[arm64][cfi] Use x16/x17 for tail calls

Using x16/x17 for tail calls allows us to use a "BTI c" instead of "BTI jc" landing pad. This means that we cannot enter functions with a jump to a register other than x16/x17 anymore. Bug: v8:10026 Change-Id: If5af1af861acc19f9e0dfc19c38d6a57a6fb6b6d Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2276049 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Georgia Kouveli <georgia.kouveli@arm.com> Cr-Commit-Position: refs/heads/master@{#68655}
2020-06-30 15:58:02 +01:00 · 2020-06-30 15:58:02 +01:00 · ee229d9e96
commit ee229d9e96
parent a487261196
6 changed files with 51 additions and 21 deletions
--- a/src/builtins/arm64/builtins-arm64.cc
+++ b/src/builtins/arm64/builtins-arm64.cc
@ -1064,7 +1064,13 @@ static void TailCallOptimizedCodeSlot(MacroAssembler* masm,
  ReplaceClosureCodeWithOptimizedCode(masm, optimized_code_entry, closure);
  static_assert(kJavaScriptCallCodeStartRegister == x2, "ABI mismatch");
  __ LoadCodeObjectEntry(x2, optimized_code_entry);
-  __ Jump(x2);
+
+  {
+    UseScratchRegisterScope temps(masm);
+    temps.Exclude(x17);
+    __ Mov(x17, x2);
+    __ Jump(x17);
+  }

  // Optimized code slot contains deoptimized code, evict it and re-enter the
  // closure's code.
@ -1673,7 +1679,11 @@ static void Generate_InterpreterEnterBytecode(MacroAssembler* masm) {
  __ Mov(x1, Operand(x23, LSL, kSystemPointerSizeLog2));
  __ Ldr(kJavaScriptCallCodeStartRegister,
         MemOperand(kInterpreterDispatchTableRegister, x1));
-  __ Jump(kJavaScriptCallCodeStartRegister);
+
+  UseScratchRegisterScope temps(masm);
+  temps.Exclude(x17);
+  __ Mov(x17, kJavaScriptCallCodeStartRegister);
+  __ Jump(x17);
 }

 void Builtins::Generate_InterpreterEnterBytecodeAdvance(MacroAssembler* masm) {
@ -3353,6 +3363,8 @@ void Builtins::Generate_WasmCompileLazy(MacroAssembler* masm) {
          kWasmCompileLazyFuncIndexRegister.W());
  __ SmiTag(kWasmCompileLazyFuncIndexRegister,
            kWasmCompileLazyFuncIndexRegister);
+
+  UseScratchRegisterScope temps(masm);
  {
    HardAbortScope hard_abort(masm);  // Avoid calls to Abort.
    FrameScope scope(masm, StackFrame::WASM_COMPILE_LAZY);
@ -3374,15 +3386,19 @@ void Builtins::Generate_WasmCompileLazy(MacroAssembler* masm) {
    // set the current context on the isolate.
    __ Mov(cp, Smi::zero());
    __ CallRuntime(Runtime::kWasmCompileLazy, 2);
+
+    // Exclude x17 from the scope, there are hardcoded uses of it below.
+    temps.Exclude(x17);
+
    // The entrypoint address is the return value.
-    __ mov(x8, kReturnRegister0);
+    __ Mov(x17, kReturnRegister0);

    // Restore registers.
    __ PopDRegList(fp_regs);
    __ PopXRegList(gp_regs);
  }
  // Finally, jump to the entrypoint.
-  __ Jump(x8);
+  __ Jump(x17);
 }

 void Builtins::Generate_WasmDebugBreak(MacroAssembler* masm) {
@ -3605,10 +3621,15 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
  // underlying register is caller-saved and can be arbitrarily clobbered.
  __ ResetSpeculationPoisonRegister();

-  // Compute the handler entry address and jump to it.
-  __ Mov(x10, pending_handler_entrypoint_address);
-  __ Ldr(x10, MemOperand(x10));
-  __ Br(x10);
+  // Compute the handler entry address and jump to it. We use x17 here for the
+  // jump target, as this jump can occasionally end up at the start of
+  // InterpreterEnterBytecodeDispatch, which when CFI is enabled starts with
+  // a "BTI c".
+  UseScratchRegisterScope temps(masm);
+  temps.Exclude(x17);
+  __ Mov(x17, pending_handler_entrypoint_address);
+  __ Ldr(x17, MemOperand(x17));
+  __ Br(x17);
 }

 void Builtins::Generate_DoubleToI(MacroAssembler* masm) {
--- a/src/codegen/arm64/macro-assembler-arm64-inl.h
+++ b/src/codegen/arm64/macro-assembler-arm64-inl.h
@ -326,15 +326,7 @@ void TurboAssembler::Bind(Label* label, BranchTargetIdentifier id) {
  }
 }

