Changeset 145931 in webkit

Timestamp:

Mar 15, 2013 12:33:25 PM (11 years ago)

Author:

msaboff@apple.com

Message:

Add runtime check for improper register allocations in DFG
​https://bugs.webkit.org/show_bug.cgi?id=112380

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Added framework to check for register allocation within a branch source - target range. All register allocations
are saved using the offset in the code stream where the allocation occurred. Later when a jump is linked, the
currently saved register allocations are checked to make sure that they didn't occur in the range of code that was
jumped over. This protects against the case where an allocation could have spilled register contents to free up
a register and that spill only occurs on one path of a many through the code. A subsequent fill of the spilled
register may load garbage. See ​https://bugs.webkit.org/show_bug.cgi?id=111777 for one such bug.
This code is protected by the compile time check of #if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION).
The check is only done during the processing of SpeculativeJIT::compile(Node* node) and its callees.

• assembler/AbstractMacroAssembler.h:

(JSC::AbstractMacroAssembler::Jump::link): Invoke register allocation checks using source and target of link.
(JSC::AbstractMacroAssembler::Jump::linkTo): Invoke register allocation checks using source and target of link.
(AbstractMacroAssembler):
(RegisterAllocationOffset): New helper class to store the instruction stream offset and compare against a
jump range.
(JSC::AbstractMacroAssembler::RegisterAllocationOffset::RegisterAllocationOffset):
(JSC::AbstractMacroAssembler::RegisterAllocationOffset::check):
(JSC::AbstractMacroAssembler::addRegisterAllocationAtOffset):
(JSC::AbstractMacroAssembler::clearRegisterAllocationOffsets):
(JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::allocate):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

Source/WTF:

• wtf/Platform.h: Added new ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION compilation flag to

enable generation of register allocation checking. This is on for debug builds.

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/assembler/AbstractMacroAssembler.h (modified) (4 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (2 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/Platform.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-03-15  Michael Saboff  <msaboff@apple.com>
+
+        Add runtime check for improper register allocations in DFG
+        https://bugs.webkit.org/show_bug.cgi?id=112380
+
+        Reviewed by Geoffrey Garen.
+
+        Added framework to check for register allocation within a branch source - target range.  All register allocations
+        are saved using the offset in the code stream where the allocation occurred.  Later when a jump is linked, the
+        currently saved register allocations are checked to make sure that they didn't occur in the range of code that was
+        jumped over.  This protects against the case where an allocation could have spilled register contents to free up 
+        a register and that spill only occurs on one path of a many through the code.  A subsequent fill of the spilled
+        register may load garbage.  See https://bugs.webkit.org/show_bug.cgi?id=111777 for one such bug.
+        This code is protected by the compile time check of #if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION).
+        The check is only done during the processing of SpeculativeJIT::compile(Node* node) and its callees.
+ 
+        * assembler/AbstractMacroAssembler.h:
+        (JSC::AbstractMacroAssembler::Jump::link): Invoke register allocation checks using source and target of link.
+        (JSC::AbstractMacroAssembler::Jump::linkTo): Invoke register allocation checks using source and target of link.
+        (AbstractMacroAssembler):
+        (RegisterAllocationOffset): New helper class to store the instruction stream offset and compare against a 
+        jump range.
+        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::RegisterAllocationOffset):
+        (JSC::AbstractMacroAssembler::RegisterAllocationOffset::check):
+        (JSC::AbstractMacroAssembler::addRegisterAllocationAtOffset):
+        (JSC::AbstractMacroAssembler::clearRegisterAllocationOffsets): 
+        (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::allocate):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2013-03-14  Oliver Hunt  <oliver@apple.com>
 

trunk/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h

@@ -539 +539 @@
         void link(AbstractMacroAssembler<AssemblerType>* masm) const
         {
+#if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
+            masm->checkRegisterAllocationAgainstBranchRange(m_label.m_offset, masm->debugOffset());
+#endif
+
 #if CPU(ARM_THUMB2)
             masm->m_assembler.linkJump(m_label, masm->m_assembler.label(), m_type, m_condition);
@@ -550 +554 @@
         void linkTo(Label label, AbstractMacroAssembler<AssemblerType>* masm) const
         {
+#if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
+            masm->checkRegisterAllocationAgainstBranchRange(label.m_label.m_offset, m_label.m_offset);
+#endif
+
 #if CPU(ARM_THUMB2)
             masm->m_assembler.linkJump(m_label, label.m_label, m_type, m_condition);
@@ -684 +692 @@
     }
 
+#if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
+    class RegisterAllocationOffset {
+    public:
+        RegisterAllocationOffset(unsigned offset)
+            : m_offset(offset)
+        {
+        }
+
+        void check(unsigned low, unsigned high)
+        {
+            RELEASE_ASSERT_WITH_MESSAGE(!(low <= m_offset && m_offset <= high), "Unsafe branch over register allocation at instruction offset %u in jump offset range %u..%u", m_offset, low, high);
+        }
+
+    private:
+        unsigned m_offset;
+    };
+
+    void addRegisterAllocationAtOffset(unsigned offset)
+    {
+        m_registerAllocationForOffsets.append(RegisterAllocationOffset(offset));
+    }
+
+    void clearRegisterAllocationOffsets()
+    {
+        m_registerAllocationForOffsets.clear();
+    }
+
+    void checkRegisterAllocationAgainstBranchRange(unsigned offset1, unsigned offset2)
+    {
+        if (offset1 > offset2)
+            std::swap(offset1, offset2);
+
+        size_t size = m_registerAllocationForOffsets.size();
+        for (size_t i = 0; i < size; ++i)
+            m_registerAllocationForOffsets[i].check(offset1, offset2);
+    }
+#endif
+
     template<typename T, typename U>
     static ptrdiff_t differenceBetween(T from, U to)
@@ -715 +761 @@
 
     WeakRandom m_randomSource;
+
+#if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
+    Vector<RegisterAllocationOffset, 10> m_registerAllocationForOffsets;
+#endif
 
 #if ENABLE(JIT_CONSTANT_BLINDING)

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -174 +174 @@
     GPRReg allocate()
     {
+#if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
+        m_jit.addRegisterAllocationAtOffset(m_jit.debugOffset());
+#endif
         VirtualRegister spillMe;
         GPRReg gpr = m_gprs.allocate(spillMe);
@@ -189 +192 @@
     GPRReg allocate(GPRReg specific)
     {
+#if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
+        m_jit.addRegisterAllocationAtOffset(m_jit.debugOffset());
+#endif
         VirtualRegister spillMe = m_gprs.allocateSpecific(specific);
         if (spillMe != InvalidVirtualRegister) {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -1923 +1923 @@
 {
     NodeType op = node->op();
+
+#if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
+    m_jit.clearRegisterAllocationOffsets();
+#endif
 
     switch (op) {
@@ -4924 +4928 @@
         break;
     }
-    
+
+#if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
+    m_jit.clearRegisterAllocationOffsets();
+#endif
+
     if (!m_compileOkay)
         return;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -1889 +1889 @@
     NodeType op = node->op();
     
+#if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
+    m_jit.clearRegisterAllocationOffsets();
+#endif
+
     switch (op) {
     case JSConstant:
@@ -4774 +4778 @@
     }
 
+#if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
+    m_jit.clearRegisterAllocationOffsets();
+#endif
+
     if (!m_compileOkay)
         return;

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2013-03-15  Michael Saboff  <msaboff@apple.com>
+
+        Add runtime check for improper register allocations in DFG
+        https://bugs.webkit.org/show_bug.cgi?id=112380
+
+        Reviewed by Geoffrey Garen.
+
+        * wtf/Platform.h: Added new ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION compilation flag to
+        enable generation of register allocation checking.  This is on for debug builds.
+
 2013-03-13  Jessie Berlin  <jberlin@apple.com>
 

trunk/Source/WTF/wtf/Platform.h

@@ -851 +851 @@
 #endif
 
+/* Enable verification that that register allocations are not made within generated control flow.
+   Turned on for debug builds. */
+#if !defined(ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION) && ENABLE(DFG_JIT)
+#if !defined(NDEBUG)
+#define ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION 1
+#else
+#define ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION 0
+#endif
+#endif
+
 /* Configure the JIT */
 #if CPU(X86) && COMPILER(MSVC)