Ignore:
Timestamp:
Oct 7, 2020, 9:18:58 PM (5 years ago)
Author:
[email protected]
Message:

[JSC] Restrict more ptr-tagging and avoid using OperationPtrTag for JIT code
https://bugs.webkit.org/show_bug.cgi?id=217460

Reviewed by Saam Barati.

Source/JavaScriptCore:

This patch makes tagging / untagging pointer functions solid by using PtrTag in template parameter.
Later, we will introduce compile time behavior change for different kind of PtrTag so that we can insert OperationPtrTag validation
when tagging a function with OperationPtrTag.

We also found that FTL is tagging JIT code with OperationPtrTag wrongly. We should tag it with JITThunkPtrTag.

  • assembler/AbstractMacroAssembler.h:

(JSC::AbstractMacroAssembler::getLinkerAddress):

  • assembler/AssemblerBuffer.h:

(JSC::ARM64EHash::update):
(JSC::ARM64EHash::finalHash const):

  • assembler/JITOperationList.cpp:

(JSC::addPointers):

  • assembler/MacroAssemblerARM64.cpp:

(JSC::MacroAssembler::probe):

  • assembler/MacroAssemblerCodeRef.h:

(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress):

  • assembler/testmasm.cpp:

(JSC::testProbeModifiesProgramCounter):

  • b3/air/testair.cpp:
  • ftl/FTLOutput.h:

(JSC::FTL::Output::callWithoutSideEffects):
(JSC::FTL::Output::operation):

  • ftl/FTLSlowPathCall.cpp:

(JSC::FTL::SlowPathCallContext::makeCall):

  • jit/JITCode.cpp:

(JSC::JITCodeWithCodeRef::executableAddressAtOffset):

  • jit/JITExceptions.cpp:

(JSC::genericUnwind):

  • jit/JITOperations.cpp:
  • jit/Repatch.cpp:

(JSC::readPutICCallTarget):
(JSC::ftlThunkAwareRepatchCall):
(JSC::tryCacheGetBy):
(JSC::tryCachePutByID):

  • llint/LLIntData.cpp:

(JSC::LLInt::initialize):

  • llint/LLIntPCRanges.h:

(JSC::LLInt::isLLIntPC):

  • llint/LLIntSlowPaths.cpp:

(JSC::LLInt::setUpCall):

  • llint/LLIntThunks.cpp:

(JSC::LLInt::generateThunkWithJumpTo):

  • runtime/MachineContext.h:

(JSC::MachineContext::instructionPointer):

  • runtime/NativeExecutable.cpp:

(JSC::NativeExecutable::finishCreation):

  • runtime/PutPropertySlot.h:

(JSC::PutPropertySlot::setCustomValue):
(JSC::PutPropertySlot::setCustomAccessor):
(JSC::PutPropertySlot::customSetter const):

  • wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::emitCCall):

  • wasm/WasmSlowPaths.cpp:

Source/WTF:

  • wtf/PlatformRegisters.cpp:

(WTF::threadStateLRInternal):
(WTF::threadStatePCInternal):

  • wtf/PtrTag.h:

(WTF::tagCFunctionPtr):
(WTF::tagCFunction):
(WTF::untagCFunctionPtr):
(WTF::tagInt):
(WTF::isTaggedWith):
(WTF::assertIsTaggedWith):
(WTF::assertIsNullOrTaggedWith):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/jit/Repatch.cpp

    r267489 r268170  
    7474static FunctionPtr<CFunctionPtrTag> readPutICCallTarget(CodeBlock* codeBlock, CodeLocationCall<JSInternalPtrTag> call)
    7575{
    76     FunctionPtr<OperationPtrTag> target = MacroAssembler::readCallTarget<OperationPtrTag>(call);
    7776#if ENABLE(FTL_JIT)
    7877    if (codeBlock->jitType() == JITType::FTLJIT) {
    79         MacroAssemblerCodePtr<JITThunkPtrTag> thunk = MacroAssemblerCodePtr<OperationPtrTag>::createFromExecutableAddress(target.executableAddress()).retagged<JITThunkPtrTag>();
     78        FunctionPtr<JITThunkPtrTag> target = MacroAssembler::readCallTarget<JITThunkPtrTag>(call);
     79        MacroAssemblerCodePtr<JITThunkPtrTag> thunk = MacroAssemblerCodePtr<JITThunkPtrTag>::createFromExecutableAddress(target.executableAddress());
    8080        return codeBlock->vm().ftlThunks->keyForSlowPathCallThunk(thunk).callTarget().retagged<CFunctionPtrTag>();
    8181    }
     
    8383    UNUSED_PARAM(codeBlock);
    8484#endif // ENABLE(FTL_JIT)
     85    FunctionPtr<OperationPtrTag> target = MacroAssembler::readCallTarget<OperationPtrTag>(call);
    8586    return target.retagged<CFunctionPtrTag>();
    8687}
     
    9293        VM& vm = codeBlock->vm();
    9394        FTL::Thunks& thunks = *vm.ftlThunks;
    94         FunctionPtr<OperationPtrTag> target = MacroAssembler::readCallTarget<OperationPtrTag>(call);
    95         auto slowPathThunk = MacroAssemblerCodePtr<JITThunkPtrTag>::createFromExecutableAddress(target.retaggedExecutableAddress<JITThunkPtrTag>());
     95        FunctionPtr<JITThunkPtrTag> target = MacroAssembler::readCallTarget<JITThunkPtrTag>(call);
     96        auto slowPathThunk = MacroAssemblerCodePtr<JITThunkPtrTag>::createFromExecutableAddress(target.executableAddress());
    9697        FTL::SlowPathCallKey key = thunks.keyForSlowPathCallThunk(slowPathThunk);
    9798        key = key.withCallTarget(newCalleeFunction);
     
    406407                    newCase = GetterSetterAccessCase::create(
    407408                        vm, codeBlock, type, propertyName, offset, structure, conditionSet, loadTargetFromProxy,
    408                         slot.watchpointSet(), slot.isCacheableCustom() ? slot.customGetter() : nullptr,
     409                        slot.watchpointSet(), slot.isCacheableCustom() ? FunctionPtr<OperationPtrTag>(slot.customGetter()) : nullptr,
    409410                        slot.isCacheableCustom() && slot.slotBase() != baseValue ? slot.slotBase() : nullptr,
    410411                        domAttribute, WTFMove(prototypeAccessChain));
     
    742743                newCase = GetterSetterAccessCase::create(
    743744                    vm, codeBlock, slot.isCustomAccessor() ? AccessCase::CustomAccessorSetter : AccessCase::CustomValueSetter, oldStructure, propertyName,
    744                     invalidOffset, conditionSet, WTFMove(prototypeAccessChain), isProxy, slot.customSetter(), slot.base() != baseValue ? slot.base() : nullptr);
     745                    invalidOffset, conditionSet, WTFMove(prototypeAccessChain), isProxy, slot.customSetter().retagged<OperationPtrTag>(), slot.base() != baseValue ? slot.base() : nullptr);
    745746            } else {
    746747                ASSERT(slot.isCacheableSetter());
Note: See TracChangeset for help on using the changeset viewer.