From d574456eec9b19b849814c985f95cdfd9236f075 Mon Sep 17 00:00:00 2001
From: Nika Layzell
Date: Mon, 25 Mar 2024 17:12:53 +0000
Subject: [PATCH] Bug 1883457 - Part 2: Use be_memory_inline_jit_restrict_* APIs for JIT on iOS, r=jandem

This change enables the JS_USE_APPLE_FAST_WX option for iOS, but uses the BrowserEngineKit APIs rather than the pthread_jit APIs which are available on macOS.

It is unclear to me if there are other differences with these APIs which would need to be handled beyond what has been written so far, as this is just a naive substitution.

Given these functions are explicitly "inline", it may be desirable at some point to refactor the code to allow the calls to be made inline within ProcessExecutableMemory.h, however that was left out-of-scope.

Differential Revision: https://phabricator.services.mozilla.com/D203499
---
 js/moz.configure | 11 ++++++-----
 js/src/jit/JitOptions.cpp | 3 ++-
 js/src/jit/ProcessExecutableMemory.cpp | 12 ++++++++++++
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/js/moz.configure b/js/moz.configure
index 9629d6eea6bd..675736a797ac 100644
--- a/js/moz.configure
+++ b/js/moz.configure
@@ -591,13 +591,14 @@ set_define("MOZ_AARCH64_JSCVT", aarch64_jscvt)
 @depends(target)
-def has_pthread_jit_write_protect_np(target):
-    return target.os == "OSX" and target.cpu == "aarch64"
+def has_apple_fast_wx(target):
+    return target.kernel == "Darwin" and target.cpu == "aarch64"
-# On Apple Silicon we use MAP_JIT with pthread_jit_write_protect_np to implement
-# JIT code write protection.
-set_define("JS_USE_APPLE_FAST_WX", True, when=has_pthread_jit_write_protect_np)
+# On Apple Silicon macOS we use MAP_JIT with pthread_jit_write_protect_np to
+# implement JIT code write protection, while on iOS we use MAP_JIT with
+# be_memory_inline_jit_restrict_*.
+set_define("JS_USE_APPLE_FAST_WX", True, when=has_apple_fast_wx)
 # CTypes
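Review bot: `has_apple_fast_wx` now matches every Darwin/aarch64 target, which is wider than the two cases the new comment names (macOS and iOS) and wider than the old `target.os == "OSX"` test it replaces, while the C++ side only distinguishes `XP_IOS` from everything else, so any other Darwin arm64 target (the arm64 iOS simulator, or other Apple OSes if ever built) silently lands in one of the two branches. That matters because once JS_USE_APPLE_FAST_WX is defined the `writeProtectCode` path is asserted off in the JitOptions hunk, so a target for which the chosen toggle is wrong has no fallback write protection. I would either tighten the predicate to the OSes the comment documents, e.g. `return target.kernel == "Darwin" and target.cpu == "aarch64" and target.os in ("OSX", "iOS")` (using whatever configure reports for iOS), or extend the comment to state that the define is meant for all Darwin arm64 targets and which branch the simulator takes; I have not verified what `target.os` is for the simulator build.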
diff --git a/js/src/jit/JitOptions.cpp b/js/src/jit/JitOptions.cpp
index e9d389cf60b7..053cf868a7d7 100644
--- a/js/src/jit/JitOptions.cpp
+++ b/js/src/jit/JitOptions.cpp
@@ -447,7 +447,8 @@ void DefaultJitOptions::resetNormalIonWarmUpThreshold() {
 void DefaultJitOptions::maybeSetWriteProtectCode(bool val) {
 #ifdef JS_USE_APPLE_FAST_WX
-  // On Apple Silicon we always use pthread_jit_write_protect_np.
+  // On Apple Silicon we always use pthread_jit_write_protect_np, or
+  // be_memory_inline_jit_restrict_*.
   MOZ_ASSERT(!writeProtectCode);
 #else
   writeProtectCode = val;
diff --git a/js/src/jit/ProcessExecutableMemory.cpp b/js/src/jit/ProcessExecutableMemory.cpp
index 830d15f7fb72..0c00b17c73be 100644
--- a/js/src/jit/ProcessExecutableMemory.cpp
+++ b/js/src/jit/ProcessExecutableMemory.cpp
@@ -46,6 +46,10 @@
 # include
 #endif
+#if defined(XP_IOS)
+# include
+#endif
+
 using namespace js;
 using namespace js::jit;
@@ -990,11 +994,19 @@ bool js::jit::ReprotectRegion(void* start, size_t size,
 #ifdef JS_USE_APPLE_FAST_WX
 void js::jit::AutoMarkJitCodeWritableForThread::markExecutable(
     bool executable) {
+# if defined(XP_IOS)
+  if (executable) {
+    be_memory_inline_jit_restrict_rwx_to_rx_with_witness();
+  } else {
+    be_memory_inline_jit_restrict_rwx_to_rw_with_witness();
+  }
+# else
   if (__builtin_available(macOS 11.0, *)) {
     pthread_jit_write_protect_np(executable);
   } else {
     MOZ_CRASH("pthread_jit_write_protect_np must be available");
   }
+# endif
 }
 #endif
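Review bot: The new `XP_IOS` branch in `markExecutable` calls `be_memory_inline_jit_restrict_rwx_to_rx_with_witness()` / `..._rw_with_witness()` with no availability or support check, whereas the macOS branch directly below it gates `pthread_jit_write_protect_np` on `__builtin_available(macOS 11.0, *)` and `MOZ_CRASH`es otherwise. With this commit JS_USE_APPLE_FAST_WX also asserts `writeProtectCode` off (JitOptions hunk), so these two calls are the only thing returning JIT pages to RX before execution on iOS; if they are unavailable or unsupported on a given OS version or device, the failure mode is JIT memory that stays writable while it executes, with nothing to notice — a silent loss of W^X rather than a crash. I would mirror the macOS branch: wrap the two calls in `if (__builtin_available(iOS 17.4, *)) { ... } else { MOZ_CRASH("be_memory_inline_jit_restrict_* must be available"); }` (BrowserEngineKit being new in 17.4 as far as I know), and if BrowserEngineKit's runtime query for whether the with-witness variants are supported exists as I recall, probe it once at JIT init and refuse to enable the JIT when it returns false. A short comment on the branch would also help, e.g. `// iOS: BrowserEngineKit's per-thread equivalent of pthread_jit_write_protect_np(executable); rx == executable, rw == writable.` The enclosing `#ifdef JS_USE_APPLE_FAST_WX` region and the rest of the file start and end outside this hunk; the header name on the added `# include` line is not visible on this page.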