Timestamp:
Nov 3, 2020, 6:31:56 PM
Author:
[email protected]
Message:

[JSC] Add JITCage support
https://bugs.webkit.org/show_bug.cgi?id=218143

Reviewed by Saam Barati.

Source/JavaScriptCore:

Towards software verified JIT, this patch adds partial JIT-Caging support which cages JIT calls / jumps in a certain format.
This is currently only enabled when the internal SDK is enabled. And it is only enabled on ARM64E for now.
Currently, this patch does not have CSS JIT support. A subsequent patch will add it.
We ensured that JS2 and RAMification are neutral.

  • CMakeLists.txt:
  • JavaScriptCore.xcodeproj/project.pbxproj:
  • assembler/JITOperationList.cpp:

(JSC::addPointers):
(JSC::JITOperationList::populatePointersInJavaScriptCoreForLLInt):

  • assembler/JITOperationList.h:

(JSC::JITOperationList::map const):
(JSC::JITOperationList::assertIsHostFunction):
(JSC::JITOperationList::assertIsJITOperation):
(JSC::JITOperationList::contains const): Deleted.

  • assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::farJump):

  • assembler/MacroAssemblerARM64E.h:

(JSC::MacroAssemblerARM64E::callTrustedPtr):
(JSC::MacroAssemblerARM64E::call):
(JSC::MacroAssemblerARM64E::callRegister):
(JSC::MacroAssemblerARM64E::farJumpRegister):
(JSC::MacroAssemblerARM64E::farJump):
(JSC::MacroAssemblerARM64E::ret):

  • assembler/MacroAssemblerARMv7.h:

(JSC::MacroAssemblerARMv7::farJump):

  • assembler/MacroAssemblerMIPS.h:

(JSC::MacroAssemblerMIPS::farJump):

  • assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::farJump):

  • bytecode/BytecodeList.rb:
  • dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

  • dfg/DFGOSRExitCompilerCommon.cpp:

(JSC::DFG::callerReturnPC):
(JSC::DFG::adjustAndJumpToTarget):

  • dfg/DFGOSRExitCompilerCommon.h:
  • jit/ExecutableAllocator.cpp:

(JSC::ExecutableAllocator::setJITEnabled):
(JSC::initializeJITPageReservation):

  • jit/GPRInfo.h:
  • jit/PolymorphicCallStubRoutine.cpp:

(JSC::PolymorphicCallNode::unlink):

  • jit/ThunkGenerators.cpp:

(JSC::emitPointerValidation):

  • llint/LLIntData.cpp:

(JSC::LLInt::initialize):

  • llint/LLIntData.h:

(JSC::LLInt::getOpcode):
(JSC::LLInt::getOpcodeWide16):
(JSC::LLInt::getOpcodeWide32):
(JSC::LLInt::getCodePtr):
(JSC::LLInt::getWide16CodePtr):
(JSC::LLInt::getWide32CodePtr):
(JSC::LLInt::getCodeFunctionPtr):
(JSC::LLInt::getWide16CodeFunctionPtr):
(JSC::LLInt::getWide32CodeFunctionPtr):

  • llint/LLIntEntrypoint.cpp:

(JSC::LLInt::entrypointTrampoline):
(JSC::LLInt::setFunctionEntrypoint):
(JSC::LLInt::setEvalEntrypoint):
(JSC::LLInt::setProgramEntrypoint):
(JSC::LLInt::setModuleProgramEntrypoint):
(JSC::LLInt::getHostCallReturnValueEntrypoint):
(JSC::LLInt::fuzzerReturnEarlyFromLoopHintEntrypoint):
(JSC::LLInt::genericReturnPointEntrypoint):

  • llint/LLIntEntrypoint.h:
  • llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::commonCallEval):
(JSC::LLInt::dispatchToNextInstruction):

  • llint/LLIntThunks.cpp:

(JSC::LLInt::generateThunkWithJumpTo):
(JSC::LLInt::generateThunkWithJumpToPrologue):
(JSC::LLInt::generateThunkWithJumpToLLIntReturnPoint):
(JSC::LLInt::functionForCallEntryThunk):
(JSC::LLInt::functionForConstructEntryThunk):
(JSC::LLInt::functionForCallArityCheckThunk):
(JSC::LLInt::functionForConstructArityCheckThunk):
(JSC::LLInt::evalEntryThunk):
(JSC::LLInt::programEntryThunk):
(JSC::LLInt::moduleProgramEntryThunk):
(JSC::LLInt::wasmFunctionEntryThunk):
(JSC::LLInt::handleCatchThunk):
(JSC::LLInt::genericReturnPointThunk):
(JSC::LLInt::fuzzerReturnEarlyFromLoopHintThunk):
(JSC::LLInt::createJSGateThunk):
(JSC::LLInt::createWasmGateThunk):
(JSC::LLInt::createTailCallGate):
(JSC::LLInt::loopOSREntryGateThunk):
(JSC::LLInt::entryOSREntryGateThunk):
(JSC::LLInt::wasmOSREntryGateThunk):
(JSC::LLInt::exceptionHandlerGateThunk):
(JSC::LLInt::returnFromLLIntGateThunk):
(JSC::LLInt::tagGateThunk):
(JSC::LLInt::untagGateThunk):
(JSC::LLInt::jitCagePtrThunk):
(JSC::LLInt::normalOSRExitTrampolineThunk):
(JSC::LLInt::checkpointOSRExitTrampolineThunk):
(JSC::LLInt::checkpointOSRExitFromInlinedCallTrampolineThunk):
(JSC::LLInt::returnLocationThunk):

  • llint/LLIntThunks.h:
  • llint/LowLevelInterpreter.asm:
  • llint/LowLevelInterpreter32_64.asm:
  • llint/LowLevelInterpreter64.asm:
  • llint/WebAssembly.asm:
  • offlineasm/arm64.rb:
  • offlineasm/mips.rb:
  • runtime/Gate.h: Added.
  • runtime/JSCConfig.h:
  • runtime/JSCPtrTag.cpp:

(JSC::tagForPtr):
(JSC::callerType):
(JSC::calleeType):

  • runtime/JSCPtrTag.h:

(JSC::tagJSCCodePtrImpl):
(JSC::untagJSCCodePtrImpl):
(JSC::tagCodePtrWithStackPointerForJITCall):
(JSC::untagCodePtrWithStackPointerForJITCall):

  • runtime/MatchResult.h:

(JSC::MatchResult::MatchResult):

  • runtime/Options.cpp:

(JSC::disableAllJITOptions):
(JSC::canUseJITCage):

  • runtime/OptionsList.h:
  • wasm/WasmSlowPaths.cpp:
  • yarr/YarrJIT.cpp:
  • yarr/YarrJIT.h:

(JSC::Yarr::YarrCodeBlock::execute):

Source/WTF:

  • wtf/OSAllocator.h:

(WTF::OSAllocator::reserveAndCommit):
(WTF::OSAllocator::reallocateCommitted):

  • wtf/PageReservation.h:

(WTF::PageReservation::reserve):
(WTF::PageReservation::reserveWithGuardPages):
(WTF::PageReservation::reserveAndCommitWithGuardPages):
(WTF::PageReservation::PageReservation):

  • wtf/PlatformEnable.h:
  • wtf/PlatformUse.h:
  • wtf/PtrTag.h:

(WTF::assertIsTaggedWith):
(WTF::tagCodePtrWithStackPointerForJITCall): Deleted.
(WTF::untagCodePtrWithStackPointerForJITCall): Deleted.

  • wtf/posix/OSAllocatorPOSIX.cpp:

(WTF::OSAllocator::reserveUncommitted):
(WTF::OSAllocator::reserveAndCommit):

  • wtf/win/OSAllocatorWin.cpp:

(WTF::OSAllocator::reserveUncommitted):
(WTF::OSAllocator::reserveAndCommit):

File:
1 edited

  • trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

    r268656 r269349  
    156156
    157157#define LLINT_CALL_END_IMPL(callFrame, callTarget, callTargetTag) \
    158     LLINT_RETURN_TWO((retagCodePtr<callTargetTag, SlowPathPtrTag>(callTarget)), (callFrame))
     158    LLINT_RETURN_TWO((retagCodePtr<callTargetTag, JSEntrySlowPathPtrTag>(callTarget)), (callFrame))
    159159
    160160#define LLINT_CALL_THROW(globalObject, exceptionToThrow) do {                   \
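Review bot: The only change in LLINT_CALL_END_IMPL is the retag target, SlowPathPtrTag to JSEntrySlowPathPtrTag, so whatever code in LowLevelInterpreter.asm authenticates the returned callTarget must switch tags in lockstep; on ARM64E a mismatch is not a compile error but a pointer-authentication fault at run time. A one-line comment above the macro saying why this return value carries JSEntrySlowPathPtrTag rather than the SlowPathPtrTag used by the other LLINT_RETURN_TWO sites would make that contract visible at the definition instead of only in the asm.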
     
    468468        *ptr += codeBlock->llintExecuteCounter().m_activeThreshold;
    469469        if (*ptr >= Options::earlyReturnFromInfiniteLoopsLimit())
    470             LLINT_RETURN_TWO(LLInt::getCodePtr<JSEntryPtrTag>(fuzzer_return_early_from_loop_hint).executableAddress(), callFrame->topOfFrame());
     470            LLINT_RETURN_TWO(LLInt::fuzzerReturnEarlyFromLoopHintEntrypoint().code().executableAddress(), callFrame->topOfFrame());
    471471    }
    472472   
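Review bot: The replacement hides the pointer tag: the removed line named JSEntryPtrTag explicitly, while fuzzerReturnEarlyFromLoopHintEntrypoint().code().executableAddress() gives no hint which tag flows into LLINT_RETURN_TWO, so a reader of this slow path can no longer check it against the consumer. Suggest a short comment naming the tag, and since this sits on the loop-hint counter path, confirming that the accessor returns a cached MacroAssemblerCodeRef rather than generating a thunk per call.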
     
    19461946}
    19471947
    1948 inline SlowPathReturnType commonCallEval(CallFrame* callFrame, const Instruction* pc, MacroAssemblerCodePtr<JSEntryPtrTag> returnPoint)
     1948inline SlowPathReturnType commonCallEval(CallFrame* callFrame, const Instruction* pc, MacroAssemblerCodeRef<JSEntryPtrTag> returnPoint)
    19491949{
    19501950    LLINT_BEGIN_NO_SET_PC();
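Review bot: commonCallEval now takes MacroAssemblerCodeRef<JSEntryPtrTag> by value, but the body only reads returnPoint.code().executableAddress() (the setReturnPC line further down), so the by-value copy buys nothing; declare the parameter as `const MacroAssemblerCodeRef<JSEntryPtrTag>& returnPoint` to avoid copying the ref's ownership handle on every eval call.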
     
    19571957    calleeFrame->setCallerFrame(callFrame);
    19581958    calleeFrame->uncheckedR(VirtualRegister(CallFrameSlot::callee)) = calleeAsValue;
    1959     calleeFrame->setReturnPC(returnPoint.executableAddress());
     1959    calleeFrame->setReturnPC(returnPoint.code().executableAddress());
    19601960    calleeFrame->setCodeBlock(nullptr);
    19611961    callFrame->setCurrentVPC(pc);
     
    19711971LLINT_SLOW_PATH_DECL(slow_path_call_eval)
    19721972{
    1973     return commonCallEval(callFrame, pc, LLInt::getCodePtr<JSEntryPtrTag>(llint_generic_return_point));
     1973    return commonCallEval(callFrame, pc, LLInt::genericReturnPointEntrypoint(OpcodeSize::Narrow));
    19741974}
    19751975
    19761976LLINT_SLOW_PATH_DECL(slow_path_call_eval_wide16)
    19771977{
    1978     return commonCallEval(callFrame, pc, LLInt::getWide16CodePtr<JSEntryPtrTag>(llint_generic_return_point));
     1978    return commonCallEval(callFrame, pc, LLInt::genericReturnPointEntrypoint(OpcodeSize::Wide16));
    19791979}
    19801980
    19811981LLINT_SLOW_PATH_DECL(slow_path_call_eval_wide32)
    19821982{
    1983     return commonCallEval(callFrame, pc, LLInt::getWide32CodePtr<JSEntryPtrTag>(llint_generic_return_point));
     1983    return commonCallEval(callFrame, pc, LLInt::genericReturnPointEntrypoint(OpcodeSize::Wide32));
    19841984}
    19851985
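Review bot: The mapping Narrow/Wide16/Wide32 onto the former getCodePtr/getWide16CodePtr/getWide32CodePtr lines is consistent across the three slow paths, which is the main thing to verify here. Two follow-ups: genericReturnPointEntrypoint(OpcodeSize) should hand back one cached ref per size rather than building a thunk on each call_eval, and with the three functions now differing by a single enum value, a small helper or macro parameterized on OpcodeSize would remove the triplication.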
     
    22662266    if (Options::forceOSRExitToLLInt() || codeBlock->jitType() == JITType::InterpreterThunk) {
    22672267        const Instruction* nextPC = pc.next().ptr();
    2268         auto nextBytecode = LLInt::getCodePtr<JSEntryPtrTag>(*pc.next().ptr());
    2269         return encodeResult(nextPC, nextBytecode.executableAddress());
     2268#if ENABLE(JIT)
     2269        return encodeResult(nextPC, LLInt::normalOSRExitTrampolineThunk().code().executableAddress());
     2270#else
     2271        return encodeResult(nextPC, LLInt::getCodeRef<JSEntryPtrTag>(normal_osr_exit_trampoline).code().executableAddress());
     2272#endif
    22702273    }
    22712274
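Review bot: The removed lines resolved the handler for the concrete next opcode (`*pc.next().ptr()`) and returned it directly; both new branches instead return normal_osr_exit_trampoline, so correct dispatch now depends entirely on that trampoline reading nextPC from the encoded result and jumping to the right handler, and nothing in the hunk says so. Suggest a comment above `#if ENABLE(JIT)` explaining why the direct dispatch was replaced by the trampoline indirection, and why the non-JIT build takes the raw getCodeRef<JSEntryPtrTag> path instead of normalOSRExitTrampolineThunk().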