    Replace array index masking with the poisoning approach. · f53dfd93
    Jaroslav Sevcik authored
    The idea is to mark all the branches and loads participating in array
    bounds checks, and let them contribute-to/use the poisoning register.
    In the code, the marks for array indexing operations now contain
    "Critical" in their name. By default (--untrusted-code-mitigations),
    we only instrument the "critical" operations with poisoning.
    
    With that in place, we also remove the array masking approach based
    on arithmetic.
    
    Since we do not propagate the poison through function calls,
    we introduce a node for poisoning an index that is passed through
    a function call; the typical example is the bounds-checked index
    that is passed to the CharCodeAt builtin.
    
    Most of the code in this CL threads the three levels of
    protection (safe, critical, unsafe) through loads, branches and flags.
    
    Bug: chromium:798964
    
    Change-Id: Ief68e2329528277b3ba9156115b2a6dcc540d52b
    Reviewed-on: https://chromium-review.googlesource.com/995413
    Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
    Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#52883}
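An added illustration, not V8 code, of the two mitigations the message contrasts: arithmetic index masking versus a poison value that bounds-check branches update and "critical" loads consume, plus poisoning an index before it crosses a call. The names `MEM`, `ARR_LEN`, `poison_reg` and the functions are assumptions; a real compiler may reorder these operations, so this shows the intended data flow on the mispredicted path, not a guaranteed speculation-safe instruction sequence.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed sample: a 4-byte array followed by bytes that stand in for
 * unrelated memory a speculated out-of-bounds load must not expose. */
static const uint8_t MEM[8] = {10, 20, 30, 40, 0xAA, 0xBB, 0xCC, 0xDD};
#define ARR_LEN 4

/* Each function models what the speculated path computes when the CPU
 * predicts "in bounds" even though idx >= len. The architectural bounds
 * check is deliberately absent: this is the mispredicted path only. */

/* Index masking (the approach the commit removes): the index is ANDed with
 * an arithmetic mask, so an out-of-bounds index collapses to 0 and the
 * speculated load hits element 0 instead of memory past the array. */
uint8_t speculated_load_masked(size_t len, size_t idx) {
    size_t mask = (size_t)0 - (size_t)(idx < len);   /* ~0 if in bounds, else 0 */
    return MEM[idx & mask];
}

/* Poisoning: every branch that takes part in a bounds check updates a poison
 * value (all-ones while each check held, zero once one failed), and critical
 * loads AND their result with it. The speculated load still executes, but its
 * value is zeroed before anything downstream can depend on it. */
typedef struct { uintptr_t poison; } poison_reg;

poison_reg fresh_poison(void) { poison_reg p = { ~(uintptr_t)0 }; return p; }

/* Branchless update: keep the poison if the condition held, else clear it. */
void branch_contributes(poison_reg *p, int condition_held) {
    p->poison &= (uintptr_t)0 - (uintptr_t)(condition_held != 0);
}

uint8_t speculated_load_poisoned(size_t len, size_t idx, poison_reg *p) {
    branch_contributes(p, idx < len);        /* the bounds-check branch */
    return (uint8_t)(MEM[idx] & p->poison);  /* the critical load */
}

/* The commit's new node: because the poison does not flow through a call,
 * the caller poisons the index before handing it to a callee (such as a
 * CharCodeAt-style builtin) that indexes with it without its own poison. */
size_t poison_index_for_call(size_t idx, const poison_reg *p) {
    return idx & (size_t)p->poison;
}
```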