author | Clemens Backes <clemensb@chromium.org> | 2022-12-13 22:37:27 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-01-20 14:54:26 +0000 |
commit | 2d32104d812ef4497878bcb31b5d3dd32ba5cfdb (patch) | |
tree | 5bce098aa64515b0aee4c4a0d25ca1d2c6fd99aa | |
parent | 83f89843310c5e690b6fa01faf67bca409669cbd (diff) | |
download | qtwebengine-chromium-2d32104d812ef4497878bcb31b5d3dd32ba5cfdb.tar.gz |
[Backport] Security bug 1399424
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/4102800:
Do not emit the constant pool before a branch
After computing the branch offset but before emitting the actual branch,
we should not emit a constant pool. Otherwise the previously computed
offset would be off.
Instead of handling this indirectly via the Assembler::branch_offset
method, do this directly in the Assembler::b method (and friends), so it
is not missed on other call sites.
R=jkummerow@chromium.org
Bug: chromium:1399424
Change-Id: I0cbb219ced5b671001a296b1cc7c339f395abffe
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4102800
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#84828}
(cherry picked from commit 9be597d194e108ba718610b9a611fe19a0fbfde5)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/454384
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/v8/src/codegen/arm/assembler-arm.cc | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/chromium/v8/src/codegen/arm/assembler-arm.cc b/chromium/v8/src/codegen/arm/assembler-arm.cc
index 00d0644f734..e2caa355b16 100644
--- a/chromium/v8/src/codegen/arm/assembler-arm.cc
+++ b/chromium/v8/src/codegen/arm/assembler-arm.cc
@@ -1392,10 +1392,6 @@ int Assembler::branch_offset(Label* L) {
     L->link_to(pc_offset());
   }
-  // Block the emission of the constant pool, since the branch instruction must
-  // be emitted at the pc offset recorded by the label.
-  if (!is_const_pool_blocked()) BlockConstPoolFor(1);
-
   return target_pos - (pc_offset() + Instruction::kPcLoadDelta);
 }
@@ -1406,6 +1402,11 @@ void Assembler::b(int branch_offset, Condition cond, RelocInfo::Mode rmode) {
   int imm24 = branch_offset >> 2;
   const bool b_imm_check = is_int24(imm24);
   CHECK(b_imm_check);
+
+  // Block the emission of the constant pool before the next instruction.
+  // Otherwise the passed-in branch offset would be off.
+  BlockConstPoolFor(1);
+
   emit(cond | B27 | B25 | (imm24 & kImm24Mask));
   if (cond == al) {
@@ -1420,6 +1421,11 @@ void Assembler::bl(int branch_offset, Condition cond, RelocInfo::Mode rmode) {
   int imm24 = branch_offset >> 2;
   const bool bl_imm_check = is_int24(imm24);
   CHECK(bl_imm_check);
+
+  // Block the emission of the constant pool before the next instruction.
+  // Otherwise the passed-in branch offset would be off.
+  BlockConstPoolFor(1);
+
   emit(cond | B27 | B25 | B24 | (imm24 & kImm24Mask));
 }
@@ -1429,6 +1435,11 @@ void Assembler::blx(int branch_offset) {
   int imm24 = branch_offset >> 2;
   const bool blx_imm_check = is_int24(imm24);
   CHECK(blx_imm_check);
+
+  // Block the emission of the constant pool before the next instruction.
+  // Otherwise the passed-in branch offset would be off.
+  BlockConstPoolFor(1);
+
   emit(kSpecialCondition | B27 | B25 | h | (imm24 & kImm24Mask));
 }
|
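Review bot: Dropping the `if (!is_const_pool_blocked())` guard that branch_offset() used to have and calling `BlockConstPoolFor(1);` unconditionally in b(), bl() and blx() is only safe if BlockConstPoolFor() extends an existing block rather than shortening it; its body is outside this diff, so that should be confirmed (it presumably keeps the later of the two limits). The new comment also leaves the contract between branch_offset() and the three emitters implicit: the value returned on the `return target_pos - (pc_offset() + Instruction::kPcLoadDelta);` line is relative to pc_offset() at the moment branch_offset() runs, so no instruction or constant pool may be emitted between that call and the emit() in b()/bl()/blx(), and blocking the pool inside the emitter only covers the second half of that window. I would make this explicit in all three places with `// branch_offset was computed relative to the current pc_offset(); the caller must emit nothing between computing it and this call, and we block the constant pool so emit() cannot insert one before the branch.` The identical comment-plus-call sequence is now duplicated verbatim in b(), bl() and blx(); a small private helper that blocks the pool and emits the word would keep the invariant in one place. All three functions begin before their hunks and b() continues past its hunk.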