[webkit-changes] [WebKit/WebKit] 441c3c: [JSC] Avoid nested LinkBuffer creation

Yusuke Suzuki noreply at github.com
Fri Dec 15 09:17:43 PST 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 441c3cfdd95820caada392d2ccba9579b612d73c
      https://github.com/WebKit/WebKit/commit/441c3cfdd95820caada392d2ccba9579b612d73c
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-12-15 (Fri, 15 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/assembler/ARM64Assembler.h
    M Source/JavaScriptCore/assembler/ARMv7Assembler.h
    M Source/JavaScriptCore/assembler/LinkBuffer.cpp
    M Source/JavaScriptCore/jit/CCallHelpers.cpp
    M Source/JavaScriptCore/jit/CCallHelpers.h
    M Source/JavaScriptCore/jit/ExecutableAllocator.cpp
    M Source/JavaScriptCore/jit/ExecutableAllocator.h

  Log Message:
  -----------
  [JSC] Avoid nested LinkBuffer creation
https://bugs.webkit.org/show_bug.cgi?id=266461
rdar://119678858

Reviewed by Mark Lam.

Since JumpIsland needs to write nearTailCall via LinkBuffer, it is possible that we create nested LinkBuffer: LinkBuffer does linking
and linking creates JumpIsland. In this case, fast JIT memory access permission switching is broken since it disables permission when
leaving the inner LinkBuffer code. In this patch,

1. We add fillNearTailCall. Similar to fillNops, which just fill one nearTailCall. It can take copy function so it can avoid using performJITMemcpy.
2. Use memcpy version of JumpIsland creation from linking code.

* Source/JavaScriptCore/assembler/ARM64Assembler.h:
* Source/JavaScriptCore/assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::fillNearTailCall):
(JSC::ARMv7Assembler::linkBranch):
* Source/JavaScriptCore/assembler/LinkBuffer.cpp:
(JSC::memcpyWrapper): Deleted.
* Source/JavaScriptCore/jit/CCallHelpers.cpp:
(JSC::CCallHelpers::emitJITCodeOver): Deleted.
* Source/JavaScriptCore/jit/CCallHelpers.h:
* Source/JavaScriptCore/jit/ExecutableAllocator.cpp:
(JSC::ExecutableAllocator::getJumpIslandToUsingJITMemcpy):
(JSC::ExecutableAllocator::getJumpIslandToUsingMemcpy):
(JSC::ExecutableAllocator::getJumpIslandToConcurrently):
(JSC::ExecutableAllocator::getJumpIslandTo): Deleted.
* Source/JavaScriptCore/jit/ExecutableAllocator.h:
(JSC::memcpyWrapper):

Canonical link: https://commits.webkit.org/272121@main

More information about the webkit-changes mailing list