Wasm should cage the memory base pointers in structs
https://bugs.webkit.org/show_bug.cgi?id=197620
Reviewed by Saam Barati.
Source/bmalloc:
Fix signature to take Gigacage::Kind, which matches GIGACAGE_ENABLED build.
* bmalloc/Gigacage.h:
(Gigacage::isEnabled):
Source/JavaScriptCore:
Currently, we use cageConditionally; this only matters for API
users since the web content process cannot disable primitive
gigacage. This patch also adds a set helper for union/intersection
of RegisterSets.
* assembler/CPU.h:
(JSC::isARM64E):
* jit/RegisterSet.h:
(JSC::RegisterSet::set):
* wasm/WasmAirIRGenerator.cpp:
(JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::AirIRGenerator::addCallIndirect):
* wasm/WasmB3IRGenerator.cpp:
(JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
(JSC::Wasm::B3IRGenerator::addCallIndirect):
* wasm/WasmBinding.cpp:
(JSC::Wasm::wasmToWasm):
* wasm/WasmInstance.h:
(JSC::Wasm::Instance::cachedMemory const):
(JSC::Wasm::Instance::updateCachedMemory):
* wasm/WasmMemory.cpp:
(JSC::Wasm::Memory::grow):
* wasm/WasmMemory.h:
(JSC::Wasm::Memory::memory const):
* wasm/js/JSToWasm.cpp:
(JSC::Wasm::createJSToWasmWrapper):
* wasm/js/WebAssemblyFunction.cpp:
(JSC::WebAssemblyFunction::jsCallEntrypointSlow):
Source/WTF:
Rename reauthenticate to recage.
* wtf/CagedPtr.h:
(WTF::CagedPtr::recage):
(WTF::CagedPtr::reauthenticate): Deleted.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@245432 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index a2de4b77..9fc25a8 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,39 @@
+2019-05-16 Keith Miller <keith_miller@apple.com>
+
+ Wasm should cage the memory base pointers in structs
+ https://bugs.webkit.org/show_bug.cgi?id=197620
+
+ Reviewed by Saam Barati.
+
+ Currently, we use cageConditionally; this only matters for API
+ users since the web content process cannot disable primitive
+ gigacage. This patch also adds a set helper for union/intersection
+ of RegisterSets.
+
+ * assembler/CPU.h:
+ (JSC::isARM64E):
+ * jit/RegisterSet.h:
+ (JSC::RegisterSet::set):
+ * wasm/WasmAirIRGenerator.cpp:
+ (JSC::Wasm::AirIRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::AirIRGenerator::addCallIndirect):
+ * wasm/WasmB3IRGenerator.cpp:
+ (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
+ (JSC::Wasm::B3IRGenerator::addCallIndirect):
+ * wasm/WasmBinding.cpp:
+ (JSC::Wasm::wasmToWasm):
+ * wasm/WasmInstance.h:
+ (JSC::Wasm::Instance::cachedMemory const):
+ (JSC::Wasm::Instance::updateCachedMemory):
+ * wasm/WasmMemory.cpp:
+ (JSC::Wasm::Memory::grow):
+ * wasm/WasmMemory.h:
+ (JSC::Wasm::Memory::memory const):
+ * wasm/js/JSToWasm.cpp:
+ (JSC::Wasm::createJSToWasmWrapper):
+ * wasm/js/WebAssemblyFunction.cpp:
+ (JSC::WebAssemblyFunction::jsCallEntrypointSlow):
+
2019-05-16 David Kilzer <ddkilzer@apple.com>
REGRESSION (r15133): Fix leak of JSStringRef in minidom
diff --git a/Source/JavaScriptCore/assembler/CPU.h b/Source/JavaScriptCore/assembler/CPU.h
index ddccd00a..c1674ec 100644
--- a/Source/JavaScriptCore/assembler/CPU.h
+++ b/Source/JavaScriptCore/assembler/CPU.h
@@ -56,6 +56,15 @@
#endif
}
+constexpr bool isARM64E()
+{
+#if CPU(ARM64E)
+ return true;
+#else
+ return false;
+#endif
+}
+
constexpr bool isX86()
{
#if CPU(X86_64) || CPU(X86)
diff --git a/Source/JavaScriptCore/jit/RegisterSet.h b/Source/JavaScriptCore/jit/RegisterSet.h
index ae42323..8c01842 100644
--- a/Source/JavaScriptCore/jit/RegisterSet.h
+++ b/Source/JavaScriptCore/jit/RegisterSet.h
@@ -84,7 +84,9 @@
set(regs.tagGPR(), value);
set(regs.payloadGPR(), value);
}
-
+
+ void set(const RegisterSet& other, bool value = true) { value ? merge(other) : exclude(other); }
+
void clear(Reg reg)
{
ASSERT(!!reg);
diff --git a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp
index 26a400d..475e926 100644
--- a/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp
+++ b/Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp
@@ -40,6 +40,7 @@
#include "B3Procedure.h"
#include "B3ProcedureInlines.h"
#include "BinarySwitch.h"
+#include "DisallowMacroScratchRegisterUsage.h"
#include "ScratchRegisterAllocator.h"
#include "VirtualRegister.h"
#include "WasmCallingConvention.h"
@@ -822,6 +823,8 @@
RegisterSet clobbers;
clobbers.set(pinnedRegs->baseMemoryPointer);
clobbers.set(pinnedRegs->sizeRegister);
+ if (!isARM64())
+ clobbers.set(RegisterSet::macroScratchRegisters());
auto* patchpoint = addPatchpoint(B3::Void);
B3::Effects effects = B3::Effects::none();
@@ -829,13 +832,18 @@
effects.reads = B3::HeapRange::top();
patchpoint->effects = effects;
patchpoint->clobber(clobbers);
+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
+ RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64());
+ AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64());
+ GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
+
jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister);
- jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), pinnedRegs->baseMemoryPointer);
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs->sizeRegister, pinnedRegs->baseMemoryPointer);
-#endif
+ jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
+
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
});
emitPatchpoint(block, patchpoint, Tmp(), instance);
@@ -1844,6 +1852,8 @@
// FIXME: We shouldn't have to do this: https://bugs.webkit.org/show_bug.cgi?id=172181
patchpoint->clobber(PinnedRegisterInfo::get().toSave(MemoryMode::BoundsChecking));
patchpoint->clobber(RegisterSet::macroScratchRegisters());
+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
+
patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
AllowMacroScratchRegisterUsage allowScratch(jit);
GPRReg newContextInstance = params[0].gpr();
@@ -1857,11 +1867,12 @@
// FIXME: We should support more than one memory size register
// see: https://bugs.webkit.org/show_bug.cgi?id=162952
ASSERT(pinnedRegs.sizeRegister != newContextInstance);
+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister;
+
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory);
-#endif
+
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
});
emitPatchpoint(doContextSwitch, patchpoint, Tmp(), newContextInstance, instanceValue());
diff --git a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
index aee8b4d..15f464f 100644
--- a/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
+++ b/Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp
@@ -47,6 +47,7 @@
#include "B3VariableValue.h"
#include "B3WasmAddressValue.h"
#include "B3WasmBoundsCheckValue.h"
+#include "DisallowMacroScratchRegisterUsage.h"
#include "JSCInlines.h"
#include "ScratchRegisterAllocator.h"
#include "VirtualRegister.h"
@@ -468,6 +469,8 @@
RegisterSet clobbers;
clobbers.set(pinnedRegs->baseMemoryPointer);
clobbers.set(pinnedRegs->sizeRegister);
+ if (!isARM64())
+ clobbers.set(RegisterSet::macroScratchRegisters());
B3::PatchpointValue* patchpoint = block->appendNew<B3::PatchpointValue>(proc, B3::Void, origin());
Effects effects = Effects::none();
@@ -475,16 +478,19 @@
effects.reads = B3::HeapRange::top();
patchpoint->effects = effects;
patchpoint->clobber(clobbers);
+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
patchpoint->append(instance, ValueRep::SomeRegister);
-
patchpoint->setGenerator([pinnedRegs] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
+ RELEASE_ASSERT(!Gigacage::isEnabled(Gigacage::Primitive) || !isARM64());
+ AllowMacroScratchRegisterUsageIf allowScratch(jit, !isARM64());
GPRReg baseMemory = pinnedRegs->baseMemoryPointer;
+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs->sizeRegister;
+
jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemorySize()), pinnedRegs->sizeRegister);
jit.loadPtr(CCallHelpers::Address(params[0].gpr(), Instance::offsetOfCachedMemory()), baseMemory);
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs->sizeRegister, baseMemory);
-#endif
+
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
});
}
}
@@ -1272,6 +1278,8 @@
patchpoint->clobber(RegisterSet::macroScratchRegisters());
patchpoint->append(newContextInstance, ValueRep::SomeRegister);
patchpoint->append(instanceValue(), ValueRep::SomeRegister);
+ patchpoint->numGPScratchRegisters = Gigacage::isEnabled(Gigacage::Primitive) ? 1 : 0;
+
patchpoint->setGenerator([=] (CCallHelpers& jit, const B3::StackmapGenerationParams& params) {
AllowMacroScratchRegisterUsage allowScratch(jit);
GPRReg newContextInstance = params[0].gpr();
@@ -1286,11 +1294,12 @@
// FIXME: We should support more than one memory size register
// see: https://bugs.webkit.org/show_bug.cgi?id=162952
ASSERT(pinnedRegs.sizeRegister != newContextInstance);
+ GPRReg scratchOrSize = Gigacage::isEnabled(Gigacage::Primitive) ? params.gpScratch(0) : pinnedRegs.sizeRegister;
+
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
jit.loadPtr(CCallHelpers::Address(newContextInstance, Instance::offsetOfCachedMemory()), baseMemory); // Memory::void*.
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory);
-#endif
+
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
});
doContextSwitch->appendNewControlValue(m_proc, Jump, origin(), continuation);
diff --git a/Source/JavaScriptCore/wasm/WasmBinding.cpp b/Source/JavaScriptCore/wasm/WasmBinding.cpp
index 0647a63..0c53cb6 100644
--- a/Source/JavaScriptCore/wasm/WasmBinding.cpp
+++ b/Source/JavaScriptCore/wasm/WasmBinding.cpp
@@ -45,7 +45,7 @@
const PinnedRegisterInfo& pinnedRegs = PinnedRegisterInfo::get();
JIT jit;
- GPRReg scratch = GPRInfo::nonPreservedNonArgumentGPR0;
+ GPRReg scratch = wasmCallingConventionAir().prologueScratch(0);
GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
ASSERT(baseMemory != scratch);
ASSERT(pinnedRegs.sizeRegister != baseMemory);
@@ -65,11 +65,13 @@
// FIXME the following code assumes that all Wasm::Instance have the same pinned registers. https://bugs.webkit.org/show_bug.cgi?id=162952
// Set up the callee's baseMemory register as well as the memory size registers.
- jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
- jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*).
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory);
-#endif
+ {
+ GPRReg scratchOrSize = isARM64E() ? pinnedRegs.sizeRegister : wasmCallingConventionAir().prologueScratch(1);
+
+ jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister); // Memory size.
+ jit.loadPtr(JIT::Address(baseMemory, Wasm::Instance::offsetOfCachedMemory()), baseMemory); // Wasm::Memory::TaggedArrayStoragePtr<void> (void*).
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
+ }
// Tail call into the callee WebAssembly function.
jit.loadPtr(scratch, scratch);
diff --git a/Source/JavaScriptCore/wasm/WasmInstance.h b/Source/JavaScriptCore/wasm/WasmInstance.h
index 387bdd1..cd34a64 100644
--- a/Source/JavaScriptCore/wasm/WasmInstance.h
+++ b/Source/JavaScriptCore/wasm/WasmInstance.h
@@ -64,7 +64,7 @@
Memory* memory() { return m_memory.get(); }
Table* table() { return m_table.get(); }
- void* cachedMemory() const { return m_cachedMemory.get(cachedMemorySize()); }
+ void* cachedMemory() const { return m_cachedMemory.getMayBeNull(cachedMemorySize()); }
size_t cachedMemorySize() const { return m_cachedMemorySize; }
void setMemory(Ref<Memory>&& memory)
@@ -76,7 +76,7 @@
void updateCachedMemory()
{
if (m_memory != nullptr) {
- m_cachedMemory = TaggedArrayStoragePtr<void>(memory()->memory(), memory()->size());
+ m_cachedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>(memory()->memory(), memory()->size());
m_cachedMemorySize = memory()->size();
}
}
@@ -143,7 +143,7 @@
}
void* m_owner { nullptr }; // In a JS embedding, this is a JSWebAssemblyInstance*.
Context* m_context { nullptr };
- TaggedArrayStoragePtr<void> m_cachedMemory;
+ CagedPtr<Gigacage::Primitive, void, tagCagedPtr> m_cachedMemory;
size_t m_cachedMemorySize { 0 };
Ref<Module> m_module;
RefPtr<CodeBlock> m_codeBlock;
diff --git a/Source/JavaScriptCore/wasm/WasmMemory.cpp b/Source/JavaScriptCore/wasm/WasmMemory.cpp
index 4ca54ac..5910382 100644
--- a/Source/JavaScriptCore/wasm/WasmMemory.cpp
+++ b/Source/JavaScriptCore/wasm/WasmMemory.cpp
@@ -423,7 +423,7 @@
memcpy(newMemory, memory(), m_size);
if (m_memory)
Gigacage::freeVirtualPages(Gigacage::Primitive, memory(), m_size);
- m_memory = TaggedArrayStoragePtr<void>(newMemory, desiredSize);
+ m_memory = CagedMemory(newMemory, desiredSize);
m_mappedCapacity = desiredSize;
m_size = desiredSize;
ASSERT(memory() == newMemory);
@@ -439,7 +439,7 @@
dataLog("mprotect failed: ", strerror(errno), "\n");
RELEASE_ASSERT_NOT_REACHED();
}
- m_memory.resize(m_size, desiredSize);
+ m_memory.recage(m_size, desiredSize);
m_size = desiredSize;
return success();
}
diff --git a/Source/JavaScriptCore/wasm/WasmMemory.h b/Source/JavaScriptCore/wasm/WasmMemory.h
index 9adbb11..9670838 100644
--- a/Source/JavaScriptCore/wasm/WasmMemory.h
+++ b/Source/JavaScriptCore/wasm/WasmMemory.h
@@ -30,11 +30,11 @@
#include "WasmMemoryMode.h"
#include "WasmPageCount.h"
+#include <wtf/CagedPtr.h>
#include <wtf/Expected.h>
#include <wtf/Function.h>
#include <wtf/RefCounted.h>
#include <wtf/RefPtr.h>
-#include <wtf/TaggedArrayStoragePtr.h>
#include <wtf/Vector.h>
#include <wtf/WeakPtr.h>
@@ -69,7 +69,7 @@
static size_t fastMappedBytes(); // Includes redzone.
static bool addressIsInActiveFastMemory(void*);
- void* memory() const { ASSERT(m_memory.get(size()) == m_memory.getUnsafe()); return m_memory.get(size()); }
+ void* memory() const { ASSERT(m_memory.getMayBeNull(size()) == m_memory.getUnsafe()); return m_memory.getMayBeNull(size()); }
size_t size() const { return m_size; }
PageCount sizeInPages() const { return PageCount::fromBytes(m_size); }
@@ -97,7 +97,8 @@
Memory(void* memory, PageCount initial, PageCount maximum, size_t mappedCapacity, MemoryMode, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
Memory(PageCount initial, PageCount maximum, WTF::Function<void(NotifyPressure)>&& notifyMemoryPressure, WTF::Function<void(SyncTryToReclaim)>&& syncTryToReclaimMemory, WTF::Function<void(GrowSuccess, PageCount, PageCount)>&& growSuccessCallback);
- TaggedArrayStoragePtr<void> m_memory;
+ using CagedMemory = CagedPtr<Gigacage::Primitive, void, tagCagedPtr>;
+ CagedMemory m_memory;
size_t m_size { 0 };
PageCount m_initial;
PageCount m_maximum;
diff --git a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp
index e036cef..774bce0 100644
--- a/Source/JavaScriptCore/wasm/js/JSToWasm.cpp
+++ b/Source/JavaScriptCore/wasm/js/JSToWasm.cpp
@@ -210,28 +210,23 @@
if (!!info.memory) {
GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
+ GPRReg scratchOrSize = wasmCallingConventionAir().prologueScratch(0);
if (Context::useFastTLS())
jit.loadWasmContextInstance(baseMemory);
GPRReg currentInstanceGPR = Context::useFastTLS() ? baseMemory : wasmContextInstanceGPR;
- if (mode != MemoryMode::Signaling) {
- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory);
-#endif
+ if (isARM64E()) {
+ if (mode != Wasm::MemoryMode::Signaling)
+ scratchOrSize = pinnedRegs.sizeRegister;
+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize);
} else {
-#if CPU(ARM64E)
- GPRReg scratch = wasmCallingConventionAir().prologueScratch(0);
-
- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratch);
- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
- jit.untagArrayPtr(scratch, baseMemory);
-#else
- jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-#endif
+ if (mode != Wasm::MemoryMode::Signaling)
+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
}
+
