83191 2012-04-04 12:28:39 -0700 Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP 2014-02-20 05:55:21 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Critical --- 129101 1 msaboff msaboff oldest_to_newest 595801 0 msaboff 2012-04-04 12:28:39 -0700 ARMv7 and therefore the ARMv7Assembler::add() method has a special case for SP destination register. It assumes that any immediate is word aligned. When constant blinding is used, the immediate value could be any value since it starts as a random number. The same is true for ARMv7Assembler::sub(). 595802 1 135652 msaboff 2012-04-04 12:33:33 -0700 Created attachment 135652 Patch 595812 2 135652 buildbot 2012-04-04 12:46:43 -0700 Comment on attachment 135652 Patch Attachment 135652 did not pass win-ews (win): Output: http://queues.webkit.org/results/12330014 596034 3 135702 msaboff 2012-04-04 15:40:51 -0700 Created attachment 135702 Updated Patch with ASSERT Added Added ASSERTs in ARMv7Assembler::add() and ARMv7Assembler::sub(). These ASSERTs rubber stamped by Oliver. 596037 4 msaboff 2012-04-04 15:42:59 -0700 Committed r113253: <http://trac.webkit.org/changeset/113253> 135652 2012-04-04 12:33:33 -0700 2012-04-04 15:40:51 -0700 Patch 83191.patch text/plain 1845 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTEzMjI0KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBA CisyMDEyLTA0LTA0ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIENvbnN0YW50IEJsaW5kaW5nIGZvciBhZGQvc3ViIGltbWVkaWF0ZSBjcmFzaGVzIGluIEFy bVY3IHdoZW4gZGVzdCBpcyBTUAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93 X2J1Zy5jZ2k/aWQ9ODMxOTEKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4K KworICAgICAgICBNYWtlIGFyZSB0aGF0IGJsaW5kZWQgY29uc3RhbnQgcGFpcnMgYXJlIHNpbWls YXJseSBhbGlnbmVkIHRvIHRoZQorICAgICAgICBvcmlnaW5hbCBpbW1lZGlhdGUgdmFsdWVzIHNv IHRoYXQgaW5zdHJ1Y3Rpb25zIHRoYXQgZXhwZWN0IHRoYXQKKyAgICAgICAgYWxpZ25tZW50IHdv cmsgY29ycmVjdGx5LiAgT25lIGV4YW1wbGUgaXMgQVJNdjcgYWRkL3N1YiBpbW0gdG8gU1AuCisK KyAgICAgICAgKiBhc3NlbWJsZXIvTWFjcm9Bc3NlbWJsZXIuaDoKKyAgICAgICAgKEpTQzo6TWFj cm9Bc3NlbWJsZXI6OmFkZGl0aW9uQmxpbmRlZENvbnN0YW50KToKKyAgICAgICAgTWFrZSBzdXJl IHRoZSByYW5kb20ga2V5IGlzIGFsaWduZWQgc2ltaWxhciB0byB0aGUgb3JpZ2luYWwgaW1tIHZh bHVlLgorCiAyMDEyLTA0LTA0ICBHZW9mZnJleSBHYXJlbiAgPGdnYXJlbkBhcHBsZS5jb20+CiAK ICAgICAgICAgW1F0XSBSRUdSRVNTSU9OKHIxMTMxNDEpOiBBbGwgdGVzdHMgYXNzZXJ0IG9uIDMy IGJpdCBkZWJ1ZyBtb2RlCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvYXNzZW1ibGVyL01h Y3JvQXNzZW1ibGVyLmgKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2Fzc2Vt Ymxlci9NYWNyb0Fzc2VtYmxlci5oCShyZXZpc2lvbiAxMTMwODEpCisrKyBTb3VyY2UvSmF2YVNj cmlwdENvcmUvYXNzZW1ibGVyL01hY3JvQXNzZW1ibGVyLmgJKHdvcmtpbmcgY29weSkKQEAgLTY5 