diff options
| author | Stephan Herhut <herhut@chromium.org> | 2019-01-08 11:15:10 +0100 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2019-03-28 15:23:27 +0000 |
| commit | e54c1076009a61d8885457fec2f6541ad2a856bd (patch) | |
| tree | 26baf1b0877a7b742581c6353cce8f85a87ae0ce | |
| parent | dd18af1614f606475d9e7ab2a141f58fe2ede9b6 (diff) | |
| download | qtwebengine-chromium-e54c1076009a61d8885457fec2f6541ad2a856bd.tar.gz | |
[Backport] Security Bug 919572
Enfore valid register for SignExtendWord8ToInt32.
On ia32, the instruction selector uses movsx_b to compile the wasm
SignExtendWord8ToInt32 instruction. movsx_b requires a byte register
as input. However, not all allocatable registers on ia32 are. As we
cannot currently express constraints on subsets of registers, this
change now forces the input to movsx_b into eax.
Bug: chromium:919572
Reviewed-on: https://chromium-review.googlesource.com/c/1400409
Change-Id: I40b128958b5994bdcba5c313a8d5f1986565fa64
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
| -rw-r--r-- | chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc b/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc index 41442542850..d523a70e99a 100644 --- a/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc +++ b/chromium/v8/src/compiler/ia32/instruction-selector-ia32.cc @@ -174,7 +174,11 @@ namespace { void VisitRO(InstructionSelector* selector, Node* node, ArchOpcode opcode) { IA32OperandGenerator g(selector); - selector->Emit(opcode, g.DefineAsRegister(node), g.Use(node->InputAt(0))); + Node* input = node->InputAt(0); + // We have to use a byte register as input to movsxb. + InstructionOperand input_op = + opcode == kIA32Movsxbl ? g.UseFixed(input, eax) : g.Use(input); + selector->Emit(opcode, g.DefineAsRegister(node), input_op); } |