    Add runtime check for improper register allocations in DFG · 278a60c3
    msaboff@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=112380
    
    Reviewed by Geoffrey Garen.
    
    Source/JavaScriptCore: 
    
    Added framework to check for register allocation within a branch source - target range.  All register allocations
    are saved using the offset in the code stream where the allocation occurred.  Later when a jump is linked, the
    currently saved register allocations are checked to make sure that they didn't occur in the range of code that was
    jumped over.  This protects against the case where an allocation could have spilled register contents to free up
    a register and that spill only occurs on one of many paths through the code.  A subsequent fill of the spilled
    register may load garbage.  See https://bugs.webkit.org/show_bug.cgi?id=111777 for one such bug.
    This code is protected by the compile-time check of #if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION).
    The check is only done during the processing of SpeculativeJIT::compile(Node* node) and its callees.
     
    * assembler/AbstractMacroAssembler.h:
    (JSC::AbstractMacroAssembler::Jump::link): Invoke register allocation checks using source and target of link.
    (JSC::AbstractMacroAssembler::Jump::linkTo): Invoke register allocation checks using source and target of link.
    (AbstractMacroAssembler):
    (RegisterAllocationOffset): New helper class to store the instruction stream offset and compare against a 
    jump range.
    (JSC::AbstractMacroAssembler::RegisterAllocationOffset::RegisterAllocationOffset):
    (JSC::AbstractMacroAssembler::RegisterAllocationOffset::check):
    (JSC::AbstractMacroAssembler::addRegisterAllocationAtOffset):
    (JSC::AbstractMacroAssembler::clearRegisterAllocationOffsets): 
    (JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):
    * dfg/DFGSpeculativeJIT.h:
    (JSC::DFG::SpeculativeJIT::allocate):
    * dfg/DFGSpeculativeJIT32_64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    
    Source/WTF: 
    
    * wtf/Platform.h: Added new ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION compilation flag to
    enable generation of register allocation checking.  This is on for debug builds.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@145931 268f45cc-cd09-0410-ab3c-d52691b4dbfc
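The offset-tracking scheme the commit message describes, as an added C++ model that is not WebKit's code: every register allocation records the code-stream offset where it happened, and linking a jump checks that no recorded offset falls strictly inside the range of code the jump skips. The method names mirror the ChangeLog entries, but the exact semantics (strict range, first offending offset returned, backward jumps normalised) are this example's assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical model of the validation scheme the commit describes (not
// WebKit's code): each register allocation records the code-stream offset at
// which it happened; when a jump is linked, the recorded offsets are checked
// against the range of code the jump skips over.
class AllocationValidator {
public:
    // Record that a register was allocated (and may have spilled) at `offset`.
    void addRegisterAllocationAtOffset(size_t offset) { m_offsets.push_back(offset); }

    // Reset at the start of each node so only allocations made while
    // compiling the current node are considered.
    void clearRegisterAllocationOffsets() { m_offsets.clear(); }

    // Return the first recorded offset strictly inside (source, target),
    // or -1 if no allocation was skipped. Normalising the range makes the
    // check work for backward jumps too (an assumption of this model).
    long checkRegisterAllocationAgainstBranchRange(size_t source, size_t target) const {
        size_t lo = std::min(source, target);
        size_t hi = std::max(source, target);
        for (size_t off : m_offsets)
            if (off > lo && off < hi)
                return static_cast<long>(off);
        return -1;
    }

private:
    std::vector<size_t> m_offsets;
};

// Constructed scenario for the bug class in the message: a branch emitted at
// offset 8 jumps to offset 24, and the fall-through path between them
// allocates a register at offset 16, spilling its previous contents. Code
// after offset 24 would then fill from a slot written on only one path.
long simulateSkippedSpill() {
    AllocationValidator v;
    v.clearRegisterAllocationOffsets();   // compile(Node*) begins
    v.addRegisterAllocationAtOffset(4);   // before the branch: reached on both paths
    v.addRegisterAllocationAtOffset(16);  // fall-through path only
    return v.checkRegisterAllocationAgainstBranchRange(8, 24);  // 16: flagged
}

// Same layout but the only allocation precedes the branch, so linking is clean.
long simulateSafeBranch() {
    AllocationValidator v;
    v.addRegisterAllocationAtOffset(4);
    return v.checkRegisterAllocationAgainstBranchRange(8, 24);  // -1
}
```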