Chromium Code Reviews
Description
Subzero: Fix x86-64 memory sandboxing.
Commit 2e4b960 (https://codereview.chromium.org/2084793002), which made address mode inference more aggressive, exposed a long-standing bug in memory sandboxing, which now manifests in 164.gzip.
The problem is in sandboxed code like this:
movl %eax, %eax
movb 64(%rsp,%rax), %cl
If %eax starts out -1, the mov address is something close to %rsp+4GB, instead of %rsp+63.
To fix this, we need to use an lea instruction in more cases - specifically when the sandboxed address has an index register and the non-symbolic portion of the offset is nonzero.
BUG= none
R=jpp@chromium.org
Committed: https://gerrit.chromium.org/gerrit/gitweb?p=native_client/pnacl-subzero.git;a=commit;h=ecbf2c4b314b07c7d4472be0a01b17c92007a9c7
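The two address computations in the description, modelled as an added worked example (this is illustrative C written for this page, not code from the Subzero commit): one function reproduces the buggy zero-extend-then-add sequence, one the lea-first sequence the fix uses, and a third gives the sandbox's reference semantics of base plus a 32-bit wrapped address. Register values and the instruction sequences as modelled here are assumptions for illustration; the fix condition (index register present and nonzero non-symbolic offset) is the one the description states.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the sandboxed address computation described in the commit message.
 * A 32-bit "sandboxed address" is zero-extended and added to a 64-bit base
 * register (here %rsp); the bug is about where the displacement is folded in.
 * Added illustration, not Subzero code; register values below are constructed. */

/* Sequence the commit message calls buggy:
 *   movl %eax, %eax          ; zero-extend the 32-bit index into %rax
 *   movb 64(%rsp,%rax), %cl  ; CPU computes base + rax + disp in 64 bits
 * A carry out of bit 31 in (index + disp) survives, so the access lands ~4GB away. */
uint64_t ea_zext_then_add(uint64_t base, int32_t index, int32_t disp)
{
    uint64_t rax = (uint32_t)index;      /* movl %eax, %eax */
    return base + rax + (int64_t)disp;   /* disp32 is sign-extended to 64 bits by the CPU */
}

/* Sequence after the fix: fold index and displacement with a 32-bit lea first.
 *   leal 64(%eax), %eax      ; 32-bit add, wraps modulo 2^32, upper half cleared
 *   movb (%rsp,%rax), %cl    ; base + zero-extended 32-bit address */
uint64_t ea_lea_then_add(uint64_t base, int32_t index, int32_t disp)
{
    uint32_t eax = (uint32_t)index + (uint32_t)disp; /* leal disp(%eax), %eax */
    uint64_t rax = eax;                              /* 32-bit write zeroes bits 63:32 */
    return base + rax;                               /* movb (%rsp,%rax), %cl */
}

/* Reference semantics of the sandbox: base plus the 32-bit wrapped address. */
uint64_t ea_expected(uint64_t base, int32_t index, int32_t disp)
{
    return base + (uint64_t)(uint32_t)((uint32_t)index + (uint32_t)disp);
}

/* Condition from the commit message for emitting the extra lea: an index
 * register is present and the non-symbolic part of the offset is nonzero.
 * With no index nothing can carry; with a zero displacement the zero-extended
 * index already equals the wrapped 32-bit address. */
int needs_lea(int has_index, int32_t nonsymbolic_disp)
{
    return has_index && nonsymbolic_disp != 0;
}

int main(void)
{
    const uint64_t rsp = 0x00007ffd10000000ull; /* constructed stack pointer */
    const int32_t cases[][2] = { { -1, 64 }, { -1, 0 }, { 5, 64 } };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int32_t index = cases[i][0], disp = cases[i][1];
        printf("index=%" PRId32 " disp=%" PRId32 ": zext-then-add=rsp+0x%" PRIx64
               " lea-then-add=rsp+0x%" PRIx64 " expected=rsp+0x%" PRIx64 " needs_lea=%d\n",
               index, disp,
               ea_zext_then_add(rsp, index, disp) - rsp,
               ea_lea_then_add(rsp, index, disp) - rsp,
               ea_expected(rsp, index, disp) - rsp,
               needs_lea(1, disp));
    }
    return 0;
}
```

Running it shows the index=-1, disp=64 case landing at rsp+0x10000003f under the old sequence and at rsp+0x3f under the lea-first one, while the disp=0 and no-carry cases agree for both, which is why the fix only needs the lea when an index register is combined with a nonzero displacement.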
Patch Set 1