Bug 83191

Summary: Constant Blinding for add/sub immediate crashes in ArmV7 when dest is SP
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Critical    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on: 129101    
Bug Blocks:    
Attachments:
Description Flags
Patch
oliver: review+, buildbot: commit-queue-
Updated Patch with ASSERT Added none

Michael Saboff
Reported 2012-04-04 12:28:39 PDT
ARMv7 and therefore the ARMv7Assembler::add() method has a special case for SP destination register. It assumes that any immediate is word aligned. When constant blinding is used, the immediate value could be any value since it starts as a random number. The same is true for ARMv7Assembler::sub().
Attachments
Patch (1.80 KB, patch)
2012-04-04 12:33 PDT, Michael Saboff 		oliver: review+
buildbot: commit-queue-
DetailsFormatted DiffDiff
Updated Patch with ASSERT Added (3.27 KB, patch)
2012-04-04 15:40 PDT, Michael Saboff 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2012-04-04 12:33:33 PDT
Created attachment 135652 [details] Patch
Build Bot
Comment 2 2012-04-04 12:46:43 PDT
Comment on attachment 135652 [details] Patch Attachment 135652 [details] did not pass win-ews (win): Output: http://queues.webkit.org/results/12330014
Michael Saboff
Comment 3 2012-04-04 15:40:51 PDT
Created attachment 135702 [details] Updated Patch with ASSERT Added Added ASSERTs in ARMv7Assembler::add() and ARMv7Assembler::sub(). These ASSERTs rubber stamped by Oliver.
Michael Saboff
Comment 4 2012-04-04 15:42:59 PDT
Committed r113253: <http://trac.webkit.org/changeset/113253>
Note You need to log in before you can comment on or make changes to this bug.