Changeset 219885 in webkit for trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.cpp

Timestamp:

Jul 25, 2017, 1:56:04 PM (8 years ago)

Author:

[email protected]

Message:

Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
​https://bugs.webkit.org/show_bug.cgi?id=174809
<rdar://problem/33504759>

Reviewed by Filip Pizlo.

1. When the probe handler function changes the sp register to point to the region of stack in the middle of the ProbeContext on the stack, there is a bug where the ProbeContext's register values to be restored can be over-written before they can be restored. This is now fixed.

2. Added more robust probe tests for changing the sp register.

3. Made existing probe tests to ensure that probe handlers were actually called.

4. Added some verification to testProbePreservesGPRS().

5. Change all the probe tests to fail early on discovering an error instead of batching till the end of the test. This helps point a finger to the failing issue earlier.

This patch was tested on x86, x86_64, and ARMv7. ARM64 probe code will be fixed
next in ​https://bugs.webkit.org/show_bug.cgi?id=174697.

• assembler/MacroAssemblerARM.cpp:
• assembler/MacroAssemblerARMv7.cpp:
• assembler/MacroAssemblerX86Common.cpp:
• assembler/testmasm.cpp:

(JSC::testProbeReadsArgumentRegisters):
(JSC::testProbeWritesArgumentRegisters):
(JSC::testProbePreservesGPRS):
(JSC::testProbeModifiesStackPointer):
(JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
(JSC::testProbeModifiesStackPointerToNBytesBelowSP):
(JSC::testProbeModifiesProgramCounter):
(JSC::run):

File:

• trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.cpp (modified) (6 diffs)

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.cpp

@@ -172 +172 @@
     //     esp[0 * ptrSize]: eflags
     //     esp[1 * ptrSize]: return address / saved eip
-    //     esp[2 * ptrSize]: probeFunction
-    //     esp[3 * ptrSize]: arg1
+    //     esp[2 * ