Title: [89729] trunk/Source/_javascript_Core
Revision
89729
Author
[email protected]
Date
2011-06-24 19:15:35 -0700 (Fri, 24 Jun 2011)

Log Message

2011-06-24  Michael Saboff  <[email protected]>

        Reviewed by Gavin Barraclough.

        Arm Assembler, Immediate stack offset values truncated to 8 bits for add & sub
        https://bugs.webkit.org/show_bug.cgi?id=63345

        The methods ARMThumbImmediate::getUInt9 and ARMThumbImmediate::getUInt10
        return 9 and 10 bit quantities, therefore changed their return type from
        uint8_t to uint16_t.  Also added explicit casts at the places where they
        are used, since those call sites shift the value and use it as a 7- or 8-bit quantity.

        These methods are currently used for literals for stack offsets, 
        including creating and destroying stack frames.  The prior truncation of
        the upper bits caused stack frames to be too small, thus allowing a
        JIT'ed function to access and overwrite stack space outside of the
        incorrectly sized stack frame.

        * assembler/ARMv7Assembler.h:
        (JSC::ARMThumbImmediate::getUInt9):
        (JSC::ARMThumbImmediate::getUInt10):
        (JSC::ARMv7Assembler::add):
        (JSC::ARMv7Assembler::ldr):
        (JSC::ARMv7Assembler::str):
        (JSC::ARMv7Assembler::sub):
        (JSC::ARMv7Assembler::sub_S):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (89728 => 89729)


--- trunk/Source/_javascript_Core/ChangeLog	2011-06-25 02:14:56 UTC (rev 89728)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-06-25 02:15:35 UTC (rev 89729)
@@ -1,5 +1,32 @@
 2011-06-24  Michael Saboff  <[email protected]>
 
+        Reviewed by Gavin Barraclough.
+
+        Arm Assembler, Immediate stack offset values truncated to 8 bits for add & sub
+        https://bugs.webkit.org/show_bug.cgi?id=63345
+
+        The methods ARMThumbImmediate::getUInt9 and ARMThumbImmediate::getUInt10
+        return 9 and 10 bit quantities, therefore changed their return type from
+        uint8_t to uint16_t.  Also casted the places where they are used as they
+        are currently shifted and used as 7 or 8 bit values.
+
+        These methods are currently used for literals for stack offsets, 
+        including creating and destroying stack frames.  The prior truncation of
+        the upper bits caused stack frames to be too small, thus allowing a
+        JIT'ed function to access and overwrite stack space outside of the
+        incorrectly sized stack frame.
+
+        * assembler/ARMv7Assembler.h:
+        (JSC::ARMThumbImmediate::getUInt9):
+        (JSC::ARMThumbImmediate::getUInt10):
+        (JSC::ARMv7Assembler::add):
+        (JSC::ARMv7Assembler::ldr):
+        (JSC::ARMv7Assembler::str):
+        (JSC::ARMv7Assembler::sub):
+        (JSC::ARMv7Assembler::sub_S):
+
+2011-06-24  Michael Saboff  <[email protected]>
+
         Reviewed by Geoffrey Garen.
 
         releaseFastMallocFreeMemory doesn't adjust free counts for scavenger

Modified: trunk/Source/_javascript_Core/assembler/ARMv7Assembler.h (89728 => 89729)


--- trunk/Source/_javascript_Core/assembler/ARMv7Assembler.h	2011-06-25 02:14:56 UTC (rev 89728)
+++ trunk/Source/_javascript_Core/assembler/ARMv7Assembler.h	2011-06-25 02:15:35 UTC (rev 89729)
@@ -359,8 +359,8 @@
     uint8_t getUInt6() { ASSERT(isUInt6()); return m_value.asInt; }
     uint8_t getUInt7() { ASSERT(isUInt7()); return m_value.asInt; }
     uint8_t getUInt8() { ASSERT(isUInt8()); return m_value.asInt; }
-    uint8_t getUInt9() { ASSERT(isUInt9()); return m_value.asInt; }
-    uint8_t getUInt10() { ASSERT(isUInt10()); return m_value.asInt; }
+    uint16_t getUInt9() { ASSERT(isUInt9()); return m_value.asInt; }
+    uint16_t getUInt10() { ASSERT(isUInt10()); return m_value.asInt; }
     uint16_t getUInt12() { ASSERT(isUInt12()); return m_value.asInt; }
     uint16_t getUInt16() { ASSERT(isUInt16()); return m_value.asInt; }
 
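Review bot: Every getter in this group still narrows `m_value.asInt` implicitly on `return`, and the `ASSERT(isUIntN())` that is meant to make that safe is, if this follows the usual WebKit ASSERT convention, compiled out in release builds — which is exactly how the 9/10-bit truncation fixed here went unnoticed. The change itself is right as far as it goes (uint8_t still holds the 6/7/8-bit cases, uint16_t the 9-, 10-, 12- and 16-bit ones), but the width invariant now lives only in the reader's head. I would add a comment above the getters such as `// Return type must hold the full N-bit value: the isUIntN() ASSERT is compiled out in release, so a too-narrow type silently truncates.` and consider an explicit `static_cast` per getter or building with -Wconversion so the next mismatch fails at compile time. The enclosing ARMThumbImmediate class starts outside the hunk.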
@@ -695,10 +695,10 @@
 
         if (rn == ARMRegisters::sp) {
             if (!(rd & 8) && imm.isUInt10()) {
-                m_formatter.oneWordOp5Reg3Imm8(OP_ADD_SP_imm_T1, rd, imm.getUInt10() >> 2);
+                m_formatter.oneWordOp5Reg3Imm8(OP_ADD_SP_imm_T1, rd, static_cast<uint8_t>(imm.getUInt10() >> 2));
                 return;
             } else if ((rd == ARMRegisters::sp) && imm.isUInt9()) {
-                m_formatter.oneWordOp9Imm7(OP_ADD_SP_imm_T2, imm.getUInt9() >> 2);
+                m_formatter.oneWordOp9Imm7(OP_ADD_SP_imm_T2, static_cast<uint8_t>(imm.getUInt9() >> 2));
                 return;
             }
         } else if (!((rd | rn) & 8)) {
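Review bot: The `>> 2` on both new lines discards the low two bits of the immediate before it is encoded, so an offset that is not a multiple of 4 would be emitted as a smaller SP adjustment with no diagnostic — the same silently-shrinking-frame failure this commit fixes, just for a different input. The `isUInt10()`/`isUInt9()` guards do make the narrowing casts safe (values below 1024 and 512 fit in 8 and 7 bits after the shift), but nothing visible checks alignment; if callers are expected to guarantee it, I would state that with `ASSERT(!(imm.getUInt10() & 3));` and `ASSERT(!(imm.getUInt9() & 3));` before the respective emit calls. The same consideration applies to the SP-relative ldr/str/sub paths in the later hunks. The enclosing add() starts and ends outside the hunk.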
@@ -950,7 +950,7 @@
         if (!((rt | rn) & 8) && imm.isUInt7())
             m_formatter.oneWordOp5Imm5Reg3Reg3(OP_LDR_imm_T1, imm.getUInt7() >> 2, rn, rt);
         else if ((rn == ARMRegisters::sp) && !(rt & 8) && imm.isUInt10())
-            m_formatter.oneWordOp5Reg3Imm8(OP_LDR_imm_T2, rt, imm.getUInt10() >> 2);
+            m_formatter.oneWordOp5Reg3Imm8(OP_LDR_imm_T2, rt, static_cast<uint8_t>(imm.getUInt10() >> 2));
         else
             m_formatter.twoWordOp12Reg4Reg4Imm12(OP_LDR_imm_T3, rn, rt, imm.getUInt12());
     }
@@ -1288,7 +1288,7 @@
         if (!((rt | rn) & 8) && imm.isUInt7())
             m_formatter.oneWordOp5Imm5Reg3Reg3(OP_STR_imm_T1, imm.getUInt7() >> 2, rn, rt);
         else if ((rn == ARMRegisters::sp) && !(rt & 8) && imm.isUInt10())
-            m_formatter.oneWordOp5Reg3Imm8(OP_STR_imm_T2, rt, imm.getUInt10() >> 2);
+            m_formatter.oneWordOp5Reg3Imm8(OP_STR_imm_T2, rt, static_cast<uint8_t>(imm.getUInt10() >> 2));
         else
             m_formatter.twoWordOp12Reg4Reg4Imm12(OP_STR_imm_T3, rn, rt, imm.getUInt12());
     }
@@ -1348,7 +1348,7 @@
         ASSERT(imm.isValid());
 
         if ((rn == ARMRegisters::sp) && (rd == ARMRegisters::sp) && imm.isUInt9()) {
-            m_formatter.oneWordOp9Imm7(OP_SUB_SP_imm_T1, imm.getUInt9() >> 2);
+            m_formatter.oneWordOp9Imm7(OP_SUB_SP_imm_T1, static_cast<uint8_t>(imm.getUInt9() >> 2));
             return;
         } else if (!((rd | rn) & 8)) {
             if (imm.isUInt3()) {
@@ -1409,7 +1409,7 @@
         ASSERT(imm.isValid());
 
         if ((rn == ARMRegisters::sp) && (rd == ARMRegisters::sp) && imm.isUInt9()) {
-            m_formatter.oneWordOp9Imm7(OP_SUB_SP_imm_T1, imm.getUInt9() >> 2);
+            m_formatter.oneWordOp9Imm7(OP_SUB_SP_imm_T1, static_cast<uint8_t>(imm.getUInt9() >> 2));
             return;
         } else if (!((rd | rn) & 8)) {
             if (imm.isUInt3()) {
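Review bot: The SP-relative fast path here is identical to the one in sub() in the previous hunk, down to the `OP_SUB_SP_imm_T1` opcode, and neither carries a comment explaining why the flag-setting variant may share it. If I remember the Thumb encoding correctly, the 16-bit SUB SP, SP, #imm form does not update the condition flags, so a caller using sub_S to detect a stack-pointer underflow would get no flags on this path — worth confirming and recording with a comment such as `// 16-bit SUB SP form: does not set flags; callers that need APSR must avoid this path.` Factoring the two identical branches into one small helper would also keep the next width fix from having to be applied twice. The enclosing sub_S() starts and ends outside the hunk.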