Reviewers: schuh_chromium.org, Mads Ager, Søren Gjesse, Vyacheslav Egorov,
http://codereview.chromium.org/3169050/diff/15001/16001
File src/ia32/codegen-ia32.cc (right):
http://codereview.chromium.org/3169050/diff/15001/16001#newcode5351
src/ia32/codegen-ia32.cc:5351: __ lea(target, Operand(target,
jit_cookie_));
Additional optimizations (elsewhere) may be possible because lea does
not modify any flags.
http://codereview.chromium.org/3169050/diff/15001/16002
File src/ia32/codegen-ia32.h (right):
http://codereview.chromium.org/3169050/diff/15001/16002#newcode600
src/ia32/codegen-ia32.h:600: static const int kMaxSmiInlinedBits = 7;
This value was changed from 17 => 7 because 16 bits is still too much
controllable data. I believe it should be at most 7.
Description:
This feature implements IMM32 encoding for user defined values with a new
random
value for each CodeGenerator instance.
-------------------------------
RESULTS:
-------------------------------
--- Raw source ---
()
{
var a = 0x00000001;
var b = 0x00000011;
var c = 0x00000111;
var d = 0x00001111;
var e = 0x00011111;
return 0xFFFFFFFF;
}
------------------
Without this patch
------------------
--- Code ---
kind = FUNCTION
name = ENCODE_StoreUnsafeSmiToLocal
Instructions (size = 98)
4E7D54E0 0 55 push ebp
4E7D54E1 1 8bec mov ebp,esp
...
4E7D54FB 27 c745f422220000 mov [ebp+0xf4],0x2222 ;; debug:
statement
155
4E7D5502 34 814df400000200 or [ebp+0xf4],0x20000
4E7D5509 41 c745f002000000 mov [ebp+0xf0],0x2
4E7D5510 48 c745ec22220000 mov [ebp+0xec],0x2222
4E7D5517 55 834dec00 or [ebp+0xec],0x0
4E7D551B 59 c745e822020000 mov [ebp+0xe8],0x222
4E7D5522 66 834de800 or [ebp+0xe8],0x0
4E7D5526 70 c745e422000000 mov [ebp+0xe4],0x22
4E7D552D 77 b869952000 mov eax,00209569 ;; object:
00209569
<Number: 4294967295>
4E7D5532 82 8be5 mov esp,ebp ;; js return
4E7D5534 84 5d pop ebp
4E7D5535 85 c20400 ret 0x4
------------------
With this patch
------------------
--- Code ---
kind = FUNCTION
name = ENCODE_StoreUnsafeSmiToLocal
Instructions (size = 104)
4EAA54E0 0 55 push ebp
4EAA54E1 1 8bec mov ebp,esp
...
4EAA54FB 27 c745f4ba73d8a0 mov [ebp+0xf4],0xa0d873ba ;; debug:
statement
155
4EAA5502 34 8175f49851daa0 xor [ebp+0xf4],0xa0da5198
4EAA5509 41 c745f002000000 mov [ebp+0xf0],0x2
4EAA5510 48 c745ecba73daa0 mov [ebp+0xec],0xa0da73ba
4EAA5517 55 8175ec9851daa0 xor [ebp+0xec],0xa0da5198
4EAA551E 62 c745e8ba53daa0 mov [ebp+0xe8],0xa0da53ba
4EAA5525 69 8175e89851daa0 xor [ebp+0xe8],0xa0da5198
4EAA552C 76 c745e422000000 mov [ebp+0xe4],0x22
4EAA5533 83 b869952000 mov eax,00209569 ;; object:
00209569
<Number: 4294967295>
4EAA5538 88 8be5 mov esp,ebp ;; js return
4EAA553A 90 5d pop ebp
4EAA553B 91 c20400 ret 0x4
-------------------------------
BUG=53433
TEST=Verify that user controlled values (greater than 1 <<
kMaxSmiInlinedBits)
are encoded by checking the output from a shell debug build with the options
'--nolazy --print_code script.js'
Please review this at http://codereview.chromium.org/3169050/show
SVN Base: http://v8.googlecode.com/svn/trunk/
Affected files:
M src/ia32/codegen-ia32.h
M src/ia32/codegen-ia32.cc
Index: src/ia32/codegen-ia32.cc
===================================================================
--- src/ia32/codegen-ia32.cc (revision 5348)
+++ src/ia32/codegen-ia32.cc (working copy)
@@ -154,6 +154,7 @@
safe_int32_mode_enabled_(true),
function_return_is_shadowed_(false),
in_spilled_code_(false) {
+ jit_cookie_ = V8::Random();
}
@@ -5329,16 +5330,16 @@
void CodeGenerator::PushUnsafeSmi(Handle<Object> value) {
ASSERT(value->IsSmi());
int bits = reinterpret_cast<int>(*value);
- __ push(Immediate(bits & 0x0000FFFF));
- __ or_(Operand(esp, 0), Immediate(bits & 0xFFFF0000));
+ __ push(Immediate(bits ^ jit_cookie_));
+ __ xor_(Operand(esp, 0), Immediate(jit_cookie_));
}
void CodeGenerator::StoreUnsafeSmiToLocal(int offset, Handle<Object>
value) {
ASSERT(value->IsSmi());
int bits = reinterpret_cast<int>(*value);
- __ mov(Operand(ebp, offset), Immediate(bits & 0x0000FFFF));
- __ or_(Operand(ebp, offset), Immediate(bits & 0xFFFF0000));
+ __ mov(Operand(ebp, offset), Immediate(bits ^ jit_cookie_));
+ __ xor_(Operand(ebp, offset), Immediate(jit_cookie_));
}
@@ -5346,8 +5347,8 @@
ASSERT(target.is_valid());
ASSERT(value->IsSmi());
int bits = reinterpret_cast<int>(*value);
- __ Set(target, Immediate(bits & 0x0000FFFF));
- __ or_(target, bits & 0xFFFF0000);
+ __ Set(target, Immediate(bits - jit_cookie_));
+ __ lea(target, Operand(target, jit_cookie_));
}
Index: src/ia32/codegen-ia32.h
===================================================================
--- src/ia32/codegen-ia32.h (revision 5348)
+++ src/ia32/codegen-ia32.h (working copy)
@@ -596,8 +596,8 @@
// To prevent long attacker-controlled byte sequences, integer constants
// from the JavaScript source are loaded in two parts if they are larger
- // than 17 bits.
- static const int kMaxSmiInlinedBits = 17;
+ // than 7 bits.
+ static const int kMaxSmiInlinedBits = 7;
bool IsUnsafeSmi(Handle<Object> value);
// Load an integer constant x into a register target or into the stack
using
// at most 16 bits of user-controlled data per assembly operation.
@@ -769,6 +769,7 @@
int loop_nesting_;
bool in_safe_int32_mode_;
bool safe_int32_mode_enabled_;
+ int jit_cookie_;
// Jump targets.
// The target of the return from the function.
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
