Fix an array out-of-bound read in the JIT compiler.

Without the fix the compiler is still safe since the offending memory access is a read, though the hoisted distance is non-deterministic. The easiest and safest fix is to unconditionally hoist a load when it can reach the scheduling barrier. BUG: 6300640 Change-Id: Ic83de6dd1e3f602bda6809bfe840db3a097a5176
author: Ben Cheng <bccheng@google.com> 2012-04-13 16:35:41 -0700
committer: Ben Cheng <bccheng@google.com> 2012-04-13 16:35:41 -0700
commit: 513691130f0c1ab94f52127c40d0018bb7dfc529 (patch)
tree: e14a62e1c68be52dfda9fb0a734602870daec6e8
parent: ce6603b52e6b2ef947cb308b1d7157e357bcba02 (diff)
download: dalvik-513691130f0c1ab94f52127c40d0018bb7dfc529.tar.gz
1 files changed, 10 insertions, 4 deletions
diff --git a/vm/compiler/codegen/arm/LocalOptimizations.cpp b/vm/compiler/codegen/arm/LocalOptimizations.cpp
index 98848c775..8013d0059 100644
--- a/vm/compiler/codegen/arm/LocalOptimizations.cpp
+++ b/vm/compiler/codegen/arm/LocalOptimizations.cpp
@@ -400,7 +400,10 @@ static void applyLoadHoisting(CompilationUnit *cUnit,
                 ArmLIR *curLIR = prevInstList[slot];
                 ArmLIR *prevLIR = prevInstList[slot+1];
 
-                /* Check the highest instruction */
+                /*
+                 * Check the highest instruction.
+                 * ENCODE_ALL represents a scheduling barrier.
+                 */
                 if (prevLIR->defMask == ENCODE_ALL) {
                     /*
                      * If the first instruction is a load, don't hoist anything
@@ -408,10 +411,13 @@ static void applyLoadHoisting(CompilationUnit *cUnit,
                      */
                     if (EncodingMap[curLIR->opcode].flags & IS_LOAD) continue;
                     /*
-                     * If the remaining number of slots is less than LD_LATENCY,
-                     * insert the hoisted load here.
+                     * Need to unconditionally break here even if the hoisted
+                     * distance is greater than LD_LATENCY (ie more than enough
+                     * cycles are inserted to hide the load latency) since theu
+                     * subsequent code doesn't expect to compare against a
+                     * pseudo opcode (whose opcode value is negative).
                      */
-                    if (slot < LD_LATENCY) break;
+                    break;
                 }
 
                 /*
author	Ben Cheng <bccheng@google.com>	2012-04-13 16:35:41 -0700
committer	Ben Cheng <bccheng@google.com>	2012-04-13 16:35:41 -0700
commit	513691130f0c1ab94f52127c40d0018bb7dfc529 (patch)
tree	e14a62e1c68be52dfda9fb0a734602870daec6e8
parent	ce6603b52e6b2ef947cb308b1d7157e357bcba02 (diff)
download	dalvik-513691130f0c1ab94f52127c40d0018bb7dfc529.tar.gz