Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (268169 => 268170)
--- trunk/Source/_javascript_Core/ChangeLog 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-10-08 04:18:58 UTC (rev 268170)
@@ -1,3 +1,66 @@
+2020-10-07 Yusuke Suzuki <[email protected]>
+
+ [JSC] Restrict more ptr-tagging and avoid using OperationPtrTag for JIT code
+ https://bugs.webkit.org/show_bug.cgi?id=217460
+
+ Reviewed by Saam Barati.
+
+ This patch makes tagging / untagging pointer functions solid by using PtrTag in template parameter.
+ Later, we will introduce compile time behavior change for different kind of PtrTag so that we can insert OperationPtrTag validation
+ when tagging a function with OperationPtrTag.
+
+ We also found that FTL is tagging JIT code with OperationPtrTag wrongly. We should tag it with JITThunkPtrTag.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::getLinkerAddress):
+ * assembler/AssemblerBuffer.h:
+ (JSC::ARM64EHash::update):
+ (JSC::ARM64EHash::finalHash const):
+ * assembler/JITOperationList.cpp:
+ (JSC::addPointers):
+ * assembler/MacroAssemblerARM64.cpp:
+ (JSC::MacroAssembler::probe):
+ * assembler/MacroAssemblerCodeRef.h:
+ (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+ (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+ * assembler/testmasm.cpp:
+ (JSC::testProbeModifiesProgramCounter):
+ * b3/air/testair.cpp:
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::callWithoutSideEffects):
+ (JSC::FTL::Output::operation):
+ * ftl/FTLSlowPathCall.cpp:
+ (JSC::FTL::SlowPathCallContext::makeCall):
+ * jit/JITCode.cpp:
+ (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
+ * jit/JITExceptions.cpp:
+ (JSC::genericUnwind):
+ * jit/JITOperations.cpp:
+ * jit/Repatch.cpp:
+ (JSC::readPutICCallTarget):
+ (JSC::ftlThunkAwareRepatchCall):
+ (JSC::tryCacheGetBy):
+ (JSC::tryCachePutByID):
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::initialize):
+ * llint/LLIntPCRanges.h:
+ (JSC::LLInt::isLLIntPC):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::setUpCall):
+ * llint/LLIntThunks.cpp:
+ (JSC::LLInt::generateThunkWithJumpTo):
+ * runtime/MachineContext.h:
+ (JSC::MachineContext::instructionPointer):
+ * runtime/NativeExecutable.cpp:
+ (JSC::NativeExecutable::finishCreation):
+ * runtime/PutPropertySlot.h:
+ (JSC::PutPropertySlot::setCustomValue):
+ (JSC::PutPropertySlot::setCustomAccessor):
+ (JSC::PutPropertySlot::customSetter const):
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::emitCCall):
+ * wasm/WasmSlowPaths.cpp:
+
2020-10-07 Ross Kirsling <[email protected]>
[JSC] Revert String.prototype.item
Modified: trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.h (268169 => 268170)
--- trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.h 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.h 2020-10-08 04:18:58 UTC (rev 268170)
@@ -877,7 +877,7 @@
template<PtrTag tag>
static void* getLinkerAddress(void* code, AssemblerLabel label)
{
- return tagCodePtr(AssemblerType::getRelocatedAddress(code, label), tag);
+ return tagCodePtr<tag>(AssemblerType::getRelocatedAddress(code, label));
}
static unsigned getLinkerCallReturnOffset(Call call)
Modified: trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h (268169 => 268170)
--- trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/assembler/AssemblerBuffer.h 2020-10-08 04:18:58 UTC (rev 268170)
@@ -187,15 +187,15 @@
ALWAYS_INLINE void update(uint32_t value)
{
uint64_t input = value ^ m_hash;
- uint64_t a = static_cast<uint32_t>(tagInt(input, static_cast<PtrTag>(0)) >> 39);
- uint64_t b = tagInt(input, static_cast<PtrTag>(0xb7e151628aed2a6a)) >> 23;
+ uint64_t a = static_cast<uint32_t>(tagInt<static_cast<PtrTag>(0)>(input) >> 39);
+ uint64_t b = tagInt<static_cast<PtrTag>(0xb7e151628aed2a6a)>(input) >> 23;
m_hash = a ^ b;
}
uint32_t finalHash() const
{
uint64_t hash = m_hash;
- uint64_t a = static_cast<uint32_t>(tagInt(hash, static_cast<PtrTag>(0xbf7158809cf4f3c7)) >> 39);
- uint64_t b = tagInt(hash, static_cast<PtrTag>(0x62e7160f38b4da56)) >> 23;
+ uint64_t a = static_cast<uint32_t>(tagInt<static_cast<PtrTag>(0xbf7158809cf4f3c7)>(hash) >> 39);
