WebKit Bugzilla
Attachment 370065 Details for
Bug 197620
: Wasm should cage the memory base pointers in structs
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-197620-20190516135650.patch (text/plain), 24.52 KB, created by
Keith Miller
on 2019-05-16 13:56:51 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Keith Miller
Created:
2019-05-16 13:56:51 PDT
Size:
24.52 KB
patch
obsolete
>Subversion Revision: 245301 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index e732524d691b3eedbc0b97a881cd68b069535e73..315a276a996572cf967aa01153cca342000df168 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,39 @@ >+2019-05-16 Keith Miller <keith_miller@apple.com> >+ >+ Wasm should cage the memory base pointers in structs >+ https://bugs.webkit.org/show_bug.cgi?id=197620 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Currently, we use cageConditionally; this only matters for API >+ users since the web content process cannot disable primitive >+ gigacage. This patch also adds a set helper for union/intersection >+ of RegisterSets. >+ >+ * assembler/CPU.h: >+ (JSC::isARM64E): >+ * jit/RegisterSet.h: >+ (JSC::RegisterSet::set): >+ * wasm/WasmAirIRGenerator.cpp: >+ (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): >+ (JSC::Wasm::AirIRGenerator::addCallIndirect): >+ * wasm/WasmB3IRGenerator.cpp: >+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): >+ (JSC::Wasm::B3IRGenerator::addCallIndirect): >+ * wasm/WasmBinding.cpp: >+ (JSC::Wasm::wasmToWasm): >+ * wasm/WasmInstance.h: >+ (JSC::Wasm::Instance::cachedMemory const): >+ (JSC::Wasm::Instance::updateCachedMemory): >+ * wasm/WasmMemory.cpp: >+ (JSC::Wasm::Memory::grow): >+ * wasm/WasmMemory.h: >+ (JSC::Wasm::Memory::memory const): >+ * wasm/js/JSToWasm.cpp: >+ (JSC::Wasm::createJSToWasmWrapper): >+ * wasm/js/WebAssemblyFunction.cpp: >+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow): >+ > 2019-05-14 Ross Kirsling <ross.kirsling@sony.com> > > Unreviewed restoration of non-unified build. >diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog >index 6bc60aa7e4bf74aa275461c4ac185caa4d982601..f089d67d8682f9d4691895c72bed07fd78503be2 100644 >--- a/Source/WTF/ChangeLog >+++ b/Source/WTF/ChangeLog >@@ -1,3 +1,16 @@ >+2019-05-16 Keith Miller <keith_miller@apple.com> >+ >+ Wasm should cage the memory base pointers in structs >+ https://bugs.webkit.org/show_bug.cgi?id=197620 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Rename reauthenticate to recage. >+ >+ * wtf/CagedPtr.h: >+ (WTF::CagedPtr::recage): >+ (WTF::CagedPtr::reauthenticate): Deleted. >+ > 2019-05-14 Commit Queue <commit-queue@webkit.org> > > Unreviewed, rolling out r245281. >diff --git a/Source/bmalloc/ChangeLog b/Source/bmalloc/ChangeLog >index 128c1ff54b29fee4a1ed4ed951d5b52322467f34..7581e0efcf3f00ec4beda1ba6f9ce70c6c09f144 100644 >--- a/Source/bmalloc/ChangeLog >+++ b/Source/bmalloc/ChangeLog >@@ -1,3 +1,15 @@ >+2019-05-16 Keith Miller <keith_miller@apple.com> >+ >+ Wasm should cage the memory base pointers in structs >+ https://bugs.webkit.org/show_bug.cgi?id=197620 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Fix signature to take Gigacage::Kind, which matches GIGACAGE_ENABLED build. >+ >+ * bmalloc/Gigacage.h: >+ (Gigacage::isEnabled): >+ > 2019-05-08 Keith Miller <keith_miller@apple.com> > > Remove Gigacage from arm64 and use PAC for arm64e instead >diff --git a/Source/JavaScriptCore/assembler/CPU.h b/Source/JavaScriptCore/assembler/CPU.h >index ddccd00a879b517021ceef8fd19966097dbf8757..c1674ec919c7bec2678a374817b719ab6e2cb6bc 100644 >--- a/Source/JavaScriptCore/assembler/CPU.h >+++ b/Source/JavaScriptCore/assembler/CPU.h >@@ -56,6 +56,15 @@ constexpr bool isARM64() > #endif > } > >+constexpr bool isARM64E() >+{ >+#if CPU(ARM64E) >+ return true; >+#else >+ return false; >+#endif >+} >+ > constexpr bool isX86() > { > #if CPU(X86_64) || CPU(X86) >diff --git a/Source/JavaScriptCore/jit/RegisterSet.h b/Source/JavaScriptCore/jit/RegisterSet.h >index ae4232376358da6b8b9c661932b73b1c964d96d7..8c01842d6949ea48a62ea36a4ebf0695ffe68cd6 100644 >--- a/Source/JavaScriptCore/jit/RegisterSet.h >+++ b/Source/JavaScriptCore/jit/RegisterSet.h >@@ -84,7 +84,9 @@ public: > set(regs.tagGPR(), value); > set(regs.payloadGPR(), value); > } >- >+ >+ void set(const RegisterSet& other, bool value = true) { value ? merge(other) : exclude(other); } >+ > void clear(Reg reg) > { > ASSERT(!!reg); >diff --git a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >index 26a400dfbf5132d7e37a156934aa605a411667ce..475e9268849e82b50ec42653698a0482bd6fe921 100644 >--- a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >+++ b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >@@ -40,6 +40,7 @@ > #include "B3Procedure.h" > #include "B3ProcedureInlines.h" > #include "BinarySwitch.h" >+#include "DisallowMacroScratchRegisterUsage.h" > #include "ScratchRegisterAllocator.h" > #include "VirtualRegister.h" > #include "WasmCallingConvention.h" >@@ -822,6 +823,8 @@ void AirIRGenerator::restoreWebAssemblyGlobalState(RestoreCachedStackLimit resto > RegisterSet clobbers; > clobbers.set(pinnedRegs->baseMemoryPointer); > clobbers.set(pinnedRegs->sizeRegister); >+ if (!isARM64()) >+ clobbers.set(RegisterSet::macroScratchRegisters()); > > auto* patchpoint = addPatchpoint(B3::Void); > B3::Effects effects = B3::Effects::none(); >@@ -829,13 +832,18 @@ void AirIRGenerator::restoreWebAssemblyGlobalState(RestoreCachedStackLimit resto > effects.reads = B3::HeapRange::top(); > patchpoint->effects = effects; > patchpoint->clobber(clobbers); >+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0; > > patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { >+ RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64()); >+ AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64()); >+ GPRReg baseMemory = pinnedRegs->baseMemoryPointer; >+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister; >+ > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister); >- jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), pinnedRegs->baseMemoryPointer); >-#if CPU(ARM64E) >- jit.untagArrayPtr(pinnedRegs->sizeRegister, pinnedRegs->baseMemoryPointer); >-#endif >+ jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory); >+ >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > }); > > emitPatchpoint(block, patchpoint, Tmp(), instance); >@@ -1844,6 +1852,8 @@ auto AirIRGenerator::addCallIndirect(const Signature& signature, Vector<Expressi > // FIXME: We shouldn't have to do this: https://bugs.webkit.org/show_bug.cgi?id=172181 > patchpoint->clobber(PinnedRegisterInfo::get().toSave(MemoryMode::BoundsChecking)); > patchpoint->clobber(RegisterSet::macroScratchRegisters()); >+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0; >+ > patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { > AllowMacroScratchRegisterUsage allowScratch(jit); > GPRReg newContextInstance = params[0].gpr(); >@@ -1857,11 +1867,12 @@ auto AirIRGenerator::addCallIndirect(const Signature& signature, Vector<Expressi > // FIXME: We should support more than one memory size register > // see: https://bugs.webkit.org/show_bug.cgi?id=162952 > ASSERT(pinnedRegs.sizeRegister != newContextInstance); >+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister; >+ > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. >-#if CPU(ARM64E) >- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory); >-#endif >+ >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > }); > > emitPatchpoint(doContextSwitch, patchpoint, Tmp(), newContextInstance, instanceValue()); >diff --git a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >index aee8b4da0048515ec5c8bd89294570b8dc0606c9..15f464f02ce369f35e4ccb15e1be25e0db0e703c 100644 >--- a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >+++ b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >@@ -47,6 +47,7 @@ > #include "B3VariableValue.h" > #include "B3WasmAddressValue.h" > #include "B3WasmBoundsCheckValue.h" >+#include "DisallowMacroScratchRegisterUsage.h" > #include "JSCInlines.h" > #include "ScratchRegisterAllocator.h" > #include "VirtualRegister.h" >@@ -468,6 +469,8 @@ void B3IRGenerator::restoreWebAssemblyGlobalState(RestoreCachedStackLimit restor > RegisterSet clobbers; > clobbers.set(pinnedRegs->baseMemoryPointer); > clobbers.set(pinnedRegs->sizeRegister); >+ if (!isARM64()) >+ clobbers.set(RegisterSet::macroScratchRegisters()); > > B3::PatchpointValue* patchpoint = block->appendNew<B3::PatchpointValue>(proc, B3::Void, origin()); > Effects effects = Effects::none(); >@@ -475,16 +478,19 @@ void B3IRGenerator::restoreWebAssemblyGlobalState(RestoreCachedStackLimit restor > effects.reads = B3::HeapRange::top(); > patchpoint->effects = effects; > patchpoint->clobber(clobbers); >+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0; > > patchpoint->append(instance, ValueRep::SomeRegister); >- > patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { >+ RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64()); >+ AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64()); > GPRReg baseMemory = pinnedRegs->baseMemoryPointer; >+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister; >+ > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister); > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory); >-#if CPU(ARM64E) >- jit.untagArrayPtr(pinnedRegs->sizeRegister, baseMemory); >-#endif >+ >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > }); > } > } >@@ -1272,6 +1278,8 @@ auto B3IRGenerator::addCallIndirect(const Signature& signature, Vector<Expressio > patchpoint->clobber(RegisterSet::macroScratchRegisters()); > patchpoint->append(newContextInstance, ValueRep::SomeRegister); > patchpoint->append(instanceValue(), ValueRep::SomeRegister); >+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0; >+ > patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { > AllowMacroScratchRegisterUsage allowScratch(jit); > GPRReg newContextInstance = params[0].gpr(); >@@ -1286,11 +1294,12 @@ auto B3IRGenerator::addCallIndirect(const Signature& signature, Vector<Expressio > // FIXME: We should support more than one memory size register > // see: https://bugs.webkit.org/show_bug.cgi?id=162952 > ASSERT(pinnedRegs.sizeRegister != newContextInstance); >+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister; >+ > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. >-#if CPU(ARM64E) >- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory); >-#endif >+ >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > }); > doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation); > >diff --git a/Source/JavaScriptCore/wasm/WasmBinding.cpp b/Source/JavaScriptCore/wasm/WasmBinding.cpp >index 0647a637518c5c0d5a7f828f69473441346aec79..0c53cb66fd0db32d8834bfe6a23c4b067f6ed281 100644 >--- a/Source/JavaScriptCore/wasm/WasmBinding.cpp >+++ b/Source/JavaScriptCore/wasm/WasmBinding.cpp >@@ -45,7 +45,7 @@ Expected<MacroAssemblerCodeRef<WasmEntryPtrTag>, BindingFailure> wasmToWasm(unsi > const PinnedRegisterInfo& pinnedRegs = PinnedRegisterInfo::get(); > JIT jit; > >- GPRReg scratch = GPRInfo::nonPreservedNonArgumentGPR0; >+ GPRReg scratch = wasmCallingConventionAir().prologueScratch(0); > GPRReg baseMemory = pinnedRegs.baseMemoryPointer; > ASSERT(baseMemory != scratch); > ASSERT(pinnedRegs.sizeRegister != baseMemory); >@@ -65,11 +65,13 @@ Expected<MacroAssemblerCodeRef<WasmEntryPtrTag>, BindingFailure> wasmToWasm(unsi > > // FIXME the following code assumes that all Wasm::Instance have the same pinned registers. https://bugs.webkit.org/show_bug.cgi?id=162952 > // Set up the callee's baseMemory register as well as the memory size registers. >- jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. >- jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*). >-#if CPU(ARM64E) >- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory); >-#endif >+ { >+ GPRReg scratchOrSize = isARM64E() ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1); >+ >+ jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. >+ jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*). >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); >+ } > > // Tail call into the callee WebAssembly function. > jit.loadPtr(scratch, scratch); >diff --git a/Source/JavaScriptCore/wasm/WasmInstance.h b/Source/JavaScriptCore/wasm/WasmInstance.h >index 387bdd15a52b5f084e67ac50f07925515d4ee414..cd34a648dd52fcdbe2474e68b2b7c687277f40e0 100644 >--- a/Source/JavaScriptCore/wasm/WasmInstance.h >+++ b/Source/JavaScriptCore/wasm/WasmInstance.h >@@ -64,7 +64,7 @@ public: > Memory* memory() { return m_memory.get(); } > Table* table() { return m_table.get(); } > >- void* cachedMemory() const { return m_cachedMemory.get(cachedMemorySize()); } >+ void* cachedMemory() const { return m_cachedMemory.getMayBeNull(cachedMemorySize()); } > size_t cachedMemorySize() const { return m_cachedMemorySize; } > > void setMemory(Ref<Memory>&& memory) >@@ -76,7 +76,7 @@ public: > void updateCachedMemory() > { > if (m_memory != nullptr) { >- m_cachedMemory = TaggedArrayStoragePtr<void>(memory()->memory(), memory()->size()); >+ m_cachedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>(memory()->memory(), memory()->size()); > m_cachedMemorySize = memory()->size(); > } > } >@@ -143,7 +143,7 @@ private: > } > void* m_owner { nullptr }; // In a JS embedding, this is a JSWebAssemblyInstance*. > Context* m_context { nullptr }; >- TaggedArrayStoragePtr<void> m_cachedMemory; >+ CagedPtr<Gigacage::Primitive, void, tagCagedPtr> m_cachedMemory; > size_t m_cachedMemorySize { 0 }; > Ref<Module> m_module; > RefPtr<CodeBlock> m_codeBlock; >diff --git a/Source/JavaScriptCore/wasm/WasmMemory.cpp b/Source/JavaScriptCore/wasm/WasmMemory.cpp >index 4ca54aceca70a6ec54075964fd9c1a49554adc6b..5910382348e96d123aa1f539e39b09da031f064e 100644 >--- a/Source/JavaScriptCore/wasm/WasmMemory.cpp >+++ b/Source/JavaScriptCore/wasm/WasmMemory.cpp >@@ -423,7 +423,7 @@ Expected<PageCount, Memory::GrowFailReason> Memory::grow(PageCount delta) > memcpy(newMemory, memory(), m_size); > if (m_memory) > Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size); >- m_memory = TaggedArrayStoragePtr<void>(newMemory, desiredSize); >+ m_memory = CagedMemory(newMemory, desiredSize); > m_mappedCapacity = desiredSize; > m_size = desiredSize; > ASSERT(memory() == newMemory); >@@ -439,7 +439,7 @@ Expected<PageCount, Memory::GrowFailReason> Memory::grow(PageCount delta) > dataLog("mprotect failed: ", strerror(errno), "\n"); > RELEASE_ASSERT_NOT_REACHED(); > } >- m_memory.resize(m_size, desiredSize); >+ m_memory.recage(m_size, desiredSize); > m_size = desiredSize; > return success(); > } >diff --git a/Source/JavaScriptCore/wasm/WasmMemory.h b/Source/JavaScriptCore/wasm/WasmMemory.h >index 9adbb1193292e4c2500c2b83812de2791d3b8411..9670838f1711f82e7bb4e15bf8b5dd3b84826b51 100644 >--- a/Source/JavaScriptCore/wasm/WasmMemory.h >+++ b/Source/JavaScriptCore/wasm/WasmMemory.h >@@ -30,11 +30,11 @@ > #include "WasmMemoryMode.h" > #include "WasmPageCount.h" > >+#include <wtf/CagedPtr.h> > #include <wtf/Expected.h> > #include <wtf/Function.h> > #include <wtf/RefCounted.h> > #include <wtf/RefPtr.h> >-#include <wtf/TaggedArrayStoragePtr.h> > #include <wtf/Vector.h> > #include <wtf/WeakPtr.h> > >@@ -69,7 +69,7 @@ public: > static size_t fastMappedBytes(); // Includes redzone. > static bool addressIsInActiveFastMemory(void*); > >- void* memory() const { ASSERT(m_memory.get(size()) == m_memory.getUnsafe()); return m_memory.get(size()); } >+ void* memory() const { ASSERT(m_memory.getMayBeNull(size()) == m_memory.getUnsafe()); return m_memory.getMayBeNull(size()); } > size_t size() const { return m_size; } > PageCount sizeInPages() const { return PageCount::fromBytes(m_size); } > >@@ -97,7 +97,8 @@ private: > Memory(void* memory, PageCount initial, PageCount maximum, size_t mappedCapacity, MemoryMode, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback); > Memory(PageCount initial, PageCount maximum, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback); > >- TaggedArrayStoragePtr<void> m_memory; >+ using CagedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>; >+ CagedMemory m_memory; > size_t m_size { 0 }; > PageCount m_initial; > PageCount m_maximum; >diff --git a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >index e036cef6da41b1b8cfbf18e46b1de3aecb7a70e1..774bce0d73863270d29cd787de5535e67e0b544a 100644 >--- a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >+++ b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >@@ -210,28 +210,23 @@ std::unique_ptr<InternalFunction> createJSToWasmWrapper(CompilationContext& comp > > if (!!info.memory) { > GPRReg baseMemory = pinnedRegs.baseMemoryPointer; >+ GPRReg scratchOrSize = wasmCallingConventionAir().prologueScratch(0); > > if (Context::useFastTLS()) > jit.loadWasmContextInstance(baseMemory); > > GPRReg currentInstanceGPR = Context::useFastTLS() ? baseMemory : wasmContextInstanceGPR; >- if (mode != MemoryMode::Signaling) { >- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); >- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >-#if CPU(ARM64E) >- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory); >-#endif >+ if (isARM64E()) { >+ if (mode != Wasm::MemoryMode::Signaling) >+ scratchOrSize = pinnedRegs.sizeRegister; >+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize); > } else { >-#if CPU(ARM64E) >- GPRReg scratch = wasmCallingConventionAir().prologueScratch(0); >- >- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratch); >- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >- jit.untagArrayPtr(scratch, baseMemory); >-#else >- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >-#endif >+ if (mode != Wasm::MemoryMode::Signaling) >+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); > } >+ >+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > } > > CCallHelpers::Call call = jit.threadSafePatchableNearCall(); >diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >index cf7c779bd4aeca4964b9bd6817f8419f5e1e7839..6dcec80dd84e14c02acb587f7c099d0228e16379 100644 >--- a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >@@ -395,22 +395,20 @@ MacroAssemblerCodePtr<JSEntryPtrTag> WebAssemblyFunction::jsCallEntrypointSlow() > > if (!!moduleInformation.memory) { > GPRReg baseMemory = pinnedRegs.baseMemoryPointer; >+ GPRReg scratchOrSize = scratch2GPR; >+ auto mode = instance()->memoryMode(); > >- if (instance()->memoryMode() != Wasm::MemoryMode::Signaling) { >- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); >- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >-#if CPU(ARM64E) >- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory); >-#endif >+ if (isARM64E()) { >+ if (mode != Wasm::MemoryMode::Signaling) >+ scratchOrSize = pinnedRegs.sizeRegister; >+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize); > } else { >-#if CPU(ARM64E) >- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratch2GPR); >- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >- jit.untagArrayPtr(scratch2GPR, baseMemory); >-#else >- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >-#endif >+ if (mode != Wasm::MemoryMode::Signaling) >+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); > } >+ >+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); > } > > // We use this callee to indicate how to unwind past these types of frames: >diff --git a/Source/WTF/wtf/CagedPtr.h b/Source/WTF/wtf/CagedPtr.h >index 7c80efb7766e905dc19fc178e90f4f4ba6dddcac..71ec51e2947b5b2ca06ea2c4056dadceb938df6e 100644 >--- a/Source/WTF/wtf/CagedPtr.h >+++ b/Source/WTF/wtf/CagedPtr.h >@@ -78,7 +78,7 @@ public: > typename std::enable_if<!std::is_same<void, U>::value, T>::type& > /* T& */ at(unsigned index, unsigned size) const { return get(size)[index]; } > >- void reauthenticate(unsigned oldSize, unsigned newSize) >+ void recage(unsigned oldSize, unsigned newSize) > { > auto ptr = get(oldSize); > ASSERT(ptr == getUnsafe()); >diff --git a/Source/bmalloc/bmalloc/Gigacage.h b/Source/bmalloc/bmalloc/Gigacage.h >index bcde37c34bde2664544004376228feabcc62e450..76d72df74a136f0219155cf208f7c77958c4e996 100644 >--- a/Source/bmalloc/bmalloc/Gigacage.h >+++ b/Source/bmalloc/bmalloc/Gigacage.h >@@ -226,7 +226,7 @@ BINLINE size_t size(Kind) { BCRASH(); return 0; } > BINLINE void ensureGigacage() { } > BINLINE bool wasEnabled() { return false; } > BINLINE bool isCaged(Kind, const void*) { return true; } >-BINLINE bool isEnabled() { return false; } >+BINLINE bool isEnabled(Kind) { return false; } > template<typename T> BINLINE T* caged(Kind, T* ptr) { return ptr; } > template<typename T> BINLINE T* cagedMayBeNull(Kind, T* ptr) { return ptr; } > BINLINE void disableDisablingPrimitiveGigacageIfShouldBeEnabled() { }
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=370065">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 197620
: 370065