From bd1b0d74bbf40c69e47863fab7ea99eac418c515 Mon Sep 17 00:00:00 2001
From: Douglas Leung
Date: Wed, 1 Aug 2012 12:00:33 -0700
Subject: Fix an array out-of-bound read in the JIT compiler.

Without the fix the compiler is still safe since the offending memory access is a read, though the hoisted distance is non-deterministic. The easiest and safest fix is to unconditionally hoist a load when it can reach the scheduling barrier.

Change-Id: I021161cb2a6e011301ab65ba62bc2a74af1cb552
Signed-off-by: Douglas Leung
---
 vm/compiler/codegen/mips/LocalOptimizations.cpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

(limited to 'vm/compiler/codegen/mips/LocalOptimizations.cpp')

diff --git a/vm/compiler/codegen/mips/LocalOptimizations.cpp b/vm/compiler/codegen/mips/LocalOptimizations.cpp
index 2ccd40dcd..1ef0d1744 100644
--- a/vm/compiler/codegen/mips/LocalOptimizations.cpp
+++ b/vm/compiler/codegen/mips/LocalOptimizations.cpp
@@ -400,7 +400,10 @@ static void applyLoadHoisting(CompilationUnit *cUnit,
 MipsLIR *curLIR = prevInstList[slot];
 MipsLIR *prevLIR = prevInstList[slot+1];
 
-/* Check the highest instruction */
+/*
+ * Check the highest instruction.
+ * ENCODE_ALL represents a scheduling barrier.
+ */
 if (prevLIR->defMask == ENCODE_ALL) {
 /*
 * If the first instruction is a load, don't hoist anything
@@ -408,10 +411,13 @@ static void applyLoadHoisting(CompilationUnit *cUnit,
 */
 if (EncodingMap[curLIR->opcode].flags & IS_LOAD) continue;
 /*
- * If the remaining number of slots is less than LD_LATENCY,
- * insert the hoisted load here.
+ * Need to unconditionally break here even if the hoisted
+ * distance is greater than LD_LATENCY (ie more than enough
+ * cycles are inserted to hide the load latency) since theu
+ * subsequent code doesn't expect to compare against a
+ * pseudo opcode (whose opcode value is negative).
 */
-if (slot < LD_LATENCY) break;
+break;
 }
 
 /*
-- 
cgit v1.2.3
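Review bot: The new comment in the second hunk (at -408,10 +411,13) has a typo, "since theu", on the line that carries the actual rationale for the unconditional `break`; it should read `* cycles are inserted to hide the load latency) since the`. That comment is now the only record of why the scan must stop at the barrier, so it is worth also stating the invariant the `break` protects in the first hunk's new comment, e.g. `* Scanning past this entry would read beyond the populated part of prevInstList.`, since the commit message names the out-of-bound read but nothing in the code does. The opcode-sign claim ("whose opcode value is negative") appears to be taken from the EncodingMap/pseudo-opcode convention rather than anything visible in these hunks, so it should be checked against the opcode enum before being relied on. applyLoadHoisting's body begins before the first hunk and continues after the second.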