OSw4ICs2OTksMTEgQEAgcHVibGljOgogCiAgICAgQmxpbmRlZEltbTMyIGFkZGl0aW9uQmxpbmRl ZENvbnN0YW50KEltbTMyIGltbSkKICAgICB7CisgICAgICAgIC8vIFRoZSBhZGRpdGlvbiBpbW1l ZGlhdGUgbWF5IGJlIHVzZWQgYXMgYSBwb2ludGVyIG9mZnNldC4gS2VlcCBhbGlnbmVkIGJhc2Vk IG9uICJpbW0iLgorICAgICAgICBzdGF0aWMgdWludDMyX3QgbWFza1RhYmxlWzRdID0geyAweGZm ZmZmZmZjLCAweGZmZmZmZmZmLCAweGZmZmZmZmZlLCAweGZmZmZmZmZmIH07CisgICAgICAgIAog ICAgICAgICB1aW50MzJfdCBiYXNlVmFsdWUgPSBpbW0uYXNUcnVzdGVkSW1tMzIoKS5tX3ZhbHVl OwotICAgICAgICB1aW50MzJfdCBrZXkgPSBrZXlGb3JDb25zdGFudChiYXNlVmFsdWUpOworICAg ICAgICB1aW50MzJfdCBrZXkgPSBrZXlGb3JDb25zdGFudChiYXNlVmFsdWUpICYgbWFza1RhYmxl W2Jhc2VWYWx1ZSAmIDNdOwogICAgICAgICBpZiAoa2V5ID4gYmFzZVZhbHVlKQogICAgICAgICAg ICAga2V5ID0ga2V5IC0gYmFzZVZhbHVlOwogICAgICAgICByZXR1cm4gQmxpbmRlZEltbTMyKGJh c2VWYWx1ZSAtIGtleSwga2V5KTsK 135702 2012-04-04 15:40:51 -0700 2012-04-04 15:40:51 -0700 Updated Patch with ASSERT Added 83191-1.patch text/plain 3344 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTEzMjQyKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIxIEBA CisyMDEyLTA0LTA0ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIENvbnN0YW50IEJsaW5kaW5nIGZvciBhZGQvc3ViIGltbWVkaWF0ZSBjcmFzaGVzIGluIEFy bVY3IHdoZW4gZGVzdCBpcyBTUAorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93 X2J1Zy5jZ2k/aWQ9ODMxOTEKKworICAgICAgICBSZXZpZXdlZCBieSBPbGl2ZXIgSHVudC4KKwor ICAgICAgICBNYWtlIGFyZSB0aGF0IGJsaW5kZWQgY29uc3RhbnQgcGFpcnMgYXJlIHNpbWlsYXJs eSBhbGlnbmVkIHRvIHRoZQorICAgICAgICBvcmlnaW5hbCBpbW1lZGlhdGUgdmFsdWVzIHNvIHRo YXQgaW5zdHJ1Y3Rpb25zIHRoYXQgZXhwZWN0IHRoYXQKKyAgICAgICAgYWxpZ25tZW50IHdvcmsg Y29ycmVjdGx5LiAgT25lIGV4YW1wbGUgaXMgQVJNdjcgYWRkL3N1YiBpbW0gdG8gU1AuCisKKyAg ICAgICAgKiBhc3NlbWJsZXIvQVJNdjdBc3NlbWJsZXIuaDoKKyAgICAgICAgKEpTQzo6QVJNdjdB c3NlbWJsZXI6OmFkZCk6IEFkZGVkIEFTU0VSVCB0aGF0IGltbWVkaWF0ZSBpcyB3b3JkIGFsaWdu ZWQuCisgICAgICAgIChKU0M6OkFSTXY3QXNzZW1ibGVyOjpzdWIpOiBBZGRlZCBBU1NFUlQgdGhh dCBpbW1lZGlhdGUgaXMgd29yZCBhbGlnbmVkLgorICAgICAgICAoSlNDOjpBUk12N0Fzc2VtYmxl cjo6c3ViX1MpOiBBZGRlZCBBU1NFUlQgdGhhdCBpbW1lZGlhdGUgaXMgd29yZCBhbGlnbmVkLgor ICAgICAgICAqIGFzc2VtYmxlci9NYWNyb0Fzc2VtYmxlci5oOgorICAgICAgICAoSlNDOjpNYWNy b0Fzc2VtYmxlcjo6YWRkaXRpb25CbGluZGVkQ29uc3RhbnQpOgorCiAyMDEyLTA0LTA0ICBGaWxp cCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CiAKICAgICAgICAgREZHIHNob3VsZCBzaG9ydC1j aXJjdWl0IEJyYW5jaChMb2dpY2FsTm90KC4uLikpCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENv cmUvYXNzZW1ibGVyL0FSTXY3QXNzZW1ibGVyLmgKPT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFT Y3JpcHRDb3JlL2Fzc2VtYmxlci9BUk12N0Fzc2VtYmxlci5oCShyZXZpc2lvbiAxMTMwODEpCisr KyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvYXNzZW1ibGVyL0FSTXY3QXNzZW1ibGVyLmgJKHdvcmtp bmcgY29weSkKQEAgLTczOSw2ICs3MzksNyBAQCBwdWJsaWM6CiAgICAgICAgIEFTU0VSVChpbW0u aXNWYWxpZCgpKTsKIAogICAgICAgICBpZiAocm4gPT0gQVJNUmVnaXN0ZXJzOjpzcCkgeworICAg ICAgICAgICAgQVNTRVJUKCEoaW1tLmdldFVJbnQxNigpICYgMykpOwogICAgICAgICAgICAgaWYg KCEocmQgJiA4KSAmJiBpbW0uaXNVSW50MTAoKSkgewogICAgICAgICAgICAgICAgIG1fZm9ybWF0 dGVyLm9uZVdvcmRPcDVSZWczSW1tOChPUF9BRERfU1BfaW1tX1QxLCByZCwgc3RhdGljX2Nhc3Q8 dWludDhfdD4oaW1tLmdldFVJbnQxMCgpID4+IDIpKTsKICAgICAgICAgICAgICAgICByZXR1cm47 CkBAIC0xNTExLDYgKzE1MTIsNyBAQCBwdWJsaWM6CiAgICAgICAgIEFTU0VSVChpbW0uaXNWYWxp ZCgpKTsKIAogICAgICAgICBpZiAoKHJuID09IEFSTVJlZ2lzdGVyczo6c3ApICYmIChyZCA9PSBB Uk1SZWdpc3RlcnM6OnNwKSAmJiBpbW0uaXNVSW50OSgpKSB7CisgICAgICAgICAgICBBU1NFUlQo IShpbW0uZ2V0VUludDE2KCkgJiAzKSk7CiAgICAgICAgICAgICBtX2Zvcm1hdHRlci5vbmVXb3Jk T3A5SW1tNyhPUF9TVUJfU1BfaW1tX1QxLCBzdGF0aWNfY2FzdDx1aW50OF90PihpbW0uZ2V0VUlu dDkoKSA+PiAyKSk7CiAgICAgICAgICAgICByZXR1cm47CiAgICAgICAgIH0gZWxzZSBpZiAoISgo cmQgfCBybikgJiA4KSkgewpAQCAtMTU3Miw2ICsxNTc0LDcgQEAgcHVibGljOgogICAgICAgICBB U1NFUlQoaW1tLmlzVmFsaWQoKSk7CiAKICAgICAgICAgaWYgKChybiA9PSBBUk1SZWdpc3RlcnM6 OnNwKSAmJiAocmQgPT0gQVJNUmVnaXN0ZXJzOjpzcCkgJiYgaW1tLmlzVUludDkoKSkgeworICAg ICAgICAgICAgQVNTRVJUKCEoaW1tLmdldFVJbnQxNigpICYgMykpOwogICAgICAgICAgICAgbV9m b3JtYXR0ZXIub25lV29yZE9wOUltbTcoT1BfU1VCX1NQX2ltbV9UMSwgc3RhdGljX2Nhc3Q8dWlu dDhfdD4oaW1tLmdldFVJbnQ5KCkgPj4gMikpOwogICAgICAgICAgICAgcmV0dXJuOwogICAgICAg ICB9IGVsc2UgaWYgKCEoKHJkIHwgcm4pICYgOCkpIHsKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0 Q29yZS9hc3NlbWJsZXIvTWFjcm9Bc3NlbWJsZXIuaAo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2 YVNjcmlwdENvcmUvYXNzZW1ibGVyL01hY3JvQXNzZW1ibGVyLmgJKHJldmlzaW9uIDExMzA4MSkK KysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9hc3NlbWJsZXIvTWFjcm9Bc3NlbWJsZXIuaAkod29y a2luZyBjb3B5KQpAQCAtNjk5LDggKzY5OSwxMSBAQCBwdWJsaWM6CiAKICAgICBCbGluZGVkSW1t MzIgYWRkaXRpb25CbGluZGVkQ29uc3RhbnQoSW1tMzIgaW1tKQogICAgIHsKKyAgICAgICAgLy8g VGhlIGFkZGl0aW9uIGltbWVkaWF0ZSBtYXkgYmUgdXNlZCBhcyBhIHBvaW50ZXIgb2Zmc2V0LiBL ZWVwIGFsaWduZWQgYmFzZWQgb24gImltbSIuCisgICAgICAgIHN0YXRpYyB1aW50MzJfdCBtYXNr VGFibGVbNF0gPSB7IDB4ZmZmZmZmZmMsIDB4ZmZmZmZmZmYsIDB4ZmZmZmZmZmUsIDB4ZmZmZmZm ZmYgfTsKKyAgICAgICAgCiAgICAgICAgIHVpbnQzMl90IGJhc2VWYWx1ZSA9IGltbS5hc1RydXN0 ZWRJbW0zMigpLm1fdmFsdWU7Ci0gICAgICAgIHVpbnQzMl90IGtleSA9IGtleUZvckNvbnN0YW50 KGJhc2VWYWx1ZSk7CisgICAgICAgIHVpbnQzMl90IGtleSA9IGtleUZvckNvbnN0YW50KGJhc2VW YWx1ZSkgJiBtYXNrVGFibGVbYmFzZVZhbHVlICYgM107CiAgICAgICAgIGlmIChrZXkgPiBiYXNl VmFsdWUpCiAgICAgICAgICAgICBrZXkgPSBrZXkgLSBiYXNlVmFsdWU7CiAgICAgICAgIHJldHVy biBCbGluZGVkSW1tMzIoYmFzZVZhbHVlIC0ga2V5LCBrZXkpOwo=