[JSC] Should not rotate constant with 64
author: yusukesuzuki@slowstart.org <yusukesuzuki@slowstart.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 Aug 2018 17:16:31 +0000 (17:16 +0000)
committer: yusukesuzuki@slowstart.org <yusukesuzuki@slowstart.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 14 Aug 2018 17:16:31 +0000 (17:16 +0000)
commit: 35fc77cd76fa47176dc50f7732feda00a7c08d3f
tree: 2fd6164cc3f591228a17870d7e38a8ccc2936a6d
parent: fe8e82dfc7bf32da26be5e319cdf1ca9f32c658e
[JSC] Should not rotate constant with 64
https://bugs.webkit.org/show_bug.cgi?id=188556

Reviewed by Mark Lam.

To defend against JIT spraying, we rotate a constant with a randomly generated seed.
But if a seed becomes 64, the following code performs `value << 64` where value's type
is uint64_t, and it causes undefined behaviors (UBs). This patch limits the seed to the
range [0, 64) so that it does not generate code causing UBs. This was found by UBSan.

* assembler/MacroAssembler.h:
(JSC::MacroAssembler::generateRotationSeed):
(JSC::MacroAssembler::rotationBlindConstant):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234852 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/MacroAssembler.h
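An added example (not JSC's own code; all names are hypothetical) of the constant-blinding rotation the commit describes, written so that neither shift operand can reach 64: the seed is generated in [0, 64) and the complementary shift is masked, which also covers seed 0, where the naive `value >> (64 - seed)` form would shift by 64.

```cpp
#include <cstdint>
#include <random>

// Hypothetical helpers, not JSC's MacroAssembler code.
// Shifting a uint64_t by 64 (or more) is undefined behaviour in C++, so both
// shift amounts are reduced modulo 64. For seed 0 the naive complementary
// shift would be `value >> 64`; masking (64 - s) & 63 makes it a shift by 0.
inline uint64_t rotateLeft64(uint64_t value, unsigned seed) {
    unsigned s = seed & 63u;
    return (value << s) | (value >> ((64u - s) & 63u));
}

inline uint64_t rotateRight64(uint64_t value, unsigned seed) {
    unsigned s = seed & 63u;
    return (value >> s) | (value << ((64u - s) & 63u));
}

// Generate a rotation seed in [0, 64). std::uniform_int_distribution bounds
// are inclusive, so the upper bound is 63; passing 64 here is the kind of
// off-by-one that lets a shift by 64 through.
inline unsigned pickRotationSeed(std::mt19937_64& rng) {
    std::uniform_int_distribution<unsigned> dist(0, 63);
    return dist(rng);
}

// A blinded constant: the rotated bit pattern plus the seed needed to undo it,
// so the attacker-controlled constant never appears verbatim in emitted code.
struct BlindedConstant {
    uint64_t rotated;
    unsigned seed;
};

inline BlindedConstant blindConstant(uint64_t constant, unsigned seed) {
    return { rotateLeft64(constant, seed), seed };
}

inline uint64_t unblindConstant(const BlindedConstant& blinded) {
    return rotateRight64(blinded.rotated, blinded.seed);
}

// Exhaustively check that every seed in [0, 64), including the edge seeds
// 0 and 63, round-trips the constant without invoking undefined behaviour.
inline bool roundTripsForAllSeeds(uint64_t constant) {
    for (unsigned s = 0; s < 64; ++s)
        if (unblindConstant(blindConstant(constant, s)) != constant)
            return false;
    return true;
}
```

Compiling with `-fsanitize=undefined` and running the round-trip check is the quickest way to confirm no shift-by-64 remains.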