Add runtime check for improper register allocations in DFG
author msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Mar 2013 19:33:25 +0000 (19:33 +0000)
committer msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Mar 2013 19:33:25 +0000 (19:33 +0000)
commit c0ef33c9daf633d5bae060e71b33e19afedb684b
tree 7abc5838b344ef042d4f0f72bfe1f82219a355ec
parent aae3d157649ce1d8142fab7074f27403e6ab8295
Add runtime check for improper register allocations in DFG
https://bugs.webkit.org/show_bug.cgi?id=112380

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Added framework to check for register allocation within a branch source - target range.  All register allocations
are saved using the offset in the code stream where the allocation occurred.  Later when a jump is linked, the
currently saved register allocations are checked to make sure that they didn't occur in the range of code that was
jumped over.  This protects against the case where an allocation could have spilled register contents to free up
a register and that spill only occurs on one path of many through the code.  A subsequent fill of the spilled
register may load garbage.  See https://bugs.webkit.org/show_bug.cgi?id=111777 for one such bug.
This code is protected by the compile time check of #if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION).
The check is only done during the processing of SpeculativeJIT::compile(Node* node) and its callees.

* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::Jump::link): Invoke register allocation checks using source and target of link.
(JSC::AbstractMacroAssembler::Jump::linkTo): Invoke register allocation checks using source and target of link.
(AbstractMacroAssembler):
(RegisterAllocationOffset): New helper class to store the instruction stream offset and compare against a
jump range.
(JSC::AbstractMacroAssembler::RegisterAllocationOffset::RegisterAllocationOffset):
(JSC::AbstractMacroAssembler::RegisterAllocationOffset::check):
(JSC::AbstractMacroAssembler::addRegisterAllocationAtOffset):
(JSC::AbstractMacroAssembler::clearRegisterAllocationOffsets):
(JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::allocate):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

Source/WTF:

* wtf/Platform.h: Added new ENABLE_DFG_REGISTER_ALLOCATION_VALIDATION compilation flag to
enable generation of register allocation checking.  This is on for debug builds.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@145931 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/AbstractMacroAssembler.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/WTF/ChangeLog
Source/WTF/wtf/Platform.h
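The following is an added illustration of the validation the commit message describes, written for this page and not code from WebKit or from the commit itself: a toy assembler records the code-stream offset of every register allocation, and linking a jump reports any allocation that sits in the byte range the jump skips over. Names (`ToyAssembler`, `withinJumpRange`, the two scenario functions) and the half-open `[low, high)` range test are assumptions made for the example; the real `RegisterAllocationOffset::check` and `checkRegisterAllocationAgainstBranchRange` in `AbstractMacroAssembler.h` may use different bounds and assert instead of returning a list.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Hypothetical model of the DFG register-allocation validation (not WebKit code).
// Each allocation records where in the instruction stream it happened; when a
// jump is linked, allocations inside the jumped-over range are reported, since a
// spill emitted there happens on only one path and a later fill may load garbage.

struct RegisterAllocationOffset {
    unsigned offset; // byte offset in the emitted code where the allocation occurred

    // Assumed range convention: an allocation is "jumped over" when it lies in
    // [low, high). The target label itself is reached on both paths, so it is excluded.
    bool withinJumpRange(unsigned low, unsigned high) const {
        return low <= offset && offset < high;
    }
};

struct Jump {
    unsigned source; // offset of the branch instruction
};

class ToyAssembler {
public:
    // Emit an instruction of `size` bytes and return the offset it was placed at.
    unsigned emit(unsigned size = 4) {
        unsigned at = m_codeSize;
        m_codeSize += size;
        return at;
    }

    // Stand-in for SpeculativeJIT::allocate(): a spill may be emitted here, so
    // remember the offset for later branch-range checks.
    void allocateRegister() { m_allocations.push_back({emit()}); }

    Jump jump() { return Jump{emit()}; }
    unsigned label() const { return m_codeSize; }

    // Stand-in for clearRegisterAllocationOffsets(), called at node boundaries.
    void clearRegisterAllocationOffsets() { m_allocations.clear(); }

    // Stand-in for Jump::link(): check every recorded allocation against the
    // range between branch source and target. Returns the offending offsets;
    // an empty result means the link is clean.
    std::vector<unsigned> link(const Jump& jump, unsigned target) const {
        unsigned low = std::min(jump.source, target);
        unsigned high = std::max(jump.source, target);
        std::vector<unsigned> bad;
        for (const auto& alloc : m_allocations)
            if (alloc.withinJumpRange(low, high))
                bad.push_back(alloc.offset);
        return bad;
    }

private:
    unsigned m_codeSize = 0;
    std::vector<RegisterAllocationOffset> m_allocations;
};

// Constructed scenario 1: the bug pattern. A forward branch skips the block that
// performs the allocation, so the spill happens only on the fall-through path.
std::vector<unsigned> skippedAllocationScenario() {
    ToyAssembler masm;
    masm.clearRegisterAllocationOffsets();
    masm.emit();                  // offset 0: compare
    Jump skip = masm.jump();      // offset 4: conditional branch forward
    masm.allocateRegister();      // offset 8: allocation (possible spill) inside the skipped range
    masm.emit();                  // offset 12: use of the register
    unsigned done = masm.label(); // offset 16: branch target
    return masm.link(skip, done); // reports {8}
}

// Constructed scenario 2: the allocation precedes the branch, so both paths
// observe the same spill and the check passes.
std::vector<unsigned> safeScenario() {
    ToyAssembler masm;
    masm.clearRegisterAllocationOffsets();
    masm.allocateRegister();      // offset 0: allocation before the branch
    masm.emit();                  // offset 4
    Jump skip = masm.jump();      // offset 8
    masm.emit();                  // offset 12: skipped code, no allocation
    unsigned done = masm.label(); // offset 16
    return masm.link(skip, done); // reports nothing
}

int main() {
    for (unsigned off : skippedAllocationScenario())
        std::printf("unsafe branch over register allocation at offset %u\n", off);
    std::printf("safe scenario violations: %zu\n", safeScenario().size());
    return 0;
}
```

Reporting a list rather than asserting keeps the toy testable; in a debug JIT build the equivalent check would fail fast at link time, which is what makes the 111777-style bug visible at the point the code is generated rather than when the bad fill later executes.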