Description: Fix JIT crash on x86-64 (avoid 32-bit branch offset overflow) . Cherry-picked from webkit commit a5b3261a8c4386b4e14ce40a34c7fc933a5f7001 Origin: commit ada98493bbfbd9af0d0b593017e29d39bcd3495e Author: Kent Hansen Forwarded: not-needed Applied-Upstream: yes Reviewed-by: Simon Hausmann Reviewed-by: Kent Hansen --- .../javascriptcore/JavaScriptCore/ChangeLog | 27 +++++++++++++++++ .../JavaScriptCore/JavaScriptCore.pri | 1 + .../JavaScriptCore/jit/ExecutableAllocator.cpp | 21 +++++++++++++ .../jit/ExecutableAllocatorFixedVMPool.cpp | 31 +++++++++++++------- .../jit/ExecutableAllocatorPosix.cpp | 29 ++---------------- .../jit/ExecutableAllocatorSymbian.cpp | 2 +- .../JavaScriptCore/jit/ExecutableAllocatorWin.cpp | 2 +- .../javascriptcore/JavaScriptCore/wtf/Platform.h | 10 +++++++ 8 files changed, 84 insertions(+), 39 deletions(-) diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog b/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog index 9cbf0c1..5ab23e6 100644 --- a/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog +++ b/src/3rdparty/javascriptcore/JavaScriptCore/ChangeLog @@ -1,3 +1,30 @@ +2010-07-08 Gavin Barraclough + + Reviewed by Sam Weinig. + + https://bugs.webkit.org/show_bug.cgi?id=41641 + + Update compile flags to allow use of ExecutableAllocatorFixedVMPool on platforms + other than x86-64 (this may be useful on 32-bit platforms, too). + + Simplify ifdefs by dividing into thwo broad allocation strategies + (ENABLE_EXECUTABLE_ALLOCATOR_FIXED & ENABLE_EXECUTABLE_ALLOCATOR_DEMAND). + + Rename constant used in the code to have names descriptive of their purpose, + rather than their specific value on a given platform. + + * jit/ExecutableAllocator.cpp: + (JSC::ExecutableAllocator::reprotectRegion): + (JSC::ExecutableAllocator::cacheFlush): + * jit/ExecutableAllocatorFixedVMPool.cpp: + (JSC::FixedVMPoolAllocator::FixedVMPoolAllocator): + (JSC::FixedVMPoolAllocator::free): + (JSC::ExecutablePool::systemAlloc): + * jit/ExecutableAllocatorPosix.cpp: + * jit/ExecutableAllocatorSymbian.cpp: + * jit/ExecutableAllocatorWin.cpp: + * wtf/Platform.h: + 2010-08-24 Oliver Hunt Reviewed by Geoff Garen. diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri b/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri index b061321..847f69c 100644 --- a/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri +++ b/src/3rdparty/javascriptcore/JavaScriptCore/JavaScriptCore.pri @@ -100,6 +100,7 @@ SOURCES += \ interpreter/CallFrame.cpp \ interpreter/Interpreter.cpp \ interpreter/RegisterFile.cpp \ + jit/ExecutableAllocatorFixedVMPool.cpp \ jit/ExecutableAllocatorPosix.cpp \ jit/ExecutableAllocatorSymbian.cpp \ jit/ExecutableAllocatorWin.cpp \ diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp index f6b27ec..f0ebbab 100644 --- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp +++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocator.cpp @@ -33,6 +33,27 @@ namespace JSC { size_t ExecutableAllocator::pageSize = 0; +#if ENABLE(ASSEMBLER_WX_EXCLUSIVE) +void ExecutableAllocator::reprotectRegion(void* start, size_t size, ProtectionSeting setting) +{ + if (!pageSize) + intializePageSize(); + + // Calculate the start of the page containing this region, + // and account for this extra memory within size. + intptr_t startPtr = reinterpret_cast(start); + intptr_t pageStartPtr = startPtr & ~(pageSize - 1); + void* pageStart = reinterpret_cast(pageStartPtr); + size += (startPtr - pageStartPtr); + + // Round size up + size += (pageSize - 1); + size &= ~(pageSize - 1); + + mprotect(pageStart, size, (setting == Writable) ? PROTECTION_FLAGS_RW : PROTECTION_FLAGS_RX); +} +#endif + } #endif // HAVE(ASSEMBLER) diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp index dd1db4e..16d0fb1 100644 --- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp +++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp @@ -27,25 +27,33 @@ #include "ExecutableAllocator.h" -#include +#if ENABLE(EXECUTABLE_ALLOCATOR_FIXED) -#if ENABLE(ASSEMBLER) && OS(DARWIN) && CPU(X86_64) +#include #include "TCSpinLock.h" -#include -#include #include #include #include #include +#if CPU(X86_64) + // These limits suitable on 64-bit platforms (particularly x86-64, where we require all jumps to have a 2Gb max range). + #define VM_POOL_SIZE (2u * 1024u * 1024u * 1024u) // 2Gb + #define COALESCE_LIMIT (16u * 1024u * 1024u) // 16Mb +#else + // These limits are hopefully sensible on embedded platforms. + #define VM_POOL_SIZE (32u * 1024u * 1024u) // 32Mb + #define COALESCE_LIMIT (4u * 1024u * 1024u) // 4Mb +#endif + +// ASLR currently only works on darwin (due to arc4random) & 64-bit (due to address space size). +#define VM_POOL_ASLR (OS(DARWIN) && CPU(X86_64)) + using namespace WTF; namespace JSC { -#define TWO_GB (2u * 1024u * 1024u * 1024u) -#define SIXTEEN_MB (16u * 1024u * 1024u) - // FreeListEntry describes a free chunk of memory, stored in the freeList. struct FreeListEntry { FreeListEntry(void* pointer, size_t size) @@ -291,9 +299,12 @@ public: // for now instead of 2^26 bits of ASLR lets stick with 25 bits of randomization plus // 2^24, which should put up somewhere in the middle of usespace (in the address range // 0x200000000000 .. 0x5fffffffffff). - intptr_t randomLocation = arc4random() & ((1 << 25) - 1); + intptr_t randomLocation = 0; +#if VM_POOL_ASLR + randomLocation = arc4random() & ((1 << 25) - 1); randomLocation += (1 << 24); randomLocation <<= 21; +#endif m_base = mmap(reinterpret_cast(randomLocation), m_totalHeapSize, INITIAL_PROTECTION_FLAGS, MAP_PRIVATE | MAP_ANON, VM_TAG_FOR_EXECUTABLEALLOCATOR_MEMORY, 0); if (!m_base) CRASH(); @@ -387,7 +398,7 @@ public: // 16MB of allocations have been freed, sweep m_freeList // coalescing any neighboring fragments. m_countFreedSinceLastCoalesce += size; - if (m_countFreedSinceLastCoalesce >= SIXTEEN_MB) { + if (m_countFreedSinceLastCoalesce >= COALESCE_LIMIT) { m_countFreedSinceLastCoalesce = 0; coalesceFreeSpace(); } @@ -429,7 +440,7 @@ ExecutablePool::Allocation ExecutablePool::systemAlloc(size_t size) SpinLockHolder lock_holder(&spinlock); if (!allocator) - allocator = new FixedVMPoolAllocator(JIT_ALLOCATOR_LARGE_ALLOC_SIZE, TWO_GB); + allocator = new FixedVMPoolAllocator(JIT_ALLOCATOR_LARGE_ALLOC_SIZE, VM_POOL_SIZE); ExecutablePool::Allocation alloc = {reinterpret_cast(allocator->alloc(size)), size}; return alloc; } diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp index 2eb0c87..b04049c 100644 --- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp +++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorPosix.cpp @@ -27,7 +27,7 @@ #include "ExecutableAllocator.h" -#if ENABLE(ASSEMBLER) && OS(UNIX) && !OS(SYMBIAN) +#if ENABLE(EXECUTABLE_ALLOCATOR_DEMAND) && !OS(WINDOWS) && !OS(SYMBIAN) #include #include @@ -35,8 +35,6 @@ namespace JSC { -#if !(OS(DARWIN) && !PLATFORM(QT) && CPU(X86_64)) - void ExecutableAllocator::intializePageSize() { ExecutableAllocator::pageSize = getpagesize(); @@ -57,29 +55,6 @@ void ExecutablePool::systemRelease(const ExecutablePool::Allocation& alloc) ASSERT_UNUSED(result, !result); } -#endif // !(OS(DARWIN) && !PLATFORM(QT) && CPU(X86_64)) - -#if ENABLE(ASSEMBLER_WX_EXCLUSIVE) -void ExecutableAllocator::reprotectRegion(void* start, size_t size, ProtectionSeting setting) -{ - if (!pageSize) - intializePageSize(); - - // Calculate the start of the page containing this region, - // and account for this extra memory within size. - intptr_t startPtr = reinterpret_cast(start); - intptr_t pageStartPtr = startPtr & ~(pageSize - 1); - void* pageStart = reinterpret_cast(pageStartPtr); - size += (startPtr - pageStartPtr); - - // Round size up - size += (pageSize - 1); - size &= ~(pageSize - 1); - - mprotect(pageStart, size, (setting == Writable) ? PROTECTION_FLAGS_RW : PROTECTION_FLAGS_RX); -} -#endif - } -#endif // HAVE(ASSEMBLER) +#endif diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp index e82975c..9028f50 100644 --- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp +++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorSymbian.cpp @@ -22,7 +22,7 @@ #include "ExecutableAllocator.h" -#if ENABLE(ASSEMBLER) && OS(SYMBIAN) +#if ENABLE(EXECUTABLE_ALLOCATOR_DEMAND) && OS(SYMBIAN) #include #include diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp index e38323c..72a1d5f 100644 --- a/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp +++ b/src/3rdparty/javascriptcore/JavaScriptCore/jit/ExecutableAllocatorWin.cpp @@ -27,7 +27,7 @@ #include "ExecutableAllocator.h" -#if ENABLE(ASSEMBLER) && OS(WINDOWS) +#if ENABLE(EXECUTABLE_ALLOCATOR_DEMAND) && OS(WINDOWS) #include "windows.h" diff --git a/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h b/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h index 700977e..d930ed7 100644 --- a/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h +++ b/src/3rdparty/javascriptcore/JavaScriptCore/wtf/Platform.h @@ -1016,6 +1016,16 @@ on MinGW. See https://bugs.webkit.org/show_bug.cgi?id=29268 */ #define ENABLE_ASSEMBLER_WX_EXCLUSIVE 0 #endif +/* Pick which allocator to use; we only need an executable allocator if the assembler is compiled in. + On x86-64 we use a single fixed mmap, on other platforms we mmap on demand. */ +#if ENABLE(ASSEMBLER) +#if CPU(X86_64) +#define ENABLE_EXECUTABLE_ALLOCATOR_FIXED 1 +#else +#define ENABLE_EXECUTABLE_ALLOCATOR_DEMAND 1 +#endif +#endif + #if !defined(ENABLE_PAN_SCROLLING) && OS(WINDOWS) #define ENABLE_PAN_SCROLLING 1 #endif -- 1.7.10.4