Changeset 113253 in webkit for trunk/Source/JavaScriptCore/assembler/ARMv7Assembler.h

Timestamp:

Apr 4, 2012, 3:42:29 PM (13 years ago)

Author:

[email protected]

Message:

Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
​https://bugs.webkit.org/show_bug.cgi?id=83191

Reviewed by Oliver Hunt.

Make are that blinded constant pairs are similarly aligned to the
original immediate values so that instructions that expect that
alignment work correctly. One example is ARMv7 add/sub imm to SP.

• assembler/ARMv7Assembler.h:

(JSC::ARMv7Assembler::add): Added ASSERT that immediate is word aligned.
(JSC::ARMv7Assembler::sub): Added ASSERT that immediate is word aligned.
(JSC::ARMv7Assembler::sub_S): Added ASSERT that immediate is word aligned.

• assembler/MacroAssembler.h:

(JSC::MacroAssembler::additionBlindedConstant):

File:

• trunk/Source/JavaScriptCore/assembler/ARMv7Assembler.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/assembler/ARMv7Assembler.h

@@ -740 +740 @@
 
         if (rn == ARMRegisters::sp) {
+            ASSERT(!(imm.getUInt16() & 3));
             if (!(rd & 8) && imm.isUInt10()) {
                 m_formatter.oneWordOp5Reg3Imm8(OP_ADD_SP_imm_T1, rd, static_cast<uint8_t>(imm.getUInt10() >> 2));
@@ -1512 +1513 @@
 
         if ((rn == ARMRegisters::sp) && (rd == ARMRegisters::sp) && imm.isUInt9()) {
+            ASSERT(!(imm.getUInt16() & 3));
             m_formatter.oneWordOp9Imm7(OP_SUB_SP_imm_T1, static_cast<uint8_t>(imm.getUInt9() >> 2));
             return;
@@ -1573 +1575 @@
 
         if ((rn == ARMRegisters::sp) && (rd == ARMRegisters::sp) && imm.isUInt9()) {
+            ASSERT(!(imm.getUInt16() & 3));
             m_formatter.oneWordOp9Imm7(OP_SUB_SP_imm_T1, static_cast<uint8_t>(imm.getUInt9() >> 2));
             return;