WebKit Bugzilla
Attachment 371487 Details for
Bug 198453
: Reenable Gigacage on ARM64.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-198453-20190606141953.patch (text/plain), 31.72 KB, created by
Keith Miller
on 2019-06-06 05:19:54 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Keith Miller
Created:
2019-06-06 05:19:54 PDT
Size:
31.72 KB
patch
obsolete
>Subversion Revision: 246057 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 593fb21182ed8bf8229afeae9243551dcb4c08de..18a01b1ea220cc7643b262688d1a197fa5ebbb17 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,57 @@ >+2019-06-06 Keith Miller <keith_miller@apple.com> >+ >+ Reenable Gigacage on ARM64. >+ https://bugs.webkit.org/show_bug.cgi?id=198453 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the >+ old Gigacage however, arm64e uses both Gigacaging and PAC. In >+ order to ensure the PAC bits are not stripped in the caging >+ process we use the bit field insert instruction to take the low >+ bits from caging and the high bits from the PAC authentication. >+ >+ * assembler/MacroAssemblerARM64.h: >+ (JSC::MacroAssemblerARM64::bitFieldInsert64): >+ * assembler/MacroAssemblerARM64E.h: >+ * assembler/testmasm.cpp: >+ (JSC::testCagePreservesPACFailureBit): >+ (JSC::run): >+ * dfg/DFGSpeculativeJIT.cpp: >+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): >+ (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): >+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): >+ (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): >+ * ftl/FTLLowerDFGToB3.cpp: >+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): >+ (JSC::FTL::DFG::LowerDFGToB3::caged): >+ * jit/AssemblyHelpers.h: >+ (JSC::AssemblyHelpers::cageWithoutUntaging): >+ (JSC::AssemblyHelpers::cageConditionally): >+ (JSC::AssemblyHelpers::cage): Deleted. >+ * jit/JITPropertyAccess.cpp: >+ (JSC::JIT::emitIntTypedArrayGetByVal): >+ (JSC::JIT::emitFloatTypedArrayGetByVal): >+ (JSC::JIT::emitIntTypedArrayPutByVal): >+ (JSC::JIT::emitFloatTypedArrayPutByVal): >+ * llint/LowLevelInterpreter.asm: >+ * llint/LowLevelInterpreter64.asm: >+ * offlineasm/arm64.rb: >+ * offlineasm/instructions.rb: >+ * offlineasm/registers.rb: >+ * wasm/WasmAirIRGenerator.cpp: >+ (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): >+ (JSC::Wasm::AirIRGenerator::addCallIndirect): >+ * wasm/WasmB3IRGenerator.cpp: >+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): >+ (JSC::Wasm::B3IRGenerator::addCallIndirect): >+ * wasm/WasmBinding.cpp: >+ (JSC::Wasm::wasmToWasm): >+ * wasm/js/JSToWasm.cpp: >+ (JSC::Wasm::createJSToWasmWrapper): >+ * wasm/js/WebAssemblyFunction.cpp: >+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow): >+ > 2019-06-03 Caio Lima <ticaiolima@gmail.com> > > [ESNext][BigInt] Implement support for "**" >diff --git a/Source/bmalloc/ChangeLog b/Source/bmalloc/ChangeLog >index a7e8000845babca6d1f4edb417123de758014ec8..6a2d61d4be25cff033377a5350e12d89dc0f23a5 100644 >--- a/Source/bmalloc/ChangeLog >+++ b/Source/bmalloc/ChangeLog >@@ -1,3 +1,12 @@ >+2019-06-06 Keith Miller <keith_miller@apple.com> >+ >+ Reenable Gigacage on ARM64. >+ https://bugs.webkit.org/show_bug.cgi?id=198453 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * bmalloc/Gigacage.h: >+ > 2019-06-03 Commit Queue <commit-queue@webkit.org> > > Unreviewed, rolling out r246022. >diff --git a/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h b/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h >index eff8b71f39232277fbe3a6344869659374bf8621..9157257728ab7c66cd1e2e26d01451487562e02a 100644 >--- a/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h >+++ b/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h >@@ -2526,6 +2526,15 @@ public: > m_assembler.fcsel<64>(dest, thenCase, elseCase, ARM64Condition(cond)); > } > >+ // Bit field operations: >+ >+ // destBitOffset is the top bit of the destination where the bits should be copied to. Zero is the lowest order bit. >+ void bitFieldInsert64(RegisterID source, unsigned destBitOffset, unsigned width, RegisterID dest) >+ { >+ ASSERT(width <= 64 - destBitOffset && destBitOffset < 64); >+ m_assembler.bfi<64>(dest, source, destBitOffset, width); >+ } >+ > // Forwards / external control flow operations: > // > // This set of jump and conditional branch operations return a Jump >@@ -4558,6 +4567,7 @@ protected: > } > > friend class LinkBuffer; >+ friend class DFG::SpeculativeJIT; > > template<PtrTag tag> > static void linkCall(void* code, Call call, FunctionPtr<tag> function) >diff --git a/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h b/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h >index 0b968f6afedfea695a4a3a308d340f076c9cfa40..f95ee525ccdbe56d38316956fa5f99a3449d952e 100644 >--- a/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h >+++ b/Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h >@@ -39,6 +39,9 @@ using Assembler = TARGET_ASSEMBLER; > > class MacroAssemblerARM64E : public MacroAssemblerARM64 { > public: >+ >+ static constexpr unsigned numberOfPACBits = 25; // TODO: Figure out what this number actually is... >+ > ALWAYS_INLINE void tagReturnAddress() > { > tagPtr(ARM64Registers::sp, ARM64Registers::lr); >diff --git a/Source/JavaScriptCore/assembler/testmasm.cpp b/Source/JavaScriptCore/assembler/testmasm.cpp >index ac5c63291b3d8935b59b9fce40613754d9ddc1f1..815c3d1bb55ece9d14fd86bc700c8037788e7c81 100644 >--- a/Source/JavaScriptCore/assembler/testmasm.cpp >+++ b/Source/JavaScriptCore/assembler/testmasm.cpp >@@ -39,6 +39,7 @@ > #include <wtf/Function.h> > #include <wtf/Lock.h> > #include <wtf/NumberOfCores.h> >+#include <wtf/PtrTag.h> > #include <wtf/Threading.h> > #include <wtf/text/StringCommon.h> > >@@ -109,6 +110,15 @@ template<typename T> T nextID(T id) { return static_cast<T>(id + 1); } > CRASH(); \ > } while (false) > >+#define CHECK_NOT_EQ(_actual, _expected) do { \ >+ if ((_actual) != (_expected)) \ >+ break; \ >+ crashLock.lock(); \ >+ dataLog("FAILED while testing " #_actual ": expected not: ", _expected, ", actual: ", _actual, "\n"); \ >+ WTFReportAssertionFailure(__FILE__, __LINE__, WTF_PRETTY_FUNCTION, "CHECK_NOT_EQ("#_actual ", " #_expected ")"); \ >+ CRASH(); \ >+ } while (false) >+ > #if ENABLE(MASM_PROBE) > bool isPC(MacroAssembler::RegisterID id) > { >@@ -935,6 +945,47 @@ void testByteSwap() > #endif > } > >+static void testCagePreservesPACFailureBit() >+{ >+ auto cage = compile([] (CCallHelpers& jit) { >+ jit.emitFunctionPrologue(); >+ jit.cageConditionally(Gigacage::Primitive, GPRInfo::argumentGPR0, GPRInfo::argumentGPR1, GPRInfo::argumentGPR2); >+ jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR); >+ jit.emitFunctionEpilogue(); >+ jit.ret(); >+ }); >+ >+ void* ptr = Gigacage::tryMalloc(Gigacage::Primitive, 1); >+ void* taggedPtr = tagArrayPtr(ptr, 1); >+ dataLogLn("starting test"); >+ if (isARM64E()) { >+ // FIXME: This won't work if authentication failures