Bug 1376819 Perform constant blinding in the JIT on move32 and move64 immediates
MozReview-Commit-ID: 349AZPVGd6h
old mode 100644
new mode 100755
--- a/js/src/jit/x64/MacroAssembler-x64-inl.h
+++ b/js/src/jit/x64/MacroAssembler-x64-inl.h
@@ -15,17 +15,30 @@ namespace js {
namespace jit {
//{{{ check_macroassembler_style
// ===============================================================
void
MacroAssembler::move64(Imm64 imm, Register64 dest)
{
- movq(ImmWord(imm.value), dest.reg);
+ // Wipe out the top bit to avoid any potential sign extension problems
+ uint64_t blind = 0x7FFFFFFF7FFFFFFFULL & js::GenerateRandomSeed() ;
+ uint32_t blind_top = 0x7FFFFFFF & (blind >> 32);
+ uint32_t blind_bot = 0x7FFFFFFF & (blind);
+
+ uint64_t blinded = imm.value ^ blind;
+ // pre-rotate to save us one emitted assembly instruction
+ blinded = (blinded >> 32) | (blinded << 32);
+
+ movq(ImmWord(blinded), dest.reg);
+
+ xorq(Imm32(blind_top), dest.reg);
+ rorq(Imm32(32), dest.reg);
+ xorq(Imm32(blind_bot), dest.reg);
}
void
MacroAssembler::move64(Register64 src, Register64 dest)
{
movq(src.reg, dest.reg);
}
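Review bot: The new sequence writes EFLAGS — `xorq` sets all arithmetic flags and `rorq` writes CF/OF — whereas the `movq` it replaces leaves them untouched, so any caller that issues move64 between a compare and the conditional branch or cmov that consumes it (a placement that is safe for a plain mov) would now read clobbered flags; the `xorl` added to move32 in the x86-shared hunk has the same effect. The callers are not visible from the hunk, so this is a point to audit rather than a confirmed breakage, but the changed contract should at least be stated above the sequence, e.g. `// NOTE: unlike a plain mov, this xor/ror sequence clobbers EFLAGS; callers must not rely on flags surviving move64/move32.` A second point: because `blind` is masked with 0x7FFFFFFF7FFFFFFF, bits 31 and 63 of the original immediate pass through unchanged into the `movq` immediate (landing at bits 63 and 31 after the pre-rotation), so two bits of every 64-bit constant remain unblinded — worth recording in the "Wipe out the top bit" comment so the mask is not later read as cosmetic. If `js::GenerateRandomSeed()` draws from the OS entropy source on every call, this adds a system call per emitted constant; a per-assembler generator seeded once from it would bound that cost, though this is inferred from the name rather than visible here. Finally, the `old mode 100644` / `new mode 100755` lines make both headers executable, which looks accidental, and the stray space before `;` on the `blind` initializer should go.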
old mode 100644
new mode 100755
--- a/js/src/jit/x86-shared/MacroAssembler-x86-shared.h
+++ b/js/src/jit/x86-shared/MacroAssembler-x86-shared.h
@@ -122,20 +122,24 @@ class MacroAssemblerX86Shared : public A
else
vucomiss(rhs, lhs);
}
void branchNegativeZero(FloatRegister reg, Register scratch, Label* label, bool maybeNonZero = true);
void branchNegativeZeroFloat32(FloatRegister reg, Register scratch, Label* label);
void move32(Imm32 imm, Register dest) {
+ uint32_t blind = js::GenerateRandomSeed();
+ uint32_t blinded = imm.value ^ blind;
+
// Use the ImmWord version of mov to register, which has special
- // optimizations. Casting to uint32_t here ensures that the value
+ // optimizations. Using uint32_t here ensures that the value
// is zero-extended.
- mov(ImmWord(uint32_t(imm.value)), dest);
+ mov(ImmWord(blinded), dest);
+ xorl(Imm32(blind), dest);
}
void move32(Imm32 imm, const Operand& dest) {
movl(imm, dest);
}
void move32(Register src, Register dest) {
movl(src, dest);
}
void move32(Register src, const Operand& dest) {