Title: [245378] branches/safari-608.1.24-branch/Source/_javascript_Core
- Revision: 245378
- Author: [email protected]
- Date: 2019-05-15 22:43:07 -0700 (Wed, 15 May 2019)
Log Message
Cherry-pick r245168. rdar://problem/50629257
Fix crashes related to pointer authentication for primitive gigacage
https://bugs.webkit.org/show_bug.cgi?id=197763
<rdar://problem/50629257>
Reviewed by Saam Barati.
This fixes two bugs related to PAC for caging. The first is that
we didn't clear the high bits of the size register going into the
patchpoint to tag the new buffer for NewArrayBuffer. The second is
that the GC needs to strip all stack pointers when considering
them as a conservative root.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::genericAddPointer):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245168 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-608.1.24-branch/Source/_javascript_Core/ChangeLog (245377 => 245378)
--- branches/safari-608.1.24-branch/Source/_javascript_Core/ChangeLog 2019-05-16 05:43:05 UTC (rev 245377)
+++ branches/safari-608.1.24-branch/Source/_javascript_Core/ChangeLog 2019-05-16 05:43:07 UTC (rev 245378)
@@ -1,3 +1,46 @@
+2019-05-15 Kocsen Chung <[email protected]>
+
+ Cherry-pick r245168. rdar://problem/50629257
+
+ Fix crashes related to pointer authentication for primitive gigacage
+ https://bugs.webkit.org/show_bug.cgi?id=197763
+ <rdar://problem/50629257>
+
+ Reviewed by Saam Barati.
+
+ This fixes two bugs related to PAC for caging. The first is that
+ we didn't clear the high bits of the size register going into the
+ patchpoint to tag the new buffer for NewArrayBuffer. The second is
+ that the GC needs to strip all stack pointers when considering
+ them as a conservative root.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ * heap/ConservativeRoots.cpp:
+ (JSC::ConservativeRoots::genericAddPointer):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245168 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-05-09 Keith Miller <[email protected]>
+
+ Fix crashes related to pointer authentication for primitive gigacage
+ https://bugs.webkit.org/show_bug.cgi?id=197763
+ <rdar://problem/50629257>
+
+ Reviewed by Saam Barati.
+
+ This fixes two bugs related to PAC for caging. The first is that
+ we didn't clear the high bits of the size register going into the
+ patchpoint to tag the new buffer for NewArrayBuffer. The second is
+ that the GC needs to strip all stack pointers when considering
+ them as a conservative root.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ * heap/ConservativeRoots.cpp:
+ (JSC::ConservativeRoots::genericAddPointer):
+
2019-05-09 Xan López <[email protected]>
[CMake] Detect SSE2 at compile time
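Review bot: the entry lists only the two source files and no test, so nothing in the change exercises either the NewArrayBuffer tagging path or the conservative-scan stripping; if the crash from the bug report was reproducible, a regression test reference belongs in this entry alongside the two `*` file lines. The nested cherry-pick entry itself follows the usual form and matches the log message above.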
Modified: branches/safari-608.1.24-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (245377 => 245378)
--- branches/safari-608.1.24-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-05-16 05:43:05 UTC (rev 245377)
+++ branches/safari-608.1.24-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-05-16 05:43:07 UTC (rev 245378)
@@ -6468,14 +6468,17 @@
m_heaps.typedArrayProperties);
#if !GIGACAGE_ENABLED && CPU(ARM64E)
- PatchpointValue* authenticate = m_out.patchpoint(pointerType());
- authenticate->appendSomeRegister(storage);
- authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister));
- authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
- jit.move(params[1].gpr(), params[0].gpr());
- jit.tagArrayPtr(params[2].gpr(), params[0].gpr());
- });
- storage = authenticate;
+ {
+ LValue sizePtr = m_out.zeroExtPtr(size);
+ PatchpointValue* authenticate = m_out.patchpoint(pointerType());
+ authenticate->appendSomeRegister(storage);
+ authenticate->append(sizePtr, B3::ValueRep(B3::ValueRep::SomeLateRegister));
+ authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
+ jit.move(params[1].gpr(), params[0].gpr());
+ jit.tagArrayPtr(params[2].gpr(), params[0].gpr());
+ });
+ storage = authenticate;
+ }
#endif
ValueFromBlock haveStorage = m_out.anchor(storage);
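Review bot: the substantive change here is the new `LValue sizePtr = m_out.zeroExtPtr(size);` being handed to the patchpoint in place of `size`, but the block carries no comment saying why; add one stating that `jit.tagArrayPtr(params[2].gpr(), params[0].gpr())` consumes the whole register it is given, so stale high bits in a narrower size value change the tag computed for the buffer, which is exactly the crash described in the ChangeLog. The extra braces only scope `sizePtr` and `authenticate` inside the `#if !GIGACAGE_ENABLED && CPU(ARM64E)` region, which is fine.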
Modified: branches/safari-608.1.24-branch/Source/_javascript_Core/heap/ConservativeRoots.cpp (245377 => 245378)
--- branches/safari-608.1.24-branch/Source/_javascript_Core/heap/ConservativeRoots.cpp 2019-05-16 05:43:05 UTC (rev 245377)
+++ branches/safari-608.1.24-branch/Source/_javascript_Core/heap/ConservativeRoots.cpp 2019-05-16 05:43:07 UTC (rev 245378)
@@ -68,6 +68,7 @@
template<typename MarkHook>
inline void ConservativeRoots::genericAddPointer(void* p, HeapVersion markingVersion, HeapVersion newlyAllocatedVersion, TinyBloomFilter filter, MarkHook& markHook)
{
+ p = removeArrayPtrTag(p);
markHook.mark(p);
HeapUtil::findGCObjectPointersForMarking(
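Review bot: `p = removeArrayPtrTag(p);` now runs for every word the conservative scan considers, ahead of both `markHook.mark(p)` and `findGCObjectPointersForMarking`, which is the right order since a still-tagged pointer would not match the `filter` or any cell. Two things worth confirming before landing: that `removeArrayPtrTag` is a no-op on non-ARM64E targets, because this is the per-word hot path of the scan, and that stripping rather than authenticating is intended here, since the GC only needs the address to keep the cell alive and a stale tag on a dead stack slot must not trap.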
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes