Changeset 288476 in webkit for trunk/Source/JavaScriptCore/yarr

Timestamp:

Jan 24, 2022, 3:20:23 PM (3 years ago)

Author:

Mikhail R. Gadelha

Message:

[JSC][32bit] Fix regexp crash on ARMv7
​https://bugs.webkit.org/show_bug.cgi?id=234476

Reviewed by Yusuke Suzuki.

This patch fixes several regexp crashes on ARMv7 due to an incorrect
offset to retrieve the 5th argument from the stack: in ARMv7, only
4 arguments are passed via registers r0-r3i, and any other argument is
placed on the stack, however, YarrJIT was trying to get the 5th arg
from a fixed offset, so because the generateEnter() method pushed
register into the stack, the offset was wrong. This patch fixes how
the offset is calculated for MIPS and ARMv7.

This patch also introduces some small changes:

1. Added static_asserts that the YarrJIT calls do indeed have 5 arguments

and that the 5th argument has the type that we expect (MatchingContextHolder*).

2. Removed an unnecessary pointer from the MatchingContextHolder

constructor.

3. Fixed some warnings in the YarrJIT code here and there.

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compileRegExpTestInline):

• runtime/RegExpInlines.h:

(JSC::RegExp::matchInline):

• yarr/YarrJIT.cpp:
• yarr/YarrMatchingContextHolder.h:

(JSC::Yarr::MatchingContextHolder::MatchingContextHolder):

Location:

trunk/Source/JavaScriptCore/yarr

Files:

• YarrJIT.cpp (modified) (16 diffs)
• YarrJIT.h (modified) (4 diffs)
• YarrJITRegisters.h (modified) (1 diff)
• YarrMatchingContextHolder.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/yarr/YarrJIT.cpp

@@ -28 +28 @@
 #include "YarrJIT.h"
 
+#include "CCallHelpers.h"
 #include "LinkBuffer.h"
 #include "Options.h"
@@ -187 +188 @@
 class YarrGenerator final : public YarrJITInfo {
 
-#ifdef  JIT_UNICODE_EXPRESSIONS
-    const MacroAssembler::TrustedImm32 surrogateTagMask = MacroAssembler::TrustedImm32(0xfffffc00);
-#endif
-
 #if ENABLE(YARR_JIT_ALL_PARENS_EXPRESSIONS)
     struct ParenContextSizes {
@@ -604 +601 @@
 
         // Is the character a leading surrogate?
-        m_jit.and32(YarrJITDefaultRegisters::surrogateTagMask, resultReg, m_regs.unicodeTemp);
+        m_jit.and32(m_regs.surrogateTagMask, resultReg, m_regs.unicodeTemp);
         notUnicode.append(m_jit.branch32(MacroAssembler::NotEqual, m_regs.unicodeTemp, m_regs.leadingSurrogateTag));
 
@@ -613 +610 @@
         // Is the character a trailing surrogate?
         m_jit.load16Unaligned(MacroAssembler::Address(m_regs.regUnicodeInputAndTrail), m_regs.regUnicodeInputAndTrail);
-        m_jit.and32(YarrJITDefaultRegisters::surrogateTagMask, m_regs.regUnicodeInputAndTrail, m_regs.unicodeTemp);
+        m_jit.and32(m_regs.surrogateTagMask, m_regs.regUnicodeInputAndTrail, m_regs.unicodeTemp);
         notUnicode.append(m_jit.branch32(MacroAssembler::NotEqual, m_regs.unicodeTemp, m_regs.trailingSurrogateTag));
 
@@ -3962 +3959 @@
     void generateEnter()
     {
+        auto pushInEnter = [&](GPRReg gpr) {
+            m_jit.push(gpr);
+            m_pushCountInEnter += 1;
+        };
+
+        auto pushPairInEnter = [&](GPRReg gpr1, GPRReg gpr2) {
+            m_jit.pushPair(gpr1, gpr2);
+            m_pushCountInEnter += 2;
+        };
+
 #if CPU(X86_64)
-        m_jit.push(X86Registers::ebp);
-        m_jit.move(MacroAssembler::stackPointerRegister, X86Registers::ebp);
+        UNUSED_VARIABLE(pushPairInEnter);
+        m_jit.emitFunctionPrologue();
 
         if (m_pattern.m_saveInitialStartValue)
-            m_jit.push(X86Registers::ebx);
+            pushInEnter(X86Registers::ebx);
 
 #if OS(WINDOWS)
-        m_jit.push(X86Registers::edi);
+        pushInEnter(X86Registers::edi);
 #endif
 #if ENABLE(YARR_JIT_ALL_PARENS_EXPRESSIONS)
         if (m_containsNestedSubpatterns) {
 #if OS(WINDOWS)
-            m_jit.push(X86Registers::esi);
-#endif
-            m_jit.push(X86Registers::r12);
+            pushInEnter(X86Registers::esi);
+#endif
+            pushInEnter(X86Registers::r12);
         }
 #endif
 
         if (m_decodeSurrogatePairs) {
-            m_jit.push(X86Registers::r13);
-            m_jit.push(X86Registers::r14);
-            m_jit.push(X86Registers::r15);
+            pushInEnter(X86Registers::r13);
+            pushInEnter(X86Registers::r14);
+            pushInEnter(X86Registers::r15);
         }
 #if OS(WINDOWS)
         if (m_compileMode == JITCompileMode::IncludeSubpatterns)
-            m_jit.loadPtr(MacroAssembler::Address(X86Registers::ebp, 6 * sizeof(void*)), m_regs.output);
+            m_jit.loadPtr(MacroAssembler::Address(MacroAssembler::framePointerRegister, 6 * sizeof(void*)), m_regs.output);
         // rcx is the pointer to the allocated space for result in x64 Windows.
-        m_jit.push(X86Registers::ecx);
+        pushInEnter(X86Registers::ecx);
 #endif
 #elif CPU(ARM64)
+        UNUSED_VARIABLE(pushInEnter);
         if (!Options::useJITCage())
             m_jit.tagReturnAddress();
         if (m_decodeSurrogatePairs) {
             if (!Options::useJITCage())
-                m_jit.pushPair(MacroAssembler::framePointerRegister, MacroAssembler::linkRegister);
+                pushPairInEnter(MacroAssembler::framePointerRegister, MacroAssembler::linkRegister);
             m_jit.move(MacroAssembler::TrustedImm32(0x10000), m_regs.supplementaryPlanesBase);
             m_jit.move(MacroAssembler::TrustedImm32(0xd800), m_regs.leadingSurrogateTag);
@@ -4003 +4011 @@
         }
 #elif CPU(ARM_THUMB2)
-        m_jit.push(ARMRegisters::r4);
-        m_jit.push(ARMRegisters::r5);
-        m_jit.push(ARMRegisters::r6);
-        m_jit.push(ARMRegisters::r8);
-        m_jit.push(ARMRegisters::r10);
+        UNUSED_VARIABLE(pushPairInEnter);
+        pushInEnter(ARMRegisters::r4);
+        pushInEnter(ARMRegisters::r5);
+        pushInEnter(ARMRegisters::r6);
+        pushInEnter(ARMRegisters::r8);
+        pushInEnter(ARMRegisters::r10);
 #elif CPU(RISCV64)
+        UNUSED_VARIABLE(pushInEnter);
         if (m_decodeSurrogatePairs)
-            m_jit.pushPair(MacroAssembler::framePointerRegister, MacroAssembler::linkRegister);
-#elif CPU(MIPS)
-        // Do nothing.
+            pushPairInEnter(MacroAssembler::framePointerRegister, MacroAssembler::linkRegister);
+#else
+        UNUSED_VARIABLE(pushInEnter);
+        UNUSED_VARIABLE(pushPairInEnter);
 #endif
     }
@@ -4053 +4064 @@
         if (m_pattern.m_saveInitialStartValue)
             m_jit.pop(X86Registers::ebx);
-        m_jit.pop(X86Registers::ebp);
+        m_jit.emitFunctionEpilogue();
 #elif CPU(ARM64)
         if (m_decodeSurrogatePairs) {
@@ -4068 +4079 @@
         if (m_decodeSurrogatePairs)
             m_jit.popPair(MacroAssembler::framePointerRegister, MacroAssembler::linkRegister);
-#elif CPU(MIPS)
-        // Do nothing
-#endif
+#endif
+
 #if CPU(ARM64E)
         if (Options::useJITCage())
@@ -4087 +4097 @@
 
 public:
-    YarrGenerator(MacroAssembler& jit, const VM* vm, YarrCodeBlock* codeBlock, const YarrJITRegs& regs, YarrPattern& pattern, const String& patternString, CharSize charSize, JITCompileMode compileMode)
+    YarrGenerator(CCallHelpers& jit, const VM* vm, YarrCodeBlock* codeBlock, const YarrJITRegs& regs, YarrPattern& pattern, const String& patternString, CharSize charSize, JITCompileMode compileMode)
         : m_jit(jit)
         , m_vm(vm)
@@ -4106 +4116 @@
     }
 
-    YarrGenerator(MacroAssembler& jit, const VM* vm, YarrBoyerMoyerData* yarrBMData, const YarrJITRegs& regs, YarrPattern& pattern, const String& patternString, CharSize charSize, JITCompileMode compileMode)
+    YarrGenerator(CCallHelpers& jit, const VM* vm, YarrBoyerMoyerData* yarrBMData, const YarrJITRegs& regs, YarrPattern& pattern, const String& patternString, CharSize charSize, JITCompileMode compileMode)
         : m_jit(jit)
         , m_vm(vm)
@@ -4140 +4150 @@
     }
 
+    template<typename OperationType>
+    static constexpr void functionChecks()
+    {
+        static_assert(FunctionTraits<OperationType>::cCallArity() == 5, "YarrJITCode takes 5 arguments");
+        static_assert(std::is_same<MatchingContextHolder*, typename FunctionTraits<OperationType>::template ArgumentType<4>>::value, "MatchingContextHolder* is expected as the function 5th argument");
+    }
+
     void compile(YarrCodeBlock& codeBlock)
     {
@@ -4192 +4209 @@
             // Check stack size
             m_jit.addPtr(MacroAssembler::TrustedImm32(-callFrameSizeInBytes), MacroAssembler::stackPointerRegister, m_regs.regT0);
+
+            // Make sure that the JITed functions have 5 parameters and that the 5th argument is a MatchingContextHolder*
+            functionChecks<YarrCodeBlock::YarrJITCode8>();
+            functionChecks<YarrCodeBlock::YarrJITCode16>();
+            functionChecks<YarrCodeBlock::YarrJITCodeMatchOnly8>();
+            functionChecks<YarrCodeBlock::YarrJITCodeMatchOnly16>();
 #if CPU(X86_64) && OS(WINDOWS)
             // matchingContext is the 5th argument, it is found on the stack.
             MacroAssembler::RegisterID matchingContext = m_regs.regT1;
-            m_jit.loadPtr(MacroAssembler::Address(X86Registers::ebp, 7 * sizeof(void*)), matchingContext);
+            m_jit.loadPtr(MacroAssembler::Address(MacroAssembler::framePointerRegister, 7 * sizeof(void*)), matchingContext);
 #elif CPU(ARM_THUMB2) || CPU(MIPS)
-            // matchingContext is the 5th argument, it is found on the stack.
+            // Not enough argument registers: try to load the 5th argument from the stack
             MacroAssembler::RegisterID matchingContext = m_regs.regT1;
-            m_jit.loadPtr(MacroAssembler::Address(MacroAssembler::stackPointerRegister, 4 * sizeof(void*)), matchingContext);
+
+            // The argument will be in an offset that depends on the arch and the number of registers we pushed into the stack
+            // POKE_ARGUMENT_OFFSET: MIPS reserves space in the stack for all arguments, so we add +4 offset
+            // m_pushCountInEnter: number of registers pushed into the stack (see generateEnter())
+            unsigned offset = POKE_ARGUMENT_OFFSET + m_pushCountInEnter;
+            m_jit.loadPtr(MacroAssembler::Address(MacroAssembler::stackPointerRegister, offset * sizeof(void*)), matchingContext);
 #else
             MacroAssembler::RegisterID matchingContext = m_regs.matchingContext;
@@ -4619 +4647 @@
 
 private:
-    MacroAssembler& m_jit;
+    CCallHelpers& m_jit;
     const VM* m_vm;
     YarrCodeBlock* m_codeBlock;
@@ -4673 +4701 @@
     
     std::unique_ptr<YarrDisassembler> m_disassembler;
+
+    // Member is used to count the number of GPR pushed into the stack when
+    // entering JITed code. It is used to figure out if an function argument
+    // offset in the stack if there wasn't enough registers to pass it, e.g.,
+    // ARMv7 and MIPS only use 4 registers to pass function arguments.
+    unsigned m_pushCountInEnter { 0 };
 };
 
@@ -4707 +4741 @@
 void jitCompile(YarrPattern& pattern, String& patternString, CharSize charSize, VM* vm, YarrCodeBlock& codeBlock, JITCompileMode mode)
 {
-    MacroAssembler masm;
+    CCallHelpers masm;
 
     ASSERT(mode == JITCompileMode::MatchOnly || mode == JITCompileMode::IncludeSubpatterns);
@@ -4728 +4762 @@
 #endif
 
-void jitCompileInlinedTest(StackCheck* m_compilationThreadStackChecker, const String& patternString, OptionSet<Yarr::Flags> flags, CharSize charSize, const VM* vm, YarrBoyerMoyerData& boyerMooreData, MacroAssembler& jit, YarrJITRegisters& jitRegisters)
+void jitCompileInlinedTest(StackCheck* m_compilationThreadStackChecker, const String& patternString, OptionSet<Yarr::Flags> flags, CharSize charSize, const VM* vm, YarrBoyerMoyerData& boyerMooreData, CCallHelpers& jit, YarrJITRegisters& jitRegisters)
 {
     Yarr::ErrorCode errorCode;

trunk/Source/JavaScriptCore/yarr/YarrJIT.h

@@ -44 +44 @@
 namespace JSC {
 
-class VM;
+class CCallHelpers;
 class ExecutablePool;
 class MacroAssembler;
+class VM;
 
 namespace Yarr {
@@ -272 +273 @@
     WTF_MAKE_NONCOPYABLE(YarrCodeBlock);
 
-    using YarrJITCode8 = SlowPathReturnType (*)(const LChar* input, UCPURegister start, UCPURegister length, int* output, MatchingContextHolder& matchingContext) YARR_CALL;
-    using YarrJITCode16 = SlowPathReturnType (*)(const UChar* input, UCPURegister start, UCPURegister length, int* output, MatchingContextHolder& matchingContext) YARR_CALL;
-    using YarrJITCodeMatchOnly8 = SlowPathReturnType (*)(const LChar* input, UCPURegister start, UCPURegister length, void*, MatchingContextHolder& matchingContext) YARR_CALL;
-    using YarrJITCodeMatchOnly16 = SlowPathReturnType (*)(const UChar* input, UCPURegister start, UCPURegister length, void*, MatchingContextHolder& matchingContext) YARR_CALL;
-
 public:
+    using YarrJITCode8 = SlowPathReturnType (*)(const LChar* input, UCPURegister start, UCPURegister length, int* output, MatchingContextHolder*) YARR_CALL;
+    using YarrJITCode16 = SlowPathReturnType (*)(const UChar* input, UCPURegister start, UCPURegister length, int* output, MatchingContextHolder*) YARR_CALL;
+    using YarrJITCodeMatchOnly8 = SlowPathReturnType (*)(const LChar* input, UCPURegister start, UCPURegister length, void*, MatchingContextHolder*) YARR_CALL;
+    using YarrJITCodeMatchOnly16 = SlowPathReturnType (*)(const UChar* input, UCPURegister start, UCPURegister length, void*, MatchingContextHolder*) YARR_CALL;
+
     YarrCodeBlock() = default;
 
@@ -327 +328 @@
     InlineStats& get16BitInlineStats() { return  m_matchOnly16Stats; }
 
-    MatchResult execute(const LChar* input, unsigned start, unsigned length, int* output, MatchingContextHolder& matchingContext)
+    MatchResult execute(const LChar* input, unsigned start, unsigned length, int* output, MatchingContextHolder* matchingContext)
     {
         ASSERT(has8BitCode());
 #if CPU(ARM64E)
         if (Options::useJITCage())
-            return MatchResult(vmEntryToYarrJIT(input, start, length, output, &matchingContext, retagCodePtr<Yarr8BitPtrTag, YarrEntryPtrTag>(m_ref8.code().executableAddress())));
+            return MatchResult(vmEntryToYarrJIT(input, start, length, output, matchingContext, retagCodePtr<Yarr8BitPtrTag, YarrEntryPtrTag>(m_ref8.code().executableAddress())));
 #endif
         return MatchResult(untagCFunctionPtr<YarrJITCode8, Yarr8BitPtrTag>(m_ref8.code().executableAddress())(input, start, length, output, matchingContext));
     }
 
-    MatchResult execute(const UChar* input, unsigned start, unsigned length, int* output, MatchingContextHolder& matchingContext)
+    MatchResult execute(const UChar* input, unsigned start, unsigned length, int* output, MatchingContextHolder* matchingContext)
     {
         ASSERT(has16BitCode());
 #if CPU(ARM64E)
         if (Options::useJITCage())
-            return MatchResult(vmEntryToYarrJIT(input, start, length, output, &matchingContext, retagCodePtr<Yarr16BitPtrTag, YarrEntryPtrTag>(m_ref16.code().executableAddress())));
+            return MatchResult(vmEntryToYarrJIT(input, start, length, output, matchingContext, retagCodePtr<Yarr16BitPtrTag, YarrEntryPtrTag>(m_ref16.code().executableAddress())));
 #endif
         return MatchResult(untagCFunctionPtr<YarrJITCode16, Yarr16BitPtrTag>(m_ref16.code().executableAddress())(input, start, length, output, matchingContext));
     }
 
-    MatchResult execute(const LChar* input, unsigned start, unsigned length, MatchingContextHolder& matchingContext)
+    MatchResult execute(const LChar* input, unsigned start, unsigned length, MatchingContextHolder* matchingContext)
     {
         ASSERT(has8BitCodeMatchOnly());
 #if CPU(ARM64E)
         if (Options::useJITCage())
-            return MatchResult(vmEntryToYarrJIT(input, start, length, nullptr, &matchingContext, retagCodePtr<YarrMatchOnly8BitPtrTag, YarrEntryPtrTag>(m_matchOnly8.code().executableAddress())));
+            return MatchResult(vmEntryToYarrJIT(input, start, length, nullptr, matchingContext, retagCodePtr<YarrMatchOnly8BitPtrTag, YarrEntryPtrTag>(m_matchOnly8.code().executableAddress())));
 #endif
         return MatchResult(untagCFunctionPtr<YarrJITCodeMatchOnly8, YarrMatchOnly8BitPtrTag>(m_matchOnly8.code().executableAddress())(input, start, length, nullptr, matchingContext));
     }
 
-    MatchResult execute(const UChar* input, unsigned start, unsigned length, MatchingContextHolder& matchingContext)
+    MatchResult execute(const UChar* input, unsigned start, unsigned length, MatchingContextHolder* matchingContext)
     {
         ASSERT(has16BitCodeMatchOnly());
 #if CPU(ARM64E)
         if (Options::useJITCage())
-            return MatchResult(vmEntryToYarrJIT(input, start, length, nullptr, &matchingContext, retagCodePtr<YarrMatchOnly16BitPtrTag, YarrEntryPtrTag>(m_matchOnly16.code().executableAddress())));
+            return MatchResult(vmEntryToYarrJIT(input, start, length, nullptr, matchingContext, retagCodePtr<YarrMatchOnly16BitPtrTag, YarrEntryPtrTag>(m_matchOnly16.code().executableAddress())));
 #endif
         return MatchResult(untagCFunctionPtr<YarrJITCodeMatchOnly16, YarrMatchOnly16BitPtrTag>(m_matchOnly16.code().executableAddress())(input, start, length, nullptr, matchingContext));
@@ -440 +441 @@
 class YarrJITRegisters;
 
-void jitCompileInlinedTest(StackCheck*, const String&, OptionSet<Yarr::Flags>, CharSize, const VM*, YarrBoyerMoyerData&, MacroAssembler&, YarrJITRegisters&);
+void jitCompileInlinedTest(StackCheck*, const String&, OptionSet<Yarr::Flags>, CharSize, const VM*, YarrBoyerMoyerData&, CCallHelpers&, YarrJITRegisters&);
 #endif
 

trunk/Source/JavaScriptCore/yarr/YarrJITRegisters.h

@@ -207 +207 @@
     const MacroAssembler::TrustedImm32 leadingSurrogateTag = MacroAssembler::TrustedImm32(0xd800);
     const MacroAssembler::TrustedImm32 trailingSurrogateTag = MacroAssembler::TrustedImm32(0xdc00);
+    const MacroAssembler::TrustedImm32 surrogateTagMask = MacroAssembler::TrustedImm32(0xfffffc00);
 };
 #endif

trunk/Source/JavaScriptCore/yarr/YarrMatchingContextHolder.h

@@ -38 +38 @@
 namespace Yarr {
 
-class YarrCodeBlock;
-
 class MatchingContextHolder {
     WTF_FORBID_HEAP_ALLOCATION;
 public:
-    MatchingContextHolder(VM&, YarrCodeBlock*, RegExp*, MatchFrom);
+    MatchingContextHolder(VM&, bool, RegExp*, MatchFrom);
     ~MatchingContextHolder();
 
@@ -62 +60 @@
 };
 
-inline MatchingContextHolder::MatchingContextHolder(VM& vm, YarrCodeBlock* yarrCodeBlock, RegExp* regExp, MatchFrom matchFrom)
+inline MatchingContextHolder::MatchingContextHolder(VM& vm, bool usesPatternContextBuffer, RegExp* regExp, MatchFrom matchFrom)
     : m_vm(vm)
     , m_matchFrom(matchFrom)
@@ -75 +73 @@
 
 #if ENABLE(YARR_JIT_ALL_PARENS_EXPRESSIONS)
-    if (yarrCodeBlock && yarrCodeBlock->usesPatternContextBuffer()) {
+    if (usesPatternContextBuffer) {
         m_patternContextBuffer = m_vm.acquireRegExpPatternContexBuffer();
         m_patternContextBufferSize = VM::patternContextBufferSize;
     }
 #else
-    UNUSED_PARAM(yarrCodeBlock);
+    UNUSED_PARAM(usesPatternContextBuffer);
 #endif
 }