1. 17 Jul, 2019 1 commit
  2. 15 Oct, 2018 1 commit
  3. 25 Sep, 2018 1 commit
  4. 17 Sep, 2018 1 commit
  5. 07 Jun, 2018 1 commit
  6. 18 May, 2018 1 commit
  7. 30 Apr, 2018 1 commit
      Replace array index masking with the poisoning approach. · f53dfd93
      Jaroslav Sevcik authored
      The idea is to mark all the branches and loads participating in array
      bounds checks, and let them contribute-to/use the poisoning register.
      In the code, the marks for array indexing operations now contain
      "Critical" in their name. By default (--untrusted-code-mitigations),
      we only instrument the "critical" operations with poisoning.
      
      With that in place, we also remove the array masking approach based
      on arithmetic.
      
      Since we do not propagate the poison through function calls,
      we introduce a node for poisoning an index that is passed through
      a function call - the typical example is the bounds-checked index
      that is passed to the CharCodeAt builtin.
      
      Most of the code in this CL threads through the three levels of
      protection (safe, critical, unsafe) for loads, branches and flags.
      
      Bug: chromium:798964
      
      Change-Id: Ief68e2329528277b3ba9156115b2a6dcc540d52b
      Reviewed-on: https://chromium-review.googlesource.com/995413
      Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
      Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
      Cr-Commit-Position: refs/heads/master@{#52883}
  8. 15 Jan, 2018 1 commit
      [turbofan] Lower NumberConstant nodes to IntPtrConstant. · 7ac10da7
      Pierre Langlois authored
      If a NumberConstant can be represented as a Smi, then lower it to an
      IntPtrConstant node during simplified lowering. Thanks to this, all backends can
      match Smi values that can also be encoded as immediates in the instruction
      selector. Additionally, we can apply the same lowering to the CodeAssembler for
      the snapshot.
      
      As a result, we can remove `mov` instructions generated because Int32Matcher and
      Int64Matcher did not recognize Smis:
      
      For 32-bit targets, it's common for Smis to also be immediates: "if (a < 100) {}"
      ~~~
      mov r1, #200 -> cmp r0, #200
      cmp r0, r1   -> blt <>
      blt <>       ->
      ~~~
      
      On Arm64 particularly, we lose opportunities to use `cbz`: "if (a == 0) {}"
      ~~~
      movz x0, #0x0 -> cbz x1 <>
      cmp x1, x0    ->
      b.eq <>       ->
      ~~~
      
      Overall, we do not see an impact on benchmarks such as webtooling. However, we
      do see noteworthy code size reduction, from 0.5% to 1.5%.
      
      Bug: 
      Change-Id: I7fbb718ad51b9036c3514fa31c1326bdd6f2b0e6
      Reviewed-on: https://chromium-review.googlesource.com/848814
      Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
      Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
      Commit-Queue: Pierre Langlois <pierre.langlois@arm.com>
      Cr-Commit-Position: refs/heads/master@{#50569}