Fix crashes related to pointer authentication for primitive gigacage
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 May 2019 02:02:31 +0000 (02:02 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 10 May 2019 02:02:31 +0000 (02:02 +0000)
https://bugs.webkit.org/show_bug.cgi?id=197763
<rdar://problem/50629257>

Reviewed by Saam Barati.

This fixes two bugs related to PAC for caging. The first is that
we didn't clear the high bits of the size register going into the
patchpoint to tag the new buffer for NewArrayBuffer. The second is
that the GC needs to strip all stack pointers when considering
them as a conservative root.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::genericAddPointer):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245168 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/heap/ConservativeRoots.cpp

index 8895238..5c788c2 100644 (file)
@@ -1,5 +1,24 @@
 2019-05-09  Keith Miller  <keith_miller@apple.com>
 
+        Fix crashes related to pointer authentication for primitive gigacage
+        https://bugs.webkit.org/show_bug.cgi?id=197763
+        <rdar://problem/50629257>
+
+        Reviewed by Saam Barati.
+
+        This fixes two bugs related to PAC for caging. The first is that
+        we didn't clear the high bits of the size register going into the
+        patchpoint to tag the new buffer for NewArrayBuffer. The second is
+        that the GC needs to strip all stack pointers when considering
+        them as a conservative root.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+        * heap/ConservativeRoots.cpp:
+        (JSC::ConservativeRoots::genericAddPointer):
+
+2019-05-09  Keith Miller  <keith_miller@apple.com>
+
         parseStatementListItem needs a stack overflow check
         https://bugs.webkit.org/show_bug.cgi?id=197749
         <rdar://problem/50302697>
index 5600781..473a038 100644 (file)
@@ -6468,14 +6468,17 @@ private:
                 m_heaps.typedArrayProperties);
 
 #if !GIGACAGE_ENABLED && CPU(ARM64E)
-            PatchpointValue* authenticate = m_out.patchpoint(pointerType());
-            authenticate->appendSomeRegister(storage);
-            authenticate->append(size, B3::ValueRep(B3::ValueRep::SomeLateRegister));
-            authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
-                jit.move(params[1].gpr(), params[0].gpr());
-                jit.tagArrayPtr(params[2].gpr(), params[0].gpr());
-            });
-            storage = authenticate;
+            {
+                LValue sizePtr = m_out.zeroExtPtr(size);
+                PatchpointValue* authenticate = m_out.patchpoint(pointerType());
+                authenticate->appendSomeRegister(storage);
+                authenticate->append(sizePtr, B3::ValueRep(B3::ValueRep::SomeLateRegister));
+                authenticate->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
+                    jit.move(params[1].gpr(), params[0].gpr());
+                    jit.tagArrayPtr(params[2].gpr(), params[0].gpr());
+                });
+                storage = authenticate;
+            }
 #endif
 
             ValueFromBlock haveStorage = m_out.anchor(storage);
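Review bot: The line that actually carries the fix, `LValue sizePtr = m_out.zeroExtPtr(size);`, has no comment, and nothing in the new block says why a narrower size has to be widened before it reaches the patchpoint; the commit description explains it (the high bits of the size register were left uncleared going into the tag), but the code does not. A one-line why-comment above it would keep a later refactor from folding it back into `append(size, ...)`: `// size is narrower than a register and tagArrayPtr consumes the whole register as tag input, so zero-extend first or stale high bits change the tag.` Separately, the generator lambda uses only its two parameters, so the `[=]` default capture captures nothing and a plain `[]` would state that (the removed lines show the same form, so this predates the commit). compileNewTypedArray starts and ends outside the hunk.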
index a420fe8..2a55892 100644 (file)
@@ -68,6 +68,7 @@ void ConservativeRoots::grow()
 template<typename MarkHook>
 inline void ConservativeRoots::genericAddPointer(void* p, HeapVersion markingVersion, HeapVersion newlyAllocatedVersion, TinyBloomFilter filter, MarkHook& markHook)
 {
+    p = removeArrayPtrTag(p);
     markHook.mark(p);
 
     HeapUtil::findGCObjectPointersForMarking(
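Review bot: The added `p = removeArrayPtrTag(p);` strips unconditionally and silently, and a reader of genericAddPointer gets no cue that a candidate pointer can arrive with PAC bits in its high part; the commit description carries that reasoning but the code does not. I would put a comment above it: `// A stack slot may hold an array pointer tagged by tagArrayPtr; strip the tag before marking and lookup so the raw address is what gets compared against the heap.` It is also worth stating, in the same comment or the ChangeLog, that stripping rather than authenticating is deliberate here, since a conservative scan presumably has no modifier to authenticate against, and that a slot holding a mis-tagged value therefore still roots whatever heap object its low bits name, which is consistent with conservative scanning. The function body continues past the end of the hunk.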