diff options
| author | wolfbeast <mcwerewolf@gmail.com> | 2018-10-23 09:44:24 +0200 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@gmail.com> | 2018-10-23 09:44:24 +0200 |
| commit | 980b7e4da5d80f09cf805674b8822b260870b8d3 (patch) | |
| tree | 976c68df9149b23bd20a7dd52d33dd5004d8f26a /js/src/jit | |
| parent | 1d3233c49d8153761d55204ce615f554395435b4 (diff) | |
| download | uxp-980b7e4da5d80f09cf805674b8822b260870b8d3.tar.gz | |
Improve graph edge resolution code.
This is a follow-up to ca7ecd37c94e268972697a37eec4e46771c6e6f2 further improving the DiD resolution for CVE-2018-12386.
Diffstat (limited to 'js/src/jit')
| -rw-r--r-- | js/src/jit/BacktrackingAllocator.cpp | 38 | ||||
| -rw-r--r-- | js/src/jit/BacktrackingAllocator.h | 3 |
2 files changed, 24 insertions, 17 deletions
diff --git a/js/src/jit/BacktrackingAllocator.cpp b/js/src/jit/BacktrackingAllocator.cpp index 741ed1592d..645aefc4f7 100644 --- a/js/src/jit/BacktrackingAllocator.cpp +++ b/js/src/jit/BacktrackingAllocator.cpp @@ -1736,6 +1736,18 @@ BacktrackingAllocator::deadRange(LiveRange* range) } bool +BacktrackingAllocator::moveAtEdge(LBlock* predecessor, LBlock* successor, LiveRange* from, + LiveRange* to, LDefinition::Type type) +{ + if (successor->mir()->numPredecessors() > 1) { + MOZ_ASSERT(predecessor->mir()->numSuccessors() == 1); + return moveAtExit(predecessor, from, to, type); + } + + return moveAtEntry(successor, from, to, type); +} + +bool BacktrackingAllocator::resolveControlFlow() { // Add moves to handle changing assignments for vregs over their lifetime. @@ -1846,15 +1858,11 @@ BacktrackingAllocator::resolveControlFlow() if (!alloc().ensureBallast()) { return false; } - if (mSuccessor->numPredecessors() > 1) { - MOZ_ASSERT(predecessor->mir()->numSuccessors() == 1); - if (!moveAtExit(predecessor, from, to, def->type())) { - return false; - } - } else { - if (!moveAtEntry(successor, from, to, def->type())) { - return false; - } + + // Note: we have to use moveAtEdge both here and below (for edge + // resolution) to avoid conflicting moves. See bug 1493900. + if (!moveAtEdge(predecessor, successor, from, to, def->type())) { + return false; } } } @@ -1884,16 +1892,12 @@ BacktrackingAllocator::resolveControlFlow() if (targetRange->covers(exitOf(predecessor))) continue; - if (!alloc().ensureBallast()) + if (!alloc().ensureBallast()) { return false; + } LiveRange* from = reg.rangeFor(exitOf(predecessor), true); - if (successor->mir()->numPredecessors() > 1) { - MOZ_ASSERT(predecessor->mir()->numSuccessors() == 1); - if (!moveAtExit(predecessor, from, targetRange, reg.type())) - return false; - } else { - if (!moveAtEntry(successor, from, targetRange, reg.type())) - return false; + if (!moveAtEdge(predecessor, successor, from, targetRange, reg.type())) { + return false; } } } diff --git a/js/src/jit/BacktrackingAllocator.h b/js/src/jit/BacktrackingAllocator.h index 9910498fb6..ef3c2a5720 100644 --- a/js/src/jit/BacktrackingAllocator.h +++ b/js/src/jit/BacktrackingAllocator.h @@ -774,6 +774,9 @@ class BacktrackingAllocator : protected RegisterAllocator return addMove(moves, from, to, type); } + MOZ_MUST_USE bool moveAtEdge(LBlock* predecessor, LBlock* successor, LiveRange* from, + LiveRange* to, LDefinition::Type type); + // Debugging methods. void dumpAllocations(); |