-void TurboAssembler::CodeEntry() {
-  // Since `kJavaScriptCallCodeStartRegister` is the target register for tail
-  // calls, we have to allow for jumps too, with "BTI jc". We also allow the
-  // register allocator to pick the target register for calls made from
-  // WebAssembly.
-  // TODO(v8:10026): Consider changing this so that we can use CallTarget(),
-  // which maps to "BTI c", here instead.
-  JumpOrCallTarget();
-}
+void TurboAssembler::CodeEntry() { CallTarget(); }

 void TurboAssembler::ExceptionHandler() { JumpTarget(); }

--- a/src/codegen/arm64/macro-assembler-arm64.cc
+++ b/src/codegen/arm64/macro-assembler-arm64.cc
@ -1953,7 +1953,13 @@ void TurboAssembler::CallCodeObject(Register code_object) {

 void TurboAssembler::JumpCodeObject(Register code_object) {
  LoadCodeObjectEntry(code_object, code_object);
-  Jump(code_object);
+
+  UseScratchRegisterScope temps(this);
+  if (code_object != x17) {
+    temps.Exclude(x17);
+    Mov(x17, code_object);
+  }
+  Jump(x17);
 }

 void TurboAssembler::StoreReturnAddressAndCall(Register target) {
--- a/src/compiler/backend/arm64/code-generator-arm64.cc
+++ b/src/compiler/backend/arm64/code-generator-arm64.cc
@ -736,7 +736,10 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
        __ Jump(wasm_code, constant.rmode());
      } else {
        Register target = i.InputRegister(0);
-        __ Jump(target);
+        UseScratchRegisterScope temps(tasm());
+        temps.Exclude(x17);
+        __ Mov(x17, target);
+        __ Jump(x17);
      }
      unwinding_info_writer_.MarkBlockWillExit();
      frame_access_state()->ClearSPDelta();
@ -749,7 +752,10 @@ CodeGenerator::CodeGenResult CodeGenerator::AssembleArchInstruction(
      DCHECK_IMPLIES(
          HasCallDescriptorFlag(instr, CallDescriptor::kFixedTargetRegister),
          reg == kJavaScriptCallCodeStartRegister);
-      __ Jump(reg);
+      UseScratchRegisterScope temps(tasm());
+      temps.Exclude(x17);
+      __ Mov(x17, reg);
+      __ Jump(x17);
      unwinding_info_writer_.MarkBlockWillExit();
      frame_access_state()->ClearSPDelta();
      frame_access_state()->SetFrameAccessToDefault();
--- a/src/deoptimizer/arm64/deoptimizer-arm64.cc
+++ b/src/deoptimizer/arm64/deoptimizer-arm64.cc
@ -290,7 +290,9 @@ void Deoptimizer::GenerateDeoptimizationEntries(MacroAssembler* masm,
  RestoreRegList(masm, saved_registers, last_output_frame,
                 FrameDescription::registers_offset());

-  Register continuation = x7;
+  UseScratchRegisterScope temps(masm);
+  temps.Exclude(x17);
+  Register continuation = x17;
  __ Ldr(continuation, MemOperand(last_output_frame,
                                  FrameDescription::continuation_offset()));
  __ Ldr(lr, MemOperand(last_output_frame, FrameDescription::pc_offset()));
--- a/test/cctest/wasm/test-jump-table-assembler.cc
+++ b/test/cctest/wasm/test-jump-table-assembler.cc
@ -102,6 +102,9 @@ void CompileJumpTableThunk(Address thunk, Address jump_target) {
  __ b(ne, &exit);
  __ Jump(jump_target, RelocInfo::NONE);
 #elif V8_TARGET_ARCH_ARM64
+  UseScratchRegisterScope temps(&masm);
+  temps.Exclude(x16);
+  scratch = x16;
  __ Mov(scratch, Operand(stop_bit_address, RelocInfo::NONE));
  __ Ldr(scratch, MemOperand(scratch, 0));
  __ Tbnz(scratch, 0, &exit);