypedArrayType type)
{
- LValue mask = m_out.load32(base, m_heaps.JSObject_butterflyMask);
- LValue offset = m_out.shl(m_out.zeroExtPtr(m_out.bitAnd(mask, index)), m_out.constIntPtr(logElementSize(type)));
+ if (m_indexMaskingMode == IndexMaskingEnabled)
+ index = m_out.bitAnd(index, m_out.load32(base, m_heaps.JSObject_butterflyMask));
+ LValue offset = m_out.shl(m_out.zeroExtPtr(index), m_out.constIntPtr(logElementSize(type)));
+
return TypedPointer(
m_heaps.typedArrayProperties,
m_out.add(
@@ -15703,6 +15709,10 @@
DFG::BasicBlock* m_nextHighBlock;
LBasicBlock m_nextLowBlock;
+ enum IndexMaskingMode { IndexMaskingDisabled, IndexMaskingEnabled };
+
+ IndexMaskingMode m_indexMaskingMode;
+
NodeOrigin m_origin;
unsigned m_nodeIndex;
Node* m_node;
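Review bot: The early return added to maskedIndex goes through a different helper than the masked path — `baseIndex(heap, storage, index, edge, offset)` versus `m_out.baseIndex(heap, storage, m_out.zeroExtPtr(index), provenValue(edge), offset, mask)` — so whether the unmasked path still zero-extends `index` and forwards the proven value depends on the member `baseIndex` overload, which is not visible in this hunk; once confirmed, a comment at the return such as `// Unmasked path: baseIndex() performs the same zero-extension without the butterfly mask.` would save the next reader the lookup. In pointerIntoTypedArray the parameter `index` is reassigned in place; a fresh local (`LValue maskedIndex = ...`) would leave the parameter's meaning intact. The enclosing class body and both functions' callers lie outside the hunks.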
Modified: trunk/Source/_javascript_Core/jit/JIT.cpp (226473 => 226474)
--- trunk/Source/_javascript_Core/jit/JIT.cpp 2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/jit/JIT.cpp 2018-01-06 00:37:08 UTC (rev 226474)
@@ -84,6 +84,7 @@
, m_pcToCodeOriginMapBuilder(*vm)
, m_canBeOptimized(false)
, m_shouldEmitProfiling(false)
+ , m_shouldUseIndexMasking(Options::disableSpectreMitigations() ? false : true)
, m_loopOSREntryBytecodeOffset(loopOSREntryBytecodeOffset)
{
}
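Review bot: `Options::disableSpectreMitigations() ? false : true` in the initializer of `m_shouldUseIndexMasking` is a spelled-out negation; `, m_shouldUseIndexMasking(!Options::disableSpectreMitigations())` says the same thing directly. Because the value is captured once per JIT instance, the option has to be set before compilation starts to have any effect on generated code; a short comment on the member in JIT.h, `// Captured at construction; set the option before compiling.`, would help whoever uses it for testing.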
Modified: trunk/Source/_javascript_Core/jit/JIT.h (226473 => 226474)
--- trunk/Source/_javascript_Core/jit/JIT.h 2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/jit/JIT.h 2018-01-06 00:37:08 UTC (rev 226474)
@@ -944,6 +944,7 @@
bool m_canBeOptimized;
bool m_canBeOptimizedOrInlined;
bool m_shouldEmitProfiling;
+ bool m_shouldUseIndexMasking;
unsigned m_loopOSREntryBytecodeOffset { 0 };
} JIT_CLASS_ALIGNMENT;
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (226473 => 226474)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2018-01-06 00:37:08 UTC (rev 226474)
@@ -174,7 +174,8 @@
badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape));
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
- and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
+ if (m_shouldUseIndexMasking)
+ and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
slowCases.append(branchDouble(DoubleNotEqualOrUnordered, fpRegT0, fpRegT0));
@@ -188,7 +189,8 @@
badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape));
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
- and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
+ if (m_shouldUseIndexMasking)
+ and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
load64(BaseIndex(regT2, regT1, TimesEight), regT0);
slowCases.append(branchTest64(Zero, regT0));
@@ -205,7 +207,8 @@
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
- and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
+ if (m_shouldUseIndexMasking)
+ and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
load64(BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()), regT0);
slowCases.append(branchTest64(Zero, regT0));
Modified: trunk/Source/_javascript_Core/runtime/Options.h (226473 => 226474)
--- trunk/Source/_javascript_Core/runtime/Options.h 2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/runtime/Options.h 2018-01-06 00:37:08 UTC (rev 226474)
@@ -458,6 +458,8 @@
\
v(bool, useWebAssembly, true, Normal, "Expose the WebAssembly global object.") \
\
+ v(bool, disableSpectreMitigations, false, Restricted, "Disable Spectre mitigations.") \
+ \
v(bool, useAsyncIterator, enableAsyncIteration, Normal, "Allow to use Async Iterator in JS.") \
\
v(bool, failToCompileWebAssemblyCode, false, Normal, "If true, no Wasm::Plan will sucessfully compile a function.") \
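Review bot: The description `"Disable Spectre mitigations."` does not say what the ChangeLog says — that the option exists only to measure the mitigation's effect and is not meant to be set outside testing; `v(bool, disableSpectreMitigations, false, Restricted, "Disable Spectre mitigations. For testing their efficacy only.")` carries that into the option's own help text. At this revision the flag removes only the indexed-property masking in the DFG, FTL, baseline and Wasm paths listed in the ChangeLog, so the generic name promises more than it currently does; the description could state that scope so it is updated as further mitigations are attached.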
Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (226473 => 226474)
--- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2018-01-06 00:37:08 UTC (rev 226474)
@@ -650,7 +650,7 @@
// We're not using signal handling at all, we must therefore check that no memory access exceeds the current memory size.
ASSERT(m_memorySizeGPR);
ASSERT(sizeOfOperation + offset > offset);
- GPRReg indexingMask = shouldMask == ShouldMask::Yes ? m_indexingMaskGPR : InvalidGPRReg;
+ GPRReg indexingMask = (shouldMask == ShouldMask::Yes && !Options::disableSpectreMitigations()) ? m_indexingMaskGPR : InvalidGPRReg;
m_currentBlock->appendNew<WasmBoundsCheckValue>(m_proc, origin(), m_memorySizeGPR, indexingMask, pointer, sizeOfOperation + offset - 1);
break;
}
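Review bot: Here `Options::disableSpectreMitigations()` is consulted on every emitCheckAndPreparePointer call, whereas the DFG, FTL and baseline tiers snapshot it once in their constructors (`m_indexMaskingMode`, `m_shouldUseIndexMasking`); re-reading a test option inside IR generation is harmless but inconsistent, and a member initialised at B3IRGenerator construction, `m_shouldUseIndexMasking(!Options::disableSpectreMitigations())`, would match the other tiers and guarantee one setting for a whole function. The `indexingMask` initializer is also getting long; `bool maskIndex = shouldMask == ShouldMask::Yes && !Options::disableSpectreMitigations();` on its own line would keep the ternary readable. emitCheckAndPreparePointer starts and ends outside the hunk.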