Commit f7e46890 authored by Benedikt Meurer

[turbofan] Fix unsafe out-of-bounds check for checked loads/stores.

BUG=chromium:443744
LOG=y
TEST=mjsunit/compiler/regress-443744
R=svenpanne@chromium.org

Review URL: https://codereview.chromium.org/804993004

Cr-Commit-Position: refs/heads/master@{#25901}
parent 50b7ca55
...@@ -176,9 +176,9 @@ class Arm64OperandConverter FINAL : public InstructionOperandConverter { ...@@ -176,9 +176,9 @@ class Arm64OperandConverter FINAL : public InstructionOperandConverter {
namespace { namespace {
class OutOfLineLoadFloat32 FINAL : public OutOfLineCode { class OutOfLineLoadNaN32 FINAL : public OutOfLineCode {
public: public:
OutOfLineLoadFloat32(CodeGenerator* gen, DoubleRegister result) OutOfLineLoadNaN32(CodeGenerator* gen, DoubleRegister result)
: OutOfLineCode(gen), result_(result) {} : OutOfLineCode(gen), result_(result) {}
void Generate() FINAL { void Generate() FINAL {
...@@ -190,9 +190,9 @@ class OutOfLineLoadFloat32 FINAL : public OutOfLineCode { ...@@ -190,9 +190,9 @@ class OutOfLineLoadFloat32 FINAL : public OutOfLineCode {
}; };
class OutOfLineLoadFloat64 FINAL : public OutOfLineCode { class OutOfLineLoadNaN64 FINAL : public OutOfLineCode {
public: public:
OutOfLineLoadFloat64(CodeGenerator* gen, DoubleRegister result) OutOfLineLoadNaN64(CodeGenerator* gen, DoubleRegister result)
: OutOfLineCode(gen), result_(result) {} : OutOfLineCode(gen), result_(result) {}
void Generate() FINAL { void Generate() FINAL {
...@@ -204,9 +204,9 @@ class OutOfLineLoadFloat64 FINAL : public OutOfLineCode { ...@@ -204,9 +204,9 @@ class OutOfLineLoadFloat64 FINAL : public OutOfLineCode {
}; };
class OutOfLineLoadInteger FINAL : public OutOfLineCode { class OutOfLineLoadZero FINAL : public OutOfLineCode {
public: public:
OutOfLineLoadInteger(CodeGenerator* gen, Register result) OutOfLineLoadZero(CodeGenerator* gen, Register result)
: OutOfLineCode(gen), result_(result) {} : OutOfLineCode(gen), result_(result) {}
void Generate() FINAL { __ Mov(result_, 0); } void Generate() FINAL { __ Mov(result_, 0); }
...@@ -218,53 +218,59 @@ class OutOfLineLoadInteger FINAL : public OutOfLineCode { ...@@ -218,53 +218,59 @@ class OutOfLineLoadInteger FINAL : public OutOfLineCode {
} // namespace } // namespace
#define ASSEMBLE_CHECKED_LOAD_FLOAT(width) \ #define ASSEMBLE_CHECKED_LOAD_FLOAT(width) \
do { \ do { \
auto result = i.OutputFloat##width##Register(); \ auto result = i.OutputFloat##width##Register(); \
auto offset = i.InputRegister32(0); \ auto buffer = i.InputRegister(0); \
auto length = i.InputOperand32(1); \ auto offset = i.InputRegister32(1); \
__ Cmp(offset, length); \ auto length = i.InputOperand32(2); \
auto ool = new (zone()) OutOfLineLoadFloat##width(this, result); \ __ Cmp(offset, length); \
__ B(hs, ool->entry()); \ auto ool = new (zone()) OutOfLineLoadNaN##width(this, result); \
__ Ldr(result, i.MemoryOperand(2)); \ __ B(hs, ool->entry()); \
__ Bind(ool->exit()); \ __ Ldr(result, MemOperand(buffer, offset, UXTW)); \
__ Bind(ool->exit()); \
} while (0) } while (0)
#define ASSEMBLE_CHECKED_LOAD_INTEGER(asm_instr) \ #define ASSEMBLE_CHECKED_LOAD_INTEGER(asm_instr) \
do { \ do { \
auto result = i.OutputRegister32(); \ auto result = i.OutputRegister32(); \
auto offset = i.InputRegister32(0); \ auto buffer = i.InputRegister(0); \
auto length = i.InputOperand32(1); \ auto offset = i.InputRegister32(1); \
__ Cmp(offset, length); \ auto length = i.InputOperand32(2); \
auto ool = new (zone()) OutOfLineLoadInteger(this, result); \ __ Cmp(offset, length); \
__ B(hs, ool->entry()); \ auto ool = new (zone()) OutOfLineLoadZero(this, result); \
__ asm_instr(result, i.MemoryOperand(2)); \ __ B(hs, ool->entry()); \
__ Bind(ool->exit()); \ __ asm_instr(result, MemOperand(buffer, offset, UXTW)); \
__ Bind(ool->exit()); \
} while (0) } while (0)
#define ASSEMBLE_CHECKED_STORE_FLOAT(width) \ #define ASSEMBLE_CHECKED_STORE_FLOAT(width) \
do { \ do { \
auto offset = i.InputRegister32(0); \ auto buffer = i.InputRegister(0); \
auto length = i.InputOperand32(1); \ auto offset = i.InputRegister32(1); \
__ Cmp(offset, length); \ auto length = i.InputOperand32(2); \
Label done; \ auto value = i.InputFloat##width##Register(3); \
__ B(hs, &done); \ __ Cmp(offset, length); \
__ Str(i.InputFloat##width##Register(2), i.MemoryOperand(3)); \ Label done; \
__ Bind(&done); \ __ B(hs, &done); \
__ Str(value, MemOperand(buffer, offset, UXTW)); \
__ Bind(&done); \
} while (0) } while (0)
#define ASSEMBLE_CHECKED_STORE_INTEGER(asm_instr) \ #define ASSEMBLE_CHECKED_STORE_INTEGER(asm_instr) \
do { \ do { \
auto offset = i.InputRegister32(0); \ auto buffer = i.InputRegister(0); \
auto length = i.InputOperand32(1); \ auto offset = i.InputRegister32(1); \
__ Cmp(offset, length); \ auto length = i.InputOperand32(2); \
Label done; \ auto value = i.InputRegister32(3); \
__ B(hs, &done); \ __ Cmp(offset, length); \
__ asm_instr(i.InputRegister32(2), i.MemoryOperand(3)); \ Label done; \
__ Bind(&done); \ __ B(hs, &done); \
__ asm_instr(value, MemOperand(buffer, offset, UXTW)); \
__ Bind(&done); \
} while (0) } while (0)
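Review bot: The rewritten ASSEMBLE_CHECKED_LOAD_* and ASSEMBLE_CHECKED_STORE_* macros rest on an invariant the hunk leaves unstated: the bounds check is a 32-bit unsigned compare (`Cmp` of `InputRegister32(1)` against `InputOperand32(2)`, branch on `hs`), so the memory access must form its address from that same zero-extended 32-bit offset, which is exactly what `MemOperand(buffer, offset, UXTW)` does. A later change back to a pre-built memory operand or a 64-bit offset register would silently reintroduce the out-of-range access this commit fixes, because the upper half of the offset register is never checked. I would add above the first macro: `// The bounds check compares only the low 32 bits of the offset (unsigned, so negative values are rejected); the access below must address with the same zero-extended offset (UXTW), never the full 64-bit register.` and refer to it from the other three macros. All four macros also assume the operand order buffer, offset, length[, value] produced by the instruction selector; naming that in the same comment keeps the two sides in step.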
......
...@@ -390,10 +390,8 @@ void InstructionSelector::VisitCheckedLoad(Node* node) { ...@@ -390,10 +390,8 @@ void InstructionSelector::VisitCheckedLoad(Node* node) {
UNREACHABLE(); UNREACHABLE();
return; return;
} }
InstructionOperand* offset_operand = g.UseRegister(offset); Emit(opcode, g.DefineAsRegister(node), g.UseRegister(buffer),
Emit(opcode | AddressingModeField::encode(kMode_MRR), g.UseRegister(offset), g.UseOperand(length, kArithmeticImm));
g.DefineAsRegister(node), offset_operand, g.UseRegister(length),
g.UseRegister(buffer), offset_operand);
} }
...@@ -425,10 +423,8 @@ void InstructionSelector::VisitCheckedStore(Node* node) { ...@@ -425,10 +423,8 @@ void InstructionSelector::VisitCheckedStore(Node* node) {
UNREACHABLE(); UNREACHABLE();
return; return;
} }
InstructionOperand* offset_operand = g.UseRegister(offset); Emit(opcode, nullptr, g.UseRegister(buffer), g.UseRegister(offset),
Emit(opcode | AddressingModeField::encode(kMode_MRR), nullptr, offset_operand, g.UseOperand(length, kArithmeticImm), g.UseRegister(value));
g.UseRegister(length), g.UseRegister(value), g.UseRegister(buffer),
offset_operand);
} }
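Review bot: The operand order handed to Emit in both VisitCheckedLoad and VisitCheckedStore (buffer, offset, length, then value for the store) is an implicit contract with the code-generator macros, which read them positionally as `InputRegister(0)`, `InputRegister32(1)`, `InputOperand32(2)` and `InputRegister32(3)`, yet neither hunk says so. I would add before the Emit call in VisitCheckedLoad: `// Operand order (buffer, offset, length) is fixed by ASSEMBLE_CHECKED_LOAD_*, which read the inputs by index.` and the counterpart `// Operand order (buffer, offset, length, value) is fixed by ASSEMBLE_CHECKED_STORE_*.` in VisitCheckedStore. The switch to `g.UseOperand(length, kArithmeticImm)` means length may now arrive as an immediate rather than a register, which is why the macros fetch it with `InputOperand32`; a short comment on that line would save the next reader the cross-file lookup. Both enclosing functions begin outside the hunk.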
......
// Copyright 2014 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var m = (function(stdlib, foreign, heap) {
"use asm";
var MEM = new stdlib.Uint8Array(heap);
function f(x) {
x = x | 0;
MEM[x] = 0;
}
return {f: f};
})(this, {}, new ArrayBuffer(1));
m.f(-926416896 * 32 * 1024);
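Review bot: The argument in `m.f(-926416896 * 32 * 1024)` is the whole point of this regression test, but nothing explains why that value was chosen, so it reads as an arbitrary large number. Its magnitude exceeds 2^32 while its low 32 bits are zero (926416896 is 0x37380000, and the extra factor of 2^15 moves every set bit above bit 31), so after the asm.js `x | 0` coercion the index is 0 and passes the bounds check against the 1-byte heap, whereas an address built from the untruncated 64-bit value would fall far outside the buffer. I would add above the call: `// Low 32 bits are 0 (in bounds for the 1-byte heap) but the high bits are not, so an address computed from the untruncated 64-bit value is out of bounds.` The test only drives the checked store path (`MEM[x] = 0`); a companion function that reads `MEM[x]` with the same argument would also exercise the checked-load macros changed in this commit.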