AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
d6c49a7251
v8/test/cctest/compiler/code-assembler-tester.h
Jaroslav Sevcik f53dfd934d Replace array index masking with the poisoning approach. 
The idea is to mark all the branches and loads participating in array
bounds checks, and let them contribute-to/use the poisoning register.
In the code, the marks for array indexing operations now contain
"Critical" in their name. By default (--untrusted-code-mitigations),
we only instrument the "critical" operations with poisoning.

With that in place, we also remove the array masking approach based
on arithmetic.

Since we do not propagate the poison through function calls,
we introduce a node for poisoning an index that is passed through
function call - the typical example is the bounds-checked index
that is passed to the CharCodeAt builtin.

Most of the code in this CL is threads through the three levels of
protection (safe, critical, unsafe) for loads, branches and flags.

Bug: chromium:798964

Change-Id: Ief68e2329528277b3ba9156115b2a6dcc540d52b
Reviewed-on: https://chromium-review.googlesource.com/995413
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52883}
2018-04-30 13:22:44 +00:00

76 lines
2.6 KiB
C++
Raw Blame History

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef V8_TEST_CCTEST_COMPILER_CODE_ASSEMBLER_TESTER_H_
#define V8_TEST_CCTEST_COMPILER_CODE_ASSEMBLER_TESTER_H_
#include "src/compiler/code-assembler.h"
#include "src/compiler/raw-machine-assembler.h"
#include "src/handles.h"
#include "src/interface-descriptors.h"
#include "src/isolate.h"
#include "test/cctest/compiler/function-tester.h"
namespace v8 {
namespace internal {
namespace compiler {
class CodeAssemblerTester {
public:
// Test generating code for a stub. Assumes VoidDescriptor call interface.
explicit CodeAssemblerTester(Isolate* isolate, const char* name = "test")
: zone_(isolate->allocator(), ZONE_NAME),
scope_(isolate),
state_(isolate, &zone_, VoidDescriptor(isolate), Code::STUB, name,
PoisoningMitigationLevel::kDontPoison) {}
// Test generating code for a JS function (e.g. builtins).
CodeAssemblerTester(Isolate* isolate, int parameter_count,
Code::Kind kind = Code::BUILTIN,
const char* name = "test")
: zone_(isolate->allocator(), ZONE_NAME),
scope_(isolate),
state_(isolate, &zone_, parameter_count, kind, name,
PoisoningMitigationLevel::kDontPoison) {}
CodeAssemblerTester(Isolate* isolate, Code::Kind kind,
const char* name = "test")
: zone_(isolate->allocator(), ZONE_NAME),
scope_(isolate),
state_(isolate, &zone_, 0, kind, name,
PoisoningMitigationLevel::kDontPoison) {}
CodeAssemblerTester(Isolate* isolate, CallDescriptor* call_descriptor,
const char* name = "test")
: zone_(isolate->allocator(), ZONE_NAME),
scope_(isolate),
state_(isolate, &zone_, call_descriptor, Code::STUB, name,
PoisoningMitigationLevel::kDontPoison, 0, -1) {}
CodeAssemblerState* state() { return &state_; }
// Direct low-level access to the machine assembler, for testing only.
RawMachineAssembler* raw_assembler_for_testing() {
return state_.raw_assembler_.get();
}
Handle<Code> GenerateCode() { return CodeAssembler::GenerateCode(&state_); }
Handle<Code> GenerateCodeCloseAndEscape() {
return scope_.CloseAndEscape(GenerateCode());
}
private:
Zone zone_;
HandleScope scope_;
LocalContext context_;
CodeAssemblerState state_;
};
} // namespace compiler
} // namespace internal
} // namespace v8
#endif // V8_TEST_CCTEST_COMPILER_CODE_ASSEMBLER_TESTER_H_
Reference in New Issue View Git Blame Copy Permalink