Title: [110200] trunk/Source/_javascript_Core
- Revision
- 110200
- Author
- [email protected]
- Date
- 2012-03-08 13:58:32 -0800 (Thu, 08 Mar 2012)
Log Message
Missing some places where we should be blinding 64bit values (and blinding something we shouldn't)
https://bugs.webkit.org/show_bug.cgi?id=80633
Reviewed by Gavin Barraclough.
Add 64-bit trap for shouldBlindForSpecificArch, so that we always blind
if there isn't a machine specific implementation (otherwise the 64bit value
got truncated and 32bit checks were used -- leaving 32bits untested).
Also add a bit of logic to ensure that we don't try to blind a few common
constants that go through the ImmPtr paths -- encoded numeric JSValues and
unencoded doubles with common "safe" values.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::shouldBlindForSpecificArch):
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::shouldBlindDouble):
(MacroAssembler):
(JSC::MacroAssembler::shouldBlind):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (110199 => 110200)
--- trunk/Source/_javascript_Core/ChangeLog 2012-03-08 21:49:16 UTC (rev 110199)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-03-08 21:58:32 UTC (rev 110200)
@@ -1,3 +1,26 @@
+2012-03-08 Oliver Hunt <[email protected]>
+
+ Missing some places where we should be blinding 64bit values (and blinding something we shouldn't)
+ https://bugs.webkit.org/show_bug.cgi?id=80633
+
+ Reviewed by Gavin Barraclough.
+
+ Add 64-bit trap for shouldBlindForSpecificArch, so that we always blind
+ if there isn't a machine specific implementation (otherwise the 64bit value
+ got truncated and 32bit checks were used -- leaving 32bits untested).
+ Also add a bit of logic to ensure that we don't try to blind a few common
+ constants that go through the ImmPtr paths -- encoded numeric JSValues and
+ unencoded doubles with common "safe" values.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::shouldBlindForSpecificArch):
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::shouldBlindDouble):
+ (MacroAssembler):
+ (JSC::MacroAssembler::shouldBlind):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::shouldBlindForSpecificArch):
+
2012-03-08 Mark Rowe <[email protected]>
<rdar://problem/11012572> Ensure that the staged frameworks path is in the search path for _javascript_Core
Modified: trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.h (110199 => 110200)
--- trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.h 2012-03-08 21:49:16 UTC (rev 110199)
+++ trunk/Source/_javascript_Core/assembler/AbstractMacroAssembler.h 2012-03-08 21:58:32 UTC (rev 110200)
@@ -592,6 +592,7 @@
static bool scratchRegisterForBlinding() { return false; }
static bool shouldBlindForSpecificArch(uint32_t) { return true; }
+ static bool shouldBlindForSpecificArch(uint64_t) { return true; }
friend class LinkBuffer;
friend class RepatchBuffer;
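Review bot: The intent of this fallback — blind every immediate unless a port supplies a width-specific exemption — lives only in the ChangeLog; a comment on both overloads would keep it with the code, e.g. `// Conservative default: blind every immediate. Ports override per width when they can show a range of values is harmless to emit in the clear.` One thing worth verifying: shouldBlind(ImmPtr) in MacroAssembler.h passes a pointer-sized integer to this name, and on LP64 toolchains where `uintptr_t` is `unsigned long` but `uint64_t` is `unsigned long long`, neither the `uint32_t` nor the `uint64_t` overload is an exact match, so a port that relies on this base-class default rather than its own override would get an ambiguous call. If such a configuration exists, the wide overload should be declared on the same type the caller actually passes.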
Modified: trunk/Source/_javascript_Core/assembler/MacroAssembler.h (110199 => 110200)
--- trunk/Source/_javascript_Core/assembler/MacroAssembler.h 2012-03-08 21:49:16 UTC (rev 110199)
+++ trunk/Source/_javascript_Core/assembler/MacroAssembler.h 2012-03-08 21:58:32 UTC (rev 110200)
@@ -504,6 +504,29 @@
using MacroAssemblerBase::subPtr;
using MacroAssemblerBase::xorPtr;
+ bool shouldBlindDouble(double value)
+ {
+ // Don't trust NaN or +/-Infinity
+ if (!isfinite(value))
+ return true;
+
+ // Try to force normalisation, and check that there's no change
+ // in the bit pattern
+ if (bitwise_cast<uintptr_t>(value * 1.0) != bitwise_cast<uintptr_t>(value))
+ return true;
+
+ value = abs(value);
+ // Only allow a limited set of fractional components
+ double scaledValue = value * 8;
+ if (scaledValue / 8 != value)
+ return true;
+ double frac = scaledValue - floor(scaledValue);
+ if (frac != 0.0)
+ return true;
+
+ return value > 0xff;
+ }
+
bool shouldBlind(ImmPtr imm)
{
ASSERT(!inUninterruptedSequence());
@@ -526,10 +549,21 @@
case 0xffffffffffffffL:
case 0xffffffffffffffffL:
return false;
- default:
+ default: {
if (value <= 0xff)
return false;
+#if CPU(X86_64)
+ JSValue jsValue = JSValue::decode(reinterpret_cast<void*>(value));
+ if (jsValue.isInt32())
+ return shouldBlind(Imm32(jsValue.asInt32()));
+ if (jsValue.isDouble() && !shouldBlindDouble(jsValue.asDouble()))
+ return false;
+
+ if (!shouldBlindDouble(bitwise_cast<double>(value)))
+ return false;
+#endif
}
+ }
return shouldBlindForSpecificArch(value);
#endif
}
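Review bot: `bitwise_cast<uintptr_t>(value * 1.0)` in shouldBlindDouble compares the double's bit pattern through a pointer-sized integer, which covers all 64 bits only on 64-bit targets and, on a 32-bit build, is a size-mismatched cast that bitwise_cast normally rejects at compile time; unlike the new code in shouldBlind(ImmPtr), this helper is not under `#if CPU(X86_64)` and so appears to be compiled everywhere, so it should read `if (bitwise_cast<uint64_t>(value * 1.0) != bitwise_cast<uint64_t>(value))`. The `value = abs(value);` line should be `value = fabs(value);` — on a toolchain where no floating-point `abs` overload is in scope the call resolves to the integer `abs`, truncating the value before the fraction check and letting doubles with arbitrary fractions be classified as safe. A one-line header would help, e.g. `// Returns false only for doubles whose bit pattern is simple enough to emit unblinded: finite, already normalised, |value| <= 0xff, and a multiple of 1/8.` Note that shouldBlind(ImmPtr) starts in the first hunk and the second hunk begins inside its body, so the declared type of `value` is not visible here.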
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h (110199 => 110200)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h 2012-03-08 21:49:16 UTC (rev 110199)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h 2012-03-08 21:58:32 UTC (rev 110200)
@@ -92,6 +92,7 @@
static const RegisterID stackPointerRegister = X86Registers::esp;
static bool shouldBlindForSpecificArch(uint32_t value) { return value >= 0x00ffffff; }
+ static bool shouldBlindForSpecificArch(uintptr_t value) { return value >= 0x00ffffff; }
// Integer arithmetic operations:
//
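Review bot: This overload is declared on `uintptr_t` while the fallback it shadows in AbstractMacroAssembler.h is declared on `uint64_t`, and on an ILP32 build of this header — it serves X86 as well as X86_64, unless this line sits under a CPU(X86_64) guard outside the hunk — `uintptr_t` is typically the same type as `uint32_t`, making the line above it a redefinition. Declaring it as `static bool shouldBlindForSpecificArch(uint64_t value) { return value >= 0x00ffffff; }` (or wrapping it in `#if CPU(X86_64)`) keeps both builds well-formed; since a derived-class declaration hides the base overloads, 64-bit callers still reach this one. The shared 24-bit threshold deserves a comment, e.g. `// Immediates below 2^24 are not blinded by this check, for either operand width.`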