Changeset 268170 in webkit

Timestamp:

Oct 7, 2020, 9:18:58 PM (5 years ago)

Author:

[email protected]

Message:

[JSC] Restrict more ptr-tagging and avoid using OperationPtrTag for JIT code
​https://bugs.webkit.org/show_bug.cgi?id=217460

Reviewed by Saam Barati.

Source/JavaScriptCore:

This patch makes tagging / untagging pointer functions solid by using PtrTag in template parameter.
Later, we will introduce compile time behavior change for different kind of PtrTag so that we can insert OperationPtrTag validation
when tagging a function with OperationPtrTag.

We also found that FTL is tagging JIT code with OperationPtrTag wrongly. We should tag it with JITThunkPtrTag.

• assembler/AbstractMacroAssembler.h:

(JSC::AbstractMacroAssembler::getLinkerAddress):

• assembler/AssemblerBuffer.h:

(JSC::ARM64EHash::update):
(JSC::ARM64EHash::finalHash const):

• assembler/JITOperationList.cpp:

(JSC::addPointers):

• assembler/MacroAssemblerARM64.cpp:

(JSC::MacroAssembler::probe):

• assembler/MacroAssemblerCodeRef.h:

(JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
(JSC::MacroAssemblerCodePtr::createFromExecutableAddress):

• assembler/testmasm.cpp:

(JSC::testProbeModifiesProgramCounter):

• b3/air/testair.cpp:
• ftl/FTLOutput.h:

(JSC::FTL::Output::callWithoutSideEffects):
(JSC::FTL::Output::operation):

• ftl/FTLSlowPathCall.cpp:

(JSC::FTL::SlowPathCallContext::makeCall):

• jit/JITCode.cpp:

(JSC::JITCodeWithCodeRef::executableAddressAtOffset):

• jit/JITExceptions.cpp:

(JSC::genericUnwind):

• jit/JITOperations.cpp:
• jit/Repatch.cpp:

(JSC::readPutICCallTarget):
(JSC::ftlThunkAwareRepatchCall):
(JSC::tryCacheGetBy):
(JSC::tryCachePutByID):

• llint/LLIntData.cpp:

(JSC::LLInt::initialize):

• llint/LLIntPCRanges.h:

(JSC::LLInt::isLLIntPC):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::setUpCall):

• llint/LLIntThunks.cpp:

(JSC::LLInt::generateThunkWithJumpTo):

• runtime/MachineContext.h:

(JSC::MachineContext::instructionPointer):

• runtime/NativeExecutable.cpp:

(JSC::NativeExecutable::finishCreation):

• runtime/PutPropertySlot.h:

(JSC::PutPropertySlot::setCustomValue):
(JSC::PutPropertySlot::setCustomAccessor):
(JSC::PutPropertySlot::customSetter const):

• wasm/WasmAirIRGenerator.cpp:

(JSC::Wasm::AirIRGenerator::emitCCall):

• wasm/WasmSlowPaths.cpp:

Source/WTF:

• wtf/PlatformRegisters.cpp:

(WTF::threadStateLRInternal):
(WTF::threadStatePCInternal):

• wtf/PtrTag.h:

(WTF::tagCFunctionPtr):
(WTF::tagCFunction):
(WTF::untagCFunctionPtr):
(WTF::tagInt):
(WTF::isTaggedWith):
(WTF::assertIsTaggedWith):
(WTF::assertIsNullOrTaggedWith):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/assembler/AbstractMacroAssembler.h (modified) (1 diff)
• JavaScriptCore/assembler/AssemblerBuffer.h (modified) (2 diffs)
• JavaScriptCore/assembler/JITOperationList.cpp (modified) (2 diffs)
• JavaScriptCore/assembler/MacroAssemblerARM64.cpp (modified) (1 diff)
• JavaScriptCore/assembler/MacroAssemblerCodeRef.h (modified) (2 diffs)
• JavaScriptCore/assembler/testmasm.cpp (modified) (1 diff)
• JavaScriptCore/b3/air/testair.cpp (modified) (1 diff)
• JavaScriptCore/ftl/FTLOutput.h (modified) (2 diffs)
• JavaScriptCore/ftl/FTLSlowPathCall.cpp (modified) (2 diffs)
• JavaScriptCore/jit/JITCode.cpp (modified) (1 diff)
• JavaScriptCore/jit/JITExceptions.cpp (modified) (1 diff)
• JavaScriptCore/jit/JITOperations.cpp (modified) (3 diffs)
• JavaScriptCore/jit/Repatch.cpp (modified) (5 diffs)
• JavaScriptCore/llint/LLIntData.cpp (modified) (1 diff)
• JavaScriptCore/llint/LLIntPCRanges.h (modified) (1 diff)
• JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (3 diffs)
• JavaScriptCore/llint/LLIntThunks.cpp (modified) (1 diff)
• JavaScriptCore/runtime/JSCPtrTag.h (modified) (1 diff)
• JavaScriptCore/runtime/MachineContext.h (modified) (1 diff)
• JavaScriptCore/runtime/NativeExecutable.cpp (modified) (1 diff)
• JavaScriptCore/runtime/PutPropertySlot.h (modified) (4 diffs)
• JavaScriptCore/wasm/WasmAirIRGenerator.cpp (modified) (1 diff)
• JavaScriptCore/wasm/WasmSlowPaths.cpp (modified) (1 diff)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/PlatformRegisters.cpp (modified) (2 diffs)
• WTF/wtf/PtrTag.h (modified) (12 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-10-07  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Restrict more ptr-tagging and avoid using OperationPtrTag for JIT code
+        https://bugs.webkit.org/show_bug.cgi?id=217460
+
+        Reviewed by Saam Barati.
+
+        This patch makes tagging / untagging pointer functions solid by using PtrTag in template parameter.
+        Later, we will introduce compile time behavior change for different kind of PtrTag so that we can insert OperationPtrTag validation
+        when tagging a function with OperationPtrTag.
+
+        We also found that FTL is tagging JIT code with OperationPtrTag wrongly. We should tag it with JITThunkPtrTag.
+
+        * assembler/AbstractMacroAssembler.h:
+        (JSC::AbstractMacroAssembler::getLinkerAddress):
+        * assembler/AssemblerBuffer.h:
+        (JSC::ARM64EHash::update):
+        (JSC::ARM64EHash::finalHash const):
+        * assembler/JITOperationList.cpp:
+        (JSC::addPointers):
+        * assembler/MacroAssemblerARM64.cpp:
+        (JSC::MacroAssembler::probe):
+        * assembler/MacroAssemblerCodeRef.h:
+        (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
+        (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
+        * assembler/testmasm.cpp:
+        (JSC::testProbeModifiesProgramCounter):
+        * b3/air/testair.cpp:
+        * ftl/FTLOutput.h:
+        (JSC::FTL::Output::callWithoutSideEffects):
+        (JSC::FTL::Output::operation):
+        * ftl/FTLSlowPathCall.cpp:
+        (JSC::FTL::SlowPathCallContext::makeCall):
+        * jit/JITCode.cpp:
+        (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
+        * jit/JITExceptions.cpp:
+        (JSC::genericUnwind):
+        * jit/JITOperations.cpp:
+        * jit/Repatch.cpp:
+        (JSC::readPutICCallTarget):
+        (JSC::ftlThunkAwareRepatchCall):
+        (JSC::tryCacheGetBy):
+        (JSC::tryCachePutByID):
+        * llint/LLIntData.cpp:
+        (JSC::LLInt::initialize):
+        * llint/LLIntPCRanges.h:
+        (JSC::LLInt::isLLIntPC):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::setUpCall):
+        * llint/LLIntThunks.cpp:
+        (JSC::LLInt::generateThunkWithJumpTo):
+        * runtime/MachineContext.h:
+        (JSC::MachineContext::instructionPointer):
+        * runtime/NativeExecutable.cpp:
+        (JSC::NativeExecutable::finishCreation):
+        * runtime/PutPropertySlot.h:
+        (JSC::PutPropertySlot::setCustomValue):
+        (JSC::PutPropertySlot::setCustomAccessor):
+        (JSC::PutPropertySlot::customSetter const):
+        * wasm/WasmAirIRGenerator.cpp:
+        (JSC::Wasm::AirIRGenerator::emitCCall):
+        * wasm/WasmSlowPaths.cpp:
+
 2020-10-07  Ross Kirsling  <[email protected]>
 

trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h

@@ -878 +878 @@
     static void* getLinkerAddress(void* code, AssemblerLabel label)
     {
-        return tagCodePtr(AssemblerType::getRelocatedAddress(code, label), tag);
+        return tagCodePtr<tag>(AssemblerType::getRelocatedAddress(code, label));
     }
 