+ uint64_t b = tagInt<static_cast<PtrTag>(0x62e7160f38b4da56)>(hash) >> 23;
return static_cast<uint32_t>(a ^ b);
}
private:
Modified: trunk/Source/_javascript_Core/assembler/JITOperationList.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/assembler/JITOperationList.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/assembler/JITOperationList.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -48,7 +48,7 @@
for (const uintptr_t* current = beginHost; current != endHost; ++current) {
void* codePtr = removeCodePtrTag(bitwise_cast<void*>(*current));
if (codePtr) {
- auto result = map.add(codePtr, tagCodePtr(codePtr, JSEntryPtrTag));
+ auto result = map.add(codePtr, tagCodePtr<JSEntryPtrTag>(codePtr));
ASSERT(result.isNewEntry);
}
}
@@ -55,7 +55,7 @@
for (const uintptr_t* current = beginOperations; current != endOperations; ++current) {
void* codePtr = removeCodePtrTag(bitwise_cast<void*>(*current));
if (codePtr) {
- auto result = map.add(codePtr, tagCodePtr(codePtr, OperationPtrTag));
+ auto result = map.add(codePtr, tagCodePtr<OperationPtrTag>(codePtr));
ASSERT(result.isNewEntry);
}
}
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARM64.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -545,7 +545,7 @@
move(TrustedImmPtr(tagCFunction<OperationPtrTag>(ctiMasmProbeTrampoline)), x26);
move(TrustedImmPtr(tagCFunction<JITProbeExecutorPtrTag>(Probe::executeProbe)), x28);
#if CPU(ARM64E)
- ASSERT(isTaggedWith(function, JITProbePtrTag));
+ assertIsTaggedWith<JITProbePtrTag>(function);
#endif
move(TrustedImmPtr(reinterpret_cast<void*>(function)), x24);
move(TrustedImmPtr(arg), x25);
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h (268169 => 268170)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h 2020-10-08 04:18:58 UTC (rev 268170)
@@ -278,7 +278,7 @@
: m_value(value)
#endif
{
- assertIsTaggedWith(value, tag);
+ assertIsTaggedWith<tag>(value);
ASSERT(value);
#if CPU(ARM_THUMB2)
ASSERT(!(reinterpret_cast<uintptr_t>(value) & 1));
@@ -290,7 +290,7 @@
{
ASSERT(value);
ASSERT_VALID_CODE_POINTER(value);
- assertIsTaggedWith(value, tag);
+ assertIsTaggedWith<tag>(value);
MacroAssemblerCodePtr result;
result.m_value = value;
return result;
Modified: trunk/Source/_javascript_Core/assembler/testmasm.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/assembler/testmasm.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/assembler/testmasm.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -2123,7 +2123,7 @@
// Write expected values into the registers.
jit.probe([&] (Probe::Context& context) {
probeCallCount++;
- context.cpu.pc() = untagCodePtr(continuation.code().executableAddress(), JSEntryPtrTag);
+ context.cpu.pc() = untagCodePtr<JSEntryPtrTag>(continuation.code().executableAddress());
});
jit.breakpoint(); // We should never get here.
Modified: trunk/Source/_javascript_Core/b3/air/testair.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/b3/air/testair.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/b3/air/testair.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -99,7 +99,7 @@
template<typename T, typename... Arguments>
T invoke(const B3::Compilation& code, Arguments... arguments)
{
- void* executableAddress = untagCFunctionPtr(code.code().executableAddress(), B3CompilationPtrTag);
+ void* executableAddress = untagCFunctionPtr<B3CompilationPtrTag>(code.code().executableAddress());
T (*function)(Arguments...) = bitwise_cast<T(*)(Arguments...)>(executableAddress);
return function(arguments...);
}
Modified: trunk/Source/_javascript_Core/ftl/FTLOutput.h (268169 => 268170)
--- trunk/Source/_javascript_Core/ftl/FTLOutput.h 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/ftl/FTLOutput.h 2020-10-08 04:18:58 UTC (rev 268170)
@@ -395,13 +395,13 @@
{
static_assert(!std::is_same<Function, LValue>::value);
return m_block->appendNew<B3::CCallValue>(m_proc, type, origin(), B3::Effects::none(),
- constIntPtr(tagCFunctionPtr<void*>(function, OperationPtrTag)), arg1, args...);
+ constIntPtr(tagCFunctionPtr<void*, OperationPtrTag>(function)), arg1, args...);
}
// FIXME: Consider enhancing this to allow the client to choose the target PtrTag to use.
// https://bugs.webkit.org/show_bug.cgi?id=184324
template<typename FunctionType>
- LValue operation(FunctionType function) { return constIntPtr(tagCFunctionPtr<void*>(function, OperationPtrTag)); }
+ LValue operation(FunctionType function) { return constIntPtr(tagCFunctionPtr<void*, OperationPtrTag>(function)); }
void jump(LBasicBlock);
void branch(LValue condition, LBasicBlock taken, Weight takenWeight, LBasicBlock notTaken, Weight notTakenWeight);
Modified: trunk/Source/_javascript_Core/ftl/FTLSlowPathCall.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/ftl/FTLSlowPathCall.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/ftl/FTLSlowPathCall.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -120,7 +120,7 @@
SlowPathCall SlowPathCallContext::makeCall(VM& vm, FunctionPtr<CFunctionPtrTag> callTarget)
{
SlowPathCallKey key = keyWithTarget(callTarget);
- SlowPathCall result = SlowPathCall(m_jit.call(OperationPtrTag), key);
+ SlowPathCall result = SlowPathCall(m_jit.call(JITThunkPtrTag), key);
m_jit.addLinkTask(
[result, &vm] (LinkBuffer& linkBuffer) {
@@ -127,7 +127,7 @@
MacroAssemblerCodeRef<JITThunkPtrTag> thunk =
vm.ftlThunks->getSlowPathCallThunk(vm, result.key());
- linkBuffer.link(result.call(), CodeLocationLabel<OperationPtrTag>(thunk.retaggedCode<OperationPtrTag>()));
+ linkBuffer.link(result.call(), CodeLocationLabel<JITThunkPtrTag>(thunk.code()));
});
return result;
Modified: trunk/Source/_javascript_Core/jit/JITCode.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/jit/JITCode.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/jit/JITCode.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -116,7 +116,7 @@
void* JITCodeWithCodeRef::executableAddressAtOffset(size_t offset)
{
RELEASE_ASSERT(m_ref);
- assertIsTaggedWith(m_ref.code().executableAddress(), JSEntryPtrTag);
+ assertIsTaggedWith<JSEntryPtrTag>(m_ref.code().executableAddress());
if (!offset)
return m_ref.code().executableAddress();
Modified: trunk/Source/_javascript_Core/jit/JITExceptions.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/jit/JITExceptions.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/jit/JITExceptions.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -82,7 +82,7 @@
ASSERT(bitwise_cast<uintptr_t>(callFrame) < bitwise_cast<uintptr_t>(vm.topEntryFrame));
- assertIsTaggedWith(catchRoutine, ExceptionHandlerPtrTag);
+ assertIsTaggedWith<ExceptionHandlerPtrTag>(catchRoutine);
vm.callFrameForCatch = callFrame;
vm.targetMachinePCForThrow = catchRoutine;
vm.targetInterpreterPCForThrow = catchPCForInterpreter;
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -2623,7 +2623,7 @@
}
}
- assertIsTaggedWith(result, JSSwitchPtrTag);
+ assertIsTaggedWith<JSSwitchPtrTag>(result);
return reinterpret_cast<char*>(result);
}
@@ -2643,7 +2643,7 @@
result = jumpTable.ctiForValue(static_cast<int32_t>(key.asDouble())).executableAddress();
else
result = jumpTable.ctiDefault.executableAddress();
- assertIsTaggedWith(result, JSSwitchPtrTag);
+ assertIsTaggedWith<JSSwitchPtrTag>(result);
return reinterpret_cast<char*>(result);
}
@@ -2668,7 +2668,7 @@
} else
result = jumpTable.ctiDefault.executableAddress();
- assertIsTaggedWith(result, JSSwitchPtrTag);
+ assertIsTaggedWith<JSSwitchPtrTag>(result);
return reinterpret_cast<char*>(result);
}
Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/jit/Repatch.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/jit/Repatch.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -73,15 +73,16 @@
static FunctionPtr<CFunctionPtrTag> readPutICCallTarget(CodeBlock* codeBlock, CodeLocationCall<JSInternalPtrTag> call)
{
- FunctionPtr<OperationPtrTag> target = MacroAssembler::readCallTarget<OperationPtrTag>(call);
