Commit b5d79304 authored by Joey Gouly's avatar Joey Gouly Committed by Commit Bot

[arm64] Intentionally corrupt the upper half of decompressed SMIs

For arm64 decompressing a TaggedSigned results in a 64-bit value, with
the top 32 bits zeroed and the lower 32 bits being the SMI. This patch,
with the --debug-code flag enabled, will corrupt the top 32 bits to try
and catch places that are using 64-bit operations instead of 32-bit operations.

Change-Id: I3d3048c4f4b87f3bce26d0c7eb41789ec6b99f5b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1917099Reviewed-by: 's avatarSantiago Aboy Solanes <solanes@chromium.org>
Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Commit-Queue: Joey Gouly <joey.gouly@arm.com>
Cr-Commit-Position: refs/heads/master@{#65035}
parent 8d6f2b47
......@@ -2644,6 +2644,11 @@ void TurboAssembler::DecompressTaggedSigned(const Register& destination,
const MemOperand& field_operand) {
RecordComment("[ DecompressTaggedSigned");
Ldr(destination.W(), field_operand);
if (FLAG_debug_code) {
// Corrupt the top 32 bits. Made up of 16 fixed bits and 16 pc offset bits.
Add(destination, destination,
((kDebugZapValue << 16) | (pc_offset() & 0xffff)) << 32);
}
RecordComment("]");
}
......@@ -2651,6 +2656,11 @@ void TurboAssembler::DecompressTaggedSigned(const Register& destination,
const Register& source) {
RecordComment("[ DecompressTaggedSigned");
Mov(destination.W(), source.W());
if (FLAG_debug_code) {
// Corrupt the top 32 bits. Made up of 16 fixed bits and 16 pc offset bits.
Add(destination, destination,
((kDebugZapValue << 16) | (pc_offset() & 0xffff)) << 32);
}
RecordComment("]");
}
......
......@@ -29,6 +29,7 @@ TEST(DisasmPoisonMonomorphicLoad) {
i::FLAG_allow_natives_syntax = true;
i::FLAG_untrusted_code_mitigations = true;
i::FLAG_debug_code = false;
CcTest::InitializeVM();
v8::HandleScope scope(CcTest::isolate());
......@@ -78,6 +79,7 @@ TEST(DisasmPoisonPolymorphicLoad) {
i::FLAG_allow_natives_syntax = true;
i::FLAG_untrusted_code_mitigations = true;
i::FLAG_debug_code = false;
CcTest::InitializeVM();
v8::HandleScope scope(CcTest::isolate());
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment