[turbofan] Remove branch_load_poisoning flag.

The goal is to remove CL to remove the confusing implications for full poisoning. This is an alternative to https://chromium-review.googlesource.com/c/chromium/src/+/1253341 where chrome has to work around our implication system. In the optimizing compiler, we already have a bottleneck for setting mitigation level in src/compiler/pipeline.cc, so it is easy to change back to partial mitigations. Bug: chromium:888892 Change-Id: I01de7ed7bb91e8b06f8f79cc2d90657a0600892a Reviewed-on: https://chromium-review.googlesource.com/c/1252985Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#56374}

[turbofan] Remove branch_load_poisoning flag.
The goal is to remove CL to remove the confusing implications for full poisoning. This is an alternative to https://chromium-review.googlesource.com/c/chromium/src/+/1253341 where chrome has to work around our implication system. In the optimizing compiler, we already have a bottleneck for setting mitigation level in src/compiler/pipeline.cc, so it is easy to change back to partial mitigations. Bug: chromium:888892 Change-Id: I01de7ed7bb91e8b06f8f79cc2d90657a0600892a Reviewed-on: https://chromium-review.googlesource.com/c/1252985Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#56374}
b048c16b · Jaroslav Sevcik · Commit Bot · 48fd454c · b048c16b · b048c16b
Commit b048c16b authored Oct 01, 2018 by Jaroslav Sevcik Committed by Commit Bot Oct 04, 2018
9 changed files
--- a/src/builtins/arm/builtins-arm.cc
+++ b/src/builtins/arm/builtins-arm.cc
@@ -2373,9 +2373,9 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
  __ str(cp, MemOperand(fp, StandardFrameConstants::kContextOffset), ne);
  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_branch_load_poisoning} to make the snapshot work with
+  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // both configurations. It is safe to always do this, because the underlying
+  // with both configurations. It is safe to always do this, because the
-  // register is caller-saved and can be arbitrarily clobbered.
+  // underlying register is caller-saved and can be arbitrarily clobbered.
  __ ResetSpeculationPoisonRegister();
  // Compute the handler entry address and jump to it.

--- a/src/builtins/arm64/builtins-arm64.cc
+++ b/src/builtins/arm64/builtins-arm64.cc
@@ -2895,9 +2895,9 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
  __ Bind(&not_js_frame);
  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_branch_load_poisoning} to make the snapshot work with
+  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // both configurations. It is safe to always do this, because the underlying
+  // with both configurations. It is safe to always do this, because the
-  // register is caller-saved and can be arbitrarily clobbered.
+  // underlying register is caller-saved and can be arbitrarily clobbered.
  __ ResetSpeculationPoisonRegister();
  // Compute the handler entry address and jump to it.

--- a/src/builtins/ia32/builtins-ia32.cc
+++ b/src/builtins/ia32/builtins-ia32.cc
@@ -2681,12 +2681,11 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
 #ifdef V8_EMBEDDED_BUILTINS
  STATIC_ASSERT(kRootRegister == kSpeculationPoisonRegister);
  CHECK(!FLAG_untrusted_code_mitigations);
-  CHECK(!FLAG_branch_load_poisoning);
 #else
  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_branch_load_poisoning} to make the snapshot work with
+  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // both configurations. It is safe to always do this, because the underlying
+  // with both configurations. It is safe to always do this, because the
-  // register is caller-saved and can be arbitrarily clobbered.
+  // underlying register is caller-saved and can be arbitrarily clobbered.
  __ ResetSpeculationPoisonRegister();
 #endif

--- a/src/builtins/mips/builtins-mips.cc
+++ b/src/builtins/mips/builtins-mips.cc
@@ -2436,9 +2436,9 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
  __ bind(&zero);
  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_branch_load_poisoning} to make the snapshot work with
+  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // both configurations. It is safe to always do this, because the underlying
+  // with both configurations. It is safe to always do this, because the
-  // register is caller-saved and can be arbitrarily clobbered.
+  // underlying register is caller-saved and can be arbitrarily clobbered.
  __ ResetSpeculationPoisonRegister();
  // Compute the handler entry address and jump to it.

--- a/src/builtins/mips64/builtins-mips64.cc
+++ b/src/builtins/mips64/builtins-mips64.cc
@@ -2454,9 +2454,9 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
  __ bind(&zero);
  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_branch_load_poisoning} to make the snapshot work with
+  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // both configurations. It is safe to always do this, because the underlying
+  // with both configurations. It is safe to always do this, because the
-  // register is caller-saved and can be arbitrarily clobbered.
+  // underlying register is caller-saved and can be arbitrarily clobbered.
  __ ResetSpeculationPoisonRegister();
  // Compute the handler entry address and jump to it.

