Reenable Gigacage on ARM64.
https://bugs.webkit.org/show_bug.cgi?id=198453
Reviewed by Michael Saboff.
Source/bmalloc:
Source/JavaScriptCore:
This patch adds back Gigacaging on Apple's ARM64 ports. Unlike the
old Gigacage, however, arm64e uses both Gigacaging and PAC. In
order to ensure the PAC bits are not stripped in the caging
process we use the bit field insert instruction to take the low
bits from caging and the high bits from the PAC authentication.
- assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::bitFieldInsert64):
- assembler/MacroAssemblerARM64E.h:
- assembler/testmasm.cpp:
(JSC::testCagePreservesPACFailureBit):
(JSC::run):
- dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::caged):
(JSC::AssemblyHelpers::cageWithoutUntaging):
(JSC::AssemblyHelpers::cageConditionally):
(JSC::AssemblyHelpers::cage): Deleted.
- jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
- llint/LowLevelInterpreter.asm:
- llint/LowLevelInterpreter64.asm:
- offlineasm/arm64.rb:
- offlineasm/instructions.rb:
- offlineasm/registers.rb:
- wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::AirIRGenerator::addCallIndirect):
- wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
(JSC::Wasm::wasmToWasm):
(JSC::Wasm::createJSToWasmWrapper):
- wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
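The commit message describes the arm64e cage as "take the low bits from caging and the high bits from the PAC authentication" via a bit field insert, and the new testmasm case `testCagePreservesPACFailureBit` checks the property that matters for security: a pointer that has already failed authentication must still be poisoned after it is caged. The C model below is an added illustration of that scheme and is not JavaScriptCore code. Everything it assumes is labelled in the source: a 39-bit address / 25-bit PAC split, a 2^32-byte cage at a constructed base, a toy keyed hash standing in for the hardware PAC, and bit 62 standing in for the error code the authenticate instructions leave in a failed pointer.

```c
/* Added illustration of the caging scheme described above; this is not
 * JavaScriptCore code. The PAC below is a toy stand-in for the hardware
 * (constructed for this example), and the layout constants are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed split: low 39 bits are address, the top 25 bits hold the PAC. */
#define ADDRESS_BITS 39u
#define PAC_BITS     (64u - ADDRESS_BITS)
#define ADDRESS_MASK ((1ULL << ADDRESS_BITS) - 1)

/* Assumed cage: 2^32 bytes at a 2^32-aligned base inside the address space. */
#define CAGE_BITS 32u
#define CAGE_MASK ((1ULL << CAGE_BITS) - 1)
#define CAGE_BASE (0x20ULL << CAGE_BITS)   /* 0x20_0000_0000, constructed */

/* Stand-in for the error code the authenticate instructions leave in the high
 * bits of a pointer that fails the check; bit 62 is an assumption for the model. */
#define FAILURE_BIT (1ULL << 62)

/* bfi dst, src, #lsb, #width: copy the low `width` bits of src into dst at
 * `lsb`, leaving every other bit of dst untouched. */
static uint64_t bfi64(uint64_t dst, uint64_t src, unsigned lsb, unsigned width) {
    uint64_t field = width >= 64 ? ~0ULL : (1ULL << width) - 1;
    return (dst & ~(field << lsb)) | ((src & field) << lsb);
}

/* Toy PAC: a keyed mix of the address truncated to PAC_BITS. Real hardware uses
 * a keyed block cipher; the forced low 1 bit only keeps the toy from ever
 * matching a stripped (all-zero) PAC field. */
static uint64_t toy_pac(uint64_t address, uint64_t key) {
    uint64_t x = (address ^ key) * 0x9E3779B97F4A7C15ULL;
    x ^= x >> 29;
    return (x >> ADDRESS_BITS) | 1ULL;
}

static uint64_t pac_sign(uint64_t address, uint64_t key) {
    address &= ADDRESS_MASK;
    return address | (toy_pac(address, key) << ADDRESS_BITS);
}

/* Authenticate: on success return the bare address; on failure return the
 * address with the failure marker set, so that a dereference would fault. */
static uint64_t pac_auth(uint64_t ptr, uint64_t key) {
    uint64_t address = ptr & ADDRESS_MASK;
    if ((ptr >> ADDRESS_BITS) == toy_pac(address, key))
        return address;
    return address | FAILURE_BIT;
}

static bool is_canonical(uint64_t ptr) {
    return (ptr >> ADDRESS_BITS) == 0;
}

/* The pre-arm64e cage: mask into the cage and add the base. Every bit above
 * CAGE_BITS is discarded, PAC field and failure marker included. */
static uint64_t cage_naive(uint64_t ptr) {
    return CAGE_BASE + (ptr & CAGE_MASK);
}

/* The arm64e cage: do the same mask/add into a copy, then insert only the low
 * ADDRESS_BITS of that result back into the original pointer. The high
 * PAC_BITS come from the original, so whatever authentication put there
 * (a valid PAC or a failure code) survives caging. */
static uint64_t cage_preserving_pac(uint64_t ptr) {
    uint64_t caged = CAGE_BASE + (ptr & CAGE_MASK);
    return bfi64(ptr, caged, 0, ADDRESS_BITS);
}

int main(void) {
    const uint64_t key = 0x0123456789ABCDEFULL;   /* constructed key */
    const uint64_t vector = CAGE_BASE + 0x1000;   /* in-cage storage pointer */
    uint64_t signed_ptr = pac_sign(vector, key);

    /* Caging a signed in-cage pointer must leave it authenticatable. */
    printf("naive cage then auth: %s\n",
           is_canonical(pac_auth(cage_naive(signed_ptr), key)) ? "ok" : "FAULT");
    printf("bfi cage then auth:   %s\n",
           is_canonical(pac_auth(cage_preserving_pac(signed_ptr), key)) ? "ok" : "FAULT");

    /* A pointer that already failed authentication must stay poisoned. */
    uint64_t failed = vector | FAILURE_BIT;       /* as a failed auth leaves it */
    printf("naive cage keeps failure bit: %s\n",
           is_canonical(cage_naive(failed)) ? "no" : "yes");
    printf("bfi cage keeps failure bit:   %s\n",
           is_canonical(cage_preserving_pac(failed)) ? "no" : "yes");
    return 0;
}
```

The two failure modes the insert avoids are visible in the naive path: a valid signature is masked off, so an honest pointer can no longer authenticate, and a failure code is masked off, so a forged pointer that the hardware had already rejected turns back into a plausible in-cage address. Note that `cage_preserving_pac` still rebases an out-of-cage address into the cage; the high bits then carry a PAC computed for the old address, which is exactly what a later authentication is meant to catch.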