trap but I don't know how to test for that right now. >+ CHECK_NOT_EQ(invoke<void*>(cage, taggedPtr, 2), ptr); >+ } else >+ CHECK_EQ(invoke<void*>(cage, taggedPtr, 2), ptr); >+ >+ CHECK_EQ(invoke<void*>(cage, taggedPtr, 1), ptr); >+ >+ auto cageWithoutAuthentication = compile([] (CCallHelpers& jit) { >+ jit.emitFunctionPrologue(); >+ jit.cageWithoutUntaging(Gigacage::Primitive, GPRInfo::argumentGPR0); >+ jit.move(GPRInfo::argumentGPR0, GPRInfo::returnValueGPR); >+ jit.emitFunctionEpilogue(); >+ jit.ret(); >+ }); >+ >+ if (isARM64E()) { >+ // FIXME: This won't work if authentication failures trap but I don't know how to test for that right now. >+ CHECK_NOT_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 2)), ptr); >+ } else >+ CHECK_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 2)), ptr); >+ >+ CHECK_EQ(untagArrayPtr(taggedPtr, 1), ptr); >+ CHECK_EQ(invoke<void*>(cageWithoutAuthentication, untagArrayPtr(taggedPtr, 1)), ptr); >+ >+ Gigacage::free(Gigacage::Primitive, ptr); >+} >+ > #define RUN(test) do { \ > if (!shouldRun(#test)) \ > break; \ >@@ -1018,6 +1069,8 @@ void run(const char* filter) > > RUN(testByteSwap()); > >+ RUN(testCagePreservesPACFailureBit()); >+ > if (tasks.isEmpty()) > usage(); > >diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >index e5538f19360636fc5a43a3a29fe18f5437015c77..b1e3ef26754a5127bb3c1ea3dab76b73da44e429 100644 >--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp >@@ -2873,7 +2873,7 @@ JITCompiler::Jump SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds(Node* > TrustedImm32(WastefulTypedArray)); > > JITCompiler::Jump hasNullVector; >-#if !GIGACAGE_ENABLED && CPU(ARM64E) >+#if CPU(ARM64E) > { > GPRReg scratch = m_jit.scratchRegister(); > DisallowMacroScratchRegisterUsage disallowScratch(m_jit); >@@ -2882,7 +2882,7 @@ JITCompiler::Jump SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds(Node* > m_jit.removeArrayPtrTag(scratch); > hasNullVector = m_jit.branchTestPtr(MacroAssembler::Zero, scratch); > } >-#else // !GIGACAGE_ENABLED && CPU(ARM64E) >+#else // CPU(ARM64E) > hasNullVector = m_jit.branchTestPtr( > MacroAssembler::Zero, > MacroAssembler::Address(base, JSArrayBufferView::offsetOfVector())); >@@ -6760,6 +6760,13 @@ void SpeculativeJIT::compileConstantStoragePointer(Node* node) > > void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg) > { >+#if CPU(ARM64E) >+ m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg); >+#else >+ UNUSED_PARAM(baseReg); >+ UNUSED_PARAM(storageReg); >+#endif >+ > #if GIGACAGE_ENABLED > UNUSED_PARAM(baseReg); > if (!Gigacage::shouldBeEnabled()) >@@ -6772,12 +6779,7 @@ void SpeculativeJIT::cageTypedArrayStorage(GPRReg baseReg, GPRReg storageReg) > return; > } > >- m_jit.cage(Gigacage::Primitive, storageReg); >-#elif CPU(ARM64E) >- m_jit.untagArrayPtr(MacroAssembler::Address(baseReg, JSArrayBufferView::offsetOfLength()), storageReg); >-#else >- UNUSED_PARAM(baseReg); >- UNUSED_PARAM(storageReg); >+ m_jit.cageWithoutUntaging(Gigacage::Primitive, storageReg); > #endif > } > >@@ -6841,7 +6843,7 @@ void SpeculativeJIT::compileGetTypedArrayByteOffset(Node* node) > JITCompiler::Jump nullVector = m_jit.branchTestPtr(JITCompiler::Zero, vectorGPR); > > m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), dataGPR); >- m_jit.cage(Gigacage::JSValue, dataGPR); >+ m_jit.cageWithoutUntaging(Gigacage::JSValue, dataGPR); > > cageTypedArrayStorage(baseGPR, vectorGPR); > >@@ -9845,7 +9847,7 @@ void