Bug 214953 - validate untagArrayPtr
Summary: validate untagArrayPtr
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Saam Barati
URL:
Keywords: InRadar
: 210733 (view as bug list)
Depends on: 215074
Blocks:
  Show dependency treegraph
 
Reported: 2020-07-29 17:51 PDT by Saam Barati
Modified: 2021-07-05 13:04 PDT (History)
16 users (show)

See Also:

Attachments
patch (22.95 KB, patch)
2020-07-30 15:10 PDT, Saam Barati 		no flags Details | Formatted Diff | Diff
patch (23.01 KB, patch)
2020-07-30 18:03 PDT, Saam Barati 		keith_miller: review+
Details | Formatted Diff | Diff
patch for landing (23.05 KB, patch)
2020-07-31 11:09 PDT, Saam Barati 		no flags Details | Formatted Diff | Diff
patch (31.39 KB, patch)
2021-03-25 12:55 PDT, Saam Barati 		mark.lam: review+
Details | Formatted Diff | Diff
patch for landing (31.10 KB, patch)
2021-03-25 14:59 PDT, Saam Barati 		no flags Details | Formatted Diff | Diff
Show Obsolete (4) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Saam Barati 2020-07-29 17:51:09 PDT 
....
Comment 1 Saam Barati 2020-07-30 15:10:47 PDT 
Created attachment 405627 [details]
patch
Comment 2 Saam Barati 2020-07-30 15:11:29 PDT 
Comment on attachment 405627 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=405627&action=review

> Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:135
> +        TrustedImm32 shiftAmount { 64 - OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) };

Will switch to using Keith's new constant once it lands.

> Source/JavaScriptCore/jit/AssemblyHelpers.cpp:1152
> +        skip = branchPtr(Equal, storage, TrustedImmPtr(JSArrayBufferView::nullVectorPtr()));

this is the change.

> Source/JavaScriptCore/jit/AssemblyHelpers.cpp:1188
> +            done.append(branchPtr(Equal, storage, TrustedImmPtr(JSArrayBufferView::nullVectorPtr())));

this is the changed line.
Comment 3 Saam Barati 2020-07-30 18:03:50 PDT 
Created attachment 405646 [details]
patch
Comment 4 Keith Miller 2020-07-31 10:13:34 PDT 
Comment on attachment 405646 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=405646&action=review

r=me with some comments.

> Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:135
> +        TrustedImm32 shiftAmount { 64 - OS_CONSTANT(EFFECTIVE_ADDRESS_WIDTH) };

Nit: Can you use numberOfPACBits?

> Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:137
> +        lshift64(shiftAmount, target);
> +        urshift64(shiftAmount, target);

I think this can probably be a single and instruction for each of the constants we currently use.
Comment 5 Saam Barati 2020-07-31 11:09:41 PDT 
Created attachment 405710 [details]
patch for landing
Comment 6 EWS 2020-07-31 11:46:23 PDT 
Committed r265151: <https://trac.webkit.org/changeset/265151>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 405710 [details].
Comment 7 Radar WebKit Bug Importer 2020-07-31 11:47:19 PDT 
<rdar://problem/66391434>
Comment 8 WebKit Commit Bot 2020-08-02 01:21:33 PDT 
Re-opened since this is blocked by bug 215074
Comment 9 Saam Barati 2021-03-25 12:55:00 PDT 
Created attachment 424271 [details]
patch
Comment 10 Mark Lam 2021-03-25 13:23:40 PDT 
Comment on attachment 424271 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=424271&action=review

> Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:149
> +        auto scratch = InvalidGPRReg; 
> +        if (validateAuth) {
> +            scratch = getCachedMemoryTempRegisterIDAndInvalidate();
> +            move(target, scratch);
> +        }
> +
>          m_assembler.autdb(target, lengthGPR);
> +
> +        if (validateAuth) {
> +            ASSERT(target != ARM64Registers::sp);
> +            removeArrayPtrTag(scratch);
> +            auto isValidPtr = branch64(Equal, scratch, target);
> +            breakpoint(0xc473);
> +            isValidPtr.link(this);
> +        }

Let's do this instead:

        auto scratch = validateAuth ? getCachedMemoryTempRegisterIDAndInvalidate() : InvalidGPRReg;
        untagArrayPtr(length, target, validateAuth, scratch);

> Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:157
> +        ASSERT(LogicalImmediate::create64(nonPACBitsMask).isValid());
> +        and64(TrustedImmPtr(nonPACBitsMask), target);

Isn't nonPACBitsMask a member of CagedPtr?  Did this actually build?

> Source/JavaScriptCore/jit/AssemblyHelpers.cpp:1074
> +#if CPU(ARM64E)
> +            done.append(branchPtr(Equal, storage, TrustedImmPtr(JSArrayBufferView::nullVectorPtr())));
> +#endif

Isn't this also needed for x86_64 because null != neutered?
Comment 11 Saam Barati 2021-03-25 14:12:31 PDT 
Comment on attachment 424271 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=424271&action=review

>> Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:149
>> +        }
> 
> Let's do this instead:
> 
>         auto scratch = validateAuth ? getCachedMemoryTempRegisterIDAndInvalidate() : InvalidGPRReg;
>         untagArrayPtr(length, target, validateAuth, scratch);

sounds good

>> Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:157
>> +        and64(TrustedImmPtr(nonPACBitsMask), target);
> 
> Isn't nonPACBitsMask a member of CagedPtr?  Did this actually build?

It's also defined above in this file:
    static constexpr uintptr_t nonPACBitsMask = (1ull << (64 - numberOfPACBits)) - 1;

>> Source/JavaScriptCore/jit/AssemblyHelpers.cpp:1074
>> +#endif
> 
> Isn't this also needed for x86_64 because null != neutered?

Detached array buffer is zero on x86:
void JSArrayBufferView::detach()
{
    auto locker = holdLock(cellLock());
    RELEASE_ASSERT(hasArrayBuffer());
    RELEASE_ASSERT(!isShared());
    m_length = 0;
    m_vector.clear();
}
Comment 12 Mark Lam 2021-03-25 14:23:57 PDT 
Comment on attachment 424271 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=424271&action=review

r=me

>>> Source/JavaScriptCore/assembler/MacroAssemblerARM64E.h:157
>>> +        and64(TrustedImmPtr(nonPACBitsMask), target);
>> 
>> Isn't nonPACBitsMask a member of CagedPtr?  Did this actually build?
> 
> It's also defined above in this file:
>     static constexpr uintptr_t nonPACBitsMask = (1ull << (64 - numberOfPACBits)) - 1;

sorry, I had a bad grep.

>>> Source/JavaScriptCore/jit/AssemblyHelpers.cpp:1074
>>> +#endif
>> 
>> Isn't this also needed for x86_64 because null != neutered?
> 
> Detached array buffer is zero on x86:
> void JSArrayBufferView::detach()
> {
>     auto locker = holdLock(cellLock());
>     RELEASE_ASSERT(hasArrayBuffer());
>     RELEASE_ASSERT(!isShared());
>     m_length = 0;
>     m_vector.clear();
> }

I think it is a bug for x86_64 to use 0 to both mean null and neutered.  But that's unrelated to this patch.  So, moving on.
Comment 13 Saam Barati 2021-03-25 14:59:59 PDT 
Created attachment 424284 [details]
patch for landing
Comment 14 EWS 2021-03-25 22:25:44 PDT 
Committed r275079: <https://commits.webkit.org/r275079>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 424284 [details].
Comment 15 Saam Barati 2021-07-05 13:04:59 PDT 
*** Bug 210733 has been marked as a duplicate of this bug. ***