Title: [226474] trunk/Source/_javascript_Core
Revision
226474
Author
msab...@apple.com
Date
2018-01-05 16:37:08 -0800 (Fri, 05 Jan 2018)

Log Message

Add ability to disable indexed property masking for testing
https://bugs.webkit.org/show_bug.cgi?id=181350

Reviewed by Keith Miller.

Made the masking of indexed properties runtime controllable via a new JSC::Option
named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.

The new option has a generic name as it will probably be used to disable future mitigations.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
(JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
* jit/JIT.cpp:
(JSC::JIT::JIT):
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
* runtime/Options.h:
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):


Modified: trunk/Source/_javascript_Core/ChangeLog (226473 => 226474)


--- trunk/Source/_javascript_Core/ChangeLog	2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-01-06 00:37:08 UTC (rev 226474)
@@ -1,5 +1,39 @@
 2018-01-05  Michael Saboff  <msab...@apple.com>
 
+        Add ability to disable indexed property masking for testing
+        https://bugs.webkit.org/show_bug.cgi?id=181350
+
+        Reviewed by Keith Miller.
+
+        Made the masking of indexed properties runtime controllable via a new JSC::Option
+        named disableSpectreMitigations.  This is done to test the efficacy of that mitigation.
+
+        The new option has a generic name as it will probably be used to disable future mitigations.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
+        (JSC::DFG::SpeculativeJIT::loadFromIntTypedArray):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
+        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
+        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
+        * jit/JIT.cpp:
+        (JSC::JIT::JIT):
+        * jit/JIT.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitDoubleLoad):
+        (JSC::JIT::emitContiguousLoad):
+        (JSC::JIT::emitArrayStorageLoad):
+        * runtime/Options.h:
+        * wasm/WasmB3IRGenerator.cpp:
+        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
+
+2018-01-05  Michael Saboff  <msab...@apple.com>
+
         Allow JSC Config Files to set Restricted Options
         https://bugs.webkit.org/show_bug.cgi?id=181352
 

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (226473 => 226474)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2018-01-06 00:37:08 UTC (rev 226474)
@@ -74,6 +74,7 @@
     , m_currentNode(0)
     , m_lastGeneratedNode(LastNodeType)
     , m_indexInBlock(0)
+    , m_indexMaskingMode(Options::disableSpectreMitigations() ? IndexMaskingDisabled : IndexMaskingEnabled)
     , m_generationInfo(m_jit.graph().frameRegisterCount())
     , m_state(m_jit.graph())
     , m_interpreter(m_jit.graph(), m_state)
@@ -2856,7 +2857,8 @@
 
 void SpeculativeJIT::loadFromIntTypedArray(GPRReg baseReg, GPRReg storageReg, GPRReg propertyReg, GPRReg resultReg, TypedArrayType type)
 {
-    m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+    if (m_indexMaskingMode == IndexMaskingEnabled)
+        m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
     switch (elementSize(type)) {
     case 1:
         if (isSigned(type))
@@ -3158,7 +3160,8 @@
     FPRTemporary result(this);
     FPRReg resultReg = result.fpr();
     emitTypedArrayBoundsCheck(node, baseReg, propertyReg);
-    m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+    if (m_indexMaskingMode == IndexMaskingEnabled)
+        m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
     switch (elementSize(type)) {
     case 4:
         m_jit.loadFloat(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesFour), resultReg);
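Review bot: The `and32` against `butterflyIndexingMaskOffset()` is now the only thing that bounds the load on a mispredicted path, and neither site says so; a reader seeing an AND that is skippable by option will not know it is a Spectre guard rather than an indexing detail. In compileGetByValOnFloatTypedArray the mask follows `emitTypedArrayBoundsCheck(node, baseReg, propertyReg)`, so the comment can be precise there: `// Spectre mitigation: mask the index after the bounds check so a mispredicted branch cannot speculatively load outside the storage (skipped only under the Restricted disableSpectreMitigations option, for testing).` The same comment belongs on the loadFromIntTypedArray site, whose bounds check is not visible in this hunk. Both enclosing functions continue past the hunk.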

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (226473 => 226474)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2018-01-06 00:37:08 UTC (rev 226474)
@@ -3317,6 +3317,11 @@
     Node* m_currentNode;
     NodeType m_lastGeneratedNode;
     unsigned m_indexInBlock;
+
+    enum IndexMaskingMode { IndexMaskingDisabled, IndexMaskingEnabled };
+    
+    IndexMaskingMode m_indexMaskingMode;
+
     // Virtual and physical register maps.
     Vector<GenerationInfo, 32> m_generationInfo;
     RegisterBank<GPRInfo> m_gprs;
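Review bot: `IndexMaskingMode m_indexMaskingMode;` has no default member initializer, so the secure state depends entirely on the one constructor path that sets it; giving it `IndexMaskingMode m_indexMaskingMode { IndexMaskingEnabled };` makes masking the fail-safe default for any constructor or copy that forgets. The enum is declared verbatim a second time inside FTLLowerDFGToB3 in this same commit, so a single shared definition (an `enum class` in a header both tiers include) would keep the two tiers from drifting. A one-line comment would also help: `// Spectre index masking on indexed loads; disabled only by the Restricted disableSpectreMitigations option (testing).`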

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (226473 => 226474)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2018-01-06 00:37:08 UTC (rev 226474)
@@ -2746,7 +2746,8 @@
                 
                 GPRTemporary result(this);
 
-                m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+                if (m_indexMaskingMode == IndexMaskingEnabled)
+                    m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
                 m_jit.load64(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight), result.gpr());
                 if (node->arrayMode().isSaneChain()) {
                     ASSERT(node->arrayMode().type() == Array::Contiguous);
@@ -2781,7 +2782,8 @@
             
             slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
 
-            m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+            if (m_indexMaskingMode == IndexMaskingEnabled)
+                m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
             m_jit.load64(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight), resultReg);
             slowCases.append(m_jit.branchTest64(MacroAssembler::Zero, resultReg));
             
@@ -2812,7 +2814,8 @@
 
                 speculationCheck(OutOfBounds, JSValueRegs(), 0, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
 
-                m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+                if (m_indexMaskingMode == IndexMaskingEnabled)
+                    m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
                 m_jit.loadDouble(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight), resultReg);
                 if (!node->arrayMode().isSaneChain())
                     speculationCheck(LoadFromHole, JSValueRegs(), 0, m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, resultReg, resultReg));
@@ -2840,7 +2843,8 @@
             
             slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(storageReg, Butterfly::offsetOfPublicLength())));
 
-            m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
+            if (m_indexMaskingMode == IndexMaskingEnabled)
+                m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), propertyReg);
             m_jit.loadDouble(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight), tempReg);
             slowCases.append(m_jit.branchDouble(MacroAssembler::DoubleNotEqualOrUnordered, tempReg, tempReg));
             boxDouble(tempReg, resultReg);
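Review bot: The same two-line guard is now pasted at four load sites in compile(), so the masking policy lives in the call sites rather than in one place, and a future GetByVal site can silently omit it. A small helper mirroring the FTL's `maskedIndex` keeps the check in one function and gives it a home for the Spectre comment; each site then collapses to `maskIndexForSpectre(baseReg, propertyReg);` immediately before its load. compile() begins and ends outside this hunk; the helper would be declared in DFGSpeculativeJIT.h next to m_indexMaskingMode.
```cpp
void SpeculativeJIT::maskIndexForSpectre(GPRReg baseReg, GPRReg indexReg)
{
    // Spectre mitigation: clamp the index before the load so a mispredicted
    // bounds check cannot speculatively read outside the butterfly.
    // Skipped only under the Restricted disableSpectreMitigations option.
    if (m_indexMaskingMode == IndexMaskingEnabled)
        m_jit.and32(MacroAssembler::Address(baseReg, JSObject::butterflyIndexingMaskOffset()), indexReg);
}

// … unchanged: compile(), each GetByVal case up to its bounds check …
            maskIndexForSpectre(baseReg, propertyReg);
            m_jit.loadDouble(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight), tempReg);
```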

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (226473 => 226474)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-01-06 00:37:08 UTC (rev 226474)
@@ -149,6 +149,7 @@
         , m_availabilityCalculator(m_graph)
         , m_state(state.graph)
         , m_interpreter(state.graph, m_state)
+        , m_indexMaskingMode(Options::disableSpectreMitigations() ? IndexMaskingDisabled : IndexMaskingEnabled)
     {
     }
     
@@ -11071,6 +11072,9 @@
 
     TypedPointer maskedIndex(IndexedAbstractHeap& heap, LValue storage, LValue index, LValue baseObject, Edge edge, ptrdiff_t offset = 0)
     {
+        if (m_indexMaskingMode == IndexMaskingDisabled)
+            return baseIndex(heap, storage, index, edge, offset);
+
         LValue mask = m_out.zeroExtPtr(m_out.load32(baseObject, m_heaps.JSObject_butterflyMask));
         return m_out.baseIndex(
             heap, storage, m_out.zeroExtPtr(index), provenValue(edge), offset, mask);
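Review bot: The disabled path returns `baseIndex(heap, storage, index, edge, offset)`, a helper not shown in this hunk, while the masked path below zero-extends the index explicitly with `m_out.zeroExtPtr(index)`; if baseIndex does not also zero-extend, a negative int32 index would sign-extend and the two modes would form different pointers, so the A/B measurement this option exists for would not be comparing only the mask. Worth confirming against baseIndex's definition. The early return should also say why it exists: `// Testing only (Options::disableSpectreMitigations): emit the plain, unmasked index.` maskedIndex's closing brace is outside the hunk.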
@@ -13146,8 +13150,10 @@
     
     TypedPointer pointerIntoTypedArray(LValue base, LValue storage, LValue index, TypedArrayType type)
     {
-        LValue mask = m_out.load32(base, m_heaps.JSObject_butterflyMask);
-        LValue offset = m_out.shl(m_out.zeroExtPtr(m_out.bitAnd(mask, index)), m_out.constIntPtr(logElementSize(type)));
+        if (m_indexMaskingMode == IndexMaskingEnabled)
+            index = m_out.bitAnd(index, m_out.load32(base, m_heaps.JSObject_butterflyMask));
+        LValue offset = m_out.shl(m_out.zeroExtPtr(index), m_out.constIntPtr(logElementSize(type)));
+
         return TypedPointer(
             m_heaps.typedArrayProperties,
             m_out.add(
@@ -15703,6 +15709,10 @@
     DFG::BasicBlock* m_nextHighBlock;
     LBasicBlock m_nextLowBlock;
 
+    enum IndexMaskingMode { IndexMaskingDisabled, IndexMaskingEnabled };
+
+    IndexMaskingMode m_indexMaskingMode;
+
     NodeOrigin m_origin;
     unsigned m_nodeIndex;
     Node* m_node;

Modified: trunk/Source/_javascript_Core/jit/JIT.cpp (226473 => 226474)


--- trunk/Source/_javascript_Core/jit/JIT.cpp	2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/jit/JIT.cpp	2018-01-06 00:37:08 UTC (rev 226474)
@@ -84,6 +84,7 @@
     , m_pcToCodeOriginMapBuilder(*vm)
     , m_canBeOptimized(false)
     , m_shouldEmitProfiling(false)
+    , m_shouldUseIndexMasking(Options::disableSpectreMitigations() ? false : true)
     , m_loopOSREntryBytecodeOffset(loopOSREntryBytecodeOffset)
 {
 }
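Review bot: `Options::disableSpectreMitigations() ? false : true` is a roundabout spelling of a negation; `, m_shouldUseIndexMasking(!Options::disableSpectreMitigations())` reads directly and matches the DFG and FTL constructors, which branch on the option itself. Since the option is snapshotted here once per JIT instance, it only takes effect for code compiled after it is set; a comment saying so would save the next person from expecting a live toggle.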

Modified: trunk/Source/_javascript_Core/jit/JIT.h (226473 => 226474)


--- trunk/Source/_javascript_Core/jit/JIT.h	2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/jit/JIT.h	2018-01-06 00:37:08 UTC (rev 226474)
@@ -944,6 +944,7 @@
         bool m_canBeOptimized;
         bool m_canBeOptimizedOrInlined;
         bool m_shouldEmitProfiling;
+        bool m_shouldUseIndexMasking;
         unsigned m_loopOSREntryBytecodeOffset { 0 };
     } JIT_CLASS_ALIGNMENT;
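Review bot: `bool m_shouldUseIndexMasking;` has no default member initializer, unlike `m_loopOSREntryBytecodeOffset { 0 }` on the next line, so whether masking is on depends solely on the one constructor that assigns it; `bool m_shouldUseIndexMasking { true };` makes the mitigated state the fail-safe default for any other construction path. A short comment on the member would also help: `// Emit the Spectre index mask before indexed loads; cleared only by the Restricted disableSpectreMitigations option (testing).`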
 

Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (226473 => 226474)


--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2018-01-06 00:37:08 UTC (rev 226474)
@@ -174,7 +174,8 @@
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(DoubleShape));
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
-    and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
+    if (m_shouldUseIndexMasking)
+        and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
     loadDouble(BaseIndex(regT2, regT1, TimesEight), fpRegT0);
     slowCases.append(branchDouble(DoubleNotEqualOrUnordered, fpRegT0, fpRegT0));
     
@@ -188,7 +189,8 @@
     badType = patchableBranch32(NotEqual, regT2, TrustedImm32(expectedShape));
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, Butterfly::offsetOfPublicLength())));
-    and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
+    if (m_shouldUseIndexMasking)
+        and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
     load64(BaseIndex(regT2, regT1, TimesEight), regT0);
     slowCases.append(branchTest64(Zero, regT0));
     
@@ -205,7 +207,8 @@
     loadPtr(Address(regT0, JSObject::butterflyOffset()), regT2);
     slowCases.append(branch32(AboveOrEqual, regT1, Address(regT2, ArrayStorage::vectorLengthOffset())));
 
-    and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
+    if (m_shouldUseIndexMasking)
+        and32(Address(regT0, JSObject::butterflyIndexingMaskOffset()), regT1);
     load64(BaseIndex(regT2, regT1, TimesEight, ArrayStorage::vectorOffset()), regT0);
     slowCases.append(branchTest64(Zero, regT0));
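Review bot: In all three loads (emitDoubleLoad, emitContiguousLoad, emitArrayStorageLoad) the `and32` with `butterflyIndexingMaskOffset()` follows the `branch32(AboveOrEqual, ...)` length check, so it is the only bound on the speculatively-mispredicted path, yet nothing at the sites says the AND is a Spectre guard that the Restricted option may remove. A comment at each of the three `if (m_shouldUseIndexMasking)` lines would preserve that intent: `// Spectre mitigation: mask regT1 after the bounds check so a mispredicted branch cannot speculatively load past the storage (testing-only option may disable).` emitArrayStorageLoad continues past this hunk.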
     

Modified: trunk/Source/_javascript_Core/runtime/Options.h (226473 => 226474)


--- trunk/Source/_javascript_Core/runtime/Options.h	2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/runtime/Options.h	2018-01-06 00:37:08 UTC (rev 226474)
@@ -458,6 +458,8 @@
     \
     v(bool, useWebAssembly, true, Normal, "Expose the WebAssembly global object.") \
     \
+    v(bool, disableSpectreMitigations, false, Restricted, "Disable Spectre mitigations.") \
+    \
     v(bool, useAsyncIterator, enableAsyncIteration, Normal, "Allow to use Async Iterator in JS.") \
     \
     v(bool, failToCompileWebAssemblyCode, false, Normal, "If true, no Wasm::Plan will sucessfully compile a function.") \
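Review bot: The description "Disable Spectre mitigations." says nothing about scope or intended use, and with the preceding commit allowing JSC config files to set Restricted options, this is an option an operator could plausibly turn on in a deployed process. The text should name what it currently controls and make its status explicit: `v(bool, disableSpectreMitigations, false, Restricted, "Disable Spectre index masking in the baseline/DFG/FTL JITs and Wasm. Testing only; never enable in production.") \`. Worth stating there too that the JITs snapshot the value at construction, so it must be set before any code is compiled to have full effect.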

Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (226473 => 226474)


--- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2018-01-06 00:27:12 UTC (rev 226473)
+++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp	2018-01-06 00:37:08 UTC (rev 226474)
@@ -650,7 +650,7 @@
         // We're not using signal handling at all, we must therefore check that no memory access exceeds the current memory size.
         ASSERT(m_memorySizeGPR);
         ASSERT(sizeOfOperation + offset > offset);
-        GPRReg indexingMask = shouldMask == ShouldMask::Yes ? m_indexingMaskGPR : InvalidGPRReg;
+        GPRReg indexingMask = (shouldMask == ShouldMask::Yes && !Options::disableSpectreMitigations()) ? m_indexingMaskGPR : InvalidGPRReg;
         m_currentBlock->appendNew<WasmBoundsCheckValue>(m_proc, origin(), m_memorySizeGPR, indexingMask, pointer, sizeOfOperation + offset - 1);
         break;
     }
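Review bot: `Options::disableSpectreMitigations()` is read here on every memory access during compilation, whereas the DFG, FTL and baseline JITs snapshot it once in their constructors; caching it in a B3IRGenerator member gives the same per-compilation consistency and avoids an option read in a hot emission loop, e.g. `GPRReg indexingMask = (shouldMask == ShouldMask::Yes && m_shouldUseIndexMasking) ? m_indexingMaskGPR : InvalidGPRReg;`. This hunk is the bounds-checking (no signal handling) branch per the comment above it; if the signal-handling mode also applies m_indexingMaskGPR elsewhere in this function, it needs the same gate or the option disables masking in only one mode. Whether m_indexingMaskGPR stays pinned when masking is off is not visible here. emitCheckAndPreparePointer starts and ends outside the hunk.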