Index: branches/safari-610-branch
===================================================================
--- branches/safari-610-branch 2020-12-16 18:23:34 UTC (rev 270896)
+++ branches/safari-610-branch 2020-12-16 18:31:52 UTC (rev 270897)
Property changes: branches/safari-610-branch
Modified: svn:mergeinfo
-/trunk:53455
\ No newline at end of property
+/trunk:53455,270686
\ No newline at end of property
Modified: branches/safari-610-branch/Source/_javascript_Core/ChangeLog (270896 => 270897)
--- branches/safari-610-branch/Source/_javascript_Core/ChangeLog 2020-12-16 18:23:34 UTC (rev 270896)
+++ branches/safari-610-branch/Source/_javascript_Core/ChangeLog 2020-12-16 18:31:52 UTC (rev 270897)
@@ -1,3 +1,38 @@
+2020-12-16 Mark Lam <[email protected]>
+
+ Cherry-pick r270686. rdar://problem/72321615
+
+ 2020-12-11 Mark Lam <[email protected]>
+
+ Add extra validation after untagging code pointers.
+ https://bugs.webkit.org/show_bug.cgi?id=219765
+ rdar://72069920
+
+ Reviewed by Robin Morisset.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::untagReturnAddress):
+ (JSC::AbstractMacroAssembler::validateUntaggedPtr):
+ * assembler/MacroAssemblerARM64E.h:
+ (JSC::MacroAssemblerARM64E::untagReturnAddress):
+ (JSC::MacroAssemblerARM64E::validateUntaggedPtr):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::reifyInlinedCallFrames):
+ * ftl/FTLThunks.cpp:
+ (JSC::FTL::genericGenerationThunkGenerator):
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::prepareForTailCallSlow):
+ * jit/CallFrameShuffler.cpp:
+ (JSC::CallFrameShuffler::prepareForTailCall):
+ * jit/ThunkGenerators.cpp:
+ (JSC::emitPointerValidation):
+ (JSC::arityFixupGenerator):
+ * llint/LLIntThunks.cpp:
+ (JSC::LLInt::createTailCallGate):
+ (JSC::LLInt::untagGateThunk):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+
2020-12-08 Russell Epstein <[email protected]>
Cherry-pick r270052. rdar://problem/72099688
Modified: branches/safari-610-branch/Source/_javascript_Core/assembler/AbstractMacroAssembler.h (270896 => 270897)
--- branches/safari-610-branch/Source/_javascript_Core/assembler/AbstractMacroAssembler.h 2020-12-16 18:23:34 UTC (rev 270896)
+++ branches/safari-610-branch/Source/_javascript_Core/assembler/AbstractMacroAssembler.h 2020-12-16 18:31:52 UTC (rev 270897)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -996,7 +996,7 @@
}
ALWAYS_INLINE void tagReturnAddress() { }
- ALWAYS_INLINE void untagReturnAddress() { }
+ ALWAYS_INLINE void untagReturnAddress(RegisterID = RegisterID::InvalidGPRReg) { }
ALWAYS_INLINE void tagPtr(PtrTag, RegisterID) { }
ALWAYS_INLINE void tagPtr(RegisterID, RegisterID) { }
@@ -1003,6 +1003,7 @@
ALWAYS_INLINE void untagPtr(PtrTag, RegisterID) { }
ALWAYS_INLINE void untagPtr(RegisterID, RegisterID) { }
ALWAYS_INLINE void removePtrTag(RegisterID) { }
+ ALWAYS_INLINE void validateUntaggedPtr(RegisterID, RegisterID = RegisterID::InvalidGPRReg) { }
protected:
AbstractMacroAssembler()
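Review bot: The no-op `validateUntaggedPtr` stub on the added line states nothing about the contract the ARM64E override fulfils, so a reader of the non-PAC build cannot tell what callers are relying on; suggest a comment above it: `// On PAC-enabled targets, probes the freshly untagged pointer so that a failed authentication faults here rather than at some later use; no-op elsewhere.` The default argument is spelled `RegisterID::InvalidGPRReg` here while the ARM64E override added in this same commit uses `InvalidGPR`; presumably both name the same sentinel, but it is worth confirming so the base and override defaults stay in agreement. The same applies to the default on `untagReturnAddress` in the previous hunk. The enclosing class starts and ends outside the hunk.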
Modified: branches/safari-610-branch/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h (270896 => 270897)
--- branches/safari-610-branch/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h 2020-12-16 18:23:34 UTC (rev 270896)
+++ branches/safari-610-branch/Source/_javascript_Core/assembler/MacroAssemblerARM64E.h 2020-12-16 18:31:52 UTC (rev 270897)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2018-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -47,9 +47,10 @@
tagPtr(ARM64Registers::sp, ARM64Registers::lr);
}
- ALWAYS_INLINE void untagReturnAddress()
+ ALWAYS_INLINE void untagReturnAddress(RegisterID scratch = InvalidGPR)
{
untagPtr(ARM64Registers::sp, ARM64Registers::lr);
+ validateUntaggedPtr(ARM64Registers::lr, scratch);
}
ALWAYS_INLINE void tagPtr(PtrTag tag, RegisterID target)
@@ -75,6 +76,13 @@
m_assembler.autib(target, tagGPR);
}
+ ALWAYS_INLINE void validateUntaggedPtr(RegisterID target, RegisterID scratch = InvalidGPR)
+ {
+ if (scratch == InvalidGPR)
+ scratch = getCachedDataTempRegisterIDAndInvalidate();
+ load8(Address(target), scratch);
+ }
+
ALWAYS_INLINE void untagPtr(RegisterID tag, RegisterID target)
{
m_assembler.autib(target, tag);
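Review bot: `validateUntaggedPtr` on the added lines has two effects a caller cannot see from the signature: with the default `scratch` it calls `getCachedDataTempRegisterIDAndInvalidate()`, so the data temp register is clobbered and its cached contents invalidated, and when `scratch` aliases `target` (as `emitPointerValidation` in ThunkGenerators.cpp now does) the `load8` overwrites the very pointer being validated. Suggest a comment above the function: `// Loads one byte through target so that an autib failure faults now. The default scratch clobbers the cached data temp register; scratch may alias target, in which case target is destroyed.` The loaded byte is never consumed, which is also worth stating so a later cleanup does not drop the `load8` as dead code and silently lose the hardening. The enclosing class starts and ends outside the hunk.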
Modified: branches/safari-610-branch/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp (270896 => 270897)
--- branches/safari-610-branch/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp 2020-12-16 18:23:34 UTC (rev 270896)
+++ branches/safari-610-branch/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp 2020-12-16 18:31:52 UTC (rev 270897)
@@ -284,6 +284,7 @@
jit.addPtr(AssemblyHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::callFrameRegister, GPRInfo::regT2);
jit.untagPtr(GPRInfo::regT2, GPRInfo::regT3);
jit.addPtr(AssemblyHelpers::TrustedImm32(inlineCallFrame->returnPCOffset() + sizeof(void*)), GPRInfo::callFrameRegister, GPRInfo::regT2);
+ jit.validateUntaggedPtr(GPRInfo::regT3, GPRInfo::nonArgGPR0);
jit.tagPtr(GPRInfo::regT2, GPRInfo::regT3);
#endif
jit.storePtr(GPRInfo::regT3, AssemblyHelpers::addressForByteOffset(inlineCallFrame->returnPCOffset()));
Modified: branches/safari-610-branch/Source/_javascript_Core/ftl/FTLThunks.cpp (270896 => 270897)
--- branches/safari-610-branch/Source/_javascript_Core/ftl/FTLThunks.cpp 2020-12-16 18:23:34 UTC (rev 270896)
+++ branches/safari-610-branch/Source/_javascript_Core/ftl/FTLThunks.cpp 2020-12-16 18:31:52 UTC (rev 270897)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -117,6 +117,7 @@
#if CPU(ARM64E)
jit.untagPtr(resultTag, AssemblyHelpers::linkRegister);
+ jit.validateUntaggedPtr(AssemblyHelpers::linkRegister);
jit.tagReturnAddress();
#else
UNUSED_PARAM(resultTag);
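Review bot: `jit.validateUntaggedPtr(AssemblyHelpers::linkRegister)` relies on the default scratch, which the ARM64E implementation takes from `getCachedDataTempRegisterIDAndInvalidate()`; the call in CallFrameShuffler::prepareForTailCall makes the same implicit choice. Both sites are presumably safe because nothing live is held in the data temp register at that point, but the dependency is invisible at the call site, whereas CCallHelpers::prepareForTailCallSlow and DFG reifyInlinedCallFrames pass an explicit scratch. Suggest either passing the scratch explicitly or adding `// default scratch: clobbers the cached data temp register` so the register budget of the thunk is documented. The enclosing function starts and ends outside the hunk.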
Modified: branches/safari-610-branch/Source/_javascript_Core/jit/CCallHelpers.h (270896 => 270897)
--- branches/safari-610-branch/Source/_javascript_Core/jit/CCallHelpers.h 2020-12-16 18:23:34 UTC (rev 270896)
+++ branches/safari-610-branch/Source/_javascript_Core/jit/CCallHelpers.h 2020-12-16 18:31:52 UTC (rev 270897)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -782,6 +782,7 @@
#if CPU(ARM64E)
addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), MacroAssembler::framePointerRegister, tempGPR);
untagPtr(tempGPR, linkRegister);
+ validateUntaggedPtr(linkRegister, tempGPR);
#endif
#elif CPU(MIPS)
loadPtr(Address(framePointerRegister, sizeof(void*)), returnAddressRegister);
Modified: branches/safari-610-branch/Source/_javascript_Core/jit/CallFrameShuffler.cpp (270896 => 270897)
--- branches/safari-610-branch/Source/_javascript_Core/jit/CallFrameShuffler.cpp 2020-12-16 18:23:34 UTC (rev 270896)
+++ branches/safari-610-branch/Source/_javascript_Core/jit/CallFrameShuffler.cpp 2020-12-16 18:31:52 UTC (rev 270897)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -446,6 +446,7 @@
m_jit.addPtr(MacroAssembler::TrustedImm32(sizeof(CallerFrameAndPC)), MacroAssembler::framePointerRegister);
m_jit.untagPtr(MacroAssembler::framePointerRegister, MacroAssembler::linkRegister);
m_jit.subPtr(MacroAssembler::TrustedImm32(sizeof(CallerFrameAndPC)), MacroAssembler::framePointerRegister);
+ m_jit.validateUntaggedPtr(MacroAssembler::linkRegister);
#endif
#elif CPU(MIPS)
Modified: branches/safari-610-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp (270896 => 270897)
--- branches/safari-610-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp 2020-12-16 18:23:34 UTC (rev 270896)
+++ branches/safari-610-branch/Source/_javascript_Core/jit/ThunkGenerators.cpp 2020-12-16 18:31:52 UTC (rev 270897)
@@ -49,7 +49,7 @@
isNonZero.link(&jit);
jit.pushToSave(pointerGPR);
jit.untagPtr(tag, pointerGPR);
- jit.load8(pointerGPR, pointerGPR);
+ jit.validateUntaggedPtr(pointerGPR, pointerGPR);
jit.popToRestore(pointerGPR);
}
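Review bot: Replacing `jit.load8(pointerGPR, pointerGPR)` with `jit.validateUntaggedPtr(pointerGPR, pointerGPR)` passes the same register as target and scratch, so the probe byte lands in `pointerGPR` and the untagged pointer is lost; that is harmless only because of the surrounding `pushToSave`/`popToRestore`. Suggest `// scratch == pointerGPR is fine: the register is restored by popToRestore below.` so the aliasing reads as intentional rather than as an oversight. The enclosing function starts outside the hunk.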
@@ -394,6 +394,7 @@
jit.loadPtr(JSInterfaceJIT::Address(GPRInfo::callFrameRegister, CallFrame::returnPCOffset()), GPRInfo::regT3);
jit.addPtr(JSInterfaceJIT::TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::callFrameRegister, extraTemp);
jit.untagPtr(extraTemp, GPRInfo::regT3);
+ jit.validateUntaggedPtr(GPRInfo::regT3, extraTemp);
PtrTag tempReturnPCTag = static_cast<PtrTag>(random());
jit.move(JSInterfaceJIT::TrustedImmPtr(tempReturnPCTag), extraTemp);
jit.tagPtr(extraTemp, GPRInfo::regT3);
@@ -450,6 +451,7 @@
jit.loadPtr(JSInterfaceJIT::Address(GPRInfo::callFrameRegister, CallFrame::returnPCOffset()), GPRInfo::regT3);
jit.move(JSInterfaceJIT::TrustedImmPtr(tempReturnPCTag), extraTemp);
jit.untagPtr(extraTemp, GPRInfo::regT3);
+ jit.validateUntaggedPtr(GPRInfo::regT3, extraTemp);
jit.addPtr(JSInterfaceJIT::TrustedImm32(sizeof(CallerFrameAndPC)), GPRInfo::callFrameRegister, extraTemp);
jit.tagPtr(extraTemp, GPRInfo::regT3);
jit.storePtr(GPRInfo::regT3, JSInterfaceJIT::Address(GPRInfo::callFrameRegister, CallFrame::returnPCOffset()));
Modified: branches/safari-610-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp (270896 => 270897)
--- branches/safari-610-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2020-12-16 18:23:34 UTC (rev 270896)
+++ branches/safari-610-branch/Source/_javascript_Core/wasm/js/WebAssemblyFunction.cpp 2020-12-16 18:31:52 UTC (rev 270897)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -414,7 +414,7 @@
jit.move(CCallHelpers::TrustedImmPtr(this), GPRInfo::regT0);
jit.emitFunctionEpilogue();
#if CPU(ARM64E)
- jit.untagReturnAddress();
+ jit.untagReturnAddress(scratchGPR);
#endif
auto jumpToHostCallThunk = jit.jump();