Use movw/movt instead of constant pool on ARMv7

src/arm/assembler-arm-inl.h

 // Copyright (c) 1994-2006 Sun Microsystems Inc.
 // All Rights Reserved.
 //
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions
 // are met:
 //
 // - Redistributions of source code must retain the above copyright notice,
 // this list of conditions and the following disclaimer.
 //
@@ skipping 79 matching lines @@
   if (mode == UPDATE_WRITE_BARRIER && host() != NULL && IsCodeTarget(rmode_)) {
     Object* target_code = Code::GetCodeFromTargetAddress(target);
     host()->GetHeap()->incremental_marking()->RecordWriteIntoCode(
         host(), this, HeapObject::cast(target_code));
   }
 }
 
 
 Object* RelocInfo::target_object() {
   ASSERT(IsCodeTarget(rmode_) || rmode_ == EMBEDDED_OBJECT);
-  return Memory::Object_at(Assembler::target_address_address_at(pc_));
+  return reinterpret_cast<Object*>(Assembler::target_address_at(pc_));
 }
 
 
 Handle<Object> RelocInfo::target_object_handle(Assembler* origin) {
   ASSERT(IsCodeTarget(rmode_) || rmode_ == EMBEDDED_OBJECT);
-  return Memory::Object_Handle_at(Assembler::target_address_address_at(pc_));
+  return Handle<Object>(reinterpret_cast<Object**>(
+      Assembler::target_address_at(pc_)));
 }
 
 
 Object** RelocInfo::target_object_address() {
+  // Provide a "natural pointer" to the embedded object,
+  // which can be de-referenced during heap iteration.
   ASSERT(IsCodeTarget(rmode_) || rmode_ == EMBEDDED_OBJECT);
-  return reinterpret_cast<Object**>(Assembler::target_address_address_at(pc_));
+  reconstructed_obj_ptr_ =
+      reinterpret_cast<Object*>(Assembler::target_address_at(pc_));
+  return &reconstructed_obj_ptr_;
 }
 
 
 void RelocInfo::set_target_object(Object* target, WriteBarrierMode mode) {
   ASSERT(IsCodeTarget(rmode_) || rmode_ == EMBEDDED_OBJECT);
   Assembler::set_target_address_at(pc_, reinterpret_cast<Address>(target));
   if (mode == UPDATE_WRITE_BARRIER &&
       host() != NULL &&
       target->IsHeapObject()) {
     host()->GetHeap()->incremental_marking()->RecordWrite(
         host(), &Memory::Object_at(pc_), HeapObject::cast(target));
   }
 }
 
 
 Address* RelocInfo::target_reference_address() {
   ASSERT(rmode_ == EXTERNAL_REFERENCE);
-  return reinterpret_cast<Address*>(Assembler::target_address_address_at(pc_));
+  reconstructed_adr_ptr_ = Assembler::target_address_at(pc_);
+  return &reconstructed_adr_ptr_;
 }
 
 
 Handle<JSGlobalPropertyCell> RelocInfo::target_cell_handle() {
   ASSERT(rmode_ == RelocInfo::GLOBAL_PROPERTY_CELL);
   Address address = Memory::Address_at(pc_);
   return Handle<JSGlobalPropertyCell>(
       reinterpret_cast<JSGlobalPropertyCell**>(address));
 }
 
@@ skipping 209 matching lines @@
   ASSERT(IsLdrPcImmediateOffset(instr));
   int offset = instr & 0xfff;  // offset_12 is unsigned
   if ((instr & (1 << 23)) == 0) offset = -offset;  // U bit defines offset sign
   // Verify that the constant pool comes after the instruction referencing it.
   ASSERT(offset >= -4);
   return target_pc + offset + 8;
 }
 
 
 Address Assembler::target_address_at(Address pc) {
+  if (IsMovW(Memory::int32_at(pc))) {
+    ASSERT(IsMovT(Memory::int32_at(pc + 4)));

[Please use jfb - chromium.org, 2012/10/10 13:56:52]

+ kInstrSize

[danno, 2012/10/17 10:04:44]

Done.

+    Instruction* instr = Instruction::At(pc);
+    Instruction* next_instr = Instruction::At(pc + 4);

[Please use jfb - chromium.org, 2012/10/10 13:56:52]

+ kInstrSize

[danno, 2012/10/17 10:04:44]

Done.

+    return reinterpret_cast<Address>(
+        (next_instr->ImmedMovwMovtValue() << 16) |
+        instr->ImmedMovwMovtValue());

[Please use jfb - chromium.org, 2012/10/10 13:56:52]

The bottom two bits should be zero, which might be an easy JIT-hardening. If the
bottom bit isn't zero and we pass the address to BX or BLX then we're switching
to Thumb, which is a nice exploit vector.

I'd just & ~3

[danno, 2012/10/17 10:04:44]

Done.

+  }
   return Memory::Address_at(target_address_address_at(pc));
 }
 
 
+Address Assembler::target_address_from_return_address(Address pc) {
+  // Returns the address of the call target from the return address that will
+  // be returned to after a call.
+#ifdef USE_BLX
+  // Call sequence on V7 or later is :
+  //  movw  ip, #... @ call address low 16   
+  //  movt  ip, #... @ call address high 16
+  //  blx   ip
+  //                      @ return address
+  // Or pre v8:

[Please use jfb - chromium.org, 2012/10/10 13:56:52]

Pre v8?

