Attachment #247095 for bug #271081




  setNormalIonWarmUpThreshold(defaultValues.normalIonWarmUpThreshold);
}

void DefaultJitOptions::maybeSetWriteProtectCode(bool val) {
#ifdef JS_USE_APPLE_FAST_WX
  // On Apple Silicon we always use pthread_jit_write_protect_np.
  MOZ_ASSERT(!writeProtectCode);
#else
  writeProtectCode = val;
#endif
}

}  // namespace jit
}  // namespace js




  bool spectreValueMasking;
  bool spectreJitToCxxCalls;

  bool writeProtectCode;

  bool supportsUnalignedAccesses;
  BaseRegForAddress baseRegForLocals;


  void resetNormalIonWarmUpThreshold();
  void enableGvn(bool val);
  void setFastWarmUp();

  void maybeSetWriteProtectCode(bool val);

  bool eagerIonCompilation() const { return normalIonWarmUpThreshold == 0; }
};




}

static DWORD ProtectionSettingToFlags(ProtectionSetting protection) {
  if (!JitOptions.writeProtectCode) {
    return PAGE_EXECUTE_READWRITE;
  }
  switch (protection) {
    case ProtectionSetting::Writable:
      return PAGE_READWRITE;

}

static unsigned ProtectionSettingToFlags(ProtectionSetting protection) {
  if (!JitOptions.writeProtectCode) {
    return PROT_READ | PROT_WRITE | PROT_EXEC;
  }
#  ifdef MOZ_VALGRIND
  // If we're configured for Valgrind and running on it, use a slacker
  // scheme that doesn't change execute permissions, since doing so causes

  MOZ_CRASH("NYI FOR WASI.");
#else
  std::atomic_thread_fence(std::memory_order_seq_cst);

  if (!JitOptions.writeProtectCode) {
    return true;
  }

#  ifdef JS_USE_APPLE_FAST_WX
  MOZ_CRASH("writeProtectCode should always be false on Apple Silicon");
#  endif

#  ifdef XP_WIN
  DWORD flags = ProtectionSettingToFlags(protection);




    case JSJITCOMPILER_SPECTRE_JIT_TO_CXX_CALLS:
      jit::JitOptions.spectreJitToCxxCalls = !!value;
      break;
    case JSJITCOMPILER_WRITE_PROTECT_CODE:
      jit::JitOptions.maybeSetWriteProtectCode(!!value);
      break;
    case JSJITCOMPILER_WATCHTOWER_MEGAMORPHIC:
      jit::JitOptions.enableWatchtowerMegamorphic = !!value;
      break;

      break;
    case JSJITCOMPILER_SPECTRE_JIT_TO_CXX_CALLS:
      *valueOut = jit::JitOptions.spectreJitToCxxCalls ? 1 : 0;
      break;
    case JSJITCOMPILER_WRITE_PROTECT_CODE:
      *valueOut = jit::JitOptions.writeProtectCode ? 1 : 0;
      break;
    case JSJITCOMPILER_WATCHTOWER_MEGAMORPHIC:
      *valueOut = jit::JitOptions.enableWatchtowerMegamorphic ? 1 : 0;

Lines 867-873 extern JS_PUBLIC_API void JS_SetOffthreadIonCompilatio Link Here

(-)js/src/jsapi.h (-1 lines)
867	Register(SPECTRE_STRING_MITIGATIONS, "spectre.string-mitigations") \	867	Register(SPECTRE_STRING_MITIGATIONS, "spectre.string-mitigations") \
868	Register(SPECTRE_VALUE_MASKING, "spectre.value-masking") \	868	Register(SPECTRE_VALUE_MASKING, "spectre.value-masking") \
869	Register(SPECTRE_JIT_TO_CXX_CALLS, "spectre.jit-to-cxx-calls") \	869	Register(SPECTRE_JIT_TO_CXX_CALLS, "spectre.jit-to-cxx-calls") \
870	Register(WRITE_PROTECT_CODE, "write-protect-code") \
871	Register(WATCHTOWER_MEGAMORPHIC, "watchtower.megamorphic") \	870	Register(WATCHTOWER_MEGAMORPHIC, "watchtower.megamorphic") \
872	Register(WASM_FOLD_OFFSETS, "wasm.fold-offsets") \	871	Register(WASM_FOLD_OFFSETS, "wasm.fold-offsets") \
873	Register(WASM_DELAY_TIER2, "wasm.delay-tier2") \	872	Register(WASM_DELAY_TIER2, "wasm.delay-tier2") \

Lines 50-57 --spectre-mitigations=on Link Here

(-)js/src/shell/fuzz-flags.txt (-2 lines)
50	--nursery-bigints=on	50	--nursery-bigints=on
51	--spectre-mitigations=off	51	--spectre-mitigations=off
52	--spectre-mitigations=on	52	--spectre-mitigations=on
53	--write-protect-code=off
54	--write-protect-code=on
55	--more-compartments	53	--more-compartments
56	--fast-warmup	54	--fast-warmup
57	--no-jit-backend	55	--no-jit-backend




      !op.addStringOption('\0', "spectre-mitigations", "on/off",
                          "Whether Spectre mitigations are enabled (default: "
                          "off, on to enable)") ||
      !op.addStringOption('\0', "write-protect-code", "on/off",
                          "Whether the W^X policy is enforced to mark JIT code "
                          "pages as either writable or executable but never "
                          "both at the same time (default: on, off to "
                          "disable)") ||
      !op.addStringOption('\0', "cache-ir-stubs", "on/off/call",
                          "Use CacheIR stubs (default: on, off to disable, "
                          "call to enable work-in-progress call ICs)") ||

      jit::JitOptions.spectreJitToCxxCalls = false;
    } else {
      return OptionFailure("spectre-mitigations", str);
    }
  }

  if (const char* str = op.getStringOption("write-protect-code")) {
    if (strcmp(str, "on") == 0) {
      jit::JitOptions.maybeSetWriteProtectCode(true);
    } else if (strcmp(str, "off") == 0) {
      jit::JitOptions.maybeSetWriteProtectCode(false);
    } else {
      return OptionFailure("write-protect-code", str);
    }
  }





            "--no-sse3",
            "--no-threads",
        ],
        ["--baseline-eager"],
        ["--no-blinterp", "--no-baseline", "--no-ion", "--more-compartments"],
        ["--blinterp-eager"],
    ],

            "--ion-offthread-compile=off",  # implies --baseline-eager
            "--more-compartments",
        ],
        ["--baseline-eager"],
        ["--no-blinterp", "--no-baseline", "--no-ion", "--more-compartments"],
    ],
    # used by jit_test.py
    "ion": [
        ["--baseline-eager"],
        ["--ion-eager", "--ion-offthread-compile=off", "--more-compartments"],
    ],
    # Run reduced variants on debug builds, since they take longer time.

            "--ion-offthread-compile=off",  # implies --baseline-eager
            "--more-compartments",
        ],
        ["--baseline-eager"],
    ],
    # Cover cases useful for tsan. Note that we test --ion-eager without
    # --ion-offthread-compile=off here, because it helps catch races.




          javascript_options_spectre_jit_to_cxx_calls_DoNotUseDirectly());
#endif

  bool writeProtectCode = true;
  if (XRE_IsContentProcess()) {
    writeProtectCode =
        StaticPrefs::javascript_options_content_process_write_protect_code();
  }
  JS_SetGlobalJitCompilerOption(cx, JSJITCOMPILER_WRITE_PROTECT_CODE,
                                writeProtectCode);

  JS_SetGlobalJitCompilerOption(
      cx, JSJITCOMPILER_WATCHTOWER_MEGAMORPHIC,
      StaticPrefs::





# Separate pref to override the values of the Spectre-related prefs above for
# isolated web content processes, where we don't need these mitigations.
- name: javascript.options.spectre.disable_for_isolated_content
  type: bool
  value: true
  mirror: always

# Whether the W^X policy is enforced to mark JIT code pages as either writable
# or executable but never both at the same time. OpenBSD defaults to W^X.
- name: javascript.options.content_process_write_protect_code
  type: bool
#if defined(XP_OPENBSD)
  value: true
#else
  value: false
#endif
  mirror: always

# Whether to use the XPCOM thread pool for JS helper tasks.
- name: javascript.options.external_thread_pool
  type: bool

Return to bug 271081

Lines 441-454 void DefaultJitOptions::resetNormalIonWarmUpThreshold( Link Here

(-)js/src/jit/JitOptions.cpp (-9 lines)
441	setNormalIonWarmUpThreshold(defaultValues.normalIonWarmUpThreshold);	441	setNormalIonWarmUpThreshold(defaultValues.normalIonWarmUpThreshold);
442	}	442	}
443		443
444	void DefaultJitOptions::maybeSetWriteProtectCode(bool val) {
445	#ifdef JS_USE_APPLE_FAST_WX
446	// On Apple Silicon we always use pthread_jit_write_protect_np.
447	MOZ_ASSERT(!writeProtectCode);
448	#else
449	writeProtectCode = val;
450	#endif
451	}
452
453	} // namespace jit	444	} // namespace jit
454	} // namespace js	445	} // namespace js

Lines 128-135 struct DefaultJitOptions { Link Here

(-)js/src/jit/JitOptions.h (-4 lines)
128	bool spectreValueMasking;	128	bool spectreValueMasking;
129	bool spectreJitToCxxCalls;	129	bool spectreJitToCxxCalls;
130		130
131	bool writeProtectCode;
132
133	bool supportsUnalignedAccesses;	131	bool supportsUnalignedAccesses;
134	BaseRegForAddress baseRegForLocals;	132	BaseRegForAddress baseRegForLocals;
135		133
Lines 156-163 struct DefaultJitOptions { Link Here
156	void resetNormalIonWarmUpThreshold();	154	void resetNormalIonWarmUpThreshold();
157	void enableGvn(bool val);	155	void enableGvn(bool val);
158	void setFastWarmUp();	156	void setFastWarmUp();
159
160	void maybeSetWriteProtectCode(bool val);
161		157
162	bool eagerIonCompilation() const { return normalIonWarmUpThreshold == 0; }	158	bool eagerIonCompilation() const { return normalIonWarmUpThreshold == 0; }
163	};	159	};

Lines 366-374 static DWORD ProtectionSettingToFlags(ProtectionSettin Link Here

(-)js/src/jit/ProcessExecutableMemory.cpp (-14 lines)
366	}	366	}
367		367
368	static DWORD ProtectionSettingToFlags(ProtectionSetting protection) {	368	static DWORD ProtectionSettingToFlags(ProtectionSetting protection) {
369	if (!JitOptions.writeProtectCode) {
370	return PAGE_EXECUTE_READWRITE;
371	}
372	switch (protection) {	369	switch (protection) {
373	case ProtectionSetting::Writable:	370	case ProtectionSetting::Writable:
374	return PAGE_READWRITE;	371	return PAGE_READWRITE;
Lines 516-524 static unsigned ProtectionSettingToFlags(ProtectionSet Link Here
516	}	513	}
517		514
518	static unsigned ProtectionSettingToFlags(ProtectionSetting protection) {	515	static unsigned ProtectionSettingToFlags(ProtectionSetting protection) {
519	if (!JitOptions.writeProtectCode) {
520	return PROT_READ \| PROT_WRITE \| PROT_EXEC;
521	}
522	# ifdef MOZ_VALGRIND	516	# ifdef MOZ_VALGRIND
523	// If we're configured for Valgrind and running on it, use a slacker	517	// If we're configured for Valgrind and running on it, use a slacker
524	// scheme that doesn't change execute permissions, since doing so causes	518	// scheme that doesn't change execute permissions, since doing so causes
Lines 930-943 bool js::jit::ReprotectRegion(void* start, size_t size Link Here
930	MOZ_CRASH("NYI FOR WASI.");	924	MOZ_CRASH("NYI FOR WASI.");
931	#else	925	#else
932	std::atomic_thread_fence(std::memory_order_seq_cst);	926	std::atomic_thread_fence(std::memory_order_seq_cst);
933
934	if (!JitOptions.writeProtectCode) {
935	return true;
936	}
937
938	# ifdef JS_USE_APPLE_FAST_WX
939	MOZ_CRASH("writeProtectCode should always be false on Apple Silicon");
940	# endif
941		927
942	# ifdef XP_WIN	928	# ifdef XP_WIN
943	DWORD flags = ProtectionSettingToFlags(protection);	929	DWORD flags = ProtectionSettingToFlags(protection);

Lines 4370-4378 JS_PUBLIC_API void JS_SetGlobalJitCompilerOption(JSCon Link Here

(-)js/src/jsapi.cpp (-6 lines)
4370	case JSJITCOMPILER_SPECTRE_JIT_TO_CXX_CALLS:	4370	case JSJITCOMPILER_SPECTRE_JIT_TO_CXX_CALLS:
4371	jit::JitOptions.spectreJitToCxxCalls = !!value;	4371	jit::JitOptions.spectreJitToCxxCalls = !!value;
4372	break;	4372	break;
4373	case JSJITCOMPILER_WRITE_PROTECT_CODE:
4374	jit::JitOptions.maybeSetWriteProtectCode(!!value);
4375	break;
4376	case JSJITCOMPILER_WATCHTOWER_MEGAMORPHIC:	4373	case JSJITCOMPILER_WATCHTOWER_MEGAMORPHIC:
4377	jit::JitOptions.enableWatchtowerMegamorphic = !!value;	4374	jit::JitOptions.enableWatchtowerMegamorphic = !!value;
4378	break;	4375	break;
Lines 4461-4469 JS_PUBLIC_API bool JS_GetGlobalJitCompilerOption(JSCon Link Here
4461	break;	4458	break;
4462	case JSJITCOMPILER_SPECTRE_JIT_TO_CXX_CALLS:	4459	case JSJITCOMPILER_SPECTRE_JIT_TO_CXX_CALLS:
4463	*valueOut = jit::JitOptions.spectreJitToCxxCalls ? 1 : 0;	4460	*valueOut = jit::JitOptions.spectreJitToCxxCalls ? 1 : 0;
4464	break;
4465	case JSJITCOMPILER_WRITE_PROTECT_CODE:
4466	*valueOut = jit::JitOptions.writeProtectCode ? 1 : 0;
4467	break;	4461	break;
4468	case JSJITCOMPILER_WATCHTOWER_MEGAMORPHIC:	4462	case JSJITCOMPILER_WATCHTOWER_MEGAMORPHIC:
4469	*valueOut = jit::JitOptions.enableWatchtowerMegamorphic ? 1 : 0;	4463	*valueOut = jit::JitOptions.enableWatchtowerMegamorphic ? 1 : 0;

Lines 11701-11711 bool InitOptionParser(OptionParser& op) { Link Here

(-)js/src/shell/js.cpp (-15 lines)
11701	!op.addStringOption('\0', "spectre-mitigations", "on/off",	11701	!op.addStringOption('\0', "spectre-mitigations", "on/off",
11702	"Whether Spectre mitigations are enabled (default: "	11702	"Whether Spectre mitigations are enabled (default: "
11703	"off, on to enable)") \|\|	11703	"off, on to enable)") \|\|
11704	!op.addStringOption('\0', "write-protect-code", "on/off",
11705	"Whether the W^X policy is enforced to mark JIT code "
11706	"pages as either writable or executable but never "
11707	"both at the same time (default: on, off to "
11708	"disable)") \|\|
11709	!op.addStringOption('\0', "cache-ir-stubs", "on/off/call",	11704	!op.addStringOption('\0', "cache-ir-stubs", "on/off/call",
11710	"Use CacheIR stubs (default: on, off to disable, "	11705	"Use CacheIR stubs (default: on, off to disable, "
11711	"call to enable work-in-progress call ICs)") \|\|	11706	"call to enable work-in-progress call ICs)") \|\|
Lines 12425-12440 bool SetContextJITOptions(JSContext* cx, const OptionP Link Here
12425	jit::JitOptions.spectreJitToCxxCalls = false;	12420	jit::JitOptions.spectreJitToCxxCalls = false;
12426	} else {	12421	} else {
12427	return OptionFailure("spectre-mitigations", str);	12422	return OptionFailure("spectre-mitigations", str);
12428	}
12429	}
12430
12431	if (const char* str = op.getStringOption("write-protect-code")) {
12432	if (strcmp(str, "on") == 0) {
12433	jit::JitOptions.maybeSetWriteProtectCode(true);
12434	} else if (strcmp(str, "off") == 0) {
12435	jit::JitOptions.maybeSetWriteProtectCode(false);
12436	} else {
12437	return OptionFailure("write-protect-code", str);
12438	}	12423	}
12439	}	12424	}
12440		12425