+ jit.loadPtr(CCallHelpers::Address(currentInstanceGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
}
CCallHelpers::Call call = jit.threadSafePatchableNearCall();
diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
index cf7c779..6dcec80 100644
--- a/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyFunction.cpp
@@ -395,22 +395,20 @@
if (!!moduleInformation.memory) {
GPRReg baseMemory = pinnedRegs.baseMemoryPointer;
+ GPRReg scratchOrSize = scratch2GPR;
+ auto mode = instance()->memoryMode();
- if (instance()->memoryMode() != Wasm::MemoryMode::Signaling) {
- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-#if CPU(ARM64E)
- jit.untagArrayPtr(pinnedRegs.sizeRegister, baseMemory);
-#endif
+ if (isARM64E()) {
+ if (mode != Wasm::MemoryMode::Signaling)
+ scratchOrSize = pinnedRegs.sizeRegister;
+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratchOrSize);
} else {
-#if CPU(ARM64E)
- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), scratch2GPR);
- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
- jit.untagArrayPtr(scratch2GPR, baseMemory);
-#else
- jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
-#endif
+ if (mode != Wasm::MemoryMode::Signaling)
+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemorySize()), pinnedRegs.sizeRegister);
}
+
+ jit.loadPtr(CCallHelpers::Address(scratchGPR, Wasm::Instance::offsetOfCachedMemory()), baseMemory);
+ jit.cageConditionally(Gigacage::Primitive, baseMemory, scratchOrSize);
}
// We use this callee to indicate how to unwind past these types of frames:
diff --git a/Source/WTF/ChangeLog b/Source/WTF/ChangeLog
index 16876d1..33b0db1 100644
--- a/Source/WTF/ChangeLog
+++ b/Source/WTF/ChangeLog
@@ -1,3 +1,16 @@
+2019-05-16 Keith Miller <keith_miller@apple.com>
+
+ Wasm should cage the memory base pointers in structs
+ https://bugs.webkit.org/show_bug.cgi?id=197620
+
+ Reviewed by Saam Barati.
+
+ Rename reauthenticate to recage.
+
+ * wtf/CagedPtr.h:
+ (WTF::CagedPtr::recage):
+ (WTF::CagedPtr::reauthenticate): Deleted.
+
2019-05-16 Alex Christensen <achristensen@webkit.org>
Add a unit test for client certificate authentication
diff --git a/Source/WTF/wtf/CagedPtr.h b/Source/WTF/wtf/CagedPtr.h
index 7c80efb..71ec51e 100644
--- a/Source/WTF/wtf/CagedPtr.h
+++ b/Source/WTF/wtf/CagedPtr.h
@@ -78,7 +78,7 @@
typename std::enable_if<!std::is_same<void, U>::value, T>::type&
/* T& */ at(unsigned index, unsigned size) const { return get(size)[index]; }
- void reauthenticate(unsigned oldSize, unsigned newSize)
+ void recage(unsigned oldSize, unsigned newSize)
{
auto ptr = get(oldSize);
ASSERT(ptr == getUnsafe());
diff --git a/Source/bmalloc/ChangeLog b/Source/bmalloc/ChangeLog
index 128c1ff..988eb70 100644
--- a/Source/bmalloc/ChangeLog
+++ b/Source/bmalloc/ChangeLog
@@ -1,3 +1,15 @@
+2019-05-16 Keith Miller <keith_miller@apple.com>
+
+ Wasm should cage the memory base pointers in structs
+ https://bugs.webkit.org/show_bug.cgi?id=197620
+
+ Reviewed by Saam Barati.
+
+ Fix signature to take Gigacage::Kind, which matches GIGACAGE_ENABLED build.
+
+ * bmalloc/Gigacage.h:
+ (Gigacage::isEnabled):
+
2019-05-08 Keith Miller <keith_miller@apple.com>
Remove Gigacage from arm64 and use PAC for arm64e instead
diff --git a/Source/bmalloc/bmalloc/Gigacage.h b/Source/bmalloc/bmalloc/Gigacage.h
index bcde37c..76d72df 100644
--- a/Source/bmalloc/bmalloc/Gigacage.h
+++ b/Source/bmalloc/bmalloc/Gigacage.h
@@ -226,7 +226,7 @@
BINLINE void ensureGigacage() { }
BINLINE bool wasEnabled() { return false; }
BINLINE bool isCaged(Kind, const void*) { return true; }
-BINLINE bool isEnabled() { return false; }
+BINLINE bool isEnabled(Kind) { return false; }
template<typename T> BINLINE T* caged(Kind, T* ptr) { return ptr; }
template<typename T> BINLINE T* cagedMayBeNull(Kind, T* ptr) { return ptr; }
BINLINE void disableDisablingPrimitiveGigacageIfShouldBeEnabled() { }
