• Jaroslav Sevcik's avatar
    [turbofan] IA32 port of branch load poisoning. · 383ec7b5
    Jaroslav Sevcik authored
    The tricky part here is to take away one register from register
    allocation for the mask. The only problem is with calls that need
    an input operand to be passed in the poison register. For such calls,
    we change the register constraint in the instruction selector
    to pass the value in whatever place the register allocator sees fit.
    During code generation, we then copy the value from that place
    to the poison register. By that time, the mask is not necessary
    (once we bake the mask into the target, it should be done before
    this move).
    
    For the branches, the mask update does not use cmov (unlike x64)
    because cmov does not take an immediate and we do not have
    a scratch register. Instead we use bit-twiddling tricks
    (suggested by @tebbi). For example, here is the code for masking
    register update after a bailout on non-zero:
    
      jnz deopt_bailout    ;; Bailout branch
      setnz bl             ;; These three instructions update the mask
      add  ebx, 255
      sar  ebx, 31
    
    (On x64, the sequence is:
    
      jnz deopt_bailout
      mov r10, 0      ;; We have a scratch register for zero
      cmovnz r9, r10  ;; Set to zero if we execute this branch
                      ;; in branch mis-speculation
    )
    
    
    This CL also fixes a bug in register configuration, where we used
    to wrongly restrict the array of register name.
    
    Change-Id: I5fceff2faf8bdc527d9934afc284b749574ab69e
    Bug: chromium:798964
    Reviewed-on: https://chromium-review.googlesource.com/946251
    Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
    Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
    Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#51798}
    383ec7b5
instruction-selector-ia32.cc 72.6 KB