• Jaroslav Sevcik's avatar
    Replace array index masking with the poisoning approach. · f53dfd93
    Jaroslav Sevcik authored
    The idea is to mark all the branches and loads participating in array
    bounds checks, and let them contribute-to/use the poisoning register.
    In the code, the marks for array indexing operations now contain
    "Critical" in their name. By default (--untrusted-code-mitigations),
    we only instrument the "critical" operations with poisoning.
    
    With that in place, we also remove the array masking approach based
    on arithmetic.
    
    Since we do not propagate the poison through function calls,
    we introduce a node for poisoning an index that is passed through
    function call - the typical example is the bounds-checked index
    that is passed to the CharCodeAt builtin.
    
    Most of the code in this CL is threads through the three levels of
    protection (safe, critical, unsafe) for loads, branches and flags.
    
    Bug: chromium:798964
    
    Change-Id: Ief68e2329528277b3ba9156115b2a6dcc540d52b
    Reviewed-on: https://chromium-review.googlesource.com/995413
    Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
    Reviewed-by: 's avatarMichael Starzinger <mstarzinger@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#52883}
    f53dfd93
access-builder.cc 38.9 KB