[danno, 2012/10/17 10:04:44]

Done.

+  //  ldr   ip, [pc, #...] @ call address
+  //  blx   ip
+  //                      @ return address
+  Address candidate = pc - 2 * Assembler::kInstrSize;
+  Instr candidate_instr(Memory::int32_at(candidate));
+  if (IsLdrPcImmediateOffset(candidate_instr)) {
+    return candidate;
+  }
+  candidate = pc - 3 * Assembler::kInstrSize;
+  ASSERT(IsMovW(Memory::int32_at(candidate)) &&
+         IsMovT(Memory::int32_at(candidate + 4)));

[Please use jfb - chromium.org, 2012/10/10 13:56:52]

+ kInstrSize

[danno, 2012/10/17 10:04:44]

Done.

+  return candidate;
+#else
+  // Call sequence is:
+  //  mov  lr, pc
+  //  ldr  pc, [pc, #...] @ call address
+  //                      @ return address
+  return pc - kInstrSize;
+#endif
+}
+
+
+Address Assembler::return_address_from_call_start(Address pc) {
+#ifdef USE_BLX
+  if (IsLdrPcImmediateOffset(Memory::int32_at(pc))) {
+    return pc + kInstrSize * 2;
+  } else {
+    ASSERT(IsMovW(Memory::int32_at(pc)));
+    ASSERT(IsMovT(Memory::int32_at(pc+4)));
+    return pc + kInstrSize * 3;
+  }
+#else
+  return pc + kInstrSize;
+#endif
+}
+
+
 void Assembler::deserialization_set_special_target_at(
     Address constant_pool_entry, Address target) {
   Memory::Address_at(constant_pool_entry) = target;
 }
 
 
 void Assembler::set_external_target_at(Address constant_pool_entry,
                                        Address target) {
   Memory::Address_at(constant_pool_entry) = target;
 }
 
 
+static Instr EncodeMovwImmediate(uint32_t immediate) {
+  ASSERT(immediate < 0x10000);
+  return ((immediate & 0xf000) << 4) | (immediate & 0xfff);
+}
+
+
 void Assembler::set_target_address_at(Address pc, Address target) {

[Please use jfb - chromium.org, 2012/10/10 13:56:52]

As noted above:
  target &= ~3;

[danno, 2012/10/17 10:04:44]

Done.

-  Memory::Address_at(target_address_address_at(pc)) = target;
-  // Intuitively, we would think it is necessary to flush the instruction cache
-  // after patching a target address in the code as follows:
-  //   CPU::FlushICache(pc, sizeof(target));
-  // However, on ARM, no instruction was actually patched by the assignment
-  // above; the target address is not part of an instruction, it is patched in
-  // the constant pool and is read via a data access; the instruction accessing
-  // this address in the constant pool remains unchanged.
+  if (IsMovW(Memory::int32_at(pc))) {
+    ASSERT(IsMovT(Memory::int32_at(pc + 4)));

[Please use jfb - chromium.org, 2012/10/10 13:56:52]

+ kInstrSize

[danno, 2012/10/17 10:04:44]

Done.

+    uint32_t* instr_ptr = reinterpret_cast<uint32_t*>(pc);
+    uint32_t immediate = reinterpret_cast<uint32_t>(target);
+    uint32_t intermediate = instr_ptr[0];
+    intermediate &= ~EncodeMovwImmediate(0xFFFF);
+    intermediate |= EncodeMovwImmediate(immediate & 0xFFFF);
+    instr_ptr[0] = intermediate;
+    intermediate = instr_ptr[1];
+    intermediate &= ~EncodeMovwImmediate(0xFFFF);
+    intermediate |= EncodeMovwImmediate(immediate >> 16);
+    instr_ptr[1] = intermediate;
+    ASSERT(IsMovW(Memory::int32_at(pc)));
+    ASSERT(IsMovT(Memory::int32_at(pc + 4)));

[Please use jfb - chromium.org, 2012/10/10 13:56:52]

+ kInstrSize

[danno, 2012/10/17 10:04:44]

Done.

+    CPU::FlushICache(pc, 2 * kInstrSize);
+  } else {
+    Memory::Address_at(target_address_address_at(pc)) = target;
+    // Intuitively, we would think it is necessary to flush the instruction
+    // cache after patching a target address in the code as follows:
+    //   CPU::FlushICache(pc, sizeof(target));
+    // However, on ARM, no instruction was actually patched by the assignment
+    // above; the target address is not part of an instruction, it is patched in
+    // the constant pool and is read via a data access; the instruction
+    // accessing this address in the constant pool remains unchanged.

[Please use jfb - chromium.org, 2012/10/10 13:56:52]

Is this actually true? I can't find a reference to that effect.

[danno, 2012/10/17 10:04:44]

Done.

+  }
 }
 
 } }  // namespace v8::internal
 
 #endif  // V8_ARM_ASSEMBLER_ARM_INL_H_