Title: [113253] trunk/Source/JavaScriptCore
- Revision: 113253
- Author: msab...@apple.com
- Date: 2012-04-04 15:42:29 -0700 (Wed, 04 Apr 2012)
Log Message
Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
https://bugs.webkit.org/show_bug.cgi?id=83191
Reviewed by Oliver Hunt.
Make sure that blinded constant pairs are similarly aligned to the
original immediate values so that instructions that expect that
alignment work correctly. One example is ARMv7 add/sub imm to SP.
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::add): Added ASSERT that immediate is word aligned.
(JSC::ARMv7Assembler::sub): Added ASSERT that immediate is word aligned.
(JSC::ARMv7Assembler::sub_S): Added ASSERT that immediate is word aligned.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::additionBlindedConstant):
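As an added illustration of the alignment property this change restores (example code written for this page, not code from the WebKit tree): the arithmetic of additionBlindedConstant() restated in C++, with a caller-supplied rawKey standing in for keyForConstant() so the result is deterministic, plus checks that each half of the blinded pair keeps the alignment of the original immediate and that the two halves still sum to it.

```cpp
#include <cstdint>
#include <cstdio>

// Mask table copied from the patch, indexed by (baseValue & 3):
//   0 -> 0xfffffffc  key forced to a multiple of 4 (word-aligned base)
//   1 -> 0xffffffff  no constraint (odd base)
//   2 -> 0xfffffffe  key forced even (halfword-aligned base)
//   3 -> 0xffffffff  no constraint (odd base)
static const uint32_t kMaskTable[4] = { 0xfffffffc, 0xffffffff, 0xfffffffe, 0xffffffff };

struct BlindedPair { uint32_t first; uint32_t second; };

// Same arithmetic as additionBlindedConstant(); rawKey is a caller-supplied
// value standing in for keyForConstant() (an assumption made for this example
// so results are deterministic). applyMask=false reproduces the pre-patch behaviour.
BlindedPair blindedAddition(uint32_t base, uint32_t rawKey, bool applyMask)
{
    uint32_t key = applyMask ? (rawKey & kMaskTable[base & 3]) : rawKey;
    if (key > base)
        key = key - base;
    return { base - key, key };   // emitted as add(first) followed by add(second)
}

// Largest of 4, 2, 1 that divides v, i.e. the alignment an encoder may rely on.
uint32_t alignmentOf(uint32_t v) { return !(v & 3) ? 4 : !(v & 1) ? 2 : 1; }

// The property the patch restores: both halves keep at least the alignment of
// the original immediate, so an encoding such as ADD SP, #imm (which stores
// imm >> 2) can represent either half without silently dropping low bits.
bool pairKeepsAlignment(uint32_t base, BlindedPair p)
{
    uint32_t a = alignmentOf(base);
    return p.first % a == 0 && p.second % a == 0;
}

// Blinding must be transparent: the two additions reproduce base modulo 2^32.
bool pairSumsToBase(uint32_t base, BlindedPair p) { return p.first + p.second == base; }

int main()
{
    const uint32_t base = 16, rawKey = 7;   // constructed sample values
    BlindedPair before = blindedAddition(base, rawKey, false);
    BlindedPair after  = blindedAddition(base, rawKey, true);
    printf("unmasked: %u + %u  aligned=%d\n", before.first, before.second, pairKeepsAlignment(base, before));
    printf("masked:   %u + %u  aligned=%d\n", after.first, after.second, pairKeepsAlignment(base, after));
    return 0;
}
```

With base 16 and raw key 7 the unmasked split is 9 + 7, which a word-aligned SP encoding cannot represent, while the masked split is 12 + 4.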
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (113252 => 113253)
--- trunk/Source/_javascript_Core/ChangeLog 2012-04-04 22:41:56 UTC (rev 113252)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-04-04 22:42:29 UTC (rev 113253)
@@ -1,3 +1,21 @@
+2012-04-04 Michael Saboff <msab...@apple.com>
+
+ Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
+ https://bugs.webkit.org/show_bug.cgi?id=83191
+
+ Reviewed by Oliver Hunt.
+
+ Make are that blinded constant pairs are similarly aligned to the
+ original immediate values so that instructions that expect that
+ alignment work correctly. One example is ARMv7 add/sub imm to SP.
+
+ * assembler/ARMv7Assembler.h:
+ (JSC::ARMv7Assembler::add): Added ASSERT that immediate is word aligned.
+ (JSC::ARMv7Assembler::sub): Added ASSERT that immediate is word aligned.
+ (JSC::ARMv7Assembler::sub_S): Added ASSERT that immediate is word aligned.
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::additionBlindedConstant):
+
2012-04-04 Filip Pizlo <fpi...@apple.com>
DFG should short-circuit Branch(LogicalNot(...))
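Review bot: the ChangeLog entry has a typo and an incomplete item: "Make are that blinded constant pairs" should read "Make sure that blinded constant pairs", and the final line "(JSC::MacroAssembler::additionBlindedConstant):" carries no description, unlike the three ARMv7Assembler entries. Since that function holds the only functional change in the patch, a one-liner such as "Mask the blinding key so both halves keep the alignment of the original immediate." would document it.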
Modified: trunk/Source/_javascript_Core/assembler/ARMv7Assembler.h (113252 => 113253)
--- trunk/Source/_javascript_Core/assembler/ARMv7Assembler.h 2012-04-04 22:41:56 UTC (rev 113252)
+++ trunk/Source/_javascript_Core/assembler/ARMv7Assembler.h 2012-04-04 22:42:29 UTC (rev 113253)
@@ -739,6 +739,7 @@
ASSERT(imm.isValid());
if (rn == ARMRegisters::sp) {
+ ASSERT(!(imm.getUInt16() & 3));
if (!(rd & 8) && imm.isUInt10()) {
m_formatter.oneWordOp5Reg3Imm8(OP_ADD_SP_imm_T1, rd, static_cast<uint8_t>(imm.getUInt10() >> 2));
return;
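Review bot: the new `ASSERT(!(imm.getUInt16() & 3));` runs for every add with `rn == ARMRegisters::sp`, ahead of the `imm.isUInt10()` test that selects the 16-bit encoding, so it also applies to immediates that take the wider encodings further down. If `getUInt16()` itself asserts that the value fits in 16 bits, a valid larger SP adjustment would trip that inner assertion instead of this one; testing the low two bits of the full immediate value, or guarding the ASSERT with the same width test, avoids that. Note also that an ASSERT is debug-only, so the `maskTable` change in MacroAssembler.h is what actually keeps misaligned immediates away from this encoding in release builds.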
@@ -1511,6 +1512,7 @@
ASSERT(imm.isValid());
if ((rn == ARMRegisters::sp) && (rd == ARMRegisters::sp) && imm.isUInt9()) {
+ ASSERT(!(imm.getUInt16() & 3));
m_formatter.oneWordOp9Imm7(OP_SUB_SP_imm_T1, static_cast<uint8_t>(imm.getUInt9() >> 2));
return;
} else if (!((rd | rn) & 8)) {
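Review bot: this ASSERT sits inside the branch that emits the 16-bit `OP_SUB_SP_imm_T1` encoding, where `imm.getUInt9() >> 2` would silently drop the low bits of an unaligned value, but unlike the `add` hunk it does not cover the SP-destination paths in the `else if` chain that follows, so a misaligned `sub sp, sp, #imm` that happens to take a wider encoding is not caught. Placing the ASSERT before the `if`, as in `add`, would check every SP-destination subtraction consistently.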
@@ -1572,6 +1574,7 @@
ASSERT(imm.isValid());
if ((rn == ARMRegisters::sp) && (rd == ARMRegisters::sp) && imm.isUInt9()) {
+ ASSERT(!(imm.getUInt16() & 3));
m_formatter.oneWordOp9Imm7(OP_SUB_SP_imm_T1, static_cast<uint8_t>(imm.getUInt9() >> 2));
return;
} else if (!((rd | rn) & 8)) {
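Review bot: identical to the `sub` hunk, with the same limitation that only the `OP_SUB_SP_imm_T1` path is asserted. The SP-specific prologue of `sub` and `sub_S` is now duplicated verbatim, so moving the ASSERT before the `if` or factoring the prologue into a shared helper would keep the two from drifting apart.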
Modified: trunk/Source/_javascript_Core/assembler/MacroAssembler.h (113252 => 113253)
--- trunk/Source/_javascript_Core/assembler/MacroAssembler.h 2012-04-04 22:41:56 UTC (rev 113252)
+++ trunk/Source/_javascript_Core/assembler/MacroAssembler.h 2012-04-04 22:42:29 UTC (rev 113253)
@@ -699,8 +699,11 @@
BlindedImm32 additionBlindedConstant(Imm32 imm)
{
+ // The addition immediate may be used as a pointer offset. Keep aligned based on "imm".
+ static uint32_t maskTable[4] = { 0xfffffffc, 0xffffffff, 0xfffffffe, 0xffffffff };
+
uint32_t baseValue = imm.asTrustedImm32().m_value;
- uint32_t key = keyForConstant(baseValue);
+ uint32_t key = keyForConstant(baseValue) & maskTable[baseValue & 3];
if (key > baseValue)
key = key - baseValue;
return BlindedImm32(baseValue - key, key);
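Review bot: `static uint32_t maskTable[4]` is never written and should be `static const`, and the four magic masks deserve a comment mapping index `baseValue & 3` to the constraint (0: key forced to a multiple of 4; 2: key forced even; 1 and 3: unconstrained). The alignment property survives the `key = key - baseValue` adjustment only because `baseValue` shares the same low bits as the masked `key`; stating that with an ASSERT after the adjustment, e.g. `ASSERT(!((baseValue - key) & ~maskTable[baseValue & 3]));`, would make the invariant explicit for the next person touching this code. Separately, if the `if (key > baseValue)` adjustment is meant to keep both halves non-negative, a single subtraction does not achieve that (baseValue 4 with key 12 leaves key 8, so `baseValue - key` still wraps); a comment on what the adjustment is actually for would help.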
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes