Modified: trunk/Source/_javascript_Core/ChangeLog (259896 => 259897)
--- trunk/Source/_javascript_Core/ChangeLog 2020-04-10 20:22:22 UTC (rev 259896)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-04-10 20:27:31 UTC (rev 259897)
@@ -1,5 +1,39 @@
2020-04-10 Mark Lam <mark....@apple.com>
+ Use more PAC diversity for JIT probe code.
+ https://bugs.webkit.org/show_bug.cgi?id=210252
+ <rdar://problem/54490367>
+
+ Reviewed by Keith Miller.
+
+ Introducing new PtrTags:
+ JITProbePtrTag - for the client probe function.
+ JITProbeTrampolinePtrTag - for calling the ctiMasmProbeTrampoline.
+ JITProbeExecutorPtrTag - for calling the probe executor.
+ Currently, this is only the Probe::executeProbe().
+ JITProbeStackInitializationFunctionPtrTag - for calling the optional stack
+ initialization function that the client probe function may set.
+
+ We'll now use these in the JIT probe mechanism instead of adopting the default
+ CFunctionPtrTag.
+
+ * assembler/MacroAssembler.cpp:
+ (JSC::MacroAssembler::probe):
+ * assembler/MacroAssemblerARM64.cpp:
+ (JSC::MacroAssembler::probe):
+ * assembler/MacroAssemblerPrinter.h:
+ (JSC::MacroAssembler::print):
+ * assembler/ProbeContext.h:
+ * runtime/JSCPtrTag.h:
+ * tools/JSDollarVM.cpp:
+ (JSC::callWithStackSizeProbeFunction):
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::emitLoopTierUpCheck):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::emitLoopTierUpCheck):
+
+2020-04-10 Mark Lam <mark....@apple.com>
+
[Follow up] Fix bad tests in testmasm's testCagePreservesPACFailureBit().
https://bugs.webkit.org/show_bug.cgi?id=210314
<rdar://problem/61556785>
Modified: trunk/Source/_javascript_Core/assembler/MacroAssembler.cpp (259896 => 259897)
--- trunk/Source/_javascript_Core/assembler/MacroAssembler.cpp 2020-04-10 20:22:22 UTC (rev 259896)
+++ trunk/Source/_javascript_Core/assembler/MacroAssembler.cpp 2020-04-10 20:27:31 UTC (rev 259897)
@@ -28,6 +28,7 @@
#if ENABLE(ASSEMBLER)
+#include "JSCPtrTag.h"
#include "Options.h"
#include "ProbeContext.h"
#include <wtf/PrintStream.h>
@@ -55,8 +56,9 @@
void MacroAssembler::probe(Function<void(Probe::Context&)> func)
{
- probe(stdFunctionCallback, new Function<void(Probe::Context&)>(WTFMove(func)));
+ probe(tagCFunction<JITProbePtrTag>(stdFunctionCallback), new Function<void(Probe::Context&)>(WTFMove(func)));
}
+
#endif // ENABLE(MASM_PROBE)
} // namespace JSC
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp (259896 => 259897)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp 2020-04-10 20:22:22 UTC (rev 259896)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp 2020-04-10 20:27:31 UTC (rev 259897)
@@ -28,6 +28,7 @@
#if ENABLE(ASSEMBLER) && CPU(ARM64)
#include "MacroAssembler.h"
+#include "JSCPtrTag.h"
#include "ProbeContext.h"
#include <wtf/InlineASM.h>
@@ -297,6 +298,13 @@
static_assert(LR_RESTORATION_SIZE == sizeof(LRRestorationRecord), "LR_RESTORATION_SIZE is incorrect");
static_assert(!(sizeof(LRRestorationRecord) & 0xf), "LRRestorationRecord must be 16-byte aligned");
+#if CPU(ARM64E)
+#define JIT_PROBE_EXECUTOR_PTR_TAG 0x28de
+#define JIT_PROBE_STACK_INITIALIZATION_FUNCTION_PTR_TAG 0x315c
+static_assert(JIT_PROBE_EXECUTOR_PTR_TAG == JITProbeExecutorPtrTag);
+static_assert(JIT_PROBE_STACK_INITIALIZATION_FUNCTION_PTR_TAG == JITProbeStackInitializationFunctionPtrTag);
+#endif
+
// We use x29 and x30 instead of fp and lr because GCC's inline assembler does not recognize fp and lr.
// See https://bugs.webkit.org/show_bug.cgi?id=175512 for details.
asm (
@@ -382,7 +390,8 @@
// the caller of the probe (which is what we want in order to play nice with debuggers e.g. lldb).
"mov x0, sp" "\n" // Set the Probe::State* arg.
#if CPU(ARM64E)
- "blraaz x28" "\n" // Call the probe handler.
+ "movz lr, #" STRINGIZE_VALUE_OF(JIT_PROBE_EXECUTOR_PTR_TAG) "\n"
+ "blrab x28, lr" "\n" // Call the probe handler.
#else
"blr x28" "\n" // Call the probe handler.
#endif
@@ -422,7 +431,8 @@
"mov x0, x27" "\n" // Set the Probe::State* arg.
#if CPU(ARM64E)
- "blraaz x2" "\n" // Call the initializeStackFunction (loaded into x2 above).
+ "movz lr, #" STRINGIZE_VALUE_OF(JIT_PROBE_STACK_INITIALIZATION_FUNCTION_PTR_TAG) "\n"
+ "blrab x2, lr" "\n" // Call the initializeStackFunction (loaded into x2 above).all the probe handler.
#else
"blr x2" "\n" // Call the initializeStackFunction (loaded into x2 above).
#endif
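Review bot: The comment on the new `blrab x2, lr` line carries a leftover fragment — it reads `(loaded into x2 above).all the probe handler.`, apparently a paste remnant of the `blrab x28, lr` line from the previous hunk; it should be `"blrab x2, lr" "\n" // Call the initializeStackFunction (loaded into x2 above).`. In both hunks the constant discriminator is materialised into lr with `movz`; since the branch-with-link overwrites lr with the return address anyway this costs nothing, but a one-line comment on the `movz` such as `// lr is free to carry the discriminator: blrab overwrites it with the return address.` would stop a reader from assuming the link register is clobbered prematurely. The asm block continues outside the hunk.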
@@ -531,11 +541,12 @@
storePair64(x24, x25, sp, TrustedImm32(offsetof(IncomingProbeRecord, x24)));
storePair64(x26, x27, sp, TrustedImm32(offsetof(IncomingProbeRecord, x26)));
storePair64(x28, x30, sp, TrustedImm32(offsetof(IncomingProbeRecord, x28))); // Note: x30 is lr.
- move(TrustedImmPtr(reinterpret_cast<void*>(ctiMasmProbeTrampoline)), x26);
- move(TrustedImmPtr(reinterpret_cast<void*>(Probe::executeProbe)), x28);
+ move(TrustedImmPtr(tagCFunction<JITProbeTrampolinePtrTag>(ctiMasmProbeTrampoline)), x26);
+ move(TrustedImmPtr(tagCFunction<JITProbeExecutorPtrTag>(Probe::executeProbe)), x28);
+ ASSERT(isTaggedWith(function, JITProbePtrTag));
move(TrustedImmPtr(reinterpret_cast<void*>(function)), x24);
move(TrustedImmPtr(arg), x25);
- call(x26, CFunctionPtrTag);
+ call(x26, JITProbeTrampolinePtrTag);
// ctiMasmProbeTrampoline should have restored every register except for lr and the sp.
load64(Address(sp, offsetof(LRRestorationRecord, lr)), lr);
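Review bot: `ASSERT(isTaggedWith(function, JITProbePtrTag))` only runs in debug builds, and the next line copies the raw bits of `function` into x24 via `reinterpret_cast`, so in release a caller that passes an untagged or differently tagged function is not caught here — presumably it only fails authentication later when the value is read back through the `__ptrauth`-qualified field that ProbeContext.h introduces in this commit. A comment stating that contract at the ASSERT would help, e.g. `// function must already be signed with JITProbePtrTag: its raw bits end up in the __ptrauth-qualified State::probeFunction.` The enclosing probe() starts outside the hunk.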
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerPrinter.h (259896 => 259897)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerPrinter.h 2020-04-10 20:22:22 UTC (rev 259896)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerPrinter.h 2020-04-10 20:27:31 UTC (rev 259897)
@@ -25,6 +25,7 @@
#pragma once
+#include "JSCPtrTag.h"
#include "MacroAssembler.h"
#include "Printer.h"
#include "ProbeContext.h"
@@ -232,12 +233,12 @@
inline void MacroAssembler::print(Arguments&&... arguments)
{
auto printRecordList = Printer::makePrintRecordList(std::forward<Arguments>(arguments)...);
- probe(Printer::printCallback, printRecordList);
+ probe(tagCFunction<JITProbePtrTag>(Printer::printCallback), printRecordList);
}
inline void MacroAssembler::print(Printer::PrintRecordList* printRecordList)
{
- probe(Printer::printCallback, printRecordList);
+ probe(tagCFunction<JITProbePtrTag>(Printer::printCallback), printRecordList);
}
#endif // ENABLE(MASM_PROBE)
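Review bot: The two `print` overloads now repeat `tagCFunction<JITProbePtrTag>(Printer::printCallback)`, so the tag choice for the printer probe lives in two places. If `makePrintRecordList` returns a `Printer::PrintRecordList*` (it looks that way from the second overload's parameter), the variadic overload could simply delegate with `print(printRecordList);`, keeping a single site to update the next time the probe tagging changes.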
Modified: trunk/Source/_javascript_Core/assembler/ProbeContext.h (259896 => 259897)
--- trunk/Source/_javascript_Core/assembler/ProbeContext.h 2020-04-10 20:22:22 UTC (rev 259896)
+++ trunk/Source/_javascript_Core/assembler/ProbeContext.h 2020-04-10 20:27:31 UTC (rev 259897)
@@ -175,10 +175,18 @@
struct State;
typedef void (*StackInitializationFunction)(State*);
+#if CPU(ARM64E)
+#define PROBE_FUNCTION_PTRAUTH __ptrauth(ptrauth_key_process_dependent_code, 0, JITProbePtrTag)
+#define PROBE_STACK_INITIALIZATION_FUNCTION_PTRAUTH __ptrauth(ptrauth_key_process_dependent_code, 0, JITProbeStackInitializationFunctionPtrTag)
+#else
+#define PROBE_FUNCTION_PTRAUTH
+#define PROBE_STACK_INITIALIZATION_FUNCTION_PTRAUTH
+#endif
+
struct State {
- Probe::Function probeFunction;
+ Probe::Function PROBE_FUNCTION_PTRAUTH probeFunction;
void* arg;
- StackInitializationFunction initializeStackFunction;
+ StackInitializationFunction PROBE_STACK_INITIALIZATION_FUNCTION_PTRAUTH initializeStackFunction;
void* initializeStackArg;
CPUState cpu;
};
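Review bot: The new `__ptrauth` qualifiers change the storage contract of `State` without saying so: on ARM64E any code that fills `probeFunction` or `initializeStackFunction` without going through the qualified field (the assembly that builds the record, memcpy, `bitwise_cast`) must store bits already signed with the respective tag, and, as I understand the qualifier, a plain read through the field authenticates and re-signs the value rather than returning the stored bits. A comment above the two fields along the lines of `// On ARM64E these are signed with JITProbePtrTag / JITProbeStackInitializationFunctionPtrTag and a zero address discriminator; raw writers must store pre-signed values.` would make the invariant visible to the asm trampoline and to JSDollarVM. Stating that the `0` discriminator deliberately disables address diversity (the record lives at a runtime-chosen sp) belongs in the same comment.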
Modified: trunk/Source/_javascript_Core/runtime/JSCPtrTag.h (259896 => 259897)
--- trunk/Source/_javascript_Core/runtime/JSCPtrTag.h 2020-04-10 20:22:22 UTC (rev 259896)
+++ trunk/Source/_javascript_Core/runtime/JSCPtrTag.h 2020-04-10 20:27:31 UTC (rev 259897)
@@ -39,6 +39,10 @@
v(DisassemblyPtrTag) \
v(ExceptionHandlerPtrTag) \
v(ExecutableMemoryPtrTag) \
+ v(JITProbePtrTag) \
+ v(JITProbeTrampolinePtrTag) \
+ v(JITProbeExecutorPtrTag) \
+ v(JITProbeStackInitializationFunctionPtrTag) \
v(JITThunkPtrTag) \
v(JITStubRoutinePtrTag) \
v(JSEntryPtrTag) \
Modified: trunk/Source/_javascript_Core/tools/JSDollarVM.cpp (259896 => 259897)
--- trunk/Source/_javascript_Core/tools/JSDollarVM.cpp 2020-04-10 20:22:22 UTC (rev 259896)
+++ trunk/Source/_javascript_Core/tools/JSDollarVM.cpp 2020-04-10 20:27:31 UTC (rev 259897)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -2136,7 +2136,10 @@
static void callWithStackSizeProbeFunction(Probe::State* state)
{
JSGlobalObject* globalObject = bitwise_cast<JSGlobalObject*>(state->arg);
- JSFunction* function = bitwise_cast<JSFunction*>(state->probeFunction);
+ // The bits loaded from state->probeFunction will be tagged like
+ // a C function. So, we'll need to untag it to extract the bits
+ // for the JSFunction*.
+ JSFunction* function = bitwise_cast<JSFunction*>(untagCodePtr<CFunctionPtrTag>(state->probeFunction));
state->initializeStackFunction = nullptr;
state->initializeStackArg = nullptr;
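Review bot: The new comment says the bits are "tagged like a C function" and the code untags with `CFunctionPtrTag`, while the rest of this commit signs `State::probeFunction` with `JITProbePtrTag`; without more explanation this reads as a tag mismatch. If the intent is that reading the now `__ptrauth`-qualified field authenticates with `JITProbePtrTag` and re-signs the result with the default function-pointer schema, which `untagCodePtr<CFunctionPtrTag>` then strips, the comment should say exactly that, e.g. `// probeFunction is __ptrauth-qualified with JITProbePtrTag; the load authenticates it and re-signs it as a plain C function pointer, which we strip here to recover the JSFunction*.` I cannot see where this probe's state is written, so confirm the writer signs the `JSFunction*` bits with `JITProbePtrTag`. callWithStackSizeProbeFunction continues past the hunk.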
Modified: trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp (259896 => 259897)
--- trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2020-04-10 20:22:22 UTC (rev 259896)
+++ trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2020-04-10 20:27:31 UTC (rev 259897)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2019-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -1826,7 +1826,7 @@
forceOSREntry.link(&jit);
tierUp.link(&jit);
- jit.probe(operationWasmTriggerOSREntryNow, osrEntryDataPtr);
+ jit.probe(tagCFunction<JITProbePtrTag>(operationWasmTriggerOSREntryNow), osrEntryDataPtr);
jit.branchTestPtr(CCallHelpers::Zero, GPRInfo::argumentGPR0).linkTo(tierUpResume, &jit);
jit.farJump(GPRInfo::argumentGPR1, WasmEntryPtrTag);
});
Modified: trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp (259896 => 259897)
--- trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2020-04-10 20:22:22 UTC (rev 259896)
+++ trunk/Source/_javascript_Core/wasm/WasmB3IRGenerator.cpp 2020-04-10 20:27:31 UTC (rev 259897)
@@ -1338,7 +1338,7 @@
forceOSREntry.link(&jit);
tierUp.link(&jit);
- jit.probe(operationWasmTriggerOSREntryNow, osrEntryDataPtr);
+ jit.probe(tagCFunction<JITProbePtrTag>(operationWasmTriggerOSREntryNow), osrEntryDataPtr);
jit.branchTestPtr(CCallHelpers::Zero, GPRInfo::argumentGPR0).linkTo(tierUpResume, &jit);
jit.farJump(GPRInfo::argumentGPR1, WasmEntryPtrTag);
});