summaryrefslogtreecommitdiffstats
path: root/js/src/jit/BacktrackingAllocator.cpp
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-10-23 09:44:24 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-10-23 09:44:24 +0200
commit980b7e4da5d80f09cf805674b8822b260870b8d3 (patch)
tree976c68df9149b23bd20a7dd52d33dd5004d8f26a /js/src/jit/BacktrackingAllocator.cpp
parent1d3233c49d8153761d55204ce615f554395435b4 (diff)
downloadUXP-980b7e4da5d80f09cf805674b8822b260870b8d3.tar
UXP-980b7e4da5d80f09cf805674b8822b260870b8d3.tar.gz
UXP-980b7e4da5d80f09cf805674b8822b260870b8d3.tar.lz
UXP-980b7e4da5d80f09cf805674b8822b260870b8d3.tar.xz
UXP-980b7e4da5d80f09cf805674b8822b260870b8d3.zip
Improve graph edge resolution code.
This is a follow-up to ca7ecd37c94e268972697a37eec4e46771c6e6f2 further improving the DiD resolution for CVE-2018-12386.
Diffstat (limited to 'js/src/jit/BacktrackingAllocator.cpp')
-rw-r--r--js/src/jit/BacktrackingAllocator.cpp38
1 files changed, 21 insertions, 17 deletions
diff --git a/js/src/jit/BacktrackingAllocator.cpp b/js/src/jit/BacktrackingAllocator.cpp
index 741ed1592..645aefc4f 100644
--- a/js/src/jit/BacktrackingAllocator.cpp
+++ b/js/src/jit/BacktrackingAllocator.cpp
@@ -1736,6 +1736,18 @@ BacktrackingAllocator::deadRange(LiveRange* range)
}
bool
+BacktrackingAllocator::moveAtEdge(LBlock* predecessor, LBlock* successor, LiveRange* from,
+ LiveRange* to, LDefinition::Type type)
+{
+ if (successor->mir()->numPredecessors() > 1) {
+ MOZ_ASSERT(predecessor->mir()->numSuccessors() == 1);
+ return moveAtExit(predecessor, from, to, type);
+ }
+
+ return moveAtEntry(successor, from, to, type);
+}
+
+bool
BacktrackingAllocator::resolveControlFlow()
{
// Add moves to handle changing assignments for vregs over their lifetime.
@@ -1846,15 +1858,11 @@ BacktrackingAllocator::resolveControlFlow()
if (!alloc().ensureBallast()) {
return false;
}
- if (mSuccessor->numPredecessors() > 1) {
- MOZ_ASSERT(predecessor->mir()->numSuccessors() == 1);
- if (!moveAtExit(predecessor, from, to, def->type())) {
- return false;
- }
- } else {
- if (!moveAtEntry(successor, from, to, def->type())) {
- return false;
- }
+
+ // Note: we have to use moveAtEdge both here and below (for edge
+ // resolution) to avoid conflicting moves. See bug 1493900.
+ if (!moveAtEdge(predecessor, successor, from, to, def->type())) {
+ return false;
}
}
}
@@ -1884,16 +1892,12 @@ BacktrackingAllocator::resolveControlFlow()
if (targetRange->covers(exitOf(predecessor)))
continue;
- if (!alloc().ensureBallast())
+ if (!alloc().ensureBallast()) {
return false;
+ }
LiveRange* from = reg.rangeFor(exitOf(predecessor), true);
- if (successor->mir()->numPredecessors() > 1) {
- MOZ_ASSERT(predecessor->mir()->numSuccessors() == 1);
- if (!moveAtExit(predecessor, from, targetRange, reg.type()))
- return false;
- } else {
- if (!moveAtEntry(successor, from, targetRange, reg.type()))
- return false;
+ if (!moveAtEdge(predecessor, successor, from, targetRange, reg.type())) {
+ return false;
}
}
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-07 05:03:06 +0000