Modified: trunk/Source/_javascript_Core/ChangeLog (271278 => 271279)
--- trunk/Source/_javascript_Core/ChangeLog 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,3 +1,42 @@
+2021-01-07 Mark Lam <[email protected]>
+
+ Work around Clang bug in __builtin_return_address().
+ https://bugs.webkit.org/show_bug.cgi?id=220432
+ rdar://71648468
+
+ Reviewed by Yusuke Suzuki.
+
+ Clang's __builtin_return_address() currently sometimes returns a PAC signed pointer
+ and sometimes not. This patch works around that by always ensuring that the pointer
+ is not signed.
+
+ Also changed the ReturnAddressPtr to store a signed pointer.
+
+ * assembler/MacroAssemblerCodeRef.h:
+ (JSC::ReturnAddressPtr::ReturnAddressPtr):
+ (JSC::ReturnAddressPtr::untaggedValue const):
+ (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+ * interpreter/AbstractPC.h:
+ (JSC::AbstractPC::AbstractPC):
+ * interpreter/CallFrame.h:
+ * jit/JIT.cpp:
+ (JSC::ctiPatchCallByReturnAddress):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::privateCompileHasIndexedProperty):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::privateCompileHasIndexedProperty):
+ * jit/JITOperations.cpp:
+ (JSC::JSC_DEFINE_JIT_OPERATION):
+ (JSC::unprofiledMul): Deleted.
+ (JSC::profiledMul): Deleted.
+ (JSC::unprofiledSub): Deleted.
+ (JSC::profiledSub): Deleted.
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::privateCompilePutByVal):
+ (JSC::JIT::privateCompilePutPrivateNameWithCachedId):
+ (JSC::JIT::privateCompilePutByValWithCachedId):
+ * runtime/JSCPtrTag.h:
+
2021-01-07 Alexey Shvayka <[email protected]>
[JSC] Simplify get*PropertyNames() methods and EnumerationMode
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h (271278 => 271279)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerCodeRef.h 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -234,9 +234,13 @@
public:
ReturnAddressPtr() { }
- explicit ReturnAddressPtr(const void* value)
- : m_value(value)
+ explicit ReturnAddressPtr(const void* returnAddress)
{
+#if CPU(ARM64E)
+ assertIsNotTagged(returnAddress);
+ returnAddress = retagCodePtr<NoPtrTag, ReturnAddressPtrTag>(returnAddress);
+#endif
+ m_value = returnAddress;
ASSERT_VALID_CODE_POINTER(m_value);
}
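Review bot: The constructor now depends on every caller having already stripped the Clang-signed return address, but `assertIsNotTagged(returnAddress)` is the only check and it appears to be a debug-only assertion, so in a release build a still-signed input would be re-signed under ReturnAddressPtrTag and every later retag/untag would yield an unusable pointer. That precondition is not stated anywhere in the class; I would add above the constructor `// Precondition: returnAddress carries no PAC signature (callers strip __builtin_return_address(0) first).` and `// On ARM64E the stored m_value is signed with ReturnAddressPtrTag; use untaggedValue() for the raw address.` The ReturnAddressPtr class itself begins and ends outside this hunk, so I cannot see whether its other members (e.g. the default constructor leaving m_value unset) are documented.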
@@ -245,6 +249,11 @@
return m_value;
}
+ const void* untaggedValue() const
+ {
+ return untagCodePtr<ReturnAddressPtrTag>(m_value);
+ }
+
void dump(PrintStream& out) const
{
out.print(RawPointer(m_value));
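Review bot: `dump()` still prints `RawPointer(m_value)`, which on ARM64E is now the signed value, while every `%p` site in the JIT files was switched to `untaggedValue()`; for consistent diagnostics it should be `out.print(RawPointer(untaggedValue()));`. The new `untaggedValue()` accessor also has no comment distinguishing it from `value()`; a one-liner such as `// Strips the ReturnAddressPtrTag signature (no-op where pointer tagging is off); use for printing and for comparisons against raw addresses.` would save the next reader from guessing which one to call. The `value()` accessor whose body closes at the top of this hunk starts outside it.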
@@ -297,10 +306,9 @@
}
explicit MacroAssemblerCodePtr(ReturnAddressPtr ra)
- : m_value(tagCodePtr<tag>(ra.value()))
+ : m_value(retagCodePtr<ReturnAddressPtrTag, tag>(ra.value()))
{
- assertIsNotTagged(ra.value());
- ASSERT(ra.value());
+ ASSERT(ra.untaggedValue());
ASSERT_VALID_CODE_POINTER(m_value);
}
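Review bot: Dropping `assertIsNotTagged(ra.value())` leaves this conversion with no check that the incoming ReturnAddressPtr really carries the tag it is about to retag from, whereas the parallel AbstractPC constructor in this same patch adds `assertIsTaggedWith<ReturnAddressPtrTag>(m_pointer)`; for consistency I would add `assertIsTaggedWith<ReturnAddressPtrTag>(ra.value());` before the `ASSERT(ra.untaggedValue())` line. The `ASSERT(ra.untaggedValue())` that replaces `ASSERT(ra.value())` is the right null check now that value() is signed, though a short comment saying so would help since the two reads look interchangeable.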
Modified: trunk/Source/_javascript_Core/interpreter/AbstractPC.h (271278 => 271279)
--- trunk/Source/_javascript_Core/interpreter/AbstractPC.h 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/_javascript_Core/interpreter/AbstractPC.h 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -47,6 +47,7 @@
: m_pointer(ptr.value())
, m_mode(JIT)
{
+ assertIsTaggedWith<ReturnAddressPtrTag>(m_pointer);
}
bool hasJITReturnAddress() const { return m_mode == JIT; }
Modified: trunk/Source/_javascript_Core/interpreter/CallFrame.h (271278 => 271279)
--- trunk/Source/_javascript_Core/interpreter/CallFrame.h 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/_javascript_Core/interpreter/CallFrame.h 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,7 +1,7 @@
/*
* Copyright (C) 1999-2001 Harri Porten ([email protected])
* Copyright (C) 2001 Peter Kelly ([email protected])
- * Copyright (C) 2003-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2021 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -318,6 +318,8 @@
JS_EXPORT_PRIVATE bool isFromJSCode(void* returnAddress);
#if USE(BUILTIN_FRAME_ADDRESS)
+// FIXME (see rdar://72897291): Work around a Clang bug where __builtin_return_address()
+// sometimes gives us a signed pointer, and sometimes does not.
#define DECLARE_CALL_FRAME(vm) \
({ \
ASSERT(JSC::isFromJSCode(removeCodePtrTag<void*>(__builtin_return_address(0)))); \
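Review bot: The same two-line FIXME and the same `removeCodePtrTag(__builtin_return_address(0))` workaround are now duplicated here, in the `OUR_RETURN_ADDRESS` macro, and at the two `returnPC` sites in JITOperations.cpp (plus a ptrauth_strip variant in PluginProcessShim.mm), which makes the eventual removal once the Clang bug is fixed a five-place hunt. A single helper in JSCPtrTag.h or PtrTag.h that wraps the builtin and carries the FIXME once (name illustrative, e.g. `stripped_builtin_return_address()`) would let the callers read as plain intent; the shim is the documented exception since it avoids config.h. This hunk also mixes `removeCodePtrTag<void*>(...)` here with the deduced `removeCodePtrTag(...)` form in JITOperations.cpp, which is worth unifying while at it. The DECLARE_CALL_FRAME macro continues past the end of this hunk, so I cannot see whether the non-assert path also strips the pointer.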
Modified: trunk/Source/_javascript_Core/jit/JIT.cpp (271278 => 271279)
--- trunk/Source/_javascript_Core/jit/JIT.cpp 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/_javascript_Core/jit/JIT.cpp 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -63,7 +63,7 @@
void ctiPatchCallByReturnAddress(ReturnAddressPtr returnAddress, FunctionPtr<CFunctionPtrTag> newCalleeFunction)
{
MacroAssembler::repatchCall(
- CodeLocationCall<NoPtrTag>(MacroAssemblerCodePtr<NoPtrTag>(returnAddress)),
+ CodeLocationCall<ReturnAddressPtrTag>(MacroAssemblerCodePtr<ReturnAddressPtrTag>(returnAddress)),
newCalleeFunction.retagged<OperationPtrTag>());
}
Modified: trunk/Source/_javascript_Core/jit/JITOpcodes.cpp (271278 => 271279)
--- trunk/Source/_javascript_Core/jit/JITOpcodes.cpp 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes.cpp 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2021 Apple Inc. All rights reserved.
* Copyright (C) 2010 Patrick Gansterer <[email protected]>
*
* Redistribution and use in source and binary forms, with or without
@@ -1428,10 +1428,10 @@
byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
m_codeBlock, patchBuffer, JITStubRoutinePtrTag,
- "Baseline has_indexed_property stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.value());
+ "Baseline has_indexed_property stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.untaggedValue());
MacroAssembler::repatchJump(byValInfo->badTypeJump, CodeLocationLabel<JITStubRoutinePtrTag>(byValInfo->stubRoutine->code().code()));
- MacroAssembler::repatchCall(CodeLocationCall<NoPtrTag>(MacroAssemblerCodePtr<NoPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(operationHasIndexedPropertyGeneric));
+ MacroAssembler::repatchCall(CodeLocationCall<ReturnAddressPtrTag>(MacroAssemblerCodePtr<ReturnAddressPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(operationHasIndexedPropertyGeneric));
}
void JIT::emit_op_has_enumerable_indexed_property(const Instruction* currentInstruction)
Modified: trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp (271278 => 271279)
--- trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2021 Apple Inc. All rights reserved.
* Copyright (C) 2010 Patrick Gansterer <[email protected]>
*
* Redistribution and use in source and binary forms, with or without
@@ -1187,10 +1187,10 @@
byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
m_codeBlock, patchBuffer, JITStubRoutinePtrTag,
- "Baseline has_indexed_property stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.value());
+ "Baseline has_indexed_property stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.untaggedValue());
MacroAssembler::repatchJump(byValInfo->badTypeJump, CodeLocationLabel<JITStubRoutinePtrTag>(byValInfo->stubRoutine->code().code()));
- MacroAssembler::repatchCall(CodeLocationCall<NoPtrTag>(MacroAssemblerCodePtr<NoPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(operationHasIndexedPropertyGeneric));
+ MacroAssembler::repatchCall(CodeLocationCall<ReturnAddressPtrTag>(MacroAssemblerCodePtr<ReturnAddressPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(operationHasIndexedPropertyGeneric));
}
void JIT::emit_op_has_enumerable_indexed_property(const Instruction* currentInstruction)
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (271278 => 271279)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -86,7 +86,9 @@
#define OUR_RETURN_ADDRESS _ReturnAddress()
#else
-#define OUR_RETURN_ADDRESS __builtin_return_address(0)
+// FIXME (see rdar://72897291): Work around a Clang bug where __builtin_return_address()
+// sometimes gives us a signed pointer, and sometimes does not.
+#define OUR_RETURN_ADDRESS removeCodePtrTag(__builtin_return_address(0))
#endif
#if ENABLE(OPCODE_SAMPLING)
@@ -2947,6 +2949,9 @@
UNUSED_PARAM(scope);
#if COMPILER(GCC_COMPATIBLE)
void* returnPC = __builtin_return_address(0);
+ // FIXME (see rdar://72897291): Work around a Clang bug where __builtin_return_address()
+ // sometimes gives us a signed pointer, and sometimes does not.
+ returnPC = removeCodePtrTag(returnPC);
doExceptionFuzzing(globalObject, scope, "JITOperations", returnPC);
#endif // COMPILER(GCC_COMPATIBLE)
}
@@ -2960,6 +2965,9 @@
UNUSED_PARAM(scope);
#if COMPILER(GCC_COMPATIBLE)
void* returnPC = __builtin_return_address(0);
+ // FIXME (see rdar://72897291): Work around a Clang bug where __builtin_return_address()
+ // sometimes gives us a signed pointer, and sometimes does not.
+ returnPC = removeCodePtrTag(returnPC);
doExceptionFuzzing(callFrame->lexicalGlobalObject(vm), scope, "JITOperations", returnPC);
#endif // COMPILER(GCC_COMPATIBLE)
}
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (271278 => 271279)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -1513,15 +1513,15 @@
if (!isDirect) {
byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
m_codeBlock, patchBuffer, JITStubRoutinePtrTag,
- "Baseline put_by_val stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.value());
+ "Baseline put_by_val stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.untaggedValue());
} else {
byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
m_codeBlock, patchBuffer, JITStubRoutinePtrTag,
- "Baseline put_by_val_direct stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.value());
+ "Baseline put_by_val_direct stub for %s, return point %p", toCString(*m_codeBlock).data(), returnAddress.untaggedValue());
}
MacroAssembler::repatchJump(byValInfo->badTypeJump, CodeLocationLabel<JITStubRoutinePtrTag>(byValInfo->stubRoutine->code().code()));
- MacroAssembler::repatchCall(CodeLocationCall<NoPtrTag>(MacroAssemblerCodePtr<NoPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(isDirect ? operationDirectPutByValGeneric : operationPutByValGeneric));
+ MacroAssembler::repatchCall(CodeLocationCall<ReturnAddressPtrTag>(MacroAssemblerCodePtr<ReturnAddressPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(isDirect ? operationDirectPutByValGeneric : operationPutByValGeneric));
}
// This function is only consumed from another translation unit (JITOperations.cpp),
// so we list off the two expected specializations in advance.
@@ -1557,11 +1557,11 @@
byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
m_codeBlock, patchBuffer, JITStubRoutinePtrTag,
- "Baseline put_private_name with cached property name '%s' stub for %s, return point %p", propertyName.uid()->utf8().data(), toCString(*m_codeBlock).data(), returnAddress.value());
+ "Baseline put_private_name with cached property name '%s' stub for %s, return point %p", propertyName.uid()->utf8().data(), toCString(*m_codeBlock).data(), returnAddress.untaggedValue());
byValInfo->stubInfo = gen.stubInfo();
MacroAssembler::repatchJump(byValInfo->notIndexJump, CodeLocationLabel<JITStubRoutinePtrTag>(byValInfo->stubRoutine->code().code()));
- MacroAssembler::repatchCall(CodeLocationCall<NoPtrTag>(MacroAssemblerCodePtr<NoPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(operationPutPrivateNameGeneric));
+ MacroAssembler::repatchCall(CodeLocationCall<ReturnAddressPtrTag>(MacroAssemblerCodePtr<ReturnAddressPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(operationPutPrivateNameGeneric));
}
template<typename Op>
@@ -1595,11 +1595,11 @@
byValInfo->stubRoutine = FINALIZE_CODE_FOR_STUB(
m_codeBlock, patchBuffer, JITStubRoutinePtrTag,
- "Baseline put_by_val%s with cached property name '%s' stub for %s, return point %p", (putKind == PutKind::Direct) ? "_direct" : "", propertyName.uid()->utf8().data(), toCString(*m_codeBlock).data(), returnAddress.value());
+ "Baseline put_by_val%s with cached property name '%s' stub for %s, return point %p", (putKind == PutKind::Direct) ? "_direct" : "", propertyName.uid()->utf8().data(), toCString(*m_codeBlock).data(), returnAddress.untaggedValue());
byValInfo->stubInfo = gen.stubInfo();
MacroAssembler::repatchJump(byValInfo->notIndexJump, CodeLocationLabel<JITStubRoutinePtrTag>(byValInfo->stubRoutine->code().code()));
- MacroAssembler::repatchCall(CodeLocationCall<NoPtrTag>(MacroAssemblerCodePtr<NoPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(putKind == PutKind::Direct ? operationDirectPutByValGeneric : operationPutByValGeneric));
+ MacroAssembler::repatchCall(CodeLocationCall<ReturnAddressPtrTag>(MacroAssemblerCodePtr<ReturnAddressPtrTag>(returnAddress)), FunctionPtr<OperationPtrTag>(putKind == PutKind::Direct ? operationDirectPutByValGeneric : operationPutByValGeneric));
}
// This function is only consumed from another translation unit (JITOperations.cpp),
// so we list off the two expected specializations in advance.
Modified: trunk/Source/_javascript_Core/runtime/JSCPtrTag.h (271278 => 271279)
--- trunk/Source/_javascript_Core/runtime/JSCPtrTag.h 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/_javascript_Core/runtime/JSCPtrTag.h 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2018-2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2018-2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -59,6 +59,7 @@
v(JITProbeExecutorPtrTag, PtrTagCalleeType::Native, PtrTagCallerType::Native) \
v(JITProbePCPtrTag, PtrTagCalleeType::Native, PtrTagCallerType::Native) \
v(JITProbeStackInitializationFunctionPtrTag, PtrTagCalleeType::Native, PtrTagCallerType::Native) \
+ v(ReturnAddressPtrTag, PtrTagCalleeType::Native, PtrTagCallerType::Native) \
/* Callee:JIT Caller:Native */ \
v(NativeToJITGatePtrTag, PtrTagCalleeType::JIT, PtrTagCallerType::Native) \
v(YarrEntryPtrTag, PtrTagCalleeType::JIT, PtrTagCallerType::Native) \
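Review bot: `ReturnAddressPtrTag` is added to the `/* Callee:Native Caller:Native */` group, yet the pointers it signs are return points inside baseline JIT code (the addresses that `ctiPatchCallByReturnAddress` and the `privateCompile*` stubs repatch), so the `Callee:JIT Caller:Native` group just below looks like the closer description. If the callee/caller classification drives anything beyond documentation (I cannot tell from this hunk), that should be confirmed; if it is purely descriptive, a trailing comment such as `// Signs return addresses into JIT code captured by JIT operations.` on the new line would explain the placement either way.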
Modified: trunk/Source/WebKit/ChangeLog (271278 => 271279)
--- trunk/Source/WebKit/ChangeLog 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/WebKit/ChangeLog 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,3 +1,19 @@
+2021-01-07 Mark Lam <[email protected]>
+
+ Work around Clang bug in __builtin_return_address().
+ https://bugs.webkit.org/show_bug.cgi?id=220432
+ rdar://71648468
+
+ Reviewed by Yusuke Suzuki.
+
+ * PluginProcess/mac/PluginProcessShim.mm:
+ (WebKit::shimCFStringCompare):
+ - We go direct to ptrauth.h instead of using the WTF PtrTag abstraction because
+ this file appears to be going out of its way to avoid importing config.h.
+ Because of this, importing PtrTag.h results in a lot of build error complications.
+ Rather than jump thru many hoops to make importing PtrTag.h work and because all
+ we really want is only to use ptrauth_strip(), importing ptrauth.h is simpler.
+
2021-01-07 Peng Liu <[email protected]>
PlaybackSessionManager::m_clientCounts is not updated correctly when a video enters picture-in-picture from fullscreen
Modified: trunk/Source/WebKit/PluginProcess/mac/PluginProcessShim.mm (271278 => 271279)
--- trunk/Source/WebKit/PluginProcess/mac/PluginProcessShim.mm 2021-01-08 01:02:25 UTC (rev 271278)
+++ trunk/Source/WebKit/PluginProcess/mac/PluginProcessShim.mm 2021-01-08 01:36:47 UTC (rev 271279)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2010 Apple Inc. All rights reserved.
+ * Copyright (C) 2010-2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -40,6 +40,10 @@
#import <wtf/Compiler.h>
#import <wtf/spi/darwin/SandboxSPI.h>
+#if CPU(ARM64E)
+#import <ptrauth.h>
+#endif
+
namespace WebKit {
extern "C" void WebKitPluginProcessShimInitialize(const PluginProcessShimCallbacks& callbacks);
@@ -239,7 +243,13 @@
{
if (pluginProcessShimCallbacks.stringCompare) {
CFComparisonResult result;
- if (pluginProcessShimCallbacks.stringCompare(a, b, options, __builtin_return_address(0), result))
+ // FIXME (see rdar://72897291): Work around a Clang bug where __builtin_return_address()
+ // sometimes gives us a signed pointer, and sometimes does not.
+ void* returnAddress = __builtin_return_address(0);
+#if CPU(ARM64E)
+ returnAddress = ptrauth_strip(returnAddress, ptrauth_key_process_dependent_code);
+#endif
+ if (pluginProcessShimCallbacks.stringCompare(a, b, options, returnAddress, result))
return result;
}
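Review bot: `ptrauth_strip(returnAddress, ptrauth_key_process_dependent_code)` uses the key by its raw name, whereas ptrauth.h provides `ptrauth_key_return_address` as the self-documenting alias for the key return addresses are signed with; `returnAddress = ptrauth_strip(returnAddress, ptrauth_key_return_address);` states the intent and survives any future change of which key that alias maps to. Note also that strip removes the signature without authenticating it, so a corrupted value is passed through unverified; that is acceptable here only because, as far as this hunk shows, the address is forwarded to the `stringCompare` callback as an opaque identifier and never branched to, and a short comment saying so would prevent someone later reusing the pattern for a pointer that is actually dereferenced. The enclosing shimCFStringCompare function begins outside this hunk.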