Lines 25-31 JITFLAGS = { Link Here

(-)js/src/tests/lib/tests.py (-4 / +4 lines)
25	"--no-sse3",	25	"--no-sse3",
26	"--no-threads",	26	"--no-threads",
27	],	27	],
28	["--baseline-eager", "--write-protect-code=off"],	28	["--baseline-eager"],
29	["--no-blinterp", "--no-baseline", "--no-ion", "--more-compartments"],	29	["--no-blinterp", "--no-baseline", "--no-ion", "--more-compartments"],
30	["--blinterp-eager"],	30	["--blinterp-eager"],
31	],	31	],
Lines 38-49 JITFLAGS = { Link Here
38	"--ion-offthread-compile=off", # implies --baseline-eager	38	"--ion-offthread-compile=off", # implies --baseline-eager
39	"--more-compartments",	39	"--more-compartments",
40	],	40	],
41	["--baseline-eager", "--write-protect-code=off"],	41	["--baseline-eager"],
42	["--no-blinterp", "--no-baseline", "--no-ion", "--more-compartments"],	42	["--no-blinterp", "--no-baseline", "--no-ion", "--more-compartments"],
43	],	43	],
44	# used by jit_test.py	44	# used by jit_test.py
45	"ion": [	45	"ion": [
46	["--baseline-eager", "--write-protect-code=off"],	46	["--baseline-eager"],
47	["--ion-eager", "--ion-offthread-compile=off", "--more-compartments"],	47	["--ion-eager", "--ion-offthread-compile=off", "--more-compartments"],
48	],	48	],
49	# Run reduced variants on debug builds, since they take longer time.	49	# Run reduced variants on debug builds, since they take longer time.
Lines 54-60 JITFLAGS = { Link Here
54	"--ion-offthread-compile=off", # implies --baseline-eager	54	"--ion-offthread-compile=off", # implies --baseline-eager
55	"--more-compartments",	55	"--more-compartments",
56	],	56	],
57	["--baseline-eager", "--write-protect-code=off"],	57	["--baseline-eager"],
58	],	58	],
59	# Cover cases useful for tsan. Note that we test --ion-eager without	59	# Cover cases useful for tsan. Note that we test --ion-eager without
60	# --ion-offthread-compile=off here, because it helps catch races.	60	# --ion-offthread-compile=off here, because it helps catch races.

Lines 968-981 static void LoadStartupJSPrefs(XPCJSContext* xpccx) { Link Here

(-)js/xpconnect/src/XPCJSContext.cpp (-8 lines)
968	javascript_options_spectre_jit_to_cxx_calls_DoNotUseDirectly());	968	javascript_options_spectre_jit_to_cxx_calls_DoNotUseDirectly());
969	#endif	969	#endif
970		970
971	bool writeProtectCode = true;
972	if (XRE_IsContentProcess()) {
973	writeProtectCode =
974	StaticPrefs::javascript_options_content_process_write_protect_code();
975	}
976	JS_SetGlobalJitCompilerOption(cx, JSJITCOMPILER_WRITE_PROTECT_CODE,
977	writeProtectCode);
978
979	JS_SetGlobalJitCompilerOption(	971	JS_SetGlobalJitCompilerOption(
980	cx, JSJITCOMPILER_WATCHTOWER_MEGAMORPHIC,	972	cx, JSJITCOMPILER_WATCHTOWER_MEGAMORPHIC,
981	StaticPrefs::	973	StaticPrefs::

Lines 7692-7713 - name: javascript.options.spectre.jit_to_cxx_calls Link Here

(-)modules/libpref/init/StaticPrefList.yaml (-16 lines)
7692		7692
7693	# Separate pref to override the values of the Spectre-related prefs above for	7693	# Separate pref to override the values of the Spectre-related prefs above for
7694	# isolated web content processes, where we don't need these mitigations.	7694	# isolated web content processes, where we don't need these mitigations.
7695	- name: javascript.options.spectre.disable_for_isolated_content
7696	type: bool
7697	value: true
7698	mirror: always
7699
7700	# Whether the W^X policy is enforced to mark JIT code pages as either writable
7701	# or executable but never both at the same time. OpenBSD defaults to W^X.
7702	- name: javascript.options.content_process_write_protect_code
7703	type: bool
7704	#if defined(XP_OPENBSD)
7705	value: true
7706	#else
7707	value: false
7708	#endif
7709	mirror: always
7710
7711	# Whether to use the XPCOM thread pool for JS helper tasks.	7695	# Whether to use the XPCOM thread pool for JS helper tasks.
7712	- name: javascript.options.external_thread_pool	7696	- name: javascript.options.external_thread_pool
7713	type: bool	7697	type: bool