Bug 83191 - Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
Summary: Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Critical
Assignee: Michael Saboff
Depends on: 129101
Reported: 2012-04-04 12:28 PDT by Michael Saboff
Modified: 2014-02-20 05:55 PST

Patch (1.80 KB, patch)
2012-04-04 12:33 PDT, Michael Saboff
oliver: review+
buildbot: commit-queue-
Updated Patch with ASSERT Added (3.27 KB, patch)
2012-04-04 15:40 PDT, Michael Saboff
no flags

Description Michael Saboff 2012-04-04 12:28:39 PDT
ARMv7, and therefore the ARMv7Assembler::add() method, has a special case for the SP destination register. It assumes that any immediate is word aligned. When constant blinding is used, the immediate value could be any value, since it starts as a random number. The same is true for ARMv7Assembler::sub().
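The failure mode the report describes, as an added illustration that is not WebKit's code: the names isValidSPImmediate, blind, canBlindSPAdjustment and countSafeBlindings are hypothetical helpers, and the encoder's precondition is reduced to the one property the report states (a word-aligned immediate when SP is the destination). The model shows why a word-aligned stack adjustment stops being encodable once it is split into a random value and a remainder, and gives the shape of a guard a JIT can apply before blinding an SP-relative add or sub.

```cpp
#include <cassert>
#include <cstdint>
#include <random>

// Hypothetical model of the ARMv7 assembler's precondition for add/sub with SP
// as the destination: the report states the encoder assumes the immediate is
// word aligned, so this predicate makes that assumption explicit and checkable.
bool isValidSPImmediate(uint32_t imm) { return (imm & 3u) == 0; }

// Constant blinding as described in the report: the constant is replaced by a
// random value r and the remainder (imm - r), so that the raw constant never
// appears in the emitted code.  Arithmetic is modulo 2^32, so
// random + remainder == imm always holds.
struct BlindedPair {
    uint32_t random;
    uint32_t remainder;
};

BlindedPair blind(uint32_t imm, uint32_t random) {
    return { random, imm - random };
}

// Guard a JIT could apply before blinding an SP adjustment: blind only if both
// halves satisfy the encoder's alignment precondition, otherwise emit the
// constant unblinded (or, as the committed fix does, ASSERT in the assembler
// so a misaligned SP immediate is caught rather than mis-encoded).
bool canBlindSPAdjustment(uint32_t imm, uint32_t random) {
    BlindedPair p = blind(imm, random);
    return isValidSPImmediate(p.random) && isValidSPImmediate(p.remainder);
}

// Measure how often a uniformly random blinding value keeps both halves
// aligned for a word-aligned stack adjustment.  Because imm is aligned, the
// condition collapses to (random & 3) == 0, so only about one in four random
// values is safe; the other three would crash in the SP special case.
unsigned countSafeBlindings(uint32_t imm, unsigned trials, uint32_t seed) {
    std::mt19937 rng(seed);
    unsigned ok = 0;
    for (unsigned i = 0; i < trials; ++i)
        if (canBlindSPAdjustment(imm, rng()))
            ++ok;
    return ok;
}

int main() {
    const uint32_t stackAdjust = 0x40;      // constructed: 64-byte frame, word aligned
    const uint32_t randomValue = 0x1234567; // constructed: a typical blinding value

    // The unblinded immediate satisfies the SP precondition...
    assert(isValidSPImmediate(stackAdjust));

    // ...but the blinded halves generally do not, which is the reported crash.
    BlindedPair p = blind(stackAdjust, randomValue);
    assert(p.random + p.remainder == stackAdjust);
    assert(!isValidSPImmediate(p.random));
    assert(!canBlindSPAdjustment(stackAdjust, randomValue));

    // A blinding value with clear low bits keeps both halves encodable.
    assert(canBlindSPAdjustment(stackAdjust, 0x100));
    return 0;
}
```

The guard is the defensive half of the story: the assembler-side ASSERT catches a misaligned SP immediate at JIT time, while a check like canBlindSPAdjustment lets the code generator avoid producing one in the first place.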
Comment 1 Michael Saboff 2012-04-04 12:33:33 PDT
Created attachment 135652
Comment 2 Build Bot 2012-04-04 12:46:43 PDT
Comment on attachment 135652

Attachment 135652 did not pass win-ews (win):
Output: http://queues.webkit.org/results/12330014
Comment 3 Michael Saboff 2012-04-04 15:40:51 PDT
Created attachment 135702
Updated Patch with ASSERT Added

Added ASSERTs in ARMv7Assembler::add() and ARMv7Assembler::sub().

These ASSERTs were rubber-stamped by Oliver.
Comment 4 Michael Saboff 2012-04-04 15:42:59 PDT
Committed r113253: <http://trac.webkit.org/changeset/113253>