Changeset 189411 in webkit for trunk/Source/JavaScriptCore/jit/JITExceptions.cpp

Timestamp:

Sep 4, 2015, 6:03:45 PM (10 years ago)

Author:

[email protected]

Message:

StackOverflow stack unwinding should stop at native frames.
​https://bugs.webkit.org/show_bug.cgi?id=148749

Reviewed by Michael Saboff.

In the present code, after ping-pong'ing back and forth between native and JS
code a few times, if we have a stack overflow on re-entry into the VM to run
JS code's whose stack frame would overflow the JS stack, the code will end up
unwinding past the native function that is making the call to re-enter the VM.
As a result, any clean up code (e.g. destructors for stack variables) in the
skipped native function frame (and its chain of native function callers) will
not be called.

This patch is based on the Michael Saboff's fix of this issue landed on the
jsc-tailcall branch: ​http://trac.webkit.org/changeset/188555

We now check for the case where there are no JS frames to unwind since the
last native frame, and treat the exception as an unhandled exception. The
native function is responsible for further propagating the exception if needed.

Other supporting work:

1. Remove vm->vmEntryFrameForThrow. It should always be the same as vm->topVMEntryFrame.
2. Change operationThrowStackOverflowError() to use the throwStackOverflowError() helper function instead of rolling its own.
3. In the LLINT vm entry, set vm->topVMEntryFrame as soon as the entry frame is fully initialized (instead of waiting). With this, we can always reliably tell which VMEntryFrame is on top.
4. Added a test that exercises this edge case. The test should not hang or crash.

• API/tests/PingPongStackOverflowTest.cpp: Added.

(PingPongStackOverflowObject_hasInstance):
(testPingPongStackOverflow):

• API/tests/PingPongStackOverflowTest.h: Added.
• API/tests/testapi.c:

(main):

• JavaScriptCore.xcodeproj/project.pbxproj:
• interpreter/Interpreter.cpp:

(JSC::unwindCallFrame):
(JSC::getStackFrameCodeType):
(JSC::UnwindFunctor::UnwindFunctor):
(JSC::UnwindFunctor::operator()):
(JSC::Interpreter::unwind):

• interpreter/Interpreter.h:

(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
(JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
(JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
(JSC::Interpreter::sampler):

• jit/CCallHelpers.h:

(JSC::CCallHelpers::jumpToExceptionHandler):

• jit/JITExceptions.cpp:

(JSC::genericUnwind):

• jit/JITExceptions.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_catch):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_catch):

• jit/JITOperations.cpp:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/VM.h:

(JSC::VM::exceptionOffset):
(JSC::VM::callFrameForThrowOffset):
(JSC::VM::vmEntryFrameForThrowOffset): Deleted.
(JSC::VM::topVMEntryFrameOffset): Deleted.

File:

• trunk/Source/JavaScriptCore/jit/JITExceptions.cpp (modified) (3 diffs)

trunk/Source/JavaScriptCore/jit/JITExceptions.cpp

@@ -41 +41 @@
 namespace JSC {
 
-void genericUnwind(VM* vm, ExecState* callFrame)
+void genericUnwind(VM* vm, ExecState* callFrame, UnwindStart unwindStart)
 {
     if (Options::breakOnThrow()) {
@@ -50 +50 @@
     Exception* exception = vm->exception();
     RELEASE_ASSERT(exception);
-    VMEntryFrame* vmEntryFrame = vm->topVMEntryFrame;
-    HandlerInfo* handler = vm->interpreter->unwind(vmEntryFrame, callFrame, exception); // This may update vmEntryFrame and callFrame.
+    HandlerInfo* handler = vm->interpreter->unwind(*vm, callFrame, exception, unwindStart); // This may update callFrame.
 
     void* catchRoutine;
@@ -65 +64 @@
         catchRoutine = LLInt::getCodePtr(handleUncaughtException);
     
-    vm->vmEntryFrameForThrow = vmEntryFrame;
     vm->callFrameForThrow = callFrame;
     vm->targetMachinePCForThrow = catchRoutine;