Context Navigation

← Previous Changeset
Next Changeset →

Changeset 113253 in webkit

Timestamp:

Apr 4, 2012 3:42:29 PM (12 years ago)

Author:

msaboff@apple.com

Message:

Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
https://bugs.webkit.org/show_bug.cgi?id=83191

Reviewed by Oliver Hunt.

Make are that blinded constant pairs are similarly aligned to the
original immediate values so that instructions that expect that
alignment work correctly. One example is ARMv7 add/sub imm to SP.

assembler/ARMv7Assembler.h:

(JSC::ARMv7Assembler::add): Added ASSERT that immediate is word aligned.
(JSC::ARMv7Assembler::sub): Added ASSERT that immediate is word aligned.
(JSC::ARMv7Assembler::sub_S): Added ASSERT that immediate is word aligned.

assembler/MacroAssembler.h:

(JSC::MacroAssembler::additionBlindedConstant):

Location:

trunk/Source/JavaScriptCore

Files:

: 3 edited

ChangeLog (modified) (1 diff)
assembler/ARMv7Assembler.h (modified) (3 diffs)
assembler/MacroAssembler.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/ChangeLog

-                      r113240
+                      r113253
+-04-04  Michael Saboff  <msaboff@apple.com>
+        Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
+        https://bugs.webkit.org/show_bug.cgi?id=83191
+        Reviewed by Oliver Hunt.
+        Make are that blinded constant pairs are similarly aligned to the
+        original immediate values so that instructions that expect that
+        alignment work correctly.  One example is ARMv7 add/sub imm to SP.
+        * assembler/ARMv7Assembler.h:
+        (JSC::ARMv7Assembler::add): Added ASSERT that immediate is word aligned.
+        (JSC::ARMv7Assembler::sub): Added ASSERT that immediate is word aligned.
+        (JSC::ARMv7Assembler::sub_S): Added ASSERT that immediate is word aligned.
+        * assembler/MacroAssembler.h:
+        (JSC::MacroAssembler::additionBlindedConstant):
 -04-04  Filip Pizlo  <fpizlo@apple.com>

trunk/Source/JavaScriptCore/assembler/ARMv7Assembler.h

-                      r109038
+                      r113253
         if (rn == ARMRegisters::sp) {
+            ASSERT(!(imm.getUInt16() & 3));
             if (!(rd & 8) && imm.isUInt10()) {
                 m_formatter.oneWordOp5Reg3Imm8(OP_ADD_SP_imm_T1, rd, static_cast<uint8_t>(imm.getUInt10() >> 2));
 …
         if ((rn == ARMRegisters::sp) && (rd == ARMRegisters::sp) && imm.isUInt9()) {
+            ASSERT(!(imm.getUInt16() & 3));
             m_formatter.oneWordOp9Imm7(OP_SUB_SP_imm_T1, static_cast<uint8_t>(imm.getUInt9() >> 2));
             return;
 …
         if ((rn == ARMRegisters::sp) && (rd == ARMRegisters::sp) && imm.isUInt9()) {
+            ASSERT(!(imm.getUInt16() & 3));
             m_formatter.oneWordOp9Imm7(OP_SUB_SP_imm_T1, static_cast<uint8_t>(imm.getUInt9() >> 2));
             return;

trunk/Source/JavaScriptCore/assembler/MacroAssembler.h

-                      r110751
+                      r113253
     BlindedImm32 additionBlindedConstant(Imm32 imm)
+    {
+        // The addition immediate may be used as a pointer offset. Keep aligned based on "imm".
+        static uint32_t maskTable[4] = { 0xfffffffc, 0xffffffff, 0xfffffffe, 0xffffffff };
         uint32_t baseValue = imm.asTrustedImm32().m_value;
         uint32_t key = keyForConstant(baseValue);
+        uint32_t key = keyForConstant(baseValue) & maskTable[baseValue & 3];
         if (key > baseValue)
             key = key - baseValue;

Note: See TracChangeset for help on using the changeset viewer.