SpeculativeJIT::compileNewTypedArrayWithSize(Node* node) > MacroAssembler::BaseIndex(storageGPR, scratchGPR, MacroAssembler::TimesFour)); > m_jit.branchTest32(MacroAssembler::NonZero, scratchGPR).linkTo(loop, &m_jit); > done.link(&m_jit); >-#if !GIGACAGE_ENABLED && CPU(ARM64E) >+#if CPU(ARM64E) > // sizeGPR is still boxed as a number and there is no 32-bit variant of the PAC instructions. > m_jit.zeroExtend32ToPtr(sizeGPR, scratchGPR); > m_jit.tagArrayPtr(scratchGPR, storageGPR); >diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >index 94c9658225a710dab803152da0249f63d390ffac..59bced4576512930a9c550b1895b18beaa337b3d 100644 >--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp >@@ -6483,7 +6483,7 @@ private: > m_out.int64Zero, > m_heaps.typedArrayProperties); > >-#if !GIGACAGE_ENABLED && CPU(ARM64E) >+#if CPU(ARM64E) > { > LValue sizePtr = m_out.zeroExtPtr(size); > PatchpointValue* authenticate = m_out.patchpoint(pointerType()); >@@ -14155,6 +14155,16 @@ private: > > LValue caged(Gigacage::Kind kind, LValue ptr, LValue base) > { >+#if CPU(ARM64E) >+ if (kind == Gigacage::Primitive) { >+ LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length); >+ ptr = untagArrayPtr(ptr, size); >+ } >+#else >+ UNUSED_PARAM(kind); >+ UNUSED_PARAM(base); >+#endif >+ > #if GIGACAGE_ENABLED > UNUSED_PARAM(base); > if (!Gigacage::isEnabled(kind)) >@@ -14173,6 +14183,18 @@ private: > LValue masked = m_out.bitAnd(ptr, mask); > LValue result = m_out.add(masked, basePtr); > >+#if CPU(ARM64E) >+ { >+ PatchpointValue* merge = m_out.patchpoint(pointerType()); >+ merge->append(result, B3::ValueRep(B3::ValueRep::SomeLateRegister)); >+ merge->appendSomeRegister(ptr); >+ merge->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) { >+ jit.move(params[2].gpr(), params[0].gpr()); >+ jit.bitFieldInsert64(params[1].gpr(), 0, 64 - MacroAssembler::numberOfPACBits, params[0].gpr()); >+ }); >+ result = merge; >+ } >+#endif > // Make sure that B3 doesn't try to do smart reassociation of these pointer bits. > // FIXME: In an ideal world, B3 would not do harmful reassociations, and if it did, it would be able > // to undo them during constant hoisting and regalloc. As it stands, if you remove this then Octane >@@ -14185,17 +14207,6 @@ private: > // and possibly other smart things if we want to be able to remove this opaque. > // https://bugs.webkit.org/show_bug.cgi?id=175493 > return m_out.opaque(result); >-#elif CPU(ARM64E) >- if (kind == Gigacage::Primitive) { >- LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length); >- return untagArrayPtr(ptr, size); >- } >- >- return ptr; >-#else >- UNUSED_PARAM(kind); >- UNUSED_PARAM(base); >- return ptr; > #endif > } > >diff --git a/Source/JavaScriptCore/jit/AssemblyHelpers.h b/Source/JavaScriptCore/jit/AssemblyHelpers.h >index d9268e83691421ffedc1541217c867f351edb8d4..72d55658799d447f9958e8c10bbda91a1e3de576 100644 >--- a/Source/JavaScriptCore/jit/AssemblyHelpers.h >+++ b/Source/JavaScriptCore/jit/AssemblyHelpers.h >@@ -1554,43 +1554,75 @@ public: > storeFence(); > ok.link(this); > } >- >- void cage(Gigacage::Kind kind, GPRReg storage) >+ >+ void cageWithoutUntaging(Gigacage::Kind kind, GPRReg storage) > { > #if GIGACAGE_ENABLED > if (!Gigacage::isEnabled(kind)) > return; >- >+ >+#if CPU(ARM64E) >+ RegisterID tempReg = InvalidGPRReg; >+ if (kind == Gigacage::Primitive) { >+ tempReg = getCachedMemoryTempRegisterIDAndInvalidate(); >+ move(storage, tempReg); >+ // Flip