[turbofan] Re-enable stack pointer poisoning.

This re-enables stack pointer poisoning with untrusted code mitigations. Bug: chromium:798964 Change-Id: I68b60641efefccbf0c4fd81c54809777feabc4be Reviewed-on: https://chromium-review.googlesource.com/1002563Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#52518}

[turbofan] Re-enable stack pointer poisoning.
This re-enables stack pointer poisoning with untrusted code mitigations. Bug: chromium:798964 Change-Id: I68b60641efefccbf0c4fd81c54809777feabc4be Reviewed-on: https://chromium-review.googlesource.com/1002563Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#52518}
963062fb · Jaroslav Sevcik · Commit Bot · 297c0b75 · 963062fb · 963062fb
Commit 963062fb authored Apr 10, 2018 by Jaroslav Sevcik Committed by Commit Bot Apr 10, 2018
4 changed files
--- a/src/compiler/code-generator.cc
+++ b/src/compiler/code-generator.cc
@@ -44,7 +44,7 @@ CodeGenerator::CodeGenerator(Zone* codegen_zone, Frame* frame, Linkage* linkage,
                             int start_source_position,
                             JumpOptimizationInfo* jump_opt,
                             WasmCompilationData* wasm_compilation_data,
-                             PoisoningMitigationLevel poisoning_enabled)
+                             CodeGeneratorPoisoningLevel poisoning_level)
    : zone_(codegen_zone),
      isolate_(isolate),
      frame_access_state_(nullptr),
@@ -77,7 +77,7 @@ CodeGenerator::CodeGenerator(Zone* codegen_zone, Frame* frame, Linkage* linkage,
          SourcePositionTableBuilder::RECORD_SOURCE_POSITIONS),
      wasm_compilation_data_(wasm_compilation_data),
      result_(kSuccess),
-      poisoning_enabled_(poisoning_enabled) {
+      poisoning_level_(poisoning_level) {
  for (int i = 0; i < code->InstructionBlockCount(); ++i) {
    new (&labels_[i]) Label;
  }
@@ -1192,7 +1192,7 @@ DeoptimizationExit* CodeGenerator::AddDeoptimizationExit(
 }

 void CodeGenerator::InitializeSpeculationPoison() {
-  if (poisoning_enabled_ == PoisoningMitigationLevel::kOff) return;
+  if (poisoning_level_ == CodeGeneratorPoisoningLevel::kDontPoison) return;

  // Initialize {kSpeculationPoisonRegister} either by comparing the expected
  // with the actual call target, or by unconditionally using {-1} initially.
@@ -1209,7 +1209,7 @@ void CodeGenerator::InitializeSpeculationPoison() {
 }

 void CodeGenerator::ResetSpeculationPoison() {
-  if (poisoning_enabled_ != PoisoningMitigationLevel::kOff) {
+  if (poisoning_level_ == CodeGeneratorPoisoningLevel::kPoisonAll) {
    tasm()->ResetSpeculationPoisonRegister();
  }
 }

--- a/src/compiler/code-generator.h
+++ b/src/compiler/code-generator.h
@@ -74,6 +74,12 @@ class DeoptimizationLiteral {
  double number_;
 };

+enum class CodeGeneratorPoisoningLevel {
+  kDontPoison,
+  kPoisonStackPointerInPrologue,
+  kPoisonAll
+};
+
 // Generates native code for a sequence of instructions.
 class CodeGenerator final : public GapResolver::Assembler {
 public:
@@ -84,7 +90,7 @@ class CodeGenerator final : public GapResolver::Assembler {
                         int start_source_position,
                         JumpOptimizationInfo* jump_opt,
                         WasmCompilationData* wasm_compilation_data,
-                         PoisoningMitigationLevel poisoning_enabled);
+                         CodeGeneratorPoisoningLevel poisoning_level);

  // Generate native code. After calling AssembleCode, call FinalizeCode to
  // produce the actual code object. If an error occurs during either phase,
@@ -415,7 +421,7 @@ class CodeGenerator final : public GapResolver::Assembler {
  SourcePositionTableBuilder source_position_table_builder_;
  WasmCompilationData* wasm_compilation_data_;
  CodeGenResult result_;
-  PoisoningMitigationLevel poisoning_enabled_;
+  CodeGeneratorPoisoningLevel poisoning_level_;
 };

 }  // namespace compiler

--- a/src/compiler/pipeline.cc
+++ b/src/compiler/pipeline.cc
@@ -342,12 +342,20 @@ class PipelineData {

  void InitializeCodeGenerator(Linkage* linkage) {
    DCHECK_NULL(code_generator_);
+
+    CodeGeneratorPoisoningLevel poisoning =
+        CodeGeneratorPoisoningLevel::kDontPoison;
+    if (info()->has_untrusted_code_mitigations()) {
+      poisoning = CodeGeneratorPoisoningLevel::kPoisonStackPointerInPrologue;
+    }
+    if (info()->is_poison_loads()) {
+      poisoning = CodeGeneratorPoisoningLevel::kPoisonAll;
+    }
+
    code_generator_ = new CodeGenerator(
        codegen_zone(), frame(), linkage, sequence(), info(), isolate(),
        osr_helper_, start_source_position_, jump_optimization_info_,
-        wasm_compilation_data_,
-        info()->is_poison_loads() ? PoisoningMitigationLevel::kOn
-                                  : PoisoningMitigationLevel::kOff);
+        wasm_compilation_data_, poisoning);
  }

  void BeginPhaseKind(const char* phase_kind_name) {

--- a/test/cctest/compiler/test-code-generator.cc
+++ b/test/cctest/compiler/test-code-generator.cc
@@ -985,7 +985,8 @@ class CodeGeneratorTester {
    generator_ = new CodeGenerator(
        environment->main_zone(), &frame_, &linkage_, environment->code(),
        &info_, environment->main_isolate(), base::Optional<OsrHelper>(),
-        kNoSourcePosition, nullptr, nullptr, PoisoningMitigationLevel::kOff);
+        kNoSourcePosition, nullptr, nullptr,
+        CodeGeneratorPoisoningLevel::kDontPoison);

    // Force a frame to be created.
    generator_->frame_access_state()->MarkHasFrame(true);