trunk/Source/JavaScriptCore/assembler/AssemblerBuffer.h

@@ -188 +188 @@
         {
             uint64_t input = value ^ m_hash;
-            uint64_t a = static_cast<uint32_t>(tagInt(input, static_cast<PtrTag>(0)) >> 39);
-            uint64_t b = tagInt(input, static_cast<PtrTag>(0xb7e151628aed2a6a)) >> 23;
+            uint64_t a = static_cast<uint32_t>(tagInt<static_cast<PtrTag>(0)>(input) >> 39);
+            uint64_t b = tagInt<static_cast<PtrTag>(0xb7e151628aed2a6a)>(input) >> 23;
             m_hash = a ^ b;
         }
@@ -195 +195 @@
         {
             uint64_t hash = m_hash;
-            uint64_t a = static_cast<uint32_t>(tagInt(hash, static_cast<PtrTag>(0xbf7158809cf4f3c7)) >> 39);
-            uint64_t b = tagInt(hash, static_cast<PtrTag>(0x62e7160f38b4da56)) >> 23;
+            uint64_t a = static_cast<uint32_t>(tagInt<static_cast<PtrTag>(0xbf7158809cf4f3c7)>(hash) >> 39);
+            uint64_t b = tagInt<static_cast<PtrTag>(0x62e7160f38b4da56)>(hash) >> 23;
             return static_cast<uint32_t>(a ^ b);
         }

trunk/Source/JavaScriptCore/assembler/JITOperationList.cpp

@@ -49 +49 @@
         void* codePtr = removeCodePtrTag(bitwise_cast<void*>(*current));
         if (codePtr) {
-            auto result = map.add(codePtr, tagCodePtr(codePtr, JSEntryPtrTag));
+            auto result = map.add(codePtr, tagCodePtr<JSEntryPtrTag>(codePtr));
             ASSERT(result.isNewEntry);
         }
@@ -56 +56 @@
         void* codePtr = removeCodePtrTag(bitwise_cast<void*>(*current));
         if (codePtr) {
-            auto result = map.add(codePtr, tagCodePtr(codePtr, OperationPtrTag));
+            auto result = map.add(codePtr, tagCodePtr<OperationPtrTag>(codePtr));
             ASSERT(result.isNewEntry);
         }

trunk/Source/JavaScriptCore/assembler/MacroAssemblerARM64.cpp

@@ -546 +546 @@
     move(TrustedImmPtr(tagCFunction<JITProbeExecutorPtrTag>(Probe::executeProbe)), x28);
 #if CPU(ARM64E)
-    ASSERT(isTaggedWith(function, JITProbePtrTag));
+    assertIsTaggedWith<JITProbePtrTag>(function);
 #endif
     move(TrustedImmPtr(reinterpret_cast<void*>(function)), x24);

trunk/Source/JavaScriptCore/assembler/MacroAssemblerCodeRef.h

@@ -279 +279 @@
 #endif
     {
-        assertIsTaggedWith(value, tag);
+        assertIsTaggedWith<tag>(value);
         ASSERT(value);
 #if CPU(ARM_THUMB2)
@@ -291 +291 @@
         ASSERT(value);
         ASSERT_VALID_CODE_POINTER(value);
-        assertIsTaggedWith(value, tag);
+        assertIsTaggedWith<tag>(value);
         MacroAssemblerCodePtr result;
         result.m_value = value;

trunk/Source/JavaScriptCore/assembler/testmasm.cpp

@@ -2124 +2124 @@
         jit.probe([&] (Probe::Context& context) {
             probeCallCount++;
-            context.cpu.pc() = untagCodePtr(continuation.code().executableAddress(), JSEntryPtrTag);
+            context.cpu.pc() = untagCodePtr<JSEntryPtrTag>(continuation.code().executableAddress());
         });
 

trunk/Source/JavaScriptCore/b3/air/testair.cpp

@@ -100 +100 @@
 T invoke(const B3::Compilation& code, Arguments... arguments)
 {
-    void* executableAddress = untagCFunctionPtr(code.code().executableAddress(), B3CompilationPtrTag);
+    void* executableAddress = untagCFunctionPtr<B3CompilationPtrTag>(code.code().executableAddress());
     T (*function)(Arguments...) = bitwise_cast<T(*)(Arguments...)>(executableAddress);
     return function(arguments...);

trunk/Source/JavaScriptCore/ftl/FTLOutput.h

@@ -396 +396 @@
         static_assert(!std::is_same<Function, LValue>::value);
         return m_block->appendNew<B3::CCallValue>(m_proc, type, origin(), B3::Effects::none(),
-            constIntPtr(tagCFunctionPtr<void*>(function, OperationPtrTag)), arg1, args...);
+            constIntPtr(tagCFunctionPtr<void*, OperationPtrTag>(function)), arg1, args...);
     }
 
@@ -402 +402 @@
     // https://bugs.webkit.org/show_bug.cgi?id=184324
     template<typename FunctionType>
-    LValue operation(FunctionType function) { return constIntPtr(tagCFunctionPtr<void*>(function, OperationPtrTag)); }
+    LValue operation(FunctionType function) { return constIntPtr(tagCFunctionPtr<void*, OperationPtrTag>(function)); }
 
     void jump(LBasicBlock);

trunk/Source/JavaScriptCore/ftl/FTLSlowPathCall.cpp

@@ -121 +121 @@
 {
     SlowPathCallKey key = keyWithTarget(callTarget);
-    SlowPathCall result = SlowPathCall(m_jit.call(OperationPtrTag), key);
+    SlowPathCall result = SlowPathCall(m_jit.call(JITThunkPtrTag), key);
 
     m_jit.addLinkTask(
@@ -128 +128 @@
                 vm.ftlThunks->getSlowPathCallThunk(vm, result.key());
 
-            linkBuffer.link(result.call(), CodeLocationLabel<OperationPtrTag>(thunk.retaggedCode<OperationPtrTag>()));
+            linkBuffer.link(result.call(), CodeLocationLabel<JITThunkPtrTag>(thunk.code()));
         });
     

trunk/Source/JavaScriptCore/jit/JITCode.cpp

@@ -117 +117 @@
 {
     RELEASE_ASSERT(m_ref);
-    assertIsTaggedWith(m_ref.code().executableAddress(), JSEntryPtrTag);
+    assertIsTaggedWith<JSEntryPtrTag>(m_ref.code().executableAddress());
     if (!offset)
         return m_ref.code().executableAddress();

trunk/Source/JavaScriptCore/jit/JITExceptions.cpp

@@ -83 +83 @@
     ASSERT(bitwise_cast<uintptr_t>(callFrame) < bitwise_cast<uintptr_t>(vm.topEntryFrame));
 
-    assertIsTaggedWith(catchRoutine, ExceptionHandlerPtrTag);
+    assertIsTaggedWith<ExceptionHandlerPtrTag>(catchRoutine);
     vm.callFrameForCatch = callFrame;
     vm.targetMachinePCForThrow = catchRoutine;

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -2624 +2624 @@
     }
 
-    assertIsTaggedWith(result, JSSwitchPtrTag);
+    assertIsTaggedWith<JSSwitchPtrTag>(result);
     return reinterpret_cast<char*>(result);
 }
@@ -2644 +2644 @@
     else
         result = jumpTable.ctiDefault.executableAddress();
-    assertIsTaggedWith(result, JSSwitchPtrTag);
+    assertIsTaggedWith<JSSwitchPtrTag>(result);
     return reinterpret_cast<char*>(result);
 }
@@ -2669 +2669 @@
         result = jumpTable.ctiDefault.executableAddress();
 
-    assertIsTaggedWith(result, JSSwitchPtrTag);
+    assertIsTaggedWith<JSSwitchPtrTag>(result);
     return reinterpret_cast<char*>(result);
 }

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -74 +74 @@
 static FunctionPtr<CFunctionPtrTag> readPutICCallTarget(CodeBlock* codeBlock, CodeLocationCall<JSInternalPtrTag> call)
 {
-    FunctionPtr<OperationPtrTag> target = MacroAssembler::readCallTarget<OperationPtrTag>(call);
 #if ENABLE(FTL_JIT)
     if (codeBlock->jitType() == JITType::FTLJIT) {
-        MacroAssemblerCodePtr<JITThunkPtrTag> thunk = MacroAssemblerCodePtr<OperationPtrTag>::createFromExecutableAddress(target.executableAddress()).retagged<JITThunkPtrTag>();
+        FunctionPtr<JITThunkPtrTag> target = MacroAssembler::readCallTarget<JITThunkPtrTag>(call);
+        MacroAssemblerCodePtr<JITThunkPtrTag> thunk = MacroAssemblerCodePtr<JITThunkPtrTag>::createFromExecutableAddress(target.executableAddress());
         return codeBlock->vm().ftlThunks->keyForSlowPathCallThunk(thunk).callTarget().retagged<CFunctionPtrTag>();
     }
@@ -83 +83 @@
     UNUSED_PARAM(codeBlock);
 #endif // ENABLE(FTL_JIT)
+    FunctionPtr<OperationPtrTag> target = MacroAssembler::readCallTarget<OperationPtrTag>(call);
     return target.retagged<CFunctionPtrTag>();
 }
@@ -92 +93 @@
         VM& vm = codeBlock->vm();
         FTL::Thunks& thunks = *vm.ftlThunks;
-        FunctionPtr<OperationPtrTag> target = MacroAssembler::readCallTarget<OperationPtrTag>(call);
-        auto slowPathThunk = MacroAssemblerCodePtr<JITThunkPtrTag>::createFromExecutableAddress(target.retaggedExecutableAddress<JITThunkPtrTag>());
+        FunctionPtr<JITThunkPtrTag> target = MacroAssembler::readCallTarget<JITThunkPtrTag>(call);
+        auto slowPathThunk = MacroAssemblerCodePtr<JITThunkPtrTag>::createFromExecutableAddress(target.executableAddress());
         FTL::SlowPathCallKey key = thunks.keyForSlowPathCallThunk(slowPathThunk);
         key = key.withCallTarget(newCalleeFunction);
@@ -406 +407 @@
                     newCase = GetterSetterAccessCase::create(
                         vm, codeBlock, type, propertyName, offset, structure, conditionSet, loadTargetFromProxy,
-                        slot.watchpointSet(), slot.isCacheableCustom() ? slot.customGetter() : nullptr,
+                        slot.watchpointSet(), slot.isCacheableCustom() ? FunctionPtr<OperationPtrTag>(slot.customGetter()) : nullptr,
                         slot.isCacheableCustom() && slot.slotBase() != baseValue ? slot.slotBase() : nullptr,
                         domAttribute, WTFMove(prototypeAccessChain));
@@ -742 +743 @@
                 newCase = GetterSetterAccessCase::create(
                     vm, codeBlock, slot.isCustomAccessor() ? AccessCase::CustomAccessorSetter : AccessCase::CustomValueSetter, oldStructure, propertyName,
-                    invalidOffset, conditionSet, WTFMove(prototypeAccessChain), isProxy, slot.customSetter(), slot.base() != baseValue ? slot.base() : nullptr);
+                    invalidOffset, conditionSet, WTFMove(prototypeAccessChain), isProxy, slot.customSetter().retagged<OperationPtrTag>(), slot.base() != baseValue ? slot.base() : nullptr);
             } else {
                 ASSERT(slot.isCacheableSetter());

trunk/Source/JavaScriptCore/llint/LLIntData.cpp

@@ -63 +63 @@
 
     for (int i = 0; i < numOpcodeIDs + numWasmOpcodeIDs; ++i) {
-        g_jscConfig.llint.opcodeMap[i] = tagCodePtr(g_jscConfig.llint.opcodeMap[i], BytecodePtrTag);
-        g_jscConfig.llint.opcodeMapWide16[i] = tagCodePtr(g_jscConfig.llint.opcodeMapWide16[i], BytecodePtrTag);
-        g_jscConfig.llint.opcodeMapWide32[i] = tagCodePtr(g_jscConfig.llint.opcodeMapWide32[i], BytecodePtrTag);
+        g_jscConfig.llint.opcodeMap[i] = tagCodePtr<BytecodePtrTag>(g_jscConfig.llint.opcodeMap[i]);
+        g_jscConfig.llint.opcodeMapWide16[i] = tagCodePtr<BytecodePtrTag>(g_jscConfig.llint.opcodeMapWide16[i]);
+        g_jscConfig.llint.opcodeMapWide32[i] = tagCodePtr<BytecodePtrTag>(g_jscConfig.llint.opcodeMapWide32[i]);
     }
 

trunk/Source/JavaScriptCore/llint/LLIntPCRanges.h

@@ -41 +41 @@
 {
     uintptr_t pcAsInt = bitwise_cast<uintptr_t>(pc);
-    uintptr_t llintStart = untagCodePtr<uintptr_t>(llintPCRangeStart, CFunctionPtrTag);
-    uintptr_t llintEnd = untagCodePtr<uintptr_t>(llintPCRangeEnd, CFunctionPtrTag);
+    uintptr_t llintStart = untagCodePtr<uintptr_t, CFunctionPtrTag>(llintPCRangeStart);
+    uintptr_t llintEnd = untagCodePtr<uintptr_t, CFunctionPtrTag>(llintPCRangeEnd);
     RELEASE_ASSERT(llintStart < llintEnd);
     return llintStart <= pcAsInt && pcAsInt <= llintEnd;

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -156 +156 @@
 
 #define LLINT_CALL_END_IMPL(callFrame, callTarget, callTargetTag) \
-    LLINT_RETURN_TWO(retagCodePtr((callTarget), callTargetTag, SlowPathPtrTag), (callFrame))
+    LLINT_RETURN_TWO((retagCodePtr<callTargetTag, SlowPathPtrTag>(callTarget)), (callFrame))
 
 #define LLINT_CALL_THROW(globalObject, exceptionToThrow) do {                   \
@@ -1723 +1723 @@
             }
 
-            assertIsTaggedWith(codePtr.executableAddress(), JSEntryPtrTag);
+            assertIsTaggedWith<JSEntryPtrTag>(codePtr.executableAddress());
             LLINT_CALL_RETURN(globalObject, calleeFrame, codePtr.executableAddress(), JSEntryPtrTag);
         }
@@ -1766 +1766 @@
     }
 
-    assertIsTaggedWith(codePtr.executableAddress(), JSEntryPtrTag);
+    assertIsTaggedWith<JSEntryPtrTag>(codePtr.executableAddress());
     LLINT_CALL_RETURN(globalObject, calleeFrame, codePtr.executableAddress(), JSEntryPtrTag);
 }

trunk/Source/JavaScriptCore/llint/LLIntThunks.cpp

@@ -53 +53 @@
     JSInterfaceJIT jit;
 
-    assertIsTaggedWith(target, JSEntryPtrTag);
+    assertIsTaggedWith<JSEntryPtrTag>(target);
 
 #if ENABLE(WEBASSEMBLY)

trunk/Source/JavaScriptCore/runtime/JSCPtrTag.h

@@ -51 +51 @@
     v(OSREntryPtrTag) \
     v(OSRExitPtrTag) \
+    v(PutValuePtrTag) \
     v(SlowPathPtrTag) \
     v(WasmEntryPtrTag) \

trunk/Source/JavaScriptCore/runtime/MachineContext.h

@@ -458 +458 @@
     if (!usesPointerTagging())
         return makeOptional(MacroAssemblerCodePtr<PlatformRegistersPCPtrTag>(value));
-    if (isTaggedWith(value, PlatformRegistersPCPtrTag))
+    if (isTaggedWith<PlatformRegistersPCPtrTag>(value))
         return makeOptional(MacroAssemblerCodePtr<PlatformRegistersPCPtrTag>(value));
     return WTF::nullopt;

trunk/Source/JavaScriptCore/runtime/NativeExecutable.cpp

@@ -61 +61 @@
     m_name = name;
 
-    assertIsTaggedWith(m_jitCodeForCall->addressForCall(ArityCheckNotRequired).executableAddress(), JSEntryPtrTag);
-    assertIsTaggedWith(m_jitCodeForConstruct->addressForCall(ArityCheckNotRequired).executableAddress(), JSEntryPtrTag);
-    assertIsTaggedWith(m_jitCodeForCallWithArityCheck.executableAddress(), JSEntryPtrTag);
-    assertIsTaggedWith(m_jitCodeForConstructWithArityCheck.executableAddress(), JSEntryPtrTag);
+    assertIsTaggedWith<JSEntryPtrTag>(m_jitCodeForCall->addressForCall(ArityCheckNotRequired).executableAddress());
+    assertIsTaggedWith<JSEntryPtrTag>(m_jitCodeForConstruct->addressForCall(ArityCheckNotRequired).executableAddress());
+    assertIsTaggedWith<JSEntryPtrTag>(m_jitCodeForCallWithArityCheck.executableAddress());
+    assertIsTaggedWith<JSEntryPtrTag>(m_jitCodeForConstructWithArityCheck.executableAddress());
 }
 

trunk/Source/JavaScriptCore/runtime/PutPropertySlot.h

@@ -67 +67 @@
     }
 
-    void setCustomValue(JSObject* base, FunctionPtr<OperationPtrTag> function)
+    void setCustomValue(JSObject* base, PutValueFunc function)
     {
         m_type = CustomValue;
@@ -74 +74 @@
     }
 
-    void setCustomAccessor(JSObject* base, FunctionPtr<OperationPtrTag> function)
+    void setCustomAccessor(JSObject* base, PutValueFunc function)
     {
         m_type = CustomAccessor;
@@ -98 +98 @@
     }
 
-    FunctionPtr<OperationPtrTag> customSetter() const
+    FunctionPtr<PutValuePtrTag> customSetter() const
     {
         ASSERT(isCacheableCustom());
@@ -138 +138 @@
     uint8_t m_context;
     CacheabilityType m_cacheability;
-    FunctionPtr<OperationPtrTag> m_putFunction;
+    FunctionPtr<PutValuePtrTag> m_putFunction;
 };
 

trunk/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp

@@ -599 +599 @@
 
         Tmp callee = g64();
-        append(block, Move, Arg::immPtr(tagCFunctionPtr<void*>(func, OperationPtrTag)), callee);
+        append(block, Move, Arg::immPtr(tagCFunctionPtr<void*, OperationPtrTag>(func)), callee);
         inst.args.append(callee);
 

trunk/Source/JavaScriptCore/wasm/WasmSlowPaths.cpp

@@ -65 +65 @@
 
 #define WASM_CALL_RETURN(targetInstance, callTarget, callTargetTag) do { \
-        WASM_RETURN_TWO(retagCodePtr(callTarget, callTargetTag, SlowPathPtrTag), targetInstance); \
+        WASM_RETURN_TWO((retagCodePtr<callTargetTag, SlowPathPtrTag>(callTarget)), targetInstance); \
     } while (false)
 

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2020-10-07  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Restrict more ptr-tagging and avoid using OperationPtrTag for JIT code
+        https://bugs.webkit.org/show_bug.cgi?id=217460
+
+        Reviewed by Saam Barati.
+
+        * wtf/PlatformRegisters.cpp:
+        (WTF::threadStateLRInternal):
+        (WTF::threadStatePCInternal):
+        * wtf/PtrTag.h:
+        (WTF::tagCFunctionPtr):
+        (WTF::tagCFunction):
+        (WTF::untagCFunctionPtr):
+        (WTF::tagInt):
+        (WTF::isTaggedWith):
+        (WTF::assertIsTaggedWith):
+        (WTF::assertIsNullOrTaggedWith):
+
 2020-10-07  Keith Rollin  <[email protected]>
 

trunk/Source/WTF/wtf/PlatformRegisters.cpp

@@ -40 +40 @@
 
 #if USE(UNTAGGED_THREAD_STATE_PTR)
-    if (candidateLR && isTaggedWith(candidateLR, CFunctionPtrTag))
+    if (candidateLR && isTaggedWith<CFunctionPtrTag>(candidateLR))
         return retagCodePtr<CFunctionPtrTag, PlatformRegistersLRPtrTag>(candidateLR);
     candidateLR = bitwise_cast<void*>(arm_thread_state64_get_lr(regs));
@@ -57 +57 @@
 
 #if USE(UNTAGGED_THREAD_STATE_PTR)
-    if (candidatePC && isTaggedWith(candidatePC, CFunctionPtrTag))
+    if (candidatePC && isTaggedWith<CFunctionPtrTag>(candidatePC))
         return retagCodePtr<CFunctionPtrTag, PlatformRegistersPCPtrTag>(candidatePC);
     candidatePC = bitwise_cast<void*>(arm_thread_state64_get_pc(regs));

trunk/Source/WTF/wtf/PtrTag.h

@@ -194 +194 @@
 }
 
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T tagCodePtr(PtrType ptr, PtrTag tag)
-{
-    return bitwise_cast<T>(tagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
-}
-
 template<typename T, PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline T tagCodePtr(PtrType ptr)
 {
     return bitwise_cast<T>(tagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
-}
-
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType tagCodePtr(PtrType ptr, PtrTag tag)
-{
-    return tagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag);
 }
 
@@ -235 +223 @@
 }
 
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T untagCodePtr(PtrType ptr, PtrTag tag)
-{
-    return bitwise_cast<T>(untagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
-}
-
 template<typename T, PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline T untagCodePtr(PtrType ptr)
 {
     return bitwise_cast<T>(untagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
-}
-
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType untagCodePtr(PtrType ptr, PtrTag tag)
-{
-    return untagCodePtrImpl<PtrTagAction::DebugAssert>(ptr, tag);
 }
 
@@ -313 +289 @@
 }
 
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T tagCFunctionPtr(PtrType ptr, PtrTag tag)
-{
-    return bitwise_cast<T>(tagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
-}
-
 template<typename T, PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline T tagCFunctionPtr(PtrType ptr)
@@ -325 +295 @@
 }
 
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType tagCFunctionPtr(PtrType ptr, PtrTag tag)
-{
-    return tagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag);
-}
-
 template<PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType tagCFunctionPtr(PtrType ptr) { return tagCFunctionPtr(ptr, tag); }
+inline PtrType tagCFunctionPtr(PtrType ptr) { return tagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag); }
 
 template<PtrTag newTag, typename FunctionType, class = typename std::enable_if<std::is_pointer<FunctionType>::value && std::is_function<typename std::remove_pointer<FunctionType>::type>::value>::type>
 inline FunctionType tagCFunction(FunctionType func)
 {
-    ASSERT(isTaggedWith(func, CFunctionPtrTag));
+    assertIsTaggedWith<CFunctionPtrTag>(func);
     ASSERT(newTag != CFunctionPtrTag);
     return ptrauth_auth_and_resign(func, ptrauth_key_function_pointer, 0, ptrauth_key_process_dependent_code, newTag);
@@ -357 +321 @@
 }
 
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T untagCFunctionPtr(PtrType ptr, PtrTag tag)
-{
-    return bitwise_cast<T>(untagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag));
-}
-
 template<typename T, PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline T untagCFunctionPtr(PtrType ptr)
@@ -375 +333 @@
 }
 
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType untagCFunctionPtr(PtrType ptr, PtrTag tag)
-{
-    return untagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag);
-}
-
 template<PtrTag tag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType untagCFunctionPtr(PtrType ptr) { return untagCFunctionPtr(ptr, tag); }
-
-template <typename IntType>
-inline IntType tagInt(IntType ptrInt, PtrTag tag)
+inline PtrType untagCFunctionPtr(PtrType ptr) { return untagCFunctionPtrImpl<PtrTagAction::DebugAssert>(ptr, tag); }
+
+template <PtrTag tag, typename IntType>
+inline IntType tagInt(IntType ptrInt)
 {
     static_assert(sizeof(IntType) == sizeof(uintptr_t), "");
@@ -426 +378 @@
 }
 
-template<typename PtrType>
-bool isTaggedWith(PtrType value, PtrTag tag)
+template<PtrTag tag, typename PtrType>
+bool isTaggedWith(PtrType value)
 {
     void* ptr = bitwise_cast<void*>(value);
@@ -435 +387 @@
 }
 
-template<typename PtrType>
-void assertIsTaggedWith(PtrType value, PtrTag tag)
+template<PtrTag tag, typename PtrType>
+void assertIsTaggedWith(PtrType value)
 {
     WTF_PTRTAG_ASSERT(PtrTagAction::DebugAssert, value, tag, isTaggedWith(value, tag));
 }
 
-template<typename PtrType>
-void assertIsNullOrTaggedWith(PtrType ptr, PtrTag tag)
+template<PtrTag tag, typename PtrType>
+void assertIsNullOrTaggedWith(PtrType ptr)
 {
     if (ptr)
-        assertIsTaggedWith(ptr, tag);
+        assertIsTaggedWith<tag>(ptr);
 }
 
@@ -495 +447 @@
 
 
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-constexpr T tagCodePtr(PtrType ptr, PtrTag) { return bitwise_cast<T>(ptr); }
-
 template<typename T, PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline T tagCodePtr(PtrType ptr) { return bitwise_cast<T>(ptr); }
 
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-constexpr PtrType tagCodePtr(PtrType ptr, PtrTag) { return ptr; }
-
 template<PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline PtrType tagCodePtr(PtrType ptr) { return ptr; }
 
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-constexpr T untagCodePtr(PtrType ptr, PtrTag) { return bitwise_cast<T>(ptr); }
-
 template<typename T, PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline T untagCodePtr(PtrType ptr)  { return bitwise_cast<T>(ptr); }
 
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-constexpr PtrType untagCodePtr(PtrType ptr, PtrTag) { return ptr; }
-
 template<PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline PtrType untagCodePtr(PtrType ptr) { return ptr; }
@@ -537 +477 @@
 constexpr PtrType removeCodePtrTag(PtrType ptr) { return ptr; }
 
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T tagCFunctionPtr(PtrType ptr, PtrTag) { return bitwise_cast<T>(ptr); }
-
 template<typename T, PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline T tagCFunctionPtr(PtrType ptr) { return bitwise_cast<T>(ptr); }
 
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType tagCFunctionPtr(PtrType ptr, PtrTag) { return ptr; }
-
 template<PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline PtrType tagCFunctionPtr(PtrType ptr) { return ptr; }
@@ -558 +492 @@
 }
 
-template<typename T, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value && !std::is_same<T, PtrType>::value>>
-inline T untagCFunctionPtr(PtrType ptr, PtrTag) { return bitwise_cast<T>(ptr); }
-
 template<typename T, PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline T untagCFunctionPtr(PtrType ptr) { return bitwise_cast<T>(ptr); }
 
-template<typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
-inline PtrType untagCFunctionPtr(PtrType ptr, PtrTag) { return ptr; }
-
 template<PtrTag, typename PtrType, typename = std::enable_if_t<std::is_pointer<PtrType>::value>>
 inline PtrType untagCFunctionPtr(PtrType ptr) { return ptr; }
 
-template <typename IntType>
-inline IntType tagInt(IntType ptrInt, PtrTag)
+template <PtrTag, typename IntType>
+inline IntType tagInt(IntType ptrInt)
 {
     static_assert(sizeof(IntType) == sizeof(uintptr_t), "");
@@ -584 +512 @@
 template<typename PtrType> void assertIsNullOrTagged(PtrType) { }
 
-template<typename PtrType> bool isTaggedWith(PtrType, PtrTag) { return false; }
-
-template<typename PtrType> void assertIsTaggedWith(PtrType, PtrTag) { }
-template<typename PtrType> void assertIsNullOrTaggedWith(PtrType, PtrTag) { }
+template<PtrTag, typename PtrType> bool isTaggedWith(PtrType) { return false; }
+
+template<PtrTag, typename PtrType> void assertIsTaggedWith(PtrType) { }
+template<PtrTag, typename PtrType> void assertIsNullOrTaggedWith(PtrType) { }
 
 inline bool usesPointerTagging() { return false; }