--- a/src/builtins/x64/builtins-x64.cc
+++ b/src/builtins/x64/builtins-x64.cc
@@ -2517,9 +2517,9 @@ void Builtins::Generate_CEntry(MacroAssembler* masm, int result_size,
  __ bind(&skip);
  // Reset the masking register. This is done independent of the underlying
-  // feature flag {FLAG_branch_load_poisoning} to make the snapshot work with
+  // feature flag {FLAG_untrusted_code_mitigations} to make the snapshot work
-  // both configurations. It is safe to always do this, because the underlying
+  // with both configurations. It is safe to always do this, because the
-  // register is caller-saved and can be arbitrarily clobbered.
+  // underlying register is caller-saved and can be arbitrarily clobbered.
  __ ResetSpeculationPoisonRegister();
  // Compute the handler entry address and jump to it.

--- a/src/compiler/pipeline.cc
+++ b/src/compiler/pipeline.cc
@@ -911,13 +911,14 @@ PipelineCompilationJob::Status PipelineCompilationJob::PrepareJobImpl(
    compilation_info()->MarkAsAccessorInliningEnabled();
  }
-  // Compute and set poisoning level.
+  // This is the bottleneck for computing and setting poisoning level in the
+  // optimizing compiler.
  PoisoningMitigationLevel load_poisoning =
      PoisoningMitigationLevel::kDontPoison;
-  if (FLAG_branch_load_poisoning) {
+  if (FLAG_untrusted_code_mitigations) {
+    // For partial mitigations, this can be changed to
+    // PoisoningMitigationLevel::kPoisonCriticalOnly.
    load_poisoning = PoisoningMitigationLevel::kPoisonAll;
-  } else if (FLAG_untrusted_code_mitigations) {
-    load_poisoning = PoisoningMitigationLevel::kPoisonCriticalOnly;
  }
  compilation_info()->SetPoisoningMitigationLevel(load_poisoning);
@@ -2458,7 +2459,6 @@ bool PipelineImpl::SelectInstructions(Linkage* linkage) {
    // it cooperates with restricted allocatable registers above.
    static_assert(kRootRegister == kSpeculationPoisonRegister,
                  "The following checks assume root equals poison register");
-    CHECK_IMPLIES(FLAG_embedded_builtins, !FLAG_branch_load_poisoning);
    CHECK_IMPLIES(FLAG_embedded_builtins, !FLAG_untrusted_code_mitigations);
    AllocateRegisters(RegisterConfiguration::PreserveRootIA32(),
                      call_descriptor, run_verifier);

--- a/src/compiler/simplified-operator.cc
+++ b/src/compiler/simplified-operator.cc
@@ -79,7 +79,7 @@ std::ostream& operator<<(std::ostream& os, FieldAccess const& access) {
 #endif
  os << access.type << ", " << access.machine_type << ", "
     << access.write_barrier_kind;
-  if (FLAG_untrusted_code_mitigations || FLAG_branch_load_poisoning) {
+  if (FLAG_untrusted_code_mitigations) {
    os << ", " << access.load_sensitivity;
  }
  os << "]";
@@ -118,7 +118,7 @@ std::ostream& operator<<(std::ostream& os, ElementAccess const& access) {
  os << access.base_is_tagged << ", " << access.header_size << ", "
     << access.type << ", " << access.machine_type << ", "
     << access.write_barrier_kind;
-  if (FLAG_untrusted_code_mitigations || FLAG_branch_load_poisoning) {
+  if (FLAG_untrusted_code_mitigations) {
    os << ", " << access.load_sensitivity;
  }
  return os;

--- a/src/flag-definitions.h
+++ b/src/flag-definitions.h
@@ -524,9 +524,6 @@ DEFINE_BOOL(untrusted_code_mitigations, V8_DEFAULT_UNTRUSTED_CODE_MITIGATIONS,
            "Enable mitigations for executing untrusted code")
 #undef V8_DEFAULT_UNTRUSTED_CODE_MITIGATIONS
-DEFINE_BOOL(branch_load_poisoning, false, "Mask loads with branch conditions.")
-DEFINE_IMPLICATION(untrusted_code_mitigations, branch_load_poisoning)
 // Flags to help platform porters
 DEFINE_BOOL(minimal, false,
            "simplifies execution model to make porting "