diff options
| author | Stephan Herhut <herhut@chromium.org> | 2019-01-08 11:15:10 +0100 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-12-02 18:25:19 +0000 |
| commit | 2b330f66bb27d347b20314851178f8146ab5eb27 (patch) | |
| tree | 0136c18c9687cbb5e327f56ffb5f96a22a1b8823 | |
| parent | c51cc20f9708f84ef57985dfde03635dd394a9fa (diff) | |
| download | qtwebengine-chromium-2b330f66bb27d347b20314851178f8146ab5eb27.tar.gz | |
[Backport] Security Bug 919572
Enfore valid register for SignExtendWord8ToInt32.
On ia32, the instruction selector uses movsx_b to compile the wasm
SignExtendWord8ToInt32 instruction. movsx_b requires a byte register
as input. However, not all allocatable registers on ia32 are. As we
cannot currently express constraints on subsets of registers, this
change now forces the input to movsx_b into eax.
Bug: chromium:919572
Change-Id: I40b128958b5994bdcba5c313a8d5f1986565fa64
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc b/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc index c827c68a5ff..01d0babf7dc 100644 --- a/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc +++ b/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc @@ -169,7 +169,11 @@ namespace { void VisitRO(InstructionSelector* selector, Node* node, ArchOpcode opcode) { IA32OperandGenerator g(selector); - selector->Emit(opcode, g.DefineAsRegister(node), g.Use(node->InputAt(0))); + Node* input = node->InputAt(0); + // We have to use a byte register as input to movsxb. + InstructionOperand input_op = + opcode == kIA32Movsxbl ? g.UseFixed(input, eax) : g.Use(input); + selector->Emit(opcode, g.DefineAsRegister(node), input_op); } |