
Commit 35fcf78

winch: Fix spectre-related table indexing comparison size (#12930)
This commit fixes a minor issue in the Winch backend when loading a value from a table when spectre mitigations are enabled. In this situation an extra comparison and conditional move is executed after the original bounds check and load to specifically handle the speculation case and ensure that out-of-bounds values can't be speculated on. The comparison performed on this path, however, was an incorrect one where it unconditionally used a 32-bit comparison. The comparison instead needs to use `bound_size` to handle platform/table differences. This matches the actual bounds check, for example, which occurs prior to the spectre-related mitigation.
1 parent 517c028 commit 35fcf78

9 files changed

Lines changed: 113 additions & 113 deletions


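--- a/tests/disas/winch/aarch64/call_indirect/call_indirect.wat
+++ b/tests/disas/winch/aarch64/call_indirect/call_indirect.wat
@@ -73,7 +73,7 @@
 ;; ldur x2, [x2, #0x30]
 ;; mov x4, x2
 ;; add x2, x2, x16, uxtx
-;; cmp w1, w3, uxtx
+;; cmp x1, x3, uxtx
 ;; csel x2, x4, x2, hs
 ;; ldur x0, [x2]
 ;; tst x0, x0
@@ -139,7 +139,7 @@
 ;; ldur x2, [x2, #0x30]
 ;; mov x4, x2
 ;; add x2, x2, x16, uxtx
-;; cmp w1, w3, uxtx
+;; cmp x1, x3, uxtx
 ;; csel x2, x4, x2, hs
 ;; ldur x0, [x2]
 ;; tst x0, x0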

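--- a/tests/disas/winch/aarch64/call_indirect/local_arg.wat
+++ b/tests/disas/winch/aarch64/call_indirect/local_arg.wat
@@ -79,7 +79,7 @@
 ;; ldur x2, [x2, #0x30]
 ;; mov x4, x2
 ;; add x2, x2, x16, uxtx
-;; cmp w1, w3, uxtx
+;; cmp x1, x3, uxtx
 ;; csel x2, x4, x2, hs
 ;; ldur x0, [x2]
 ;; tst x0, x0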

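--- a/tests/disas/winch/x64/call_indirect/call_indirect.wat
+++ b/tests/disas/winch/x64/call_indirect/call_indirect.wat
@@ -37,7 +37,7 @@
 ;; movq 0x18(%r11), %r11
 ;; addq $0x30, %r11
 ;; cmpq %rsp, %r11
-;; ja 0x229
+;; ja 0x22b
 ;; 1c: movq %rdi, %r14
 ;; subq $0x20, %rsp
 ;; movq %rdi, 0x18(%rsp)
@@ -50,7 +50,7 @@
 ;; testl %eax, %eax
 ;; je 0x55
 ;; 4b: movl $1, %eax
-;; jmp 0x220
+;; jmp 0x222
 ;; 55: movl 0xc(%rsp), %eax
 ;; subl $2, %eax
 ;; subq $4, %rsp
@@ -59,37 +59,37 @@
 ;; movq %r14, %rdx
 ;; movq 0x38(%rdx), %rbx
 ;; cmpq %rbx, %rcx
-;; jae 0x22b
+;; jae 0x22d
 ;; 7d: movq %rcx, %r11
 ;; imulq $8, %r11, %r11
 ;; movq 0x30(%rdx), %rdx
 ;; movq %rdx, %rsi
 ;; addq %r11, %rdx
-;; cmpl %ebx, %ecx
+;; cmpq %rbx, %rcx
 ;; cmovaeq %rsi, %rdx
 ;; movq (%rdx), %rax
 ;; testq %rax, %rax
-;; jne 0xdd
-;; a3: subq $4, %rsp
+;; jne 0xde
+;; a4: subq $4, %rsp
 ;; movl %ecx, (%rsp)
 ;; subq $8, %rsp
 ;; movq %r14, %rdi
 ;; movl $0, %esi
 ;; movl 8(%rsp), %edx
-;; callq 0x334
+;; callq 0x336
 ;; addq $8, %rsp
 ;; addq $4, %rsp
 ;; movq 0x1c(%rsp), %r14
-;; jmp 0xe3
-;; dd: andq $0xfffffffffffffffe, %rax
+;; jmp 0xe4
+;; de: andq $0xfffffffffffffffe, %rax
 ;; testq %rax, %rax
-;; je 0x22d
-;; ec: movq 0x28(%r14), %r11
+;; je 0x22f
+;; ed: movq 0x28(%r14), %r11
 ;; movl (%r11), %ecx
 ;; movl 0x10(%rax), %edx
 ;; cmpl %edx, %ecx
-;; jne 0x22f
-;; fe: pushq %rax
+;; jne 0x231
+;; ff: pushq %rax
 ;; popq %rcx
 ;; movq 0x18(%rcx), %r8
 ;; movq 8(%rcx), %rbx
@@ -111,37 +111,37 @@
 ;; movq %r14, %rdx
 ;; movq 0x38(%rdx), %rbx
 ;; cmpq %rbx, %rcx
-;; jae 0x231
-;; 161: movq %rcx, %r11
+;; jae 0x233
+;; 162: movq %rcx, %r11
 ;; imulq $8, %r11, %r11
 ;; movq 0x30(%rdx), %rdx
 ;; movq %rdx, %rsi
 ;; addq %r11, %rdx
-;; cmpl %ebx, %ecx
+;; cmpq %rbx, %rcx
 ;; cmovaeq %rsi, %rdx
 ;; movq (%rdx), %rax
 ;; testq %rax, %rax
-;; jne 0x1c1
-;; 187: subq $4, %rsp
+;; jne 0x1c3
+;; 189: subq $4, %rsp
 ;; movl %ecx, (%rsp)
 ;; subq $4, %rsp
 ;; movq %r14, %rdi
 ;; movl $0, %esi
 ;; movl 4(%rsp), %edx
-;; callq 0x334
+;; callq 0x336
 ;; addq $4, %rsp
 ;; addq $4, %rsp
 ;; movq 0x20(%rsp), %r14
-;; jmp 0x1c7
-;; 1c1: andq $0xfffffffffffffffe, %rax
+;; jmp 0x1c9
+;; 1c3: andq $0xfffffffffffffffe, %rax
 ;; testq %rax, %rax
-;; je 0x233
-;; 1d0: movq 0x28(%r14), %r11
+;; je 0x235
+;; 1d2: movq 0x28(%r14), %r11
 ;; movl (%r11), %ecx
 ;; movl 0x10(%rax), %edx
 ;; cmpl %edx, %ecx
-;; jne 0x235
-;; 1e2: pushq %rax
+;; jne 0x237
+;; 1e4: pushq %rax
 ;; popq %rcx
 ;; movq 0x18(%rcx), %r8
 ;; movq 8(%rcx), %rbx
@@ -160,10 +160,10 @@
 ;; addq $0x20, %rsp
 ;; popq %rbp
 ;; retq
-;; 229: ud2
 ;; 22b: ud2
 ;; 22d: ud2
 ;; 22f: ud2
 ;; 231: ud2
 ;; 233: ud2
 ;; 235: ud2
+;; 237: ud2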
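Review bot: Every snapshot in this section pins only the 64-bit form of the fix — the new `cmpq %rbx, %rcx` before `cmovaeq` now mirrors the `cmpq %rbx, %rcx` / `jae` bounds check a few lines earlier — so the other operand width that `bound_size` can select, per the commit description, is not checked by any expectation here. If the suite has (or can express) a table whose bound is 32 bits wide, a disas case for it would show the Spectre-path compare agreeing with its bounds check at that width too; without one, a regression on that path is invisible to these tests. This matters because the conditional move is what clamps the address on the non-speculative path as well, so a width mismatch between the two compares is an observable wrong-element load, not just a weaker mitigation. The remaining differences in this section are offset shifts from the longer encoding and need no review.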

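--- a/tests/disas/winch/x64/call_indirect/local_arg.wat
+++ b/tests/disas/winch/x64/call_indirect/local_arg.wat
@@ -42,7 +42,7 @@
 ;; movq 0x18(%r11), %r11
 ;; addq $0x30, %r11
 ;; cmpq %rsp, %r11
-;; ja 0x156
+;; ja 0x157
 ;; 5c: movq %rdi, %r14
 ;; subq $0x20, %rsp
 ;; movq %rdi, 0x18(%rsp)
@@ -55,37 +55,37 @@
 ;; movq %r14, %rdx
 ;; movq 0x38(%rdx), %rbx
 ;; cmpq %rbx, %rcx
-;; jae 0x158
+;; jae 0x159
 ;; 9e: movq %rcx, %r11
 ;; imulq $8, %r11, %r11
 ;; movq 0x30(%rdx), %rdx
 ;; movq %rdx, %rsi
 ;; addq %r11, %rdx
-;; cmpl %ebx, %ecx
+;; cmpq %rbx, %rcx
 ;; cmovaeq %rsi, %rdx
 ;; movq (%rdx), %rax
 ;; testq %rax, %rax
-;; jne 0xfe
-;; c4: subq $4, %rsp
+;; jne 0xff
+;; c5: subq $4, %rsp
 ;; movl %ecx, (%rsp)
 ;; subq $8, %rsp
 ;; movq %r14, %rdi
 ;; movl $0, %esi
 ;; movl 8(%rsp), %edx
-;; callq 0x31d
+;; callq 0x31e
 ;; addq $8, %rsp
 ;; addq $4, %rsp
 ;; movq 0x1c(%rsp), %r14
-;; jmp 0x104
-;; fe: andq $0xfffffffffffffffe, %rax
+;; jmp 0x105
+;; ff: andq $0xfffffffffffffffe, %rax
 ;; testq %rax, %rax
-;; je 0x15a
-;; 10d: movq 0x28(%r14), %r11
+;; je 0x15b
+;; 10e: movq 0x28(%r14), %r11
 ;; movl (%r11), %ecx
 ;; movl 0x10(%rax), %edx
 ;; cmpl %edx, %ecx
-;; jne 0x15c
-;; 11f: movq 0x18(%rax), %rbx
+;; jne 0x15d
+;; 120: movq 0x18(%rax), %rbx
 ;; movq 8(%rax), %rcx
 ;; subq $0xc, %rsp
 ;; movq %rbx, %rdi
@@ -98,7 +98,7 @@
 ;; addq $0x20, %rsp
 ;; popq %rbp
 ;; retq
-;; 156: ud2
-;; 158: ud2
-;; 15a: ud2
-;; 15c: ud2
+;; 157: ud2
+;; 159: ud2
+;; 15b: ud2
+;; 15d: ud2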

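--- a/tests/disas/winch/x64/table/fill.wat
+++ b/tests/disas/winch/x64/table/fill.wat
@@ -78,7 +78,7 @@
 ;; movq 0x18(%r11), %r11
 ;; addq $0x40, %r11
 ;; cmpq %rsp, %r11
-;; ja 0x1f9
+;; ja 0x1fa
 ;; dc: movq %rdi, %r14
 ;; subq $0x30, %rsp
 ;; movq %rdi, 0x28(%rsp)
@@ -96,29 +96,29 @@
 ;; movq %r14, %rdx
 ;; movq 0x38(%rdx), %rbx
 ;; cmpq %rbx, %rcx
-;; jae 0x1fb
+;; jae 0x1fc
 ;; 138: movq %rcx, %r11
 ;; imulq $8, %r11, %r11
 ;; movq 0x30(%rdx), %rdx
 ;; movq %rdx, %rsi
 ;; addq %r11, %rdx
-;; cmpl %ebx, %ecx
+;; cmpq %rbx, %rcx
 ;; cmovaeq %rsi, %rdx
 ;; movq (%rdx), %rax
 ;; testq %rax, %rax
-;; jne 0x198
-;; 15e: subq $4, %rsp
+;; jne 0x199
+;; 15f: subq $4, %rsp
 ;; movl %ecx, (%rsp)
 ;; subq $0xc, %rsp
 ;; movq %r14, %rdi
 ;; movl $0, %esi
 ;; movl 0xc(%rsp), %edx
-;; callq 0x4e6
+;; callq 0x4e7
 ;; addq $0xc, %rsp
 ;; addq $4, %rsp
 ;; movq 0x28(%rsp), %r14
-;; jmp 0x19e
-;; 198: andq $0xfffffffffffffffe, %rax
+;; jmp 0x19f
+;; 199: andq $0xfffffffffffffffe, %rax
 ;; movq %rax, 0xc(%rsp)
 ;; movl 0x1c(%rsp), %r11d
 ;; subq $4, %rsp
@@ -133,11 +133,11 @@
 ;; movl 0xc(%rsp), %edx
 ;; movq 4(%rsp), %rcx
 ;; movl (%rsp), %r8d
-;; callq 0x511
+;; callq 0x512
 ;; addq $0x10, %rsp
 ;; movq 0x28(%rsp), %r14
 ;; addq $0x30, %rsp
 ;; popq %rbp
 ;; retq
-;; 1f9: ud2
-;; 1fb: ud2
+;; 1fa: ud2
+;; 1fc: ud2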

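--- a/tests/disas/winch/x64/table/get.wat
+++ b/tests/disas/winch/x64/table/get.wat
@@ -34,7 +34,7 @@
 ;; movq 0x18(%r11), %r11
 ;; addq $0x30, %r11
 ;; cmpq %rsp, %r11
-;; ja 0x10d
+;; ja 0x10e
 ;; 5c: movq %rdi, %r14
 ;; subq $0x20, %rsp
 ;; movq %rdi, 0x18(%rsp)
@@ -48,31 +48,31 @@
 ;; movq %r14, %rdx
 ;; movq 0x38(%rdx), %rbx
 ;; cmpq %rbx, %rcx
-;; jae 0x10f
+;; jae 0x110
 ;; 9e: movq %rcx, %r11
 ;; imulq $8, %r11, %r11
 ;; movq 0x30(%rdx), %rdx
 ;; movq %rdx, %rsi
 ;; addq %r11, %rdx
-;; cmpl %ebx, %ecx
+;; cmpq %rbx, %rcx
 ;; cmovaeq %rsi, %rdx
 ;; movq (%rdx), %rax
 ;; testq %rax, %rax
-;; jne 0xfe
-;; c4: subq $4, %rsp
+;; jne 0xff
+;; c5: subq $4, %rsp
 ;; movl %ecx, (%rsp)
 ;; subq $0xc, %rsp
 ;; movq %r14, %rdi
 ;; movl $0, %esi
 ;; movl 0xc(%rsp), %edx
-;; callq 0x2e5
+;; callq 0x2e6
 ;; addq $0xc, %rsp
 ;; addq $4, %rsp
 ;; movq 0x18(%rsp), %r14
-;; jmp 0x104
-;; fe: andq $0xfffffffffffffffe, %rax
+;; jmp 0x105
+;; ff: andq $0xfffffffffffffffe, %rax
 ;; addq $0x20, %rsp
 ;; popq %rbp
 ;; retq
-;; 10d: ud2
-;; 10f: ud2
+;; 10e: ud2
+;; 110: ud2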
