Modified: branches/safari-608-branch/Source/_javascript_Core/ChangeLog (250499 => 250500)
--- branches/safari-608-branch/Source/_javascript_Core/ChangeLog 2019-09-30 07:55:07 UTC (rev 250499)
+++ branches/safari-608-branch/Source/_javascript_Core/ChangeLog 2019-09-30 08:30:23 UTC (rev 250500)
@@ -1,3 +1,71 @@
+2019-09-30 Babak Shafiei <bshaf...@apple.com>
+
+ Cherry-pick r247799. rdar://problem/55826880
+
+ performJITMemcpy should be PACed with a non-zero diversifier when passed and called via a pointer.
+ https://bugs.webkit.org/show_bug.cgi?id=200100
+ <rdar://problem/53474939>
+
+ Reviewed by Yusuke Suzuki.
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::CopyFunction::CopyFunction):
+ (JSC::ARM64Assembler::CopyFunction::operator()):
+ - I choose to use ptrauth_auth_function() here instead of retagCodePtr() because
+ retagCodePtr() would auth, assert, and re-pac the pointer. This is needed in
+ general because retagCodePtr() doesn't know that you will consume the pointer
+ immediately (and therefore crash imminently if a failed auth is encountered).
+ Since we know here that we will call with the auth'ed pointer immediately, we
+ can skip the assert.
+
+ This also has the benefit of letting Clang do a peephole optimization to emit
+ a blrab instruction with the intended diversifier, instead of emitting multiple
+ instructions to auth the pointer into a C function, and then using a blraaz to
+ do a C function call.
+
+ (JSC::ARM64Assembler::linkJumpOrCall):
+ (JSC::ARM64Assembler::linkCompareAndBranch):
+ (JSC::ARM64Assembler::linkConditionalBranch):
+ (JSC::ARM64Assembler::linkTestAndBranch):
+ * assembler/LinkBuffer.cpp:
+ (JSC::LinkBuffer::copyCompactAndLinkCode):
+ * runtime/JSCPtrTag.h:
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247799 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-07-24 Mark Lam <mark....@apple.com>
+
+ performJITMemcpy should be PACed with a non-zero diversifier when passed and called via a pointer.
+ https://bugs.webkit.org/show_bug.cgi?id=200100
+ <rdar://problem/53474939>
+
+ Reviewed by Yusuke Suzuki.
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::CopyFunction::CopyFunction):
+ (JSC::ARM64Assembler::CopyFunction::operator()):
+ - I choose to use ptrauth_auth_function() here instead of retagCodePtr() because
+ retagCodePtr() would auth, assert, and re-pac the pointer. This is needed in
+ general because retagCodePtr() doesn't know that you will consume the pointer
+ immediately (and therefore crash imminently if a failed auth is encountered).
+ Since we know here that we will call with the auth'ed pointer immediately, we
+ can skip the assert.
+
+ This also has the benefit of letting Clang do a peephole optimization to emit
+ a blrab instruction with the intended diversifier, instead of emitting multiple
+ instructions to auth the pointer into a C function, and then using a blraaz to
+ do a C function call.
+
+ (JSC::ARM64Assembler::linkJumpOrCall):
+ (JSC::ARM64Assembler::linkCompareAndBranch):
+ (JSC::ARM64Assembler::linkConditionalBranch):
+ (JSC::ARM64Assembler::linkTestAndBranch):
+ * assembler/LinkBuffer.cpp:
+ (JSC::LinkBuffer::copyCompactAndLinkCode):
+ * runtime/JSCPtrTag.h:
+
2019-09-27 Alan Coon <alanc...@apple.com>
Cherry-pick r250440. rdar://problem/55800893
Modified: branches/safari-608-branch/Source/_javascript_Core/assembler/ARM64Assembler.h (250499 => 250500)
--- branches/safari-608-branch/Source/_javascript_Core/assembler/ARM64Assembler.h 2019-09-30 07:55:07 UTC (rev 250499)
+++ branches/safari-608-branch/Source/_javascript_Core/assembler/ARM64Assembler.h 2019-09-30 08:30:23 UTC (rev 250500)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -2910,7 +2910,27 @@
return m_jumpsToLink;
}
+#if CPU(ARM64E)
+ class CopyFunction {
+ typedef void* (*Func)(void*, const void*, size_t);
+ public:
+ CopyFunction(Func func)
+ : m_func(func)
+ {
+ assertIsNullOrTaggedWith(func, CopyFunctionPtrTag);
+ }
+
+ void* operator()(void* dst, const void* src, size_t size)
+ {
+ return ptrauth_auth_function(m_func, ptrauth_key_process_dependent_code, CopyFunctionPtrTag)(dst, src, size);
+ }
+
+ private:
+ Func m_func;
+ };
+#else
typedef void* (*CopyFunction)(void*, const void*, size_t);
+#endif
static void ALWAYS_INLINE link(LinkRecord& record, uint8_t* from, const uint8_t* fromInstruction8, uint8_t* to, CopyFunction copy)
{
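Review bot: The reason `operator()` authenticates with `ptrauth_auth_function` instead of the usual `retagCodePtr` path lives only in the ChangeLog; the header should carry it so a later reader does not "normalize" this call. I would put above the return: `// Auth directly rather than retagCodePtr(): the pointer is consumed by this call immediately, so a failed auth faults here anyway, and Clang can fold this into a single blrab with CopyFunctionPtrTag as diversifier.` The `assertIsNullOrTaggedWith` in the constructor appears to be an assertion, so in release a mis-tagged `m_func` is presumably only caught when the authenticated call faults, which is worth stating in the same comment. `operator()` only reads `m_func` and could be `const`; the implicit single-argument constructor looks intentional, since the `copy = tagCFunctionPtr<CopyFunctionPtrTag>(performJITMemcpy)` defaults in the later hunks rely on that conversion.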
@@ -2977,7 +2997,7 @@
}
template<bool isCall>
- static void linkJumpOrCall(int* from, const int* fromInstruction, void* to, CopyFunction copy = performJITMemcpy)
+ static void linkJumpOrCall(int* from, const int* fromInstruction, void* to, CopyFunction copy = tagCFunctionPtr<CopyFunctionPtrTag>(performJITMemcpy))
{
bool link;
int imm26;
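Review bot: The default `tagCFunctionPtr<CopyFunctionPtrTag>(performJITMemcpy)` is spelled out verbatim here in linkJumpOrCall and again in linkCompareAndBranch, linkConditionalBranch and linkTestAndBranch in the following hunks. A single helper, e.g. `static CopyFunction defaultCopyFunction() { return tagCFunctionPtr<CopyFunctionPtrTag>(performJITMemcpy); }`, used as the default in all four would leave one place to audit that the tag agrees with what the CopyFunction constructor asserts. This is a style point only; the bodies of all four functions continue past their hunks.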
@@ -2998,7 +3018,7 @@
}
template<bool isDirect>
- static void linkCompareAndBranch(Condition condition, bool is64Bit, RegisterID rt, int* from, const int* fromInstruction, void* to, CopyFunction copy = performJITMemcpy)
+ static void linkCompareAndBranch(Condition condition, bool is64Bit, RegisterID rt, int* from, const int* fromInstruction, void* to, CopyFunction copy = tagCFunctionPtr<CopyFunctionPtrTag>(performJITMemcpy))
{
ASSERT(!(reinterpret_cast<intptr_t>(from) & 3));
ASSERT(!(reinterpret_cast<intptr_t>(to) & 3));
@@ -3026,7 +3046,7 @@
}
template<bool isDirect>
- static void linkConditionalBranch(Condition condition, int* from, const int* fromInstruction, void* to, CopyFunction copy = performJITMemcpy)
+ static void linkConditionalBranch(Condition condition, int* from, const int* fromInstruction, void* to, CopyFunction copy = tagCFunctionPtr<CopyFunctionPtrTag>(performJITMemcpy))
{
ASSERT(!(reinterpret_cast<intptr_t>(from) & 3));
ASSERT(!(reinterpret_cast<intptr_t>(to) & 3));
@@ -3054,7 +3074,7 @@
}
template<bool isDirect>
- static void linkTestAndBranch(Condition condition, unsigned bitNumber, RegisterID rt, int* from, const int* fromInstruction, void* to, CopyFunction copy = performJITMemcpy)
+ static void linkTestAndBranch(Condition condition, unsigned bitNumber, RegisterID rt, int* from, const int* fromInstruction, void* to, CopyFunction copy = tagCFunctionPtr<CopyFunctionPtrTag>(performJITMemcpy))
{
ASSERT(!(reinterpret_cast<intptr_t>(from) & 3));
ASSERT(!(reinterpret_cast<intptr_t>(to) & 3));
Modified: branches/safari-608-branch/Source/_javascript_Core/assembler/LinkBuffer.cpp (250499 => 250500)
--- branches/safari-608-branch/Source/_javascript_Core/assembler/LinkBuffer.cpp 2019-09-30 07:55:07 UTC (rev 250499)
+++ branches/safari-608-branch/Source/_javascript_Core/assembler/LinkBuffer.cpp 2019-09-30 08:30:23 UTC (rev 250500)
@@ -228,13 +228,12 @@
recordLinkOffsets(m_assemblerStorage, readPtr, initialSize, readPtr - writePtr);
- for (unsigned i = 0; i < jumpCount; ++i) {
#if CPU(ARM64E) && ENABLE(FAST_JIT_PERMISSIONS)
- auto memcpyFunction = memcpy;
+ auto memcpyFunction = tagCFunctionPtr<CopyFunctionPtrTag>(memcpy);
#else
- auto memcpyFunction = performJITMemcpy;
+ auto memcpyFunction = tagCFunctionPtr<CopyFunctionPtrTag>(performJITMemcpy);
#endif
-
+ for (unsigned i = 0; i < jumpCount; ++i) {
uint8_t* location = codeOutData + jumpsToLink[i].from();
uint8_t* target = codeOutData + jumpsToLink[i].to() - executableOffsetFor(jumpsToLink[i].to());
MacroAssembler::link(jumpsToLink[i], outData + jumpsToLink[i].from(), location, target, memcpyFunction);