Changeset 275597 in webkit for trunk/Source/JavaScriptCore/offlineasm

Timestamp:

Apr 7, 2021, 2:28:49 AM (4 years ago)

Author:

[email protected]

Message:

JSTests:
[JSC] WasmMemory caging should care about nullptr
​https://bugs.webkit.org/show_bug.cgi?id=224268
<rdar://problem/74654838>

Reviewed by Mark Lam.

• wasm/stress/4g-memory-cage.js: Added.

(async test):

• wasm/stress/more-than-4g-offset-access-oom.js: Added.

(async test):

• wasm/stress/null-memory-cage-explicit.js: Added.

(async test):

• wasm/stress/null-memory-cage.js: Added.

(async test):

Source/JavaScriptCore:
[JSC] WasmMemory caging should care about nullptr
​https://bugs.webkit.org/show_bug.cgi?id=224268
<rdar://problem/74654838>

Reviewed by Mark Lam.

1. Fix Wasm::MemoryHandle::boundsCheckingSize. We should just return m_mappedCapacity here since UINT32_MAX is not 4GB. This checking size can include redzone for fast-memory, but this is OK: bounds-check pass in LLInt (in upper tiers, we do not use bounds-check for fast-memory), and access to redzone, then fault occurs and signal handler can make it error since signal handler is checking whether the access is within Memory::fastMappedBytes which includes redzone.
2. Fix caging of wasm memory-base pointer in LLInt. We should use pointer sized length since it can be larger than 4GB. And we should handle nullptr case correctly: Wasm::MemoryHandle's memory can be nullptr when mapped size is zero. caging needs to handle this case as we do in CagedPtr::getMayBeNull.

• assembler/MacroAssemblerARM64E.h:

(JSC::MacroAssemblerARM64E::untagArrayPtrLength32):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):

• llint/LowLevelInterpreter64.asm:
• llint/WebAssembly.asm:
• offlineasm/arm64e.rb:
• offlineasm/ast.rb:
• offlineasm/instructions.rb:
• runtime/CagedBarrierPtr.h:

(JSC::CagedBarrierPtr::CagedBarrierPtr):
(JSC::CagedBarrierPtr::set):
(JSC::CagedBarrierPtr::get const):
(JSC::CagedBarrierPtr::getMayBeNull const):
(JSC::CagedBarrierPtr::at const):
(JSC::CagedBarrierPtr::setWithoutBarrier):

• wasm/WasmInstance.h:

(JSC::Wasm::Instance::updateCachedMemory):

• wasm/WasmMemory.cpp:

(JSC::Wasm::MemoryHandle::MemoryHandle):

• wasm/WasmMemory.h:

Source/WTF:
[JSC] WasmMemory caging should care nullptr
​https://bugs.webkit.org/show_bug.cgi?id=224268
<rdar://problem/74654838>

Reviewed by Mark Lam.

Accept size_t since Wasm::Memory's length can be larger than 4GB.

• wtf/CagedPtr.h:

(WTF::CagedPtr::CagedPtr):
(WTF::CagedPtr::get const):
(WTF::CagedPtr::getMayBeNull const):
(WTF::CagedPtr::at const):
(WTF::CagedPtr::recage):

• wtf/CagedUniquePtr.h:

(WTF::CagedUniquePtr::CagedUniquePtr):
(WTF::CagedUniquePtr::create):
(WTF::CagedUniquePtr::tryCreate):

Location:

trunk/Source/JavaScriptCore/offlineasm

Files:

• arm64e.rb (modified) (1 diff)
• ast.rb (modified) (1 diff)
• instructions.rb (modified) (1 diff)

trunk/Source/JavaScriptCore/offlineasm/arm64e.rb

@@ -147 +147 @@
             raise if operands.size != 2 or not operands.each { |operand| operand.is_a? RegisterID or operand.is_a? Tmp }
             emitARM64("autdb ", operands, :ptr)
+        when "removeArrayPtrTag"
+            raise unless operands[0].is_a? RegisterID
+            emitARM64Unflipped("xpacd ", operands, :ptr)
         when "ret"
             $asm.puts "retab"

trunk/Source/JavaScriptCore/offlineasm/ast.rb

@@ -946 +946 @@
         when "emit"
             $asm.puts "#{operands[0].dump}"
-        when "tagCodePtr", "tagReturnAddress", "untagReturnAddress", "removeCodePtrTag", "untagArrayPtr"
+        when "tagCodePtr", "tagReturnAddress", "untagReturnAddress", "removeCodePtrTag", "untagArrayPtr", "removeArrayPtrTag"
         else
             raise "Unhandled opcode #{opcode} at #{codeOriginString}"

trunk/Source/JavaScriptCore/offlineasm/instructions.rb

@@ -308 +308 @@
      "untagReturnAddress",
      "removeCodePtrTag",
-     "untagArrayPtr",    
+     "untagArrayPtr",
+     "removeArrayPtrTag",
      "tzcnti",
      "tzcntq",