Ignore:
Timestamp:
Apr 7, 2021, 2:28:49 AM (4 years ago)
Author:
[email protected]
Message:

JSTests:
[JSC] WasmMemory caging should care about nullptr
https://bugs.webkit.org/show_bug.cgi?id=224268
<rdar://problem/74654838>

Reviewed by Mark Lam.

  • wasm/stress/4g-memory-cage.js: Added.

(async test):

  • wasm/stress/more-than-4g-offset-access-oom.js: Added.

(async test):

  • wasm/stress/null-memory-cage-explicit.js: Added.

(async test):

  • wasm/stress/null-memory-cage.js: Added.

(async test):

Source/JavaScriptCore:
[JSC] WasmMemory caging should care about nullptr
https://bugs.webkit.org/show_bug.cgi?id=224268
<rdar://problem/74654838>

Reviewed by Mark Lam.

  1. Fix Wasm::MemoryHandle::boundsCheckingSize. We should just return m_mappedCapacity here since UINT32_MAX is not 4GB. This checking size can include redzone for fast-memory, but this is OK: bounds-check pass in LLInt (in upper tiers, we do not use bounds-check for fast-memory), and access to redzone, then fault occurs and signal handler can make it error since signal handler is checking whether the access is within Memory::fastMappedBytes which includes redzone.
  2. Fix caging of wasm memory-base pointer in LLInt. We should use pointer sized length since it can be larger than 4GB. And we should handle nullptr case correctly: Wasm::MemoryHandle's memory can be nullptr when mapped size is zero. caging needs to handle this case as we do in CagedPtr::getMayBeNull.
  • assembler/MacroAssemblerARM64E.h:

(JSC::MacroAssemblerARM64E::untagArrayPtrLength32):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):

  • llint/LowLevelInterpreter64.asm:
  • llint/WebAssembly.asm:
  • offlineasm/arm64e.rb:
  • offlineasm/ast.rb:
  • offlineasm/instructions.rb:
  • runtime/CagedBarrierPtr.h:

(JSC::CagedBarrierPtr::CagedBarrierPtr):
(JSC::CagedBarrierPtr::set):
(JSC::CagedBarrierPtr::get const):
(JSC::CagedBarrierPtr::getMayBeNull const):
(JSC::CagedBarrierPtr::at const):
(JSC::CagedBarrierPtr::setWithoutBarrier):

  • wasm/WasmInstance.h:

(JSC::Wasm::Instance::updateCachedMemory):

  • wasm/WasmMemory.cpp:

(JSC::Wasm::MemoryHandle::MemoryHandle):

  • wasm/WasmMemory.h:

Source/WTF:
[JSC] WasmMemory caging should care nullptr
https://bugs.webkit.org/show_bug.cgi?id=224268
<rdar://problem/74654838>

Reviewed by Mark Lam.

Accept size_t since Wasm::Memory's length can be larger than 4GB.

  • wtf/CagedPtr.h:

(WTF::CagedPtr::CagedPtr):
(WTF::CagedPtr::get const):
(WTF::CagedPtr::getMayBeNull const):
(WTF::CagedPtr::at const):
(WTF::CagedPtr::recage):

  • wtf/CagedUniquePtr.h:

(WTF::CagedUniquePtr::CagedUniquePtr):
(WTF::CagedUniquePtr::create):
(WTF::CagedUniquePtr::tryCreate):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/offlineasm/arm64e.rb

    r269511 r275597  
    147147            raise if operands.size != 2 or not operands.each { |operand| operand.is_a? RegisterID or operand.is_a? Tmp }
    148148            emitARM64("autdb ", operands, :ptr)
     149        when "removeArrayPtrTag"
     150            raise unless operands[0].is_a? RegisterID
     151            emitARM64Unflipped("xpacd ", operands, :ptr)
    149152        when "ret"
    150153            $asm.puts "retab"
Note: See TracChangeset for help on using the changeset viewer.