From 2aa4a82499d4becd2284cdb482213d541b8804dd Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 28 Apr 2024 16:29:10 +0200
Subject: Adding upstream version 86.0.1.
Signed-off-by: Daniel Baumann
---
 js/src/jit/ProcessExecutableMemory.h | 117 +++++++++++++++++++++++++++++++++++
 1 file changed, 117 insertions(+)
 create mode 100644 js/src/jit/ProcessExecutableMemory.h
(limited to 'js/src/jit/ProcessExecutableMemory.h')
diff --git a/js/src/jit/ProcessExecutableMemory.h b/js/src/jit/ProcessExecutableMemory.h
new file mode 100644
index 0000000000..053934577c
--- /dev/null
+++ b/js/src/jit/ProcessExecutableMemory.h
@@ -0,0 +1,117 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef jit_ProcessExecutableMemory_h
+#define jit_ProcessExecutableMemory_h
+
+#include "mozilla/Attributes.h"
+
+#include "util/Poison.h"
+
+namespace js {
+namespace jit {
+
+// Limit on the number of bytes of executable memory to prevent JIT spraying
+// attacks.
+#if JS_BITS_PER_WORD == 32
+static const size_t MaxCodeBytesPerProcess = 140 * 1024 * 1024;
+#else
+// This is the largest number which satisfies various alignment static
+// asserts that is <= INT32_MAX. The INT32_MAX limit is required for making a
+// single call to RtlInstallFunctionTableCallback(). (This limit could be
+// relaxed in the future by making multiple calls.)
+static const size_t MaxCodeBytesPerProcess = 2044 * 1024 * 1024;
+#endif
+
+// Limit on the number of bytes of code memory per buffer. This limit comes
+// about because we encode an unresolved relative unconditional branch during
+// assembly as a branch instruction that carries the absolute offset of the next
+// branch instruction in the chain of branches that all reference the same
+// unresolved label. For this architecture to work, no branch instruction may
+// lie at an offset greater than the maximum forward branch distance. This is
+// true on both ARM and ARM64.
+//
+// Notably, even though we know that the offsets thus encoded are always
+// positive offsets, we use only the positive part of the signed range of the
+// branch offset.
+//
+// On ARM-32, we are limited by BOffImm::IsInRange(), which checks that the
+// offset is no greater than 2^25-4 in the offset's 26-bit signed field.
+//
+// On ARM-64, we are limited by Instruction::ImmBranchMaxForwardOffset(), which
+// checks that the offset is no greater than 2^27-4 in the offset's 28-bit
+// signed field.
+//
+// On MIPS, there are no limitations because the assembler has to implement
+// jump chaining to be effective at all (jump offsets are quite small).
+//
+// On x86 and x64, there are no limitations here because the assembler
+// MOZ_CRASHes if the 32-bit offset is exceeded.
+
+#if defined(JS_CODEGEN_ARM)
+static const size_t MaxCodeBytesPerBuffer = (1 << 25) - 4;
+#elif defined(JS_CODEGEN_ARM64)
+static const size_t MaxCodeBytesPerBuffer = (1 << 27) - 4;
+#else
+static const size_t MaxCodeBytesPerBuffer = MaxCodeBytesPerProcess;
+#endif
+
+// Executable code is allocated in 64K chunks. ExecutableAllocator uses pools
+// that are at least this big. Code we allocate does not necessarily have 64K
+// alignment though.
+static const size_t ExecutableCodePageSize = 64 * 1024;
+
+enum class ProtectionSetting {
+ Protected, // Not readable, writable, or executable.
+ Writable,
+ Executable,
+};
+
+/// Whether the instruction cache must be flushed:
+//- No means no flushing will happen.
+//- LocalThreadOnly means only the local thread's icache will be flushed.
+//- AllThreads means all the threads' icaches will be flushed; this must be used
+// when the compiling thread and the executing thread might be different.
+
+enum class MustFlushICache { No, LocalThreadOnly, AllThreads };
+
+enum class FlushICacheSpec { LocalThreadOnly, AllThreads };
+
+[[nodiscard]] extern bool ReprotectRegion(void* start, size_t size,
+ ProtectionSetting protection,
+ MustFlushICache flushICache);
+
+// Functions called at process start-up/shutdown to initialize/release the
+// executable memory region.
+[[nodiscard]] extern bool InitProcessExecutableMemory();
+extern void ReleaseProcessExecutableMemory();
+
+// Allocate/deallocate executable pages.
+extern void* AllocateExecutableMemory(size_t bytes,
+ ProtectionSetting protection,
+ MemCheckKind checkKind);
+extern void DeallocateExecutableMemory(void* addr, size_t bytes);
+
+// Returns true if we can allocate a few more MB of executable code without
+// hitting our code limit. This function can be used to stop compiling things
+// that are optional (like Baseline and Ion code) when we're about to reach the
+// limit, so we are less likely to OOM or crash. Note that the limit is
+// per-process, so other threads can also allocate code after we call this
+// function.
+extern bool CanLikelyAllocateMoreExecutableMemory();
+
+// Returns a rough guess of how much executable memory remains available,
+// rounded down to MB limit. Note this can fluctuate as other threads within
+// the process allocate executable memory.
+extern size_t LikelyAvailableExecutableMemory();
+
+// Returns whether |p| is stored in the executable code buffer.
+extern bool AddressIsInExecutableMemory(const void* p);
+
+} // namespace jit
+} // namespace js
+
+#endif // jit_ProcessExecutableMemory_h
-- cgit v1.2.3
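Review bot: `AllocateExecutableMemory` hands back the new region as a bare `void*` without `[[nodiscard]]`, while the neighbouring `ReprotectRegion` and `InitProcessExecutableMemory` declarations in this same hunk carry it; a caller that drops the pointer can never call `DeallocateExecutableMemory` on it, so the region is lost from the per-process budget that `MaxCodeBytesPerProcess` exists to cap, and `[[nodiscard]] extern void* AllocateExecutableMemory(size_t bytes, ProtectionSetting protection, MemCheckKind checkKind);` would keep the header consistent. The comment above it (`// Allocate/deallocate executable pages.`) also does not say what is returned when the request fails or would exceed the limit; presumably a null pointer, which is worth stating along the lines of `// Returns nullptr on failure or when MaxCodeBytesPerProcess would be exceeded -- confirm against the implementation.` Further up, `Writable` and `Executable` in `ProtectionSetting` have no comment and there is no combined writable-and-executable setting; if that omission is deliberate, a line such as `// Intentionally no writable+executable setting: a region is either being written or being run, never both.` on the enum makes the W^X intent visible to readers. `FlushICacheSpec` is declared with no comment distinguishing it from `MustFlushICache`, and the block above `MustFlushICache` mixes `///` and `//-` markers where one consistent `//` style would read better.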