#if ENABLE(FTL_JIT)
if (codeBlock->jitType() == JITType::FTLJIT) {
- MacroAssemblerCodePtr<JITThunkPtrTag> thunk = MacroAssemblerCodePtr<OperationPtrTag>::createFromExecutableAddress(target.executableAddress()).retagged<JITThunkPtrTag>();
+ FunctionPtr<JITThunkPtrTag> target = MacroAssembler::readCallTarget<JITThunkPtrTag>(call);
+ MacroAssemblerCodePtr<JITThunkPtrTag> thunk = MacroAssemblerCodePtr<JITThunkPtrTag>::createFromExecutableAddress(target.executableAddress());
return codeBlock->vm().ftlThunks->keyForSlowPathCallThunk(thunk).callTarget().retagged<CFunctionPtrTag>();
}
#else
UNUSED_PARAM(codeBlock);
#endif // ENABLE(FTL_JIT)
+ FunctionPtr<OperationPtrTag> target = MacroAssembler::readCallTarget<OperationPtrTag>(call);
return target.retagged<CFunctionPtrTag>();
}
@@ -91,8 +92,8 @@
if (codeBlock->jitType() == JITType::FTLJIT) {
VM& vm = codeBlock->vm();
FTL::Thunks& thunks = *vm.ftlThunks;
- FunctionPtr<OperationPtrTag> target = MacroAssembler::readCallTarget<OperationPtrTag>(call);
- auto slowPathThunk = MacroAssemblerCodePtr<JITThunkPtrTag>::createFromExecutableAddress(target.retaggedExecutableAddress<JITThunkPtrTag>());
+ FunctionPtr<JITThunkPtrTag> target = MacroAssembler::readCallTarget<JITThunkPtrTag>(call);
+ auto slowPathThunk = MacroAssemblerCodePtr<JITThunkPtrTag>::createFromExecutableAddress(target.executableAddress());
FTL::SlowPathCallKey key = thunks.keyForSlowPathCallThunk(slowPathThunk);
key = key.withCallTarget(newCalleeFunction);
MacroAssembler::repatchCall(call, FunctionPtr<OperationPtrTag>(thunks.getSlowPathCallThunk(vm, key).retaggedCode<OperationPtrTag>()));
@@ -405,7 +406,7 @@
newCase = GetterSetterAccessCase::create(
vm, codeBlock, type, propertyName, offset, structure, conditionSet, loadTargetFromProxy,
- slot.watchpointSet(), slot.isCacheableCustom() ? slot.customGetter() : nullptr,
+ slot.watchpointSet(), slot.isCacheableCustom() ? FunctionPtr<OperationPtrTag>(slot.customGetter()) : nullptr,
slot.isCacheableCustom() && slot.slotBase() != baseValue ? slot.slotBase() : nullptr,
domAttribute, WTFMove(prototypeAccessChain));
}
@@ -741,7 +742,7 @@
newCase = GetterSetterAccessCase::create(
vm, codeBlock, slot.isCustomAccessor() ? AccessCase::CustomAccessorSetter : AccessCase::CustomValueSetter, oldStructure, propertyName,
- invalidOffset, conditionSet, WTFMove(prototypeAccessChain), isProxy, slot.customSetter(), slot.base() != baseValue ? slot.base() : nullptr);
+ invalidOffset, conditionSet, WTFMove(prototypeAccessChain), isProxy, slot.customSetter().retagged<OperationPtrTag>(), slot.base() != baseValue ? slot.base() : nullptr);
} else {
ASSERT(slot.isCacheableSetter());
ObjectPropertyConditionSet conditionSet;
Modified: trunk/Source/_javascript_Core/llint/LLIntData.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/llint/LLIntData.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/llint/LLIntData.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -62,9 +62,9 @@
#endif // ENABLE(WEBASSEMBLY)
for (int i = 0; i < numOpcodeIDs + numWasmOpcodeIDs; ++i) {
- g_jscConfig.llint.opcodeMap[i] = tagCodePtr(g_jscConfig.llint.opcodeMap[i], BytecodePtrTag);
- g_jscConfig.llint.opcodeMapWide16[i] = tagCodePtr(g_jscConfig.llint.opcodeMapWide16[i], BytecodePtrTag);
- g_jscConfig.llint.opcodeMapWide32[i] = tagCodePtr(g_jscConfig.llint.opcodeMapWide32[i], BytecodePtrTag);
+ g_jscConfig.llint.opcodeMap[i] = tagCodePtr<BytecodePtrTag>(g_jscConfig.llint.opcodeMap[i]);
+ g_jscConfig.llint.opcodeMapWide16[i] = tagCodePtr<BytecodePtrTag>(g_jscConfig.llint.opcodeMapWide16[i]);
+ g_jscConfig.llint.opcodeMapWide32[i] = tagCodePtr<BytecodePtrTag>(g_jscConfig.llint.opcodeMapWide32[i]);
}
ASSERT(llint_throw_from_slow_path_trampoline < UINT8_MAX);
Modified: trunk/Source/_javascript_Core/llint/LLIntPCRanges.h (268169 => 268170)
--- trunk/Source/_javascript_Core/llint/LLIntPCRanges.h 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/llint/LLIntPCRanges.h 2020-10-08 04:18:58 UTC (rev 268170)
@@ -40,8 +40,8 @@
ALWAYS_INLINE bool isLLIntPC(void* pc)
{
uintptr_t pcAsInt = bitwise_cast<uintptr_t>(pc);
- uintptr_t llintStart = untagCodePtr<uintptr_t>(llintPCRangeStart, CFunctionPtrTag);
- uintptr_t llintEnd = untagCodePtr<uintptr_t>(llintPCRangeEnd, CFunctionPtrTag);
+ uintptr_t llintStart = untagCodePtr<uintptr_t, CFunctionPtrTag>(llintPCRangeStart);
+ uintptr_t llintEnd = untagCodePtr<uintptr_t, CFunctionPtrTag>(llintPCRangeEnd);
RELEASE_ASSERT(llintStart < llintEnd);
return llintStart <= pcAsInt && pcAsInt <= llintEnd;
}
Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -155,7 +155,7 @@
} while (false)
#define LLINT_CALL_END_IMPL(callFrame, callTarget, callTargetTag) \
- LLINT_RETURN_TWO(retagCodePtr((callTarget), callTargetTag, SlowPathPtrTag), (callFrame))
+ LLINT_RETURN_TWO((retagCodePtr<callTargetTag, SlowPathPtrTag>(callTarget)), (callFrame))
#define LLINT_CALL_THROW(globalObject, exceptionToThrow) do { \
JSGlobalObject* __ct_globalObject = (globalObject); \
@@ -1722,7 +1722,7 @@
callLinkInfo->link(vm, callerCodeBlock, internalFunction, codePtr);
}
- assertIsTaggedWith(codePtr.executableAddress(), JSEntryPtrTag);
+ assertIsTaggedWith<JSEntryPtrTag>(codePtr.executableAddress());
LLINT_CALL_RETURN(globalObject, calleeFrame, codePtr.executableAddress(), JSEntryPtrTag);
}
RELEASE_AND_RETURN(throwScope, handleHostCall(calleeFrame, calleeAsValue, kind));
@@ -1765,7 +1765,7 @@
codeBlock->linkIncomingCall(callFrame, callLinkInfo);
}
- assertIsTaggedWith(codePtr.executableAddress(), JSEntryPtrTag);
+ assertIsTaggedWith<JSEntryPtrTag>(codePtr.executableAddress());
LLINT_CALL_RETURN(globalObject, calleeFrame, codePtr.executableAddress(), JSEntryPtrTag);
}
Modified: trunk/Source/_javascript_Core/llint/LLIntThunks.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/llint/LLIntThunks.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/llint/LLIntThunks.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -52,7 +52,7 @@
{
JSInterfaceJIT jit;
- assertIsTaggedWith(target, JSEntryPtrTag);
+ assertIsTaggedWith<JSEntryPtrTag>(target);
#if ENABLE(WEBASSEMBLY)
CCallHelpers::RegisterID scratch = Wasm::wasmCallingConvention().prologueScratchGPRs[0];
Modified: trunk/Source/_javascript_Core/runtime/JSCPtrTag.h (268169 => 268170)
--- trunk/Source/_javascript_Core/runtime/JSCPtrTag.h 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/runtime/JSCPtrTag.h 2020-10-08 04:18:58 UTC (rev 268170)
@@ -50,6 +50,7 @@
v(OperationPtrTag) \
v(OSREntryPtrTag) \
v(OSRExitPtrTag) \
+ v(PutValuePtrTag) \
v(SlowPathPtrTag) \
v(WasmEntryPtrTag) \
v(Yarr8BitPtrTag) \
Modified: trunk/Source/_javascript_Core/runtime/MachineContext.h (268169 => 268170)
--- trunk/Source/_javascript_Core/runtime/MachineContext.h 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/runtime/MachineContext.h 2020-10-08 04:18:58 UTC (rev 268170)
@@ -457,7 +457,7 @@
return makeOptional(MacroAssemblerCodePtr<PlatformRegistersPCPtrTag>(nullptr));
if (!usesPointerTagging())
return makeOptional(MacroAssemblerCodePtr<PlatformRegistersPCPtrTag>(value));
- if (isTaggedWith(value, PlatformRegistersPCPtrTag))
+ if (isTaggedWith<PlatformRegistersPCPtrTag>(value))
return makeOptional(MacroAssemblerCodePtr<PlatformRegistersPCPtrTag>(value));
return WTF::nullopt;
}
Modified: trunk/Source/_javascript_Core/runtime/NativeExecutable.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/runtime/NativeExecutable.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/runtime/NativeExecutable.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -60,10 +60,10 @@
m_jitCodeForConstructWithArityCheck = m_jitCodeForConstruct->addressForCall(MustCheckArity);
m_name = name;
- assertIsTaggedWith(m_jitCodeForCall->addressForCall(ArityCheckNotRequired).executableAddress(), JSEntryPtrTag);
- assertIsTaggedWith(m_jitCodeForConstruct->addressForCall(ArityCheckNotRequired).executableAddress(), JSEntryPtrTag);
- assertIsTaggedWith(m_jitCodeForCallWithArityCheck.executableAddress(), JSEntryPtrTag);
- assertIsTaggedWith(m_jitCodeForConstructWithArityCheck.executableAddress(), JSEntryPtrTag);
+ assertIsTaggedWith<JSEntryPtrTag>(m_jitCodeForCall->addressForCall(ArityCheckNotRequired).executableAddress());
+ assertIsTaggedWith<JSEntryPtrTag>(m_jitCodeForConstruct->addressForCall(ArityCheckNotRequired).executableAddress());
+ assertIsTaggedWith<JSEntryPtrTag>(m_jitCodeForCallWithArityCheck.executableAddress());
+ assertIsTaggedWith<JSEntryPtrTag>(m_jitCodeForConstructWithArityCheck.executableAddress());
}
NativeExecutable::NativeExecutable(VM& vm, TaggedNativeFunction function, TaggedNativeFunction constructor)
Modified: trunk/Source/_javascript_Core/runtime/PutPropertySlot.h (268169 => 268170)
--- trunk/Source/_javascript_Core/runtime/PutPropertySlot.h 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/runtime/PutPropertySlot.h 2020-10-08 04:18:58 UTC (rev 268170)
@@ -66,7 +66,7 @@
m_offset = offset;
}
- void setCustomValue(JSObject* base, FunctionPtr<OperationPtrTag> function)
+ void setCustomValue(JSObject* base, PutValueFunc function)
{
m_type = CustomValue;
m_base = base;
@@ -73,7 +73,7 @@
m_putFunction = function;
}
- void setCustomAccessor(JSObject* base, FunctionPtr<OperationPtrTag> function)
+ void setCustomAccessor(JSObject* base, PutValueFunc function)
{
m_type = CustomAccessor;
m_base = base;
@@ -97,7 +97,7 @@
m_isStrictMode = value;
}
- FunctionPtr<OperationPtrTag> customSetter() const
+ FunctionPtr<PutValuePtrTag> customSetter() const
{
ASSERT(isCacheableCustom());
return m_putFunction;
@@ -137,7 +137,7 @@
Type m_type;
uint8_t m_context;
CacheabilityType m_cacheability;
- FunctionPtr<OperationPtrTag> m_putFunction;
+ FunctionPtr<PutValuePtrTag> m_putFunction;
};
} // namespace JSC
Modified: trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/wasm/WasmAirIRGenerator.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -598,7 +598,7 @@
Inst inst(CCall, origin);
Tmp callee = g64();
- append(block, Move, Arg::immPtr(tagCFunctionPtr<void*>(func, OperationPtrTag)), callee);
+ append(block, Move, Arg::immPtr(tagCFunctionPtr<void*, OperationPtrTag>(func)), callee);
inst.args.append(callee);
if (result)
Modified: trunk/Source/_javascript_Core/wasm/WasmSlowPaths.cpp (268169 => 268170)
--- trunk/Source/_javascript_Core/wasm/WasmSlowPaths.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/_javascript_Core/wasm/WasmSlowPaths.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -64,7 +64,7 @@
} while (false)
#define WASM_CALL_RETURN(targetInstance, callTarget, callTargetTag) do { \
- WASM_RETURN_TWO(retagCodePtr(callTarget, callTargetTag, SlowPathPtrTag), targetInstance); \
+ WASM_RETURN_TWO((retagCodePtr<callTargetTag, SlowPathPtrTag>(callTarget)), targetInstance); \
} while (false)
#define CODE_BLOCK() \
Modified: trunk/Source/WTF/ChangeLog (268169 => 268170)
--- trunk/Source/WTF/ChangeLog 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/WTF/ChangeLog 2020-10-08 04:18:58 UTC (rev 268170)
@@ -1,3 +1,22 @@
+2020-10-07 Yusuke Suzuki <[email protected]>
+
+ [JSC] Restrict more ptr-tagging and avoid using OperationPtrTag for JIT code
+ https://bugs.webkit.org/show_bug.cgi?id=217460
+
+ Reviewed by Saam Barati.
+
+ * wtf/PlatformRegisters.cpp:
+ (WTF::threadStateLRInternal):
+ (WTF::threadStatePCInternal):
+ * wtf/PtrTag.h:
+ (WTF::tagCFunctionPtr):
+ (WTF::tagCFunction):
+ (WTF::untagCFunctionPtr):
+ (WTF::tagInt):
+ (WTF::isTaggedWith):
+ (WTF::assertIsTaggedWith):
+ (WTF::assertIsNullOrTaggedWith):
+
2020-10-07 Keith Rollin <[email protected]>
Update post-processing rules for headers to not unnecessarily change timestamps
Modified: trunk/Source/WTF/wtf/PlatformRegisters.cpp (268169 => 268170)
--- trunk/Source/WTF/wtf/PlatformRegisters.cpp 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/WTF/wtf/PlatformRegisters.cpp 2020-10-08 04:18:58 UTC (rev 268170)
@@ -39,7 +39,7 @@
void* candidateLR = arm_thread_state64_get_lr_fptr(regs);
#if USE(UNTAGGED_THREAD_STATE_PTR)
- if (candidateLR && isTaggedWith(candidateLR, CFunctionPtrTag))
+ if (candidateLR && isTaggedWith<CFunctionPtrTag>(candidateLR))
return retagCodePtr<CFunctionPtrTag, PlatformRegistersLRPtrTag>(candidateLR);
candidateLR = bitwise_cast<void*>(arm_thread_state64_get_lr(regs));
if (!candidateLR)
@@ -56,7 +56,7 @@
void* candidatePC = arm_thread_state64_get_pc_fptr(regs);
#if USE(UNTAGGED_THREAD_STATE_PTR)
- if (candidatePC && isTaggedWith(candidatePC, CFunctionPtrTag))
+ if (candidatePC && isTaggedWith<CFunctionPtrTag>(candidatePC))
return retagCodePtr<CFunctionPtrTag, PlatformRegistersPCPtrTag>(candidatePC);
candidatePC = bitwise_cast<void*>(arm_thread_state64_get_pc(regs));
if (!candidatePC)
Modified: trunk/Source/WTF/wtf/PtrTag.h (268169 => 268170)
--- trunk/Source/WTF/wtf/PtrTag.h 2020-10-08 03:19:43 UTC (rev 268169)
+++ trunk/Source/WTF/wtf/PtrTag.h 2020-10-08 04:18:58 UTC (rev 268170)
@@ -193,12 +193,6 @@
return ptrauth_sign_unauthenticated(ptr, ptrauth_key_process_dependent_code, tag);
}
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T tagCodePtr(PtrType ptr, PtrTag tag)
-{
- return bitwise_cast<T>(tagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
-}
-
template<typename T, PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline T tagCodePtr(PtrType ptr)
{
@@ -205,12 +199,6 @@
return bitwise_cast<T>(tagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
}
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType tagCodePtr(PtrType ptr, PtrTag tag)
-{
- return tagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag);
-}
-
template<PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline PtrType tagCodePtr(PtrType ptr) { return tagCodePtr(ptr, tag); }
@@ -234,12 +222,6 @@
return result;
}
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T untagCodePtr(PtrType ptr, PtrTag tag)
-{
- return bitwise_cast<T>(untagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
-}
-
template<typename T, PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline T untagCodePtr(PtrType ptr)
{
@@ -246,12 +228,6 @@
return bitwise_cast<T>(untagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
}
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType untagCodePtr(PtrType ptr, PtrTag tag)
-{
- return untagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag);
-}
-
template<PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline PtrType untagCodePtr(PtrType ptr) { return untagCodePtr(ptr, tag); }
@@ -312,12 +288,6 @@
return retagCodePtrImpl<tagAction>(ptr, CFunctionPtrTag, tag);
}
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T tagCFunctionPtr(PtrType ptr, PtrTag tag)
-{
- return bitwise_cast<T>(tagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
-}
-
template<typename T, PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline T tagCFunctionPtr(PtrType ptr)
{
@@ -324,19 +294,13 @@
return bitwise_cast<T>(tagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
}
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType tagCFunctionPtr(PtrType ptr, PtrTag tag)
-{
- return tagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag);
-}
-
template<PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType tagCFunctionPtr(PtrType ptr) { return tagCFunctionPtr(ptr, tag); }
+inline PtrType tagCFunctionPtr(PtrType ptr) { return tagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag); }
template<PtrTag newTag, typename FunctionType, class = typename std::enable_if<std::is_pointer<FunctionType>::value && std::is_function<typename std::remove_pointer<FunctionType>::type>::value>::type>
inline FunctionType tagCFunction(FunctionType func)
{
- ASSERT(isTaggedWith(func, CFunctionPtrTag));
+ assertIsTaggedWith<CFunctionPtrTag>(func);
ASSERT(newTag != CFunctionPtrTag);
return ptrauth_auth_and_resign(func, ptrauth_key_function_pointer, 0, ptrauth_key_process_dependent_code, newTag);
}
@@ -356,12 +320,6 @@
return retagCodePtrImpl<tagAction>(ptr, tag, CFunctionPtrTag);
}
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T untagCFunctionPtr(PtrType ptr, PtrTag tag)
-{
- return bitwise_cast<T>(untagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
-}
-
template<typename T, PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline T untagCFunctionPtr(PtrType ptr)
{
@@ -374,17 +332,11 @@
return bitwise_cast<T>(untagCFunctionPtrImpl<tagAction>(ptr, tag));
}
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType untagCFunctionPtr(PtrType ptr, PtrTag tag)
-{
- return untagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag);
-}
-
template<PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType untagCFunctionPtr(PtrType ptr) { return untagCFunctionPtr(ptr, tag); }
+inline PtrType untagCFunctionPtr(PtrType ptr) { return untagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag); }
-template <typename IntType>
-inline IntType tagInt(IntType ptrInt, PtrTag tag)
+template <PtrTag tag, typename IntType>
+inline IntType tagInt(IntType ptrInt)
{
static_assert(sizeof(IntType) == sizeof(uintptr_t), "");
return bitwise_cast<IntType>(ptrauth_sign_unauthenticated(bitwise_cast<void*>(ptrInt), ptrauth_key_process_dependent_data, tag));
@@ -425,8 +377,8 @@
assertIsTagged(ptr);
}
-template<typename PtrType>
-bool isTaggedWith(PtrType value, PtrTag tag)
+template<PtrTag tag, typename PtrType>
+bool isTaggedWith(PtrType value)
{
void* ptr = bitwise_cast<void*>(value);
if (tag == NoPtrTag)
@@ -434,17 +386,17 @@
return ptr == tagCodePtrImpl<PtrTagAction::NoAssert>(removeCodePtrTag(ptr), tag);
}
-template<typename PtrType>
-void assertIsTaggedWith(PtrType value, PtrTag tag)
+template<PtrTag tag, typename PtrType>
+void assertIsTaggedWith(PtrType value)
{
WTF_PTRTAG_ASSERT(PtrTagAction::DebugAssert, value, tag, isTaggedWith(value, tag));
}
-template<typename PtrType>
-void assertIsNullOrTaggedWith(PtrType ptr, PtrTag tag)
+template<PtrTag tag, typename PtrType>
+void assertIsNullOrTaggedWith(PtrType ptr)
{
if (ptr)
- assertIsTaggedWith(ptr, tag);
+ assertIsTaggedWith<tag>(ptr);
}
inline bool usesPointerTagging() { return true; }
@@ -494,27 +446,15 @@
}
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-constexpr T tagCodePtr(PtrType ptr, PtrTag) { return bitwise_cast<T>(ptr); }
-
template<typename T, PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline T tagCodePtr(PtrType ptr) { return bitwise_cast<T>(ptr); }
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-constexpr PtrType tagCodePtr(PtrType ptr, PtrTag) { return ptr; }
-
template<PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline PtrType tagCodePtr(PtrType ptr) { return ptr; }
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-constexpr T untagCodePtr(PtrType ptr, PtrTag) { return bitwise_cast<T>(ptr); }
-
template<typename T, PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline T untagCodePtr(PtrType ptr) { return bitwise_cast<T>(ptr); }
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-constexpr PtrType untagCodePtr(PtrType ptr, PtrTag) { return ptr; }
-
template<PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline PtrType untagCodePtr(PtrType ptr) { return ptr; }
@@ -536,15 +476,9 @@
template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
constexpr PtrType removeCodePtrTag(PtrType ptr) { return ptr; }
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T tagCFunctionPtr(PtrType ptr, PtrTag) { return bitwise_cast<T>(ptr); }
-
template<typename T, PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline T tagCFunctionPtr(PtrType ptr) { return bitwise_cast<T>(ptr); }
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType tagCFunctionPtr(PtrType ptr, PtrTag) { return ptr; }
-
template<PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline PtrType tagCFunctionPtr(PtrType ptr) { return ptr; }
@@ -557,20 +491,14 @@
return bitwise_cast<ReturnType>(tagCFunction<newTag>(func));
}
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T untagCFunctionPtr(PtrType ptr, PtrTag) { return bitwise_cast<T>(ptr); }
-
template<typename T, PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline T untagCFunctionPtr(PtrType ptr) { return bitwise_cast<T>(ptr); }
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType untagCFunctionPtr(PtrType ptr, PtrTag) { return ptr; }
-
template<PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
inline PtrType untagCFunctionPtr(PtrType ptr) { return ptr; }
-template <typename IntType>
-inline IntType tagInt(IntType ptrInt, PtrTag)
+template <PtrTag, typename IntType>
+inline IntType tagInt(IntType ptrInt)
{
static_assert(sizeof(IntType) == sizeof(uintptr_t), "");
return ptrInt;
@@ -583,10 +511,10 @@
template<typename PtrType> void assertIsTagged(PtrType) { }
template<typename PtrType> void assertIsNullOrTagged(PtrType) { }
-template<typename PtrType> bool isTaggedWith(PtrType, PtrTag) { return false; }
+template<PtrTag, typename PtrType> bool isTaggedWith(PtrType) { return false; }
-template<typename PtrType> void assertIsTaggedWith(PtrType, PtrTag) { }
-template<typename PtrType> void assertIsNullOrTaggedWith(PtrType, PtrTag) { }
+template<PtrTag, typename PtrType> void assertIsTaggedWith(PtrType) { }
+template<PtrTag, typename PtrType> void assertIsNullOrTaggedWith(PtrType) { }
inline bool usesPointerTagging() { return false; }
