Bug 1518210 - Wasm: Bounds checking support for ARM64. r=lth

The only observed change needed to get bounds checking working on ARM64 was to implement `wasmBoundsCheck` in MacroAssembler-arm64. ARM64 doesn't support predicated instructions like ARM32, so to support spectre mitigations `wasmBoundsCheck` emits a 'csel' instruction. I'm not familiar with how ARM performs speculative execution or how spidermonkey mitigates it, so this was only a guess. Differential Revision: https://phabricator.services.mozilla.com/D41864 --HG-- extra : moz-landing-system : lando
2024-10-19 08:15:31 +00:00 · 2019-08-30 02:35:42 +00:00 · 2019-08-30 02:35:42 +00:00 · bda6e43374
commit bda6e43374
parent 21846c8c78
3 changed files with 24 additions and 4 deletions
--- a/js/src/jit/MacroAssembler.h
+++ b/js/src/jit/MacroAssembler.h
@ -1116,6 +1116,9 @@ class MacroAssembler : public MacroAssemblerSpecific {
  inline void branch32(Condition cond, Register lhs, Imm32 rhs,
                       L label) PER_SHARED_ARCH;

+  inline void branch32(Condition cond, Register lhs, const Address& rhs,
+                       Label* label) DEFINED_ON(arm64);
+
  inline void branch32(Condition cond, const Address& lhs, Register rhs,
                       Label* label) PER_SHARED_ARCH;
  inline void branch32(Condition cond, const Address& lhs, Imm32 rhs,
--- a/js/src/jit/arm64/MacroAssembler-arm64-inl.h
+++ b/js/src/jit/arm64/MacroAssembler-arm64-inl.h
@ -800,6 +800,16 @@ void MacroAssembler::branch32(Condition cond, Register lhs, Imm32 imm,
  B(label, cond);
 }

+void MacroAssembler::branch32(Condition cond, Register lhs, const Address& rhs,
+                              Label* label) {
+  vixl::UseScratchRegisterScope temps(this);
+  const Register scratch = temps.AcquireX().asUnsized();
+  MOZ_ASSERT(scratch != lhs);
+  MOZ_ASSERT(scratch != rhs.base);
+  load32(rhs, scratch);
+  branch32(cond, lhs, scratch, label);
+}
+
 void MacroAssembler::branch32(Condition cond, const Address& lhs, Register rhs,
                              Label* label) {
  vixl::UseScratchRegisterScope temps(this);
--- a/js/src/jit/arm64/MacroAssembler-arm64.cpp
+++ b/js/src/jit/arm64/MacroAssembler-arm64.cpp
@ -1091,14 +1091,21 @@ CodeOffset MacroAssembler::wasmTrapInstruction() {

 void MacroAssembler::wasmBoundsCheck(Condition cond, Register index,
                                     Register boundsCheckLimit, Label* label) {
-  // Not used on ARM64, we rely on signal handling instead
-  MOZ_CRASH("NYI - wasmBoundsCheck");
+  branch32(cond, index, boundsCheckLimit, label);
+  if (JitOptions.spectreIndexMasking) {
+    csel(ARMRegister(index, 32), vixl::wzr, ARMRegister(index, 32), cond);
+  }
 }

 void MacroAssembler::wasmBoundsCheck(Condition cond, Register index,
                                     Address boundsCheckLimit, Label* label) {
-  // Not used on ARM64, we rely on signal handling instead
-  MOZ_CRASH("NYI - wasmBoundsCheck");
+  MOZ_ASSERT(boundsCheckLimit.offset ==
+             offsetof(wasm::TlsData, boundsCheckLimit));
+
+  branch32(cond, index, boundsCheckLimit, label);
+  if (JitOptions.spectreIndexMasking) {
+    csel(ARMRegister(index, 32), vixl::wzr, ARMRegister(index, 32), cond);
+  }
 }

 // FCVTZU behaves as follows: