Change compiler to safely write unsafe smis when they are spilled from...

src/codegen-ia32.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 1299 matching lines @@
       Result result = frame_->CallStub(&stub, &left_side, &right_side, 0);
       result.ToRegister();
       __ cmp(result.reg(), 0);
       result.Unuse();
       dest->true_target()->Branch(cc);
       dest->false_target()->Jump();
 
       is_smi.Bind(&left_side, &right_side);
       left_side.ToRegister();
       // Test smi equality and comparison by signed int comparison.
+      if (IsUnsafeSmi(right_side.handle())) {
+        right_side.ToRegister();
+        ASSERT(right_side.is_valid());
+        __ cmp(left_side.reg(), Operand(right_side.reg()));
+      } else {
       __ cmp(Operand(left_side.reg()), Immediate(right_side.handle()));
+      }

[iposva, 2009/02/17 17:27:06]

This apparently survived your purge of unrelated single 4-byte user controlled
sequences.

[William Hesse, 2009/02/18 09:04:56]

This is not an unrelated change.  It is one of the few places where a constant
result is used as an immediate operand.  All these places should be guarded with
an unsafe smi check, and load unsafe smis with ToRegister or LoadUnsafeSmi. 
When other operations implement constant folding by treating constant results as
a special case, they will also need to use this guard.  Right now, binary
operations (and some comparisons) catch constants earlier, by spotting the
literal AST node type.  That code is being changed to recognize constant results
instead, like this does.

       left_side.Unuse();
       right_side.Unuse();
       dest->Split(cc);
     }
   } else {  // Neither side is a constant Smi, normal comparison operation.
     left_side.ToRegister();
     right_side.ToRegister();
     ASSERT(left_side.is_valid());
     ASSERT(right_side.is_valid());
     // Check for the smi case.
@@ skipping 1707 matching lines @@
   } else {
     ASSERT(var->is_global());
     Reference ref(this, node);
     ref.GetValue(typeof_state());
   }
 }
 
 
 void CodeGenerator::VisitLiteral(Literal* node) {
   Comment cmnt(masm_, "[ Literal");
-  if (node->handle()->IsSmi() && !IsInlineSmi(node)) {
-    // To prevent long attacker-controlled byte sequences in code, larger
-    // Smis are loaded in two steps via a temporary register.
-    Result temp = allocator_->Allocate();
-    ASSERT(temp.is_valid());
-    int bits = reinterpret_cast<int>(*node->handle());
-    __ Set(temp.reg(), Immediate(bits & 0x0000FFFF));
-    __ xor_(temp.reg(), bits & 0xFFFF0000);
-    frame_->Push(&temp);
-  } else {
     frame_->Push(node->handle());
   }
+
+
+void CodeGenerator::LoadUnsafeSmi(Register target, Handle<Object> value) {
+  ASSERT(target.is_valid());
+  ASSERT(value->IsSmi());
+  int bits = reinterpret_cast<int>(*value);
+  __ Set(target, Immediate(bits & 0x0000FFFF));
+  __ xor_(target, bits & 0xFFFF0000);
+}
+
+
+bool CodeGenerator::IsUnsafeSmi(Handle<Object> value) {
+  if (!value->IsSmi()) return false;
+  int int_value = Smi::cast(*value)->value();
+  return !is_intn(int_value, kMaxSmiInlinedBits);
 }
 
 
 class DeferredRegExpLiteral: public DeferredCode {
  public:
   DeferredRegExpLiteral(CodeGenerator* generator, RegExpLiteral* node)
       : DeferredCode(generator), node_(node) {
     set_comment("[ DeferredRegExpLiteral");
   }
 
@@ skipping 3485 matching lines @@
 
   // Slow-case: Go through the JavaScript implementation.
   __ bind(&slow);
   __ InvokeBuiltin(Builtins::INSTANCE_OF, JUMP_FUNCTION);
 }
 
 
 #undef __
 
 } }  // namespace v8::internal