the registers since bitFieldInsert only inserts into the low bits. >+ std::swap(storage, tempReg); >+ } >+#endif > andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage); > addPtr(TrustedImmPtr(Gigacage::basePtr(kind)), storage); >+#if CPU(ARM64E) >+ if (kind == Gigacage::Primitive) >+ bitFieldInsert64(storage, 0, 64 - numberOfPACBits, tempReg); >+#endif >+ > #else > UNUSED_PARAM(kind); > UNUSED_PARAM(storage); > #endif > } >- >- void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg scratchOrLength) >+ >+ // length may be the same register as scratch. >+ void cageConditionally(Gigacage::Kind kind, GPRReg storage, GPRReg length, GPRReg scratch) > { >+#if CPU(ARM64E) >+ if (kind == Gigacage::Primitive) >+ untagArrayPtr(length, storage); >+#else >+ UNUSED_PARAM(kind); >+ UNUSED_PARAM(storage); >+ UNUSED_PARAM(length); >+#endif >+ > #if GIGACAGE_ENABLED > if (!Gigacage::isEnabled(kind)) > return; > > if (kind != Gigacage::Primitive || Gigacage::isDisablingPrimitiveGigacageDisabled()) >- return cage(kind, storage); >- >- loadPtr(&Gigacage::basePtr(kind), scratchOrLength); >- Jump done = branchTestPtr(Zero, scratchOrLength); >- andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage); >- addPtr(scratchOrLength, storage); >- done.link(this); >-#elif CPU(ARM64E) >- if (kind == Gigacage::Primitive) >- untagArrayPtr(scratchOrLength, storage); >+ cageWithoutUntaging(kind, storage); >+ else { >+ loadPtr(&Gigacage::basePtr(kind), scratch); >+ Jump done = branchTestPtr(Zero, scratch); >+#if CPU(ARM64E) >+ auto tempReg = getCachedMemoryTempRegisterIDAndInvalidate(); >+ move(storage, tempReg); >+ // Flip the registers since bitFieldInsert only inserts into the low bits. >+ std::swap(storage, tempReg); >+#endif >+ andPtr(TrustedImmPtr(Gigacage::mask(kind)), storage); >+ addPtr(scratch, storage); >+#if CPU(ARM64E) >+ bitFieldInsert64(storage, 0, 64 - numberOfPACBits, tempReg); >+#endif >+ done.link(this); >+ >+ >+ } > #else >- UNUSED_PARAM(kind); >- UNUSED_PARAM(storage); >- UNUSED_PARAM(scratchOrLength); >+ UNUSED_PARAM(scratch); > #endif >+ > } > > void emitComputeButterflyIndexingMask(GPRReg vectorLengthGPR, GPRReg scratchGPR, GPRReg resultGPR) >diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp >index 9d621481f77474efb831bd4e5f1f58229e332556..cbb78d5b3ebbb28e88911d525a5799f7f684917b 100644 >--- a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp >+++ b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp >@@ -1672,7 +1672,7 @@ JIT::JumpList JIT::emitIntTypedArrayGetByVal(const Instruction*, PatchableJump& > load32(Address(base, JSArrayBufferView::offsetOfLength()), scratch2); > slowCases.append(branch32(AboveOrEqual, property, scratch2)); > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); >- cageConditionally(Gigacage::Primitive, scratch, scratch2); >+ cageConditionally(Gigacage::Primitive, scratch, scratch2, scratch2); > > switch (elementSize(type)) { > case 1: >@@ -1736,7 +1736,7 @@ JIT::JumpList JIT::emitFloatTypedArrayGetByVal(const Instruction*, PatchableJump > load32(Address(base, JSArrayBufferView::offsetOfLength()), scratch2); > slowCases.append(branch32(AboveOrEqual, property, scratch2)); > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), scratch); >- cageConditionally(Gigacage::Primitive, scratch, scratch2); >+ cageConditionally(Gigacage::Primitive, scratch, scratch2, scratch2); > > switch (elementSize(type)) { > case 4: >@@ -1801,7 +1801,7 @@ JIT::JumpList JIT::emitIntTypedArrayPutByVal(Op bytecode, PatchableJump& badType > // We would be loading this into base as in get_by_val, except that the slow > // path expects the base to be unclobbered. > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch); >- cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2); >+ cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2); > > if (isClamped(type)) { > ASSERT(elementSize(type) == 1); >@@ -1890,7 +1890,7 @@ JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Op bytecode, PatchableJump& badTy > // We would be loading this into base as in get_by_val, except that the slow > // path expects the base to be unclobbered. > loadPtr(Address(base, JSArrayBufferView::offsetOfVector()), lateScratch); >- cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2); >+ cageConditionally(Gigacage::Primitive, lateScratch, lateScratch2, lateScratch2); > > switch (elementSize(type)) { > case 4: >diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm >index 4032e7e8f3f87bcbdbe1ef9cdfd17233b6c855da..c0ad83c6c4360f2826ec9968c383f6b7540d8a42 100644 >--- a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm >+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm >@@ -76,7 +76,7 @@ > # > # - pc holds the (native) program counter on 32-bits ARM architectures (ARMv7) > # >-# - t0, t1, t2, t3, t4 and optionally t5 are temporary registers that can get trashed on >+# - t0, t1, t2, t3, t4, and optionally t5, t6, and t7 are temporary registers that can get trashed on > # calls, and are pairwise distinct registers. t4 holds the JS program counter, so use > # with caution in opcodes (actually, don't use it in opcodes at all, except as PC). > # >diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm >index 6aaf0dd10c3eb8af6b277713419ac40e3d878397..903635af525a8b1f447060314307d1083d3635ad 100644 >--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm >+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm >@@ -434,10 +434,19 @@ end > > macro loadCagedPrimitive(source, dest, scratchOrLength) > loadp source, dest >- if GIGACAGE_ENABLED >- uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, dest, scratchOrLength) >- elsif ARM64E >+ if ARM64E >+ const result = t7 > untagArrayPtr scratchOrLength, dest >+ move dest, result >+ else >+ const result = dest >+ end >+ if GIGACAGE_ENABLED >+ uncage(_g_gigacageBasePtrs + Gigacage::BasePtrs::primitive, constexpr Gigacage::primitiveGigacageMask, result, scratchOrLength) >+ if ARM64E >+ const numberOfPACBits = constexpr MacroAssembler::numberOfPACBits >+ bfiq result, 0, 64 - numberOfPACBits, dest >+ end > end > end > >diff --git a/Source/JavaScriptCore/offlineasm/arm64.rb b/Source/JavaScriptCore/offlineasm/arm64.rb >index 58bbc2aafd9b484edc665e6ad02648c44c9e177c..23d948f0a31d77159be46fad6460f0d6463ed50b 100644 >--- a/Source/JavaScriptCore/offlineasm/arm64.rb >+++ b/Source/JavaScriptCore/offlineasm/arm64.rb >@@ -126,6 +126,8 @@ class RegisterID > arm64GPRName('x5', kind) > when 't6' > arm64GPRName('x6', kind) >+ when 't7' >+ arm64GPRName('x7', kind) > when 'cfr' > arm64GPRName('x29', kind) > when 'csr0' >@@ -1019,6 +1021,8 @@ class Instruction > $asm.puts "smaddl #{operands[2].arm64Operand(:quad)}, #{operands[0].arm64Operand(:word)}, #{operands[1].arm64Operand(:word)}, xzr" > when "memfence" > $asm.puts "dmb sy" >+ when "bfiq" >+ $asm.puts "bfi #{operands[3].arm64Operand(:quad)}, #{operands[0].arm64Operand(:quad)}, #{operands[1].value}, #{operands[2].value}" > when "pcrtoaddr" > $asm.puts "adr #{operands[1].arm64Operand(:quad)}, #{operands[0].value}" > when "nopCortexA53Fix835769" >diff --git a/Source/JavaScriptCore/offlineasm/instructions.rb b/Source/JavaScriptCore/offlineasm/instructions.rb >index 2ad5944e9055a559136c28e36b872edb9bdd84e9..2cc3acf1582e44df80d744c8a7dd0319bc2d0d44 100644 >--- a/Source/JavaScriptCore/offlineasm/instructions.rb >+++ b/Source/JavaScriptCore/offlineasm/instructions.rb >@@ -273,6 +273,7 @@ ARM_INSTRUCTIONS = > > ARM64_INSTRUCTIONS = > [ >+ "bfiq", # Bit field insert <source reg> <width immediate> <last bit written> <dest reg> > "pcrtoaddr", # Address from PC relative offset - adr instruction > "nopFixCortexA53Err835769", # nop on Cortex-A53 (nothing otherwise) > "globaladdr" >diff --git a/Source/JavaScriptCore/offlineasm/registers.rb b/Source/JavaScriptCore/offlineasm/registers.rb >index aa8a40fd4e853cd48d45ecc2666cd9a164609d39..158d141946f8fdbb9c24fe9ebfc12e57a4a8d8b3 100644 >--- a/Source/JavaScriptCore/offlineasm/registers.rb >+++ b/Source/JavaScriptCore/offlineasm/registers.rb >@@ -32,6 +32,7 @@ GPRS = > "t4", > "t5", > "t6", >+ "t7", > "cfr", > "a0", > "a1", >diff --git a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >index 3f51d0b0fc42797341e864f807d527fc2446c0c1..162e990731f487cecbbfd72ee8e7593b2e59de31 100644 >--- a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >+++ b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp >@@ -843,15 +843,14 @@ void AirIRGenerator::restoreWebAssemblyGlobalState(RestoreCachedStackLimit resto > patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0; > > patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { >- RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64()); >- AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64()); >+ AllowMacroScratchRegisterUsage allowScratch(jit); > GPRReg baseMemory = pinnedRegs->baseMemoryPointer; > GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister; > > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister); > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory); > >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize); > }); > > emitPatchpoint(block, patchpoint, Tmp(), instance); >@@ -1948,7 +1947,7 @@ auto AirIRGenerator::addCallIndirect(const Signature& signature, Vector<Expressi > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. > >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize); > }); > > emitPatchpoint(doContextSwitch, patchpoint, Tmp(), newContextInstance, instanceValue()); >diff --git a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >index 5e87f4bafb4d72b37d3f892561f25515403b9be7..12325185b636055bf6dd399739c9f69463dbcf3b 100644 >--- a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >+++ b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp >@@ -486,15 +486,14 @@ void B3IRGenerator::restoreWebAssemblyGlobalState(RestoreCachedStackLimit restor > > patchpoint->append(instance, ValueRep::SomeRegister); > patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) { >- RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64()); >- AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64()); >+ AllowMacroScratchRegisterUsage allowScratch(jit); > GPRReg baseMemory = pinnedRegs->baseMemoryPointer; > GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister; > > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister); > jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory); > >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs->sizeRegister, scratchOrSize); > }); > } > } >@@ -1366,7 +1365,7 @@ auto B3IRGenerator::addCallIndirect(const Signature& signature, Vector<Expressio > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*. > >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize); > }); > doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation); > >diff --git a/Source/JavaScriptCore/wasm/WasmBinding.cpp b/Source/JavaScriptCore/wasm/WasmBinding.cpp >index fed45b1063c9a36bf651cf803ee10f1c5be7c654..23c96474f4b7557e19ae182a60ce9077f736abbd 100644 >--- a/Source/JavaScriptCore/wasm/WasmBinding.cpp >+++ b/Source/JavaScriptCore/wasm/WasmBinding.cpp >@@ -67,11 +67,11 @@ Expected<MacroAssemblerCodeRef<WasmEntryPtrTag>, BindingFailure> wasmToWasm(unsi > // FIXME the following code assumes that all Wasm::Instance have the same pinned registers. https://bugs.webkit.org/show_bug.cgi?id=162952 > // Set up the callee's baseMemory register as well as the memory size registers. > { >- GPRReg scratchOrSize = isARM64E() ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1); >+ GPRReg scratchOrSize = !Gigacage::isEnabled(Gigacage::Primitive) ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1); > > jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size. > jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*). >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, pinnedRegs.sizeRegister, scratchOrSize); > } > > // Tail call into the callee WebAssembly function. >diff --git a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >index 657da57aeb7ce3daeaf3c25747818b620dce1492..26313e84269657fee9b6cbd73b57058c445fb5b8 100644 >--- a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >+++ b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp >@@ -228,7 +228,7 @@ std::unique_ptr<InternalFunction> createJSToWasmWrapper(CompilationContext& comp > } > > jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize); > } > > CCallHelpers::Call call = jit.threadSafePatchableNearCall(); >diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >index 2ff0e78e582f6561a28f3c59537821c03980b890..91b5b8388520a142aae09c52dc3fc8538e17bcff 100644 >--- a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp >@@ -423,7 +423,7 @@ MacroAssemblerCodePtr<JSEntryPtrTag> WebAssemblyFunction::jsCallEntrypointSlow() > } > > jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory); >- jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize); >+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize, scratchOrSize); > } > > // We use this callee to indicate how to unwind past these types of frames: >diff --git a/Source/bmalloc/bmalloc/Gigacage.h b/Source/bmalloc/bmalloc/Gigacage.h >index 76d72df74a136f0219155cf208f7c77958c4e996..a37d0baf9979deecc2e9e2542a8c2958ddf86b57 100644 >--- a/Source/bmalloc/bmalloc/Gigacage.h >+++ b/Source/bmalloc/bmalloc/Gigacage.h >@@ -34,7 +34,8 @@ > #include <cstddef> > #include <inttypes.h> > >-#if ((BOS(DARWIN) || BOS(LINUX)) && BCPU(X86_64)) >+#if ((BOS(DARWIN) || BOS(LINUX)) && \ >+ (BCPU(X86_64) || (BCPU(ARM64) && !defined(__ILP32__) && (!BPLATFORM(IOS_FAMILY) || BPLATFORM(IOS))))) > #define GIGACAGE_ENABLED 1 > #else > #define GIGACAGE_ENABLED 0
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=371487">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 198453
:
371113
|
371487
|
371488
|
371490