haikuwebkit/Source/WTF/wtf/CagedPtr.h

161 lines
4.8 KiB
C

All C++ accesses to JSObject::m_butterfly should do caging https://bugs.webkit.org/show_bug.cgi?id=175039 Reviewed by Keith Miller. Source/JavaScriptCore: Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API. This ensures that you can't cause C++ code to access a butterfly that has been rewired to point outside the gigacage. * runtime/JSArray.cpp: (JSC::JSArray::setLength): (JSC::JSArray::pop): (JSC::JSArray::push): (JSC::JSArray::shiftCountWithAnyIndexingType): (JSC::JSArray::unshiftCountWithAnyIndexingType): (JSC::JSArray::fillArgList): (JSC::JSArray::copyToArguments): * runtime/JSObject.cpp: (JSC::JSObject::heapSnapshot): (JSC::JSObject::createInitialIndexedStorage): (JSC::JSObject::createArrayStorage): (JSC::JSObject::convertUndecidedToInt32): (JSC::JSObject::convertUndecidedToDouble): (JSC::JSObject::convertUndecidedToContiguous): (JSC::JSObject::convertInt32ToDouble): (JSC::JSObject::convertInt32ToArrayStorage): (JSC::JSObject::convertDoubleToContiguous): (JSC::JSObject::convertDoubleToArrayStorage): (JSC::JSObject::convertContiguousToArrayStorage): (JSC::JSObject::defineOwnIndexedProperty): (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): (JSC::JSObject::ensureLengthSlow): (JSC::JSObject::allocateMoreOutOfLineStorage): * runtime/JSObject.h: (JSC::JSObject::canGetIndexQuickly): (JSC::JSObject::getIndexQuickly): (JSC::JSObject::tryGetIndexQuickly const): (JSC::JSObject::canSetIndexQuickly): (JSC::JSObject::setIndexQuickly): (JSC::JSObject::initializeIndex): (JSC::JSObject::initializeIndexWithoutBarrier): (JSC::JSObject::butterfly const): (JSC::JSObject::butterfly): Source/WTF: Adds a smart pointer class that does various kinds of caging for you. * WTF.xcodeproj/project.pbxproj: * wtf/CMakeLists.txt: * wtf/CagedPtr.h: Added.
(WTF::CagedPtr::CagedPtr): (WTF::CagedPtr::get const): (WTF::CagedPtr::getMayBeNull const): (WTF::CagedPtr::operator== const): (WTF::CagedPtr::operator!= const): (WTF::CagedPtr::operator bool const): (WTF::CagedPtr::operator* const): (WTF::CagedPtr::operator-> const): Canonical link: https://commits.webkit.org/191861@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220165 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-08-03 01:32:07 +00:00
/*
Define MacroAssemblerARM64E::numberOfPACBits based on OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH). https://bugs.webkit.org/show_bug.cgi?id=227147 rdar://78785309 Reviewed by Saam Barati. Source/bmalloc: For OS(DARWIN), define BOS_EFFECTIVE_ADDRESS_WIDTH in terms of MACH_VM_MAX_ADDRESS, which is provided by the SDK. This ensures that it is correct for each target OS(DARWIN) platform. * bmalloc/Algorithm.h: (bmalloc::clzConstexpr): (bmalloc::getMSBSetConstexpr): * bmalloc/BPlatform.h: * bmalloc/Gigacage.h: * bmalloc/ObjectTypeTable.h: * bmalloc/Packed.h: Source/JavaScriptCore: * assembler/MacroAssemblerARM64E.h: * bytecode/CodeOrigin.h: * runtime/JSString.h: * runtime/OptionsList.h: Source/WTF: For OS(DARWIN), define OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) in terms of MACH_VM_MAX_ADDRESS, which is provided by the SDK. This ensures that it is correct for each target OS(DARWIN) platform. Also update an assertion in WTFAssertions.cpp to verify that address bits are less than 48. The purpose of this assertion is to ensure that our 64-bit NaN boxing encoding for JSValues will work. Hence, we should use the encoding limit for pointers of 48 bits. It no longer makes sense to assert based on OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH), because OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) is defined in terms of MACH_VM_MAX_ADDRESS. * wtf/CagedPtr.h: * wtf/CompactPointerTuple.h: * wtf/PlatformOS.h: * wtf/WTFAssertions.cpp: * wtf/threads/Signals.cpp: Tools: * TestWebKitAPI/Tests/WTF/Packed.cpp: Canonical link: https://commits.webkit.org/238948@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279028 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-06-18 01:44:42 +00:00
* Copyright (C) 2017-2021 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF
* THE POSSIBILITY OF SUCH DAMAGE.
*/
#pragma once
#include <wtf/Gigacage.h>
#include <wtf/MathExtras.h>
#include <wtf/PtrTag.h>
Inclusive software: Remove instances of "dumb" from the code https://bugs.webkit.org/show_bug.cgi?id=217778 Reviewed by Simon Fraser. Source/JavaScriptCore: * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::emitCall): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileCallEval): (JSC::FTL::DFG::LowerDFGToB3::unboxBoolean): * heap/SlotVisitor.h: * jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitVirtualCall): (JSC::AssemblyHelpers::emitDumbVirtualCall): Deleted. * jit/AssemblyHelpers.h: * jit/JITCall.cpp: (JSC::JIT::compileCallEvalSlowCase): * jit/JITCall32_64.cpp: (JSC::JIT::compileCallEvalSlowCase): * runtime/CachedTypes.cpp: * runtime/JSCJSValue.h: * runtime/WriteBarrier.h: * runtime/WriteBarrierInlines.h: (JSC::RawValueTraits<Unknown>>::set): (JSC::DumbValueTraits<Unknown>>::set): Deleted. * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::addCallIndirect): * wasm/generateWasm.py: (opcodeIterator): Source/WebCore: * Modules/webaudio/AudioNode.h: * dom/GCReachableRef.h: * page/EventHandler.cpp: (WebCore::EventHandler::handleDrag): * rendering/InlineFlowBox.cpp: (WebCore::InlineFlowBox::addToLine): Source/WTF: * WTF.xcodeproj/project.pbxproj: * icu/unicode/caniter.h: * wtf/Bag.h: * wtf/CMakeLists.txt: * wtf/CagedPtr.h: * wtf/Forward.h: * wtf/NakedRef.h: * wtf/RawPtrTraits.h: Renamed from Source/WTF/wtf/DumbPtrTraits.h. * wtf/RawValueTraits.h: Renamed from Source/WTF/wtf/DumbValueTraits.h. * wtf/Ref.h: * wtf/RefCountedArray.h: * wtf/RefPtr.h: * wtf/SentinelLinkedList.h: Canonical link: https://commits.webkit.org/230896@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@268993 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2020-10-26 20:08:01 +00:00
#include <wtf/RawPtrTraits.h>
#include <climits>
#if OS(DARWIN)
#include <mach/vm_param.h>
#endif
namespace WTF {
constexpr bool tagCagedPtr = true;
template<Gigacage::Kind passedKind, typename T, bool shouldTag = false, typename PtrTraits = RawPtrTraits<T>>
class CagedPtr {
public:
Primitive auxiliaries and JSValue auxiliaries should have separate gigacages https://bugs.webkit.org/show_bug.cgi?id=174919 Reviewed by Keith Miller. Source/bmalloc: This introduces two kinds of Gigacage, Primitive and JSValue. This translates to two kinds of HeapKind, PrimitiveGigacage and JSValueGigacage. The new support functionality required turning Inline.h into BInline.h, and INLINE into BINLINE, and NO_INLINE into BNO_INLINE. * bmalloc.xcodeproj/project.pbxproj: * bmalloc/Allocator.cpp: (bmalloc::Allocator::refillAllocatorSlowCase): (bmalloc::Allocator::refillAllocator): (bmalloc::Allocator::allocateLarge): (bmalloc::Allocator::allocateLogSizeClass): * bmalloc/AsyncTask.h: * bmalloc/BInline.h: Copied from Source/bmalloc/bmalloc/Inline.h. * bmalloc/Cache.cpp: (bmalloc::Cache::tryAllocateSlowCaseNullCache): (bmalloc::Cache::allocateSlowCaseNullCache): (bmalloc::Cache::deallocateSlowCaseNullCache): (bmalloc::Cache::reallocateSlowCaseNullCache): * bmalloc/Deallocator.cpp: * bmalloc/Gigacage.cpp: (Gigacage::PrimitiveDisableCallbacks::PrimitiveDisableCallbacks): (Gigacage::ensureGigacage): (Gigacage::disablePrimitiveGigacage): (Gigacage::addPrimitiveDisableCallback): (Gigacage::removePrimitiveDisableCallback): (Gigacage::Callbacks::Callbacks): Deleted. (Gigacage::disableGigacage): Deleted. (Gigacage::addDisableCallback): Deleted. (Gigacage::removeDisableCallback): Deleted. * bmalloc/Gigacage.h: (Gigacage::name): (Gigacage::basePtr): (Gigacage::forEachKind): (Gigacage::caged): (Gigacage::isCaged): * bmalloc/Heap.cpp: (bmalloc::Heap::Heap): (bmalloc::Heap::usingGigacage): (bmalloc::Heap::gigacageBasePtr): * bmalloc/Heap.h: * bmalloc/HeapKind.h: (bmalloc::isGigacage): (bmalloc::gigacageKind): (bmalloc::heapKind): * bmalloc/Inline.h: Removed. 
* bmalloc/Map.h: * bmalloc/PerProcess.h: (bmalloc::PerProcess<T>::getFastCase): (bmalloc::PerProcess<T>::get): (bmalloc::PerProcess<T>::getSlowCase): * bmalloc/PerThread.h: (bmalloc::PerThread<T>::getFastCase): * bmalloc/Vector.h: (bmalloc::Vector<T>::push): (bmalloc::Vector<T>::shrinkCapacity): (bmalloc::Vector<T>::growCapacity): Source/JavaScriptCore: This adapts JSC to there being two gigacages. To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than singletons. I don't think we were gaining anything by making them be singletons. This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of gigacages. We'll have one of those allocators per cage. From there, this change teaches everyone who previously knew about cages that there are two cages. This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's not so obvious, so this change introduces some helpers to make it easy to define what cage you want to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and CagedPtr. This removes one layer of "get()" calls from a bunch of places. 
* JavaScriptCore.xcodeproj/project.pbxproj: * bytecode/AccessCase.cpp: (JSC::AccessCase::generateImpl): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::emitAllocateRawObject): (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): (JSC::DFG::SpeculativeJIT::compileNewTypedArray): (JSC::DFG::SpeculativeJIT::emitAllocateButterfly): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly): (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname): (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject): (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl): (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray): (JSC::FTL::DFG::LowerDFGToB3::caged): * heap/FastMallocAlignedMemoryAllocator.cpp: (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted. * heap/FastMallocAlignedMemoryAllocator.h: * heap/GigacageAlignedMemoryAllocator.cpp: (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator): (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory): (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory): (JSC::GigacageAlignedMemoryAllocator::dump const): (JSC::GigacageAlignedMemoryAllocator::instance): Deleted. * heap/GigacageAlignedMemoryAllocator.h: * jsc.cpp: (primitiveGigacageDisabled): (jscmain): (gigacageDisabled): Deleted. * llint/LowLevelInterpreter64.asm: * runtime/ArrayBuffer.cpp: (JSC::ArrayBufferContents::tryAllocate): (JSC::ArrayBuffer::createAdopted): (JSC::ArrayBuffer::createFromBytes): * runtime/AuxiliaryBarrier.h: * runtime/ButterflyInlines.h: (JSC::Butterfly::createUninitialized): (JSC::Butterfly::tryCreate): (JSC::Butterfly::growArrayRight): * runtime/CagedBarrierPtr.h: Added. 
(JSC::CagedBarrierPtr::CagedBarrierPtr): (JSC::CagedBarrierPtr::clear): (JSC::CagedBarrierPtr::set): (JSC::CagedBarrierPtr::get const): (JSC::CagedBarrierPtr::getMayBeNull const): (JSC::CagedBarrierPtr::operator== const): (JSC::CagedBarrierPtr::operator!= const): (JSC::CagedBarrierPtr::operator bool const): (JSC::CagedBarrierPtr::setWithoutBarrier): (JSC::CagedBarrierPtr::operator* const): (JSC::CagedBarrierPtr::operator-> const): (JSC::CagedBarrierPtr::operator[] const): * runtime/DirectArguments.cpp: (JSC::DirectArguments::overrideThings): (JSC::DirectArguments::unmapArgument): * runtime/DirectArguments.h: (JSC::DirectArguments::isMappedArgument const): * runtime/GenericArguments.h: * runtime/GenericArgumentsInlines.h: (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor): (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor): (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor): * runtime/HashMapImpl.cpp: (JSC::HashMapImpl<HashMapBucket>::visitChildren): * runtime/HashMapImpl.h: (JSC::HashMapBuffer::create): (JSC::HashMapImpl::buffer const): (JSC::HashMapImpl::rehash): * runtime/JSArray.cpp: (JSC::JSArray::tryCreateUninitializedRestricted): (JSC::JSArray::unshiftCountSlowCase): (JSC::JSArray::setLength): (JSC::JSArray::pop): (JSC::JSArray::push): (JSC::JSArray::fastSlice): (JSC::JSArray::shiftCountWithArrayStorage): (JSC::JSArray::shiftCountWithAnyIndexingType): (JSC::JSArray::unshiftCountWithAnyIndexingType): (JSC::JSArray::fillArgList): (JSC::JSArray::copyToArguments): * runtime/JSArray.h: (JSC::JSArray::tryCreate): * runtime/JSArrayBufferView.cpp: (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): (JSC::JSArrayBufferView::finalize): * runtime/JSLock.cpp: (JSC::JSLock::didAcquireLock): * runtime/JSObject.cpp: (JSC::JSObject::heapSnapshot): (JSC::JSObject::getOwnPropertySlotByIndex): (JSC::JSObject::putByIndex): (JSC::JSObject::enterDictionaryIndexingMode): (JSC::JSObject::createInitialIndexedStorage): 
(JSC::JSObject::createArrayStorage): (JSC::JSObject::convertUndecidedToInt32): (JSC::JSObject::convertUndecidedToDouble): (JSC::JSObject::convertUndecidedToContiguous): (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements): (JSC::JSObject::convertUndecidedToArrayStorage): (JSC::JSObject::convertInt32ToDouble): (JSC::JSObject::convertInt32ToContiguous): (JSC::JSObject::convertInt32ToArrayStorage): (JSC::JSObject::convertDoubleToContiguous): (JSC::JSObject::convertDoubleToArrayStorage): (JSC::JSObject::convertContiguousToArrayStorage): (JSC::JSObject::setIndexQuicklyToUndecided): (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode): (JSC::JSObject::deletePropertyByIndex): (JSC::JSObject::getOwnPropertyNames): (JSC::JSObject::putIndexedDescriptor): (JSC::JSObject::defineOwnIndexedProperty): (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength): (JSC::JSObject::getNewVectorLength): (JSC::JSObject::ensureLengthSlow): (JSC::JSObject::reallocateAndShrinkButterfly): (JSC::JSObject::allocateMoreOutOfLineStorage): (JSC::JSObject::getEnumerableLength):
* runtime/JSObject.h: (JSC::JSObject::getArrayLength const): (JSC::JSObject::getVectorLength): (JSC::JSObject::putDirectIndex): (JSC::JSObject::canGetIndexQuickly): (JSC::JSObject::getIndexQuickly): (JSC::JSObject::tryGetIndexQuickly const): (JSC::JSObject::canSetIndexQuickly): (JSC::JSObject::setIndexQuickly): (JSC::JSObject::initializeIndex): (JSC::JSObject::initializeIndexWithoutBarrier): (JSC::JSObject::hasSparseMap): (JSC::JSObject::inSparseIndexingMode): (JSC::JSObject::butterfly const): (JSC::JSObject::butterfly): (JSC::JSObject::outOfLineStorage const): (JSC::JSObject::outOfLineStorage): (JSC::JSObject::ensureInt32): (JSC::JSObject::ensureDouble): (JSC::JSObject::ensureContiguous): (JSC::JSObject::ensureArrayStorage): (JSC::JSObject::arrayStorage): (JSC::JSObject::arrayStorageOrNull): (JSC::JSObject::ensureLength):
* runtime/RegExpMatchesArray.h: (JSC::tryCreateUninitializedRegExpMatchesArray):
* runtime/VM.cpp: (JSC::VM::VM): (JSC::VM::~VM): (JSC::VM::primitiveGigacageDisabledCallback): (JSC::VM::primitiveGigacageDisabled): (JSC::VM::gigacageDisabledCallback): Deleted. (JSC::VM::gigacageDisabled): Deleted.
* runtime/VM.h: (JSC::VM::gigacageAuxiliarySpace): (JSC::VM::firePrimitiveGigacageEnabledIfNecessary): (JSC::VM::primitiveGigacageEnabled): (JSC::VM::fireGigacageEnabledIfNecessary): Deleted. (JSC::VM::gigacageEnabled): Deleted.
* wasm/WasmMemory.cpp: (JSC::Wasm::Memory::create): (JSC::Wasm::Memory::~Memory): (JSC::Wasm::Memory::grow):

Source/WebCore:

No new tests because no change in behavior.

Adapting to API changes - we now specify the AlignedMemoryAllocator differently and we need to be specific about which Gigacage we're using.

* bindings/js/WebCoreJSClientData.cpp: (WebCore::JSVMClientData::JSVMClientData):
* platform/graphics/cocoa/GPUBufferMetal.mm: (WebCore::GPUBuffer::GPUBuffer):

Source/WebKit:

The disable callback is all about the primitive gigacage.

* WebProcess/WebProcess.cpp: (WebKit::primitiveGigacageDisabled): (WebKit::m_webSQLiteDatabaseTracker): (WebKit::gigacageDisabled): Deleted.

Source/WTF:

This mirrors the changes from bmalloc/Gigacage.h. Also it teaches CagedPtr how to reason about multiple gigacages.

* wtf/CagedPtr.h: (WTF::CagedPtr::get const): (WTF::CagedPtr::operator[] const):
* wtf/Gigacage.cpp: (Gigacage::tryMalloc): (Gigacage::tryAllocateVirtualPages): (Gigacage::freeVirtualPages): (Gigacage::tryAlignedMalloc): (Gigacage::alignedFree): (Gigacage::free):
* wtf/Gigacage.h: (Gigacage::disablePrimitiveGigacage): (Gigacage::addPrimitiveDisableCallback): (Gigacage::removePrimitiveDisableCallback): (Gigacage::name): (Gigacage::basePtr): (Gigacage::caged): (Gigacage::isCaged): (Gigacage::tryAlignedMalloc): (Gigacage::alignedFree): (Gigacage::free): (Gigacage::disableGigacage): Deleted. (Gigacage::addDisableCallback): Deleted. (Gigacage::removeDisableCallback): Deleted.

Canonical link: https://commits.webkit.org/192001@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220352 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-08-07 21:31:49 +00:00
static constexpr Gigacage::Kind kind = passedKind;
Define MacroAssemblerARM64E::numberOfPACBits based on OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH).
https://bugs.webkit.org/show_bug.cgi?id=227147
rdar://78785309

Reviewed by Saam Barati.

Source/bmalloc:

For OS(DARWIN), define BOS_EFFECTIVE_ADDRESS_WIDTH in terms of MACH_VM_MAX_ADDRESS, which is provided by the SDK. This ensures that it is correct for each target OS(DARWIN) platform.

* bmalloc/Algorithm.h: (bmalloc::clzConstexpr): (bmalloc::getMSBSetConstexpr):
* bmalloc/BPlatform.h:
* bmalloc/Gigacage.h:
* bmalloc/ObjectTypeTable.h:
* bmalloc/Packed.h:

Source/JavaScriptCore:

* assembler/MacroAssemblerARM64E.h:
* bytecode/CodeOrigin.h:
* runtime/JSString.h:
* runtime/OptionsList.h:

Source/WTF:

For OS(DARWIN), define OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) in terms of MACH_VM_MAX_ADDRESS, which is provided by the SDK. This ensures that it is correct for each target OS(DARWIN) platform.

Also update an assertion in WTFAssertions.cpp to verify that address bits are less than 48. The purpose of this assertion is to ensure that our 64-bit NaN boxing encoding for JSValues will work. Hence, we should use the encoding limit for pointers of 48 bits. It no longer makes sense to assert based on OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH), because OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) is defined in terms of MACH_VM_MAX_ADDRESS.

* wtf/CagedPtr.h:
* wtf/CompactPointerTuple.h:
* wtf/PlatformOS.h:
* wtf/WTFAssertions.cpp:
* wtf/threads/Signals.cpp:

Tools:

* TestWebKitAPI/Tests/WTF/Packed.cpp:

Canonical link: https://commits.webkit.org/238948@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279028 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-06-18 01:44:42 +00:00
static constexpr unsigned numberOfPointerBits = sizeof(T*) * CHAR_BIT;
static constexpr unsigned maxNumberOfAllowedPACBits = numberOfPointerBits - OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH);
static constexpr uintptr_t nonPACBitsMask = (1ull << (numberOfPointerBits - maxNumberOfAllowedPACBits)) - 1;
Apply poisoning to TypedArray vector pointers.
https://bugs.webkit.org/show_bug.cgi?id=182155
<rdar://problem/36286266>

Reviewed by JF Bastien.

Source/JavaScriptCore:

The TypedArray's vector pointer is now poisoned. The poison value is chosen based on a TypedArray's jsType. The JSType must be between FirstTypedArrayType and LastTypedArrayType. At runtime, we enforce that the index is well-behaved by masking it against TypedArrayPoisonIndexMask.

TypedArrayPoisonIndexMask (16) is the number of TypedArray types (10) rounded up to the next power of 2. Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we can use index masking on the index, and be guaranteed that the masked index will be within bounds of the poisons array.

1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not do any unnecessary work if the TypedArray vector is null. FTL's cagedMayBeNull() is no longer needed because it is only used by compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning in a TypedArray specific way. So, might as well do the work inline in compileGetTypedArrayByteOffset() instead.

2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize() because there's already a null check above it that ensures that sizeGPR is never null.

3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the loading of the vector for unpoisoning and uncaging. We don't need the vector if the length is 0.

Implementation notes on the need to null check the TypedArray vector:

1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a m_poisonedVector null check because the function is a null check.
2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a m_poisonedVector null check because it is followed by a call to cageTypedArrayStorage() which assumes that storageReg cannot be null.
3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.
4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null check because the poisoning code is preceded by a sizeGPR null check, which ensures that the storageGPR (vector to be poisoned) is not null.
5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null check because it is followed by a call to caged() which assumes that the vector cannot be null.
6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.
7. FTL's compileNewTypedArray() does not need a vector null check because the poisoning code is preceded by a size null check, which ensures that the storage (vector to be poisoned) is not null.
8. FTL's speculateTypedArrayIsNotNeutered() does not need a m_poisonedVector null check because the function is a null check.
9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic case needs a null check so that it does not try to unpoison a null vector.
10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because we already do a length check even before loading the vector.
11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because we already do a length check even before loading the vector.
12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because we already do a length check even before loading the vector.
13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because we already do a length check even before loading the vector.
14. LLInt's loadTypedArrayCaged() does not need a vector null check because its client will do a TypedArray length check before calling it.

* dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::checkArray):
* dfg/DFGNode.h: (JSC::DFG::Node::hasArrayMode):
* dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted.
* jit/IntrinsicEmitter.cpp: (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITPropertyAccess.cpp: (JSC::JIT::emitIntTypedArrayGetByVal): (JSC::JIT::emitFloatTypedArrayGetByVal): (JSC::JIT::emitIntTypedArrayPutByVal): (JSC::JIT::emitFloatTypedArrayPutByVal):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/x86.rb:
* runtime/CagedBarrierPtr.h:
* runtime/JSArrayBufferView.cpp: (JSC::JSArrayBufferView::JSArrayBufferView): (JSC::JSArrayBufferView::finalize): (JSC::JSArrayBufferView::neuter):
* runtime/JSArrayBufferView.h: (JSC::JSArrayBufferView::vector const): (JSC::JSArrayBufferView::offsetOfPoisonedVector): (JSC::JSArrayBufferView::poisonFor): (JSC::JSArrayBufferView::Poison::key): (JSC::JSArrayBufferView::offsetOfVector): Deleted.
* runtime/JSCPoison.cpp: (JSC::initializePoison):
* runtime/JSCPoison.h:
* runtime/JSGenericTypedArrayViewInlines.h: (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize): (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.h:

Source/WTF:

1. Added the ability to poison a CagedPtr.
2. Prevent CagedPtr from being implicitly instantiated, and add operator= methods instead. This is because implicitly instantiated CagedPtrs with a poisoned trait may silently use a wrong poison value.

* wtf/CagedPtr.h: (WTF::CagedPtr::CagedPtr): (WTF::CagedPtr::get const): (WTF::CagedPtr::operator=):

Canonical link: https://commits.webkit.org/198124@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@227874 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2018-01-31 05:23:52 +00:00
CagedPtr() : CagedPtr(nullptr) { }
CagedPtr(std::nullptr_t)
: m_ptr(shouldTag ? tagArrayPtr<T>(nullptr, 0) : nullptr)
{ }
Remove Gigacage from arm64 and use PAC for arm64e instead
https://bugs.webkit.org/show_bug.cgi?id=197110

Reviewed by Saam Barati.

Source/bmalloc:

Stop using gigacage on arm64 and add a new cage function cagedMayBeNull that is the same as cage but returns a nullptr if the incoming pointer is already null.

* bmalloc/Gigacage.h: (Gigacage::cagedMayBeNull):

Source/JavaScriptCore:

This patch makes a bunch of changes. I'll start with global changes then go over changes to each tier and finish with bug fixes.

Global Changes:

Change CagedBarrierPtr to work with PAC so constructors and accessors now expect to receive a length. Update assembler helper methods to do PAC when caging.

LLInt:

Add arm64e.rb backend as we missed that when originally open sourcing our arm64e code. Add a new optional t6 temporary, which is only used currently on arm64e for GetByVal on a TypedArray. Refactor caging into two helper macros for Primitive/JSValue cages.

Baseline/DFG:

Add authentication where needed for GetByVal and inline object construction.

FTL:

Add a new ValueRep that allows for a late register use. We want this for the authentication patchpoint since we use the length register at the same time as we are defing the authenticated pointer.

Wasm:

Use the TaggedArrayStoragePtr class for the memory base pointer. In theory we should be caging those pointers but I don't want to risk introducing a performance regression with the rest of this change. I've filed https://bugs.webkit.org/show_bug.cgi?id=197620 to do this later.

As we no longer have the Gigacage using most of our VA memory, we can enable fast memories on iOS. Using fast memories leads to roughly a 2% JetStream2 speedup.

* assembler/MacroAssemblerARM64E.h: (JSC::MacroAssemblerARM64E::tagArrayPtr): (JSC::MacroAssemblerARM64E::untagArrayPtr): (JSC::MacroAssemblerARM64E::removeArrayPtrTag):
* b3/B3LowerToAir.cpp:
* b3/B3PatchpointSpecial.cpp: (JSC::B3::PatchpointSpecial::admitsStack):
* b3/B3StackmapSpecial.cpp: (JSC::B3::StackmapSpecial::forEachArgImpl): (JSC::B3::StackmapSpecial::isArgValidForRep):
* b3/B3Validate.cpp:
* b3/B3ValueRep.cpp: (JSC::B3::ValueRep::addUsedRegistersTo const): (JSC::B3::ValueRep::dump const): (WTF::printInternal):
* b3/B3ValueRep.h: (JSC::B3::ValueRep::ValueRep): (JSC::B3::ValueRep::isReg const):
* dfg/DFGOperations.cpp: (JSC::DFG::newTypedArrayWithSize):
* dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet): (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet): (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): (JSC::FTL::DFG::LowerDFGToB3::caged): (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
* jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::cageConditionally):
* jit/IntrinsicEmitter.cpp: (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITPropertyAccess.cpp: (JSC::JIT::emitDirectArgumentsGetByVal): (JSC::JIT::emitIntTypedArrayGetByVal): (JSC::JIT::emitFloatTypedArrayGetByVal): (JSC::JIT::emitIntTypedArrayPutByVal): (JSC::JIT::emitFloatTypedArrayPutByVal):
* jit/PolymorphicCallStubRoutine.cpp: (JSC::PolymorphicCallNode::clearCallLinkInfo):
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/arm64e.rb: Added.
* offlineasm/ast.rb:
* offlineasm/instructions.rb:
* offlineasm/registers.rb:
* offlineasm/x86.rb:
* runtime/ArrayBuffer.cpp: (JSC::SharedArrayBufferContents::SharedArrayBufferContents): (JSC::SharedArrayBufferContents::~SharedArrayBufferContents): (JSC::ArrayBufferContents::ArrayBufferContents): (JSC::ArrayBufferContents::destroy): (JSC::ArrayBufferContents::tryAllocate): (JSC::ArrayBufferContents::makeShared): (JSC::ArrayBufferContents::copyTo):
* runtime/ArrayBuffer.h: (JSC::SharedArrayBufferContents::data const): (JSC::ArrayBufferContents::data const): (JSC::ArrayBuffer::data): (JSC::ArrayBuffer::data const): (JSC::ArrayBuffer::byteLength const):
* runtime/ArrayBufferView.cpp: (JSC::ArrayBufferView::ArrayBufferView):
* runtime/ArrayBufferView.h: (JSC::ArrayBufferView::baseAddress const): (JSC::ArrayBufferView::byteLength const): (JSC::ArrayBufferView::setRangeImpl): (JSC::ArrayBufferView::getRangeImpl):
* runtime/CachedTypes.cpp: (JSC::CachedScopedArgumentsTable::encode): (JSC::CachedScopedArgumentsTable::decode const):
* runtime/CagedBarrierPtr.h: (JSC::CagedBarrierPtr::CagedBarrierPtr): (JSC::CagedBarrierPtr::set): (JSC::CagedBarrierPtr::get const): (JSC::CagedBarrierPtr::getMayBeNull const): (JSC::CagedBarrierPtr::getUnsafe const): (JSC::CagedBarrierPtr::at const): (JSC::CagedBarrierPtr::operator== const): (JSC::CagedBarrierPtr::operator bool const): (JSC::CagedBarrierPtr::setWithoutBarrier): (JSC::CagedBarrierPtr::operator* const): Deleted. (JSC::CagedBarrierPtr::operator-> const): Deleted. (JSC::CagedBarrierPtr::operator[] const): Deleted. (): Deleted.
* runtime/DataView.cpp: (JSC::DataView::DataView):
* runtime/DataView.h: (JSC::DataView::get): (JSC::DataView::set):
* runtime/DirectArguments.cpp: (JSC::DirectArguments::visitChildren): (JSC::DirectArguments::overrideThings): (JSC::DirectArguments::unmapArgument):
* runtime/DirectArguments.h:
* runtime/GenericArguments.h:
* runtime/GenericArgumentsInlines.h: (JSC::GenericArguments<Type>::visitChildren): (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor): (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor): (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
* runtime/GenericTypedArrayView.h:
* runtime/GenericTypedArrayViewInlines.h: (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView):
* runtime/JSArrayBufferView.cpp: (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): (JSC::JSArrayBufferView::JSArrayBufferView): (JSC::JSArrayBufferView::finalize): (JSC::JSArrayBufferView::slowDownAndWasteMemory):
* runtime/JSArrayBufferView.h: (JSC::JSArrayBufferView::ConstructionContext::vector const): (JSC::JSArrayBufferView::isNeutered): (JSC::JSArrayBufferView::hasVector const): (JSC::JSArrayBufferView::vector const):
* runtime/JSGenericTypedArrayViewInlines.h: (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized): (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize): (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
* runtime/Options.h:
* runtime/ScopedArgumentsTable.cpp: (JSC::ScopedArgumentsTable::clone): (JSC::ScopedArgumentsTable::setLength):
* runtime/ScopedArgumentsTable.h:
* runtime/SymbolTable.h:
* wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): (JSC::Wasm::AirIRGenerator::addCallIndirect):
* wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): (JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBBQPlan.cpp: (JSC::Wasm::BBQPlan::complete):
* wasm/WasmBinding.cpp: (JSC::Wasm::wasmToWasm):
* wasm/WasmInstance.h: (JSC::Wasm::Instance::cachedMemory const): (JSC::Wasm::Instance::updateCachedMemory):
* wasm/WasmMemory.cpp: (JSC::Wasm::Memory::Memory): (JSC::Wasm::Memory::~Memory): (JSC::Wasm::Memory::grow): (JSC::Wasm::Memory::dump const):
* wasm/WasmMemory.h: (JSC::Wasm::Memory::memory const):
* wasm/js/JSToWasm.cpp: (JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WebAssemblyFunction.cpp: (JSC::WebAssemblyFunction::jsCallEntrypointSlow):

Source/WTF:

This patch changes the Gigacage to use PAC on arm64e. As part of this process all platforms must provide their length when materializing the caged pointer. Since it would be somewhat confusing to have two parameters for an operator [] those methods have been removed.

Lastly, this patch removes the specializations for void* caged pointers, instead opting to use enable_if on the methods that would normally fail on void* e.g. anything that returns a T&.

* WTF.xcodeproj/project.pbxproj:
* wtf/CMakeLists.txt:
* wtf/CagedPtr.h: (WTF::CagedPtr::CagedPtr): (WTF::CagedPtr::get const): (WTF::CagedPtr::getMayBeNull const): (WTF::CagedPtr::getUnsafe const): (WTF::CagedPtr::at const): (WTF::CagedPtr::reauthenticate): (WTF::CagedPtr::operator=): (WTF::CagedPtr::operator== const): (WTF::CagedPtr::operator bool const): (WTF::CagedPtr::operator* const): Deleted. (WTF::CagedPtr::operator-> const): Deleted. (WTF::CagedPtr::operator[] const): Deleted. (): Deleted.
* wtf/CagedUniquePtr.h: (WTF::CagedUniquePtr::CagedUniquePtr): (WTF::CagedUniquePtr::create): (WTF::CagedUniquePtr::~CagedUniquePtr): (WTF::CagedUniquePtr::destroy): (): Deleted.
* wtf/Gigacage.h: (Gigacage::cagedMayBeNull):
* wtf/PtrTag.h: (WTF::tagArrayPtr): (WTF::untagArrayPtr): (WTF::removeArrayPtrTag): (WTF::retagArrayPtr):
* wtf/TaggedArrayStoragePtr.h: Copied from Source/JavaScriptCore/runtime/ArrayBufferView.cpp. (WTF::TaggedArrayStoragePtr::TaggedArrayStoragePtr): (WTF::TaggedArrayStoragePtr::get const): (WTF::TaggedArrayStoragePtr::getUnsafe const): (WTF::TaggedArrayStoragePtr::resize): (WTF::TaggedArrayStoragePtr::operator bool const):

Canonical link: https://commits.webkit.org/211843@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245064 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2019-05-08 20:07:53 +00:00
JSTests:

[JSC] WasmMemory caging should care about nullptr
https://bugs.webkit.org/show_bug.cgi?id=224268
<rdar://problem/74654838>

Reviewed by Mark Lam.

* wasm/stress/4g-memory-cage.js: Added. (async test):
* wasm/stress/more-than-4g-offset-access-oom.js: Added. (async test):
* wasm/stress/null-memory-cage-explicit.js: Added. (async test):
* wasm/stress/null-memory-cage.js: Added. (async test):

Source/JavaScriptCore:

[JSC] WasmMemory caging should care about nullptr
https://bugs.webkit.org/show_bug.cgi?id=224268
<rdar://problem/74654838>

Reviewed by Mark Lam.

1. Fix Wasm::MemoryHandle::boundsCheckingSize. We should just return m_mappedCapacity here since UINT32_MAX is not 4GB. This checking size can include redzone for fast-memory, but this is OK: bounds-check pass in LLInt (in upper tiers, we do not use bounds-check for fast-memory), and access to redzone, then fault occurs and signal handler can make it error since signal handler is checking whether the access is within Memory::fastMappedBytes which includes redzone.

2. Fix caging of wasm memory-base pointer in LLInt. We should use pointer sized length since it can be larger than 4GB. And we should handle nullptr case correctly: Wasm::MemoryHandle's memory can be nullptr when mapped size is zero. Caging needs to handle this case as we do in CagedPtr::getMayBeNull.

* assembler/MacroAssemblerARM64E.h: (JSC::MacroAssemblerARM64E::untagArrayPtrLength32):
* dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
* llint/LowLevelInterpreter64.asm:
* llint/WebAssembly.asm:
* offlineasm/arm64e.rb:
* offlineasm/ast.rb:
* offlineasm/instructions.rb:
* runtime/CagedBarrierPtr.h: (JSC::CagedBarrierPtr::CagedBarrierPtr): (JSC::CagedBarrierPtr::set): (JSC::CagedBarrierPtr::get const): (JSC::CagedBarrierPtr::getMayBeNull const): (JSC::CagedBarrierPtr::at const): (JSC::CagedBarrierPtr::setWithoutBarrier):
* wasm/WasmInstance.h: (JSC::Wasm::Instance::updateCachedMemory):
* wasm/WasmMemory.cpp: (JSC::Wasm::MemoryHandle::MemoryHandle):
* wasm/WasmMemory.h:

Source/WTF:

[JSC] WasmMemory caging should care about nullptr
https://bugs.webkit.org/show_bug.cgi?id=224268
<rdar://problem/74654838>

Reviewed by Mark Lam.

Accept size_t since Wasm::Memory's length can be larger than 4GB.

* wtf/CagedPtr.h: (WTF::CagedPtr::CagedPtr): (WTF::CagedPtr::get const): (WTF::CagedPtr::getMayBeNull const): (WTF::CagedPtr::at const): (WTF::CagedPtr::recage):
* wtf/CagedUniquePtr.h: (WTF::CagedUniquePtr::CagedUniquePtr): (WTF::CagedUniquePtr::create): (WTF::CagedUniquePtr::tryCreate):

Canonical link: https://commits.webkit.org/236242@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@275597 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-04-07 09:28:49 +00:00
CagedPtr(T* ptr, size_t size)
: m_ptr(shouldTag ? tagArrayPtr(ptr, size) : ptr)
{ }
T* get(size_t size) const
{
ASSERT(m_ptr);
T* ptr = PtrTraits::unwrap(m_ptr);
PACCage should first cage leaving PAC bits intact then authenticate
https://bugs.webkit.org/show_bug.cgi?id=199372

Reviewed by Saam Barati.

Source/bmalloc:

* bmalloc/ProcessCheck.mm: (bmalloc::shouldProcessUnconditionallyUseBmalloc):

Source/JavaScriptCore:

This ordering prevents someone from taking a signed pointer from outside the gigacage and using it in a struct that expects a caged pointer. Previously, the PACCaging just double checked that the PAC bits were valid for the original pointer.

    +---------------------------+
    | "PAC" | "base" | "offset" +----+
    +---------------------------+    |
                  | Caging           |
                  v                  |
    +---------------------------+    |
    | 00000 |  base  | "offset" |    | Bit Merge
    +---------------------------+    |
                  | Bit Merge        |
                  v                  |
    +---------------------------+    |
    | "PAC" |  base  | "offset" +<---+
    +---------------------------+
                  | Authenticate
                  v
    +---------------------------+
    |  Auth |  base  | "offset" |
    +---------------------------+

The above ascii art graph shows how the PACCage system works. The key takeaway is that even if someone passes in a valid, signed pointer outside the cage it will still fail to authenticate as the "base" bits will change before authentication.

* assembler/MacroAssemblerARM64E.h:
* assembler/testmasm.cpp: (JSC::testCagePreservesPACFailureBit):
* ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::caged):
* jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::cageConditionally):
* llint/LowLevelInterpreter64.asm:

Source/WTF:

* wtf/CagedPtr.h: (WTF::CagedPtr::get const): (WTF::CagedPtr::getMayBeNull const): (WTF::CagedPtr::mergePointers):

Canonical link: https://commits.webkit.org/213370@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247101 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2019-07-03 20:25:14 +00:00
T* cagedPtr = Gigacage::caged(kind, ptr);
T* untaggedPtr = shouldTag ? untagArrayPtr(mergePointers(ptr, cagedPtr), size) : cagedPtr;
return untaggedPtr;
}
JSTests: [JSC] WasmMemory caging should care about nullptr https://bugs.webkit.org/show_bug.cgi?id=224268 <rdar://problem/74654838> Reviewed by Mark Lam. * wasm/stress/4g-memory-cage.js: Added. (async test): * wasm/stress/more-than-4g-offset-access-oom.js: Added. (async test): * wasm/stress/null-memory-cage-explicit.js: Added. (async test): * wasm/stress/null-memory-cage.js: Added. (async test): Source/JavaScriptCore: [JSC] WasmMemory caging should care about nullptr https://bugs.webkit.org/show_bug.cgi?id=224268 <rdar://problem/74654838> Reviewed by Mark Lam. 1. Fix Wasm::MemoryHandle::boundsCheckingSize. We should just return m_mappedCapacity here since UINT32_MAX is not 4GB. This checking size can include redzone for fast-memory, but this is OK: bounds-check pass in LLInt (in upper tiers, we do not use bounds-check for fast-memory), and access to redzone, then fault occurs and signal handler can make it error since signal handler is checking whether the access is within Memory::fastMappedBytes which includes redzone. 2. Fix caging of wasm memory-base pointer in LLInt. We should use pointer sized length since it can be larger than 4GB. And we should handle nullptr case correctly: Wasm::MemoryHandle's memory can be nullptr when mapped size is zero. caging needs to handle this case as we do in CagedPtr::getMayBeNull. 
* assembler/MacroAssemblerARM64E.h: (JSC::MacroAssemblerARM64E::untagArrayPtrLength32): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): * llint/LowLevelInterpreter64.asm: * llint/WebAssembly.asm: * offlineasm/arm64e.rb: * offlineasm/ast.rb: * offlineasm/instructions.rb: * runtime/CagedBarrierPtr.h: (JSC::CagedBarrierPtr::CagedBarrierPtr): (JSC::CagedBarrierPtr::set): (JSC::CagedBarrierPtr::get const): (JSC::CagedBarrierPtr::getMayBeNull const): (JSC::CagedBarrierPtr::at const): (JSC::CagedBarrierPtr::setWithoutBarrier): * wasm/WasmInstance.h: (JSC::Wasm::Instance::updateCachedMemory): * wasm/WasmMemory.cpp: (JSC::Wasm::MemoryHandle::MemoryHandle): * wasm/WasmMemory.h: Source/WTF: [JSC] WasmMemory caging should care nullptr https://bugs.webkit.org/show_bug.cgi?id=224268 <rdar://problem/74654838> Reviewed by Mark Lam. Accept size_t since Wasm::Memory's length can be larger than 4GB. * wtf/CagedPtr.h: (WTF::CagedPtr::CagedPtr): (WTF::CagedPtr::get const): (WTF::CagedPtr::getMayBeNull const): (WTF::CagedPtr::at const): (WTF::CagedPtr::recage): * wtf/CagedUniquePtr.h: (WTF::CagedUniquePtr::CagedUniquePtr): (WTF::CagedUniquePtr::create): (WTF::CagedUniquePtr::tryCreate): Canonical link: https://commits.webkit.org/236242@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@275597 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-04-07 09:28:49 +00:00
T* getMayBeNull(size_t size) const
{
T* ptr = PtrTraits::unwrap(m_ptr);
PACCage should first cage leaving PAC bits intact then authenticate https://bugs.webkit.org/show_bug.cgi?id=199372 Reviewed by Saam Barati. Source/bmalloc: * bmalloc/ProcessCheck.mm: (bmalloc::shouldProcessUnconditionallyUseBmalloc): Source/JavaScriptCore: This ordering prevents someone from taking a signed pointer from outside the gigacage and using it in a struct that expects a caged pointer. Previously, the PACCaging just double checked that the PAC bits were valid for the original pointer. +---------------------------+ | | | | | "PAC" | "base" | "offset" +----+ | | | | | +---------------------------+ | Caging | | | | | v | +---------------------------+ | | | | | | Bit Merge | 00000 | base | "offset" | | | | | | | +---------------------------+ | | | | v | Bit Merge +---------------------------+ | | | | | | | "PAC" | base | "offset" +<--------+ | | | | +---------------------------+ | | | Authenticate | v +---------------------------+ | | | | | Auth | base | "offset" | | | | | +---------------------------+ The above ascii art graph shows how the PACCage system works. The key take away is that even if someone passes in a valid, signed pointer outside the cage it will still fail to authenticate as the "base" bits will change before authentication. * assembler/MacroAssemblerARM64E.h: * assembler/testmasm.cpp: (JSC::testCagePreservesPACFailureBit): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::caged): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::cageConditionally): * llint/LowLevelInterpreter64.asm: Source/WTF: * wtf/CagedPtr.h: (WTF::CagedPtr::get const): (WTF::CagedPtr::getMayBeNull const): (WTF::CagedPtr::mergePointers): Canonical link: https://commits.webkit.org/213370@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247101 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2019-07-03 20:25:14 +00:00
if (!removeArrayPtrTag(ptr))
return nullptr;
T* cagedPtr = Gigacage::caged(kind, ptr);
T* untaggedPtr = shouldTag ? untagArrayPtr(mergePointers(ptr, cagedPtr), size) : cagedPtr;
return untaggedPtr;
}
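The cage-then-authenticate ordering that getMayBeNull() implements above (cage, mergePointers, then untagArrayPtr), modelled as an added self-contained example; this is constructed illustration code, not WebKit's, with a toy 16-bit tag standing in for PAC and constructed cage constants in place of Gigacage.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>

// Toy model of CagedPtr's "cage first, then authenticate" ordering. Constructed
// illustration, not WebKit code: the cage constants, the 16-bit tag and the
// masks are stand-ins for Gigacage and ARM64E pointer authentication.
namespace toycage {

constexpr uint64_t kCageBase = 0x0000200000000000ull;   // constructed cage start
constexpr uint64_t kOffsetMask = 0x00000000FFFFFFFFull; // low 32 bits: "offset"
constexpr uint64_t kPacMask = 0xFFFF000000000000ull;    // top 16 bits: "PAC"

// Toy signature over the address bits and a modifier (the array size), in place
// of the hardware data-key signature. Deterministic XOR fold, not cryptographic;
// the property we rely on is that changing the base bits changes the tag.
uint64_t computeTag(uint64_t addr, size_t size) {
    uint64_t a = addr & ~kPacMask;
    uint64_t t = (a & 0xFFFF) ^ ((a >> 16) & 0xFFFF) ^ ((a >> 32) & 0xFFFF)
               ^ (static_cast<uint64_t>(size) & 0xFFFF) ^ 0xA5A5;
    return t << 48;
}

// Sign a plain address for a given size (stand-in for tagArrayPtr).
uint64_t tagArrayPtr(uint64_t addr, size_t size) {
    return (addr & ~kPacMask) | computeTag(addr, size);
}

// Stand-in for Gigacage::caged: keep the offset bits, force the base bits to
// the cage. Every input lands inside the cage, wherever it pointed before.
uint64_t caged(uint64_t addr) {
    return kCageBase | (addr & kOffsetMask);
}

// Stand-in for CagedPtr::mergePointers: PAC bits from the original pointer,
// address bits from the caged copy.
uint64_t mergePointers(uint64_t original, uint64_t cagedAddr) {
    return (original & kPacMask) | (cagedAddr & ~kPacMask);
}

// Stand-in for untagArrayPtr: the plain address on success, 0 on authentication
// failure (hardware would poison the pointer; 0 is enough for the model).
uint64_t untagArrayPtr(uint64_t signedAddr, size_t size) {
    if ((signedAddr & kPacMask) != computeTag(signedAddr, size))
        return 0;
    return signedAddr & ~kPacMask;
}

// Current ordering (as in getMayBeNull): cage, merge, then authenticate.
uint64_t getCageThenAuth(uint64_t signedAddr, size_t size) {
    return untagArrayPtr(mergePointers(signedAddr, caged(signedAddr)), size);
}

// Previous ordering: authenticate, then cage. A correctly signed pointer that
// lies outside the cage authenticates fine and is then silently relocated.
uint64_t getAuthThenCage(uint64_t signedAddr, size_t size) {
    uint64_t plain = untagArrayPtr(signedAddr, size);
    return plain ? caged(plain) : 0;
}

bool isInCage(uint64_t addr) {
    return (addr & ~kOffsetMask) == kCageBase;
}

} // namespace toycage

int main() {
    using namespace toycage;
    const size_t size = 64;
    const uint64_t inside = kCageBase | 0x1000;      // constructed in-cage address
    const uint64_t outside = 0x0000300000001000ull;  // constructed out-of-cage address

    // A pointer that really is in the cage works under both orderings.
    assert(getCageThenAuth(tagArrayPtr(inside, size), size) == inside);
    assert(getAuthThenCage(tagArrayPtr(inside, size), size) == inside);

    // A validly signed pointer from outside the cage: auth-then-cage accepts it
    // and quietly moves it into the cage; cage-then-auth rejects it because the
    // base bits changed before the signature was checked.
    const uint64_t signedOutside = tagArrayPtr(outside, size);
    assert(isInCage(getAuthThenCage(signedOutside, size)));
    assert(getCageThenAuth(signedOutside, size) == 0);

    // Signing with the wrong size (modifier) fails either way.
    assert(getCageThenAuth(tagArrayPtr(inside, 128), size) == 0);
    return 0;
}
```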
T* getUnsafe() const
{
T* ptr = PtrTraits::unwrap(m_ptr);
ptr = shouldTag ? removeArrayPtrTag(ptr) : ptr;
return Gigacage::cagedMayBeNull(kind, ptr);
}
// We need the template here so that the type of U is deduced at usage time rather than class time. U should always be T.
template<typename U = T>
typename std::enable_if<!std::is_same<void, U>::value, T>::type&
/* T& */ at(size_t index, size_t size) const { return get(size)[index]; }
void recage(size_t oldSize, size_t newSize)
Roll out PAC cage https://bugs.webkit.org/show_bug.cgi?id=198726 Reviewed by Keith Miller. Source/bmalloc: * bmalloc/Gigacage.h: (Gigacage::isEnabled): (Gigacage::caged): (Gigacage::cagedMayBeNull): Deleted. Source/JavaScriptCore: This patch rolls out: r245064, r245145, r245168, r245313, r245432, r245622. The resulting state we're in is we have Gigacage enabled on arm64. There is no more PAC caging. We're doing this because there are performance issues with PAC caging that we haven't resolved yet. * assembler/CPU.h: (JSC::isARM64E): Deleted. * assembler/MacroAssemblerARM64E.h: (JSC::MacroAssemblerARM64E::tagArrayPtr): Deleted. (JSC::MacroAssemblerARM64E::untagArrayPtr): Deleted. (JSC::MacroAssemblerARM64E::removeArrayPtrTag): Deleted. * b3/B3LowerToAir.cpp: * b3/B3PatchpointSpecial.cpp: (JSC::B3::PatchpointSpecial::admitsStack): * b3/B3StackmapSpecial.cpp: (JSC::B3::StackmapSpecial::forEachArgImpl): (JSC::B3::StackmapSpecial::isArgValidForRep): * b3/B3Validate.cpp: * b3/B3ValueRep.cpp: (JSC::B3::ValueRep::addUsedRegistersTo const): (JSC::B3::ValueRep::dump const): (WTF::printInternal): * b3/B3ValueRep.h: (JSC::B3::ValueRep::ValueRep): (JSC::B3::ValueRep::isReg const): * dfg/DFGOperations.cpp: (JSC::DFG::newTypedArrayWithSize): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds): (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage): (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage): (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset): (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize): * dfg/DFGSpeculativeJIT.h: * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage): (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset): (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray): (JSC::FTL::DFG::LowerDFGToB3::compileDataViewGet): (JSC::FTL::DFG::LowerDFGToB3::compileDataViewSet): 
(JSC::FTL::DFG::LowerDFGToB3::caged): (JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered): (JSC::FTL::DFG::LowerDFGToB3::untagArrayPtr): Deleted. (JSC::FTL::DFG::LowerDFGToB3::removeArrayPtrTag): Deleted. * heap/ConservativeRoots.cpp: (JSC::ConservativeRoots::genericAddPointer): * jit/AssemblyHelpers.h: (JSC::AssemblyHelpers::cageConditionally): * jit/IntrinsicEmitter.cpp: (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter): * jit/JITPropertyAccess.cpp: (JSC::JIT::emitDirectArgumentsGetByVal): (JSC::JIT::emitIntTypedArrayGetByVal): (JSC::JIT::emitFloatTypedArrayGetByVal): (JSC::JIT::emitIntTypedArrayPutByVal): (JSC::JIT::emitFloatTypedArrayPutByVal): * jit/PolymorphicCallStubRoutine.cpp: (JSC::PolymorphicCallNode::clearCallLinkInfo): * jit/RegisterSet.h: * llint/LowLevelInterpreter64.asm: * runtime/ArrayBuffer.cpp: (JSC::SharedArrayBufferContents::SharedArrayBufferContents): (JSC::SharedArrayBufferContents::~SharedArrayBufferContents): (JSC::ArrayBufferContents::ArrayBufferContents): (JSC::ArrayBufferContents::destroy): (JSC::ArrayBufferContents::tryAllocate): (JSC::ArrayBufferContents::makeShared): (JSC::ArrayBufferContents::copyTo): * runtime/ArrayBuffer.h: (JSC::SharedArrayBufferContents::data const): (JSC::ArrayBufferContents::data const): (JSC::ArrayBuffer::data): (JSC::ArrayBuffer::data const): (JSC::ArrayBuffer::byteLength const): * runtime/ArrayBufferView.cpp: (JSC::ArrayBufferView::ArrayBufferView): * runtime/ArrayBufferView.h: (JSC::ArrayBufferView::baseAddress const): (JSC::ArrayBufferView::setRangeImpl): (JSC::ArrayBufferView::getRangeImpl): (JSC::ArrayBufferView::byteLength const): Deleted. 
* runtime/CachedTypes.cpp: (JSC::CachedScopedArgumentsTable::encode): (JSC::CachedScopedArgumentsTable::decode const): * runtime/CagedBarrierPtr.h: (JSC::CagedBarrierPtr::CagedBarrierPtr): (JSC::CagedBarrierPtr::set): (JSC::CagedBarrierPtr::get const): (JSC::CagedBarrierPtr::getMayBeNull const): (JSC::CagedBarrierPtr::operator== const): (JSC::CagedBarrierPtr::operator!= const): (JSC::CagedBarrierPtr::operator bool const): (JSC::CagedBarrierPtr::setWithoutBarrier): (JSC::CagedBarrierPtr::operator* const): (JSC::CagedBarrierPtr::operator-> const): (JSC::CagedBarrierPtr::operator[] const): (JSC::CagedBarrierPtr::getUnsafe const): Deleted. (JSC::CagedBarrierPtr::at const): Deleted. * runtime/DataView.cpp: (JSC::DataView::DataView): * runtime/DataView.h: (JSC::DataView::get): (JSC::DataView::set): * runtime/DirectArguments.cpp: (JSC::DirectArguments::visitChildren): (JSC::DirectArguments::overrideThings): (JSC::DirectArguments::unmapArgument): * runtime/DirectArguments.h: * runtime/GenericArguments.h: * runtime/GenericArgumentsInlines.h: (JSC::GenericArguments<Type>::visitChildren): (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor): (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor): (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor): * runtime/GenericTypedArrayView.h: * runtime/GenericTypedArrayViewInlines.h: (JSC::GenericTypedArrayView<Adaptor>::GenericTypedArrayView): * runtime/JSArrayBufferView.cpp: (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext): (JSC::JSArrayBufferView::JSArrayBufferView): (JSC::JSArrayBufferView::finalize): (JSC::JSArrayBufferView::slowDownAndWasteMemory): * runtime/JSArrayBufferView.h: (JSC::JSArrayBufferView::ConstructionContext::vector const): (JSC::JSArrayBufferView::isNeutered): (JSC::JSArrayBufferView::vector const): (JSC::JSArrayBufferView::hasVector const): Deleted. 
* runtime/JSGenericTypedArrayViewInlines.h: (JSC::JSGenericTypedArrayView<Adaptor>::createUninitialized): (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize): (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren): * runtime/Options.h: * runtime/ScopedArgumentsTable.cpp: (JSC::ScopedArgumentsTable::clone): (JSC::ScopedArgumentsTable::setLength): * runtime/ScopedArgumentsTable.h: * runtime/SymbolTable.h: * wasm/WasmAirIRGenerator.cpp: (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState): (JSC::Wasm::AirIRGenerator::addCallIndirect): * wasm/WasmB3IRGenerator.cpp: (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState): (JSC::Wasm::B3IRGenerator::addCallIndirect): * wasm/WasmBBQPlan.cpp: (JSC::Wasm::BBQPlan::complete): * wasm/WasmBinding.cpp: (JSC::Wasm::wasmToWasm): * wasm/WasmInstance.h: (JSC::Wasm::Instance::cachedMemory const): (JSC::Wasm::Instance::updateCachedMemory): * wasm/WasmMemory.cpp: (JSC::Wasm::Memory::Memory): (JSC::Wasm::Memory::~Memory): (JSC::Wasm::Memory::grow): (JSC::Wasm::Memory::dump const): * wasm/WasmMemory.h: (JSC::Wasm::Memory::memory const): * wasm/js/JSToWasm.cpp: (JSC::Wasm::createJSToWasmWrapper): * wasm/js/WebAssemblyFunction.cpp: (JSC::WebAssemblyFunction::jsCallEntrypointSlow): Source/WTF: * WTF.xcodeproj/project.pbxproj: * wtf/CMakeLists.txt: * wtf/CagedPtr.h: (WTF::CagedPtr::CagedPtr): (WTF::CagedPtr::get const): (WTF::CagedPtr::getMayBeNull const): (WTF::CagedPtr::operator=): (WTF::CagedPtr::operator== const): (WTF::CagedPtr::operator!= const): (WTF::CagedPtr::operator bool const): (WTF::CagedPtr::operator* const): (WTF::CagedPtr::operator-> const): (WTF::CagedPtr::operator[] const): (WTF::CagedPtr::getUnsafe const): Deleted. (WTF::CagedPtr::at const): Deleted. (WTF::CagedPtr::recage): Deleted. 
* wtf/CagedUniquePtr.h: (WTF::CagedUniquePtr::CagedUniquePtr): (WTF::CagedUniquePtr::create): (WTF::CagedUniquePtr::operator=): (WTF::CagedUniquePtr::~CagedUniquePtr): (WTF::CagedUniquePtr::destroy): * wtf/Gigacage.h: (Gigacage::caged): (Gigacage::cagedMayBeNull): Deleted. * wtf/PtrTag.h: (WTF::tagArrayPtr): Deleted. (WTF::untagArrayPtr): Deleted. (WTF::removeArrayPtrTag): Deleted. (WTF::retagArrayPtr): Deleted. * wtf/TaggedArrayStoragePtr.h: (WTF::TaggedArrayStoragePtr::TaggedArrayStoragePtr): Deleted. (WTF::TaggedArrayStoragePtr::get const): Deleted. (WTF::TaggedArrayStoragePtr::getUnsafe const): Deleted. (WTF::TaggedArrayStoragePtr::resize): Deleted. (WTF::TaggedArrayStoragePtr::operator bool const): Deleted. Canonical link: https://commits.webkit.org/212738@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@246322 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2019-06-11 17:18:47 +00:00
{
auto ptr = get(oldSize);
ASSERT(ptr == getUnsafe());
*this = CagedPtr(ptr, newSize);
}
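As an added illustration of the caging that CagedPtr::get() relies on (this is not WebKit's Gigacage or CagedPtr code; the ToyCage namespace, its 64 KiB cage, the bump allocator and the overwriteRawForDemo hook are assumptions made for the demo), here is a self-contained model showing that a pointer whose raw field has been overwritten still resolves inside the cage:

```cpp
#include <cstddef>
#include <cstdint>

// Toy model of the Gigacage idea behind WTF::CagedPtr. Added illustration,
// not WebKit's code: the cage layout, the ToyCage namespace and the
// CagedPtr API below are simplified assumptions.
namespace ToyCage {

// One fixed-size region is "the cage". Real Gigacages are multi-GiB virtual
// reservations aligned to their size so that caging is a single AND; this toy
// masks the offset from the base instead, so it needs no special alignment.
constexpr size_t kCageSize = 1u << 16;          // 64 KiB toy cage
constexpr uintptr_t kCageMask = kCageSize - 1;  // valid because kCageSize is a power of two
static_assert((kCageSize & kCageMask) == 0, "cage size must be a power of two");

static unsigned char g_cageStorage[kCageSize];
static size_t g_bumpOffset = 0;

inline uintptr_t cageBase() { return reinterpret_cast<uintptr_t>(g_cageStorage); }

inline bool isInsideCage(const void* p)
{
    uintptr_t a = reinterpret_cast<uintptr_t>(p);
    return a >= cageBase() && a < cageBase() + kCageSize;
}

// The caging operation: whatever the input pointer holds, the result lies in
// [cageBase, cageBase + kCageSize). A pointer already inside the cage is
// returned unchanged; one that points elsewhere is folded back in.
inline void* caged(void* ptr)
{
    uintptr_t offset = (reinterpret_cast<uintptr_t>(ptr) - cageBase()) & kCageMask;
    return reinterpret_cast<void*>(cageBase() + offset);
}

// Minimal bump allocator so the demo can hand out objects that live in the cage.
inline void* cageAlloc(size_t bytes)
{
    bytes = (bytes + 15) & ~static_cast<size_t>(15);  // keep 16-byte alignment
    if (g_bumpOffset + bytes > kCageSize)
        return nullptr;
    void* p = g_cageStorage + g_bumpOffset;
    g_bumpOffset += bytes;
    return p;
}

// Pointer wrapper in the spirit of WTF::CagedPtr: every dereference goes
// through caged(), so the raw field can never be used to reach memory
// outside the cage even if the field itself has been overwritten.
template<typename T>
class CagedPtr {
public:
    CagedPtr(T* ptr = nullptr) : m_ptr(ptr) { }

    T* get() const { return static_cast<T*>(caged(m_ptr)); }
    T* getMayBeNull() const { return m_ptr ? get() : nullptr; }
    T& operator*() const { return *get(); }
    T* operator->() const { return get(); }
    T& operator[](size_t i) const { return get()[i]; }
    explicit operator bool() const { return m_ptr != nullptr; }

    // Demo-only hook (assumption): stands in for an out-of-band overwrite of
    // the field, the kind of corruption the cage is meant to contain.
    void overwriteRawForDemo(T* p) { m_ptr = p; }

private:
    T* m_ptr;
};

} // namespace ToyCage

// Something that lives outside the cage and must stay unreachable through it.
static int g_secretOutsideCage = 0x5ec7e7;

// Legitimate use: an array allocated in the cage is read back through the wrapper.
inline int sumThroughCagedPtr()
{
    using namespace ToyCage;
    int* arr = static_cast<int*>(cageAlloc(4 * sizeof(int)));
    for (int i = 0; i < 4; ++i)
        arr[i] = i + 1;
    CagedPtr<int> p(arr);
    return p[0] + p[1] + p[2] + p[3];   // 10
}

// Failure mode: the raw field is overwritten to point at the out-of-cage
// secret. get() still resolves inside the cage, so the secret is never reached.
inline bool corruptedPtrStaysInsideCage()
{
    using namespace ToyCage;
    int* arr = static_cast<int*>(cageAlloc(sizeof(int)));
    CagedPtr<int> p(arr);
    p.overwriteRawForDemo(&g_secretOutsideCage);
    int* resolved = p.get();
    return isInsideCage(resolved) && resolved != &g_secretOutsideCage;
}
```

The cage only bounds where a dereference can land; it does not make the resulting in-cage read meaningful, which is why the real CagedPtr pairs caging with separate length and type checks.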
CagedPtr(CagedPtr& other)
: m_ptr(other.m_ptr)
{
}
CagedPtr& operator=(const CagedPtr& ptr)
{
m_ptr = ptr.m_ptr;
return *this;
2019-06-11 17:18:47 +00:00
}
CagedPtr(CagedPtr&& other)
: m_ptr(PtrTraits::exchange(other.m_ptr, nullptr))
All of the different ArrayBuffer::data's should be CagedPtr<>
https://bugs.webkit.org/show_bug.cgi?id=175515

Reviewed by Michael Saboff.

Source/JavaScriptCore:

This straightforwardly implements what the title says.

* runtime/ArrayBuffer.cpp:
(JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
(JSC::ArrayBufferContents::destroy):
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::makeShared):
(JSC::ArrayBufferContents::copyTo):
(JSC::ArrayBuffer::createFromBytes):
(JSC::ArrayBuffer::transferTo):
* runtime/ArrayBuffer.h:
(JSC::SharedArrayBufferContents::data const):
(JSC::ArrayBufferContents::data const):
(JSC::ArrayBuffer::data):
(JSC::ArrayBuffer::data const):
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::baseAddress const):
* runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
* runtime/DataView.h:
(JSC::DataView::get):
(JSC::DataView::set):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::ConstructionContext::vector const):
(JSC::JSArrayBufferView::vector const):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):

Source/WTF:

Added a specialization so that CagedPtr<void> is valid.

* wtf/CagedPtr.h:

Canonical link: https://commits.webkit.org/192841@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@221439 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-08-31 20:46:58 +00:00
{
}
Apply poisoning to TypedArray vector pointers.
https://bugs.webkit.org/show_bug.cgi?id=182155
<rdar://problem/36286266>

Reviewed by JF Bastien.

Source/JavaScriptCore:

The TypedArray's vector pointer is now poisoned. The poison value is chosen based on a TypedArray's jsType. The JSType must be between FirstTypedArrayType and LastTypedArrayType. At runtime, we enforce that the index is well-behaved by masking it against TypedArrayPoisonIndexMask. TypedArrayPoisonIndexMask (16) is the number of TypedArray types (10) rounded up to the next power of 2. Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that we can use index masking on the index, and be guaranteed that the masked index will be within bounds of the poisons array.

1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not do any unnecessary work if the TypedArray vector is null. FTL's cagedMayBeNull() is no longer needed because it is only used by compileGetTypedArrayByteOffset(), and we need to enhance it to handle unpoisoning in a TypedArray specific way. So, might as well do the work inline in compileGetTypedArrayByteOffset() instead.

2. Removed an unnecessary null-check in DFGSpeculativeJIT's compileNewTypedArrayWithSize() because there's already a null check above it that ensures that sizeGPR is never null.

3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before the loading of the vector for unpoisoning and uncaging. We don't need the vector if the length is 0.

Implementation notes on the need to null check the TypedArray vector:

1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not need a m_poisonedVector null check because the function is a null check.
2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a m_poisonedVector null check because it is followed by a call to cageTypedArrayStorage() which assumes that storageReg cannot be null.
3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.
4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector null check because the poisoning code is preceded by a sizeGPR null check, which ensures that the storageGPR (vector to be poisoned) is not null.
5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector null check because it is followed by a call to caged() which assumes that the vector cannot be null.
6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null check.
7. FTL's compileNewTypedArray() does not need a vector null check because the poisoning code is preceded by a size null check, which ensures that the storage (vector to be poisoned) is not null.
8. FTL's speculateTypedArrayIsNotNeutered() does not need a m_poisonedVector null check because the function is a null check.
9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s TypedArrayByteOffsetIntrinsic case needs a null check so that it does not try to unpoison a null vector.
10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because we already do a length check even before loading the vector.
11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check because we already do a length check even before loading the vector.
12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because we already do a length check even before loading the vector.
13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check because we already do a length check even before loading the vector.
14. LLInt's loadTypedArrayCaged() does not need a vector null check because its client will do a TypedArray length check before calling it.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::checkArray):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasArrayMode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
(JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted.
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/x86.rb:
* runtime/CagedBarrierPtr.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::neuter):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::offsetOfPoisonedVector):
(JSC::JSArrayBufferView::poisonFor):
(JSC::JSArrayBufferView::Poison::key):
(JSC::JSArrayBufferView::offsetOfVector): Deleted.
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/JSCPoison.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.h:

Source/WTF:

1. Added the ability to poison a CagedPtr.
2. Prevent CagedPtr from being implicitly instantiated, and add operator= methods instead. This is because implicitly instantiated CagedPtrs with a poisoned trait may silently use a wrong poison value.

* wtf/CagedPtr.h:
(WTF::CagedPtr::CagedPtr):
(WTF::CagedPtr::get const):
(WTF::CagedPtr::operator=):

Canonical link: https://commits.webkit.org/198124@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@227874 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2018-01-31 05:23:52 +00:00
CagedPtr& operator=(CagedPtr&& ptr)
{
m_ptr = PtrTraits::exchange(ptr.m_ptr, nullptr);
return *this;
}
bool operator==(const CagedPtr& other) const
{
bool result = m_ptr == other.m_ptr;
ASSERT(result == (getUnsafe() == other.getUnsafe()));
return result;
}
bool operator!=(const CagedPtr& other) const
{
return !(*this == other);
}
explicit operator bool() const
{
return getUnsafe() != nullptr;
}
T* rawBits() const
{
return bitwise_cast<T*>(m_ptr);
}
protected:
PACCage should first cage leaving PAC bits intact then authenticate
https://bugs.webkit.org/show_bug.cgi?id=199372

Reviewed by Saam Barati.

Source/bmalloc:

* bmalloc/ProcessCheck.mm:
(bmalloc::shouldProcessUnconditionallyUseBmalloc):

Source/JavaScriptCore:

This ordering prevents someone from taking a signed pointer from outside the gigacage and using it in a struct that expects a caged pointer. Previously, the PACCaging just double checked that the PAC bits were valid for the original pointer.

    +-----------------------------+
    |  "PAC"  | "base" | "offset" +----+
    +-----------------------------+    |
                   |  Caging           |
                   v                   |
    +-----------------------------+    |
    |  00000  |  base  | "offset" |    |  Bit Merge
    +-----------------------------+    |
                   |                   |
                   v                   |
    +-----------------------------+    |
    |  "PAC"  |  base  | "offset" +<---+
    +-----------------------------+
                   |  Authenticate
                   v
    +-----------------------------+
    |  Auth   |  base  | "offset" |
    +-----------------------------+

The above ascii art graph shows how the PACCage system works. The key take away is that even if someone passes in a valid, signed pointer outside the cage it will still fail to authenticate as the "base" bits will change before authentication.

* assembler/MacroAssemblerARM64E.h:
* assembler/testmasm.cpp:
(JSC::testCagePreservesPACFailureBit):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::caged):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::cageConditionally):
* llint/LowLevelInterpreter64.asm:

Source/WTF:

* wtf/CagedPtr.h:
(WTF::CagedPtr::get const):
(WTF::CagedPtr::getMayBeNull const):
(WTF::CagedPtr::mergePointers):

Canonical link: https://commits.webkit.org/213370@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@247101 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2019-07-03 20:25:14 +00:00
static inline T* mergePointers(T* sourcePtr, T* cagedPtr)
{
#if CPU(ARM64E)
return reinterpret_cast<T*>((reinterpret_cast<uintptr_t>(sourcePtr) & ~nonPACBitsMask) | (reinterpret_cast<uintptr_t>(cagedPtr) & nonPACBitsMask));
#else
UNUSED_PARAM(sourcePtr);
return cagedPtr;
#endif
}
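The cage-then-authenticate ordering that the commit message describes and that mergePointers above implements, as an added model (example code, not WebKit's): the 48-bit address split, the cage base, and the toy tag function are constructed stand-ins for the real ARM64E PAC and Gigacage layout, chosen only to show why a validly signed pointer from outside the cage cannot survive the merge.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed 64-bit layout: low 48 bits are the address, the top 16 bits hold
// the "PAC" (stand-in for the real ARM64E nonPACBitsMask).
constexpr uintptr_t nonPACBitsMask = (uintptr_t(1) << 48) - 1;
// Constructed cage: a 32 GiB region whose base bits caging always forces.
constexpr uintptr_t cageBase = uintptr_t(0x1000) << 32;
constexpr uintptr_t cageOffsetMask = (uintptr_t(1) << 35) - 1;

// Toy signature over the address bits: a deterministic mix, not a real PAC.
static uint16_t toyTag(uintptr_t addrBits) {
    return uint16_t((addrBits * 0x9E3779B97F4A7C15ULL) >> 48);
}
// Sign: put the tag of the address bits into the PAC field.
static uintptr_t toySign(uintptr_t addr) {
    uintptr_t bits = addr & nonPACBitsMask;
    return bits | (uintptr_t(toyTag(bits)) << 48);
}
// Authenticate: succeeds only if the PAC field matches the current address bits.
static bool toyAuth(uintptr_t signedPtr, uintptr_t& out) {
    out = signedPtr & nonPACBitsMask;
    return uint16_t(signedPtr >> 48) == toyTag(out);
}
// Caging: keep the in-cage offset, force the cage base, PAC bits become 00000.
static uintptr_t cage(uintptr_t p) {
    return cageBase | (p & cageOffsetMask);
}
// Same bit merge as CagedPtr::mergePointers above: PAC bits from the source
// pointer, address bits from the caged pointer.
static uintptr_t mergePointers(uintptr_t sourcePtr, uintptr_t cagedPtr) {
    return (sourcePtr & ~nonPACBitsMask) | (cagedPtr & nonPACBitsMask);
}
// The ordering from the commit: cage, merge the PAC bits back, then authenticate.
// A validly signed pointer from outside the cage fails here because its base
// bits changed between signing and authentication.
static bool cageThenAuth(uintptr_t signedPtr, uintptr_t& out) {
    return toyAuth(mergePointers(signedPtr, cage(signedPtr)), out);
}

int main() {
    uintptr_t out;
    // Constructed: a pointer outside the cage, but carrying a valid signature.
    uintptr_t outside = toySign((uintptr_t(0x2000) << 32) | 0x1234);
    std::printf("auth only: %d, cage then auth: %d\n",
                int(toyAuth(outside, out)), int(cageThenAuth(outside, out)));
    return 0;
}
```

Authentication alone accepts the outside pointer (its signature is genuine); caging first rewrites the base bits so the same signature no longer matches, which is the property the commit relies on.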
Apply poisoning to TypedArray vector pointers.
https://bugs.webkit.org/show_bug.cgi?id=182155
<rdar://problem/36286266>

Reviewed by JF Bastien.

Source/JavaScriptCore:

The TypedArray's vector pointer is now poisoned. The poison value is chosen
based on a TypedArray's jsType. The JSType must be between FirstTypedArrayType
and LastTypedArrayType. At runtime, we enforce that the index is well-behaved
by masking it against TypedArrayPoisonIndexMask. TypedArrayPoisonIndexMask (16)
is the number of TypedArray types (10) rounded up to the next power of 2.
Accordingly, we reserve an array of TypedArrayPoisonIndexMask poisons so that
we can use index masking on the index, and be guaranteed that the masked index
will be within bounds of the poisons array.

1. Fixed both DFG and FTL versions of compileGetTypedArrayByteOffset() to not
   do any unnecessary work if the TypedArray vector is null. FTL's
   cagedMayBeNull() is no longer needed because it is only used by
   compileGetTypedArrayByteOffset(), and we need to enhance it to handle
   unpoisoning in a TypedArray specific way. So, might as well do the work
   inline in compileGetTypedArrayByteOffset() instead.

2. Removed an unnecessary null-check in DFGSpeculativeJIT's
   compileNewTypedArrayWithSize() because there's already a null check above
   it that ensures that sizeGPR is never null.

3. In LLInt's _llint_op_get_by_val, move the TypedArray length check before
   the loading of the vector for unpoisoning and uncaging. We don't need the
   vector if the length is 0.

Implementation notes on the need to null check the TypedArray vector:

1. DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds() does not
   need a m_poisonedVector null check because the function is a null check.

2. DFG::SpeculativeJIT::compileGetIndexedPropertyStorage() does not need a
   m_poisonedVector null check because it is followed by a call to
   cageTypedArrayStorage() which assumes that storageReg cannot be null.

3. DFG::SpeculativeJIT::compileGetTypedArrayByteOffset() already has a
   m_poisonedVector null check.

4. DFG::SpeculativeJIT::compileNewTypedArrayWithSize() does not need a vector
   null check because the poisoning code is preceded by a sizeGPR null check,
   which ensures that the storageGPR (vector to be poisoned) is not null.

5. FTL's compileGetIndexedPropertyStorage() does not need a m_poisonedVector
   null check because it is followed by a call to caged() which assumes that
   the vector cannot be null.

6. FTL's compileGetTypedArrayByteOffset() already has a m_poisonedVector null
   check.

7. FTL's compileNewTypedArray() does not need a vector null check because the
   poisoning code is preceded by a size null check, which ensures that the
   storage (vector to be poisoned) is not null.

8. FTL's speculateTypedArrayIsNotNeutered() does not need a m_poisonedVector
   null check because the function is a null check.

9. IntrinsicGetterAccessCase::emitIntrinsicGetter()'s
   TypedArrayByteOffsetIntrinsic case needs a null check so that it does not
   try to unpoison a null vector.

10. JIT::emitIntTypedArrayGetByVal() does not need a vector null check because
    we already do a length check even before loading the vector.

11. JIT::emitFloatTypedArrayGetByVal() does not need a vector null check
    because we already do a length check even before loading the vector.

12. JIT::emitIntTypedArrayPutByVal() does not need a vector null check because
    we already do a length check even before loading the vector.

13. JIT::emitFloatTypedArrayPutByVal() does not need a vector null check
    because we already do a length check even before loading the vector.

14. LLInt's loadTypedArrayCaged() does not need a vector null check because
    its client will do a TypedArray length check before calling it.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::checkArray):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasArrayMode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayIsNeuteredIfOutOfBounds):
(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
(JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
(JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
(JSC::FTL::DFG::LowerDFGToB3::speculateTypedArrayIsNotNeutered):
(JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull): Deleted.
* jit/IntrinsicEmitter.cpp:
(JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/x86.rb:
* runtime/CagedBarrierPtr.h:
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::JSArrayBufferView):
(JSC::JSArrayBufferView::finalize):
(JSC::JSArrayBufferView::neuter):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::vector const):
(JSC::JSArrayBufferView::offsetOfPoisonedVector):
(JSC::JSArrayBufferView::poisonFor):
(JSC::JSArrayBufferView::Poison::key):
(JSC::JSArrayBufferView::offsetOfVector): Deleted.
* runtime/JSCPoison.cpp:
(JSC::initializePoison):
* runtime/JSCPoison.h:
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):
(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
* runtime/JSObject.h:

Source/WTF:

1. Added the ability to poison a CagedPtr.

2. Prevent CagedPtr from being implicitly instantiated, and add operator=
   methods instead. This is because implicitly instantiated CagedPtrs with a
   poisoned trait may silently use a wrong poison value.

* wtf/CagedPtr.h:
(WTF::CagedPtr::CagedPtr):
(WTF::CagedPtr::get const):
(WTF::CagedPtr::operator=):

Canonical link: https://commits.webkit.org/198124@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@227874 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2018-01-31 05:23:52 +00:00
typename PtrTraits::StorageType m_ptr;
All of the different ArrayBuffer::data's should be CagedPtr<>
https://bugs.webkit.org/show_bug.cgi?id=175515

Reviewed by Michael Saboff.

Source/JavaScriptCore:

This straightforwardly implements what the title says.

* runtime/ArrayBuffer.cpp:
(JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
(JSC::ArrayBufferContents::destroy):
(JSC::ArrayBufferContents::tryAllocate):
(JSC::ArrayBufferContents::makeShared):
(JSC::ArrayBufferContents::copyTo):
(JSC::ArrayBuffer::createFromBytes):
(JSC::ArrayBuffer::transferTo):
* runtime/ArrayBuffer.h:
(JSC::SharedArrayBufferContents::data const):
(JSC::ArrayBufferContents::data const):
(JSC::ArrayBuffer::data):
(JSC::ArrayBuffer::data const):
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::baseAddress const):
* runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
* runtime/DataView.h:
(JSC::DataView::get):
(JSC::DataView::set):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
* runtime/JSArrayBufferView.h:
(JSC::JSArrayBufferView::ConstructionContext::vector const):
(JSC::JSArrayBufferView::vector const):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):

Source/WTF:

Added a specialization so that CagedPtr<void> is valid.

* wtf/CagedPtr.h:

Canonical link: https://commits.webkit.org/192841@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@221439 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2017-08-31 20:46:58 +00:00
};
} // namespace WTF
using WTF::CagedPtr;
using WTF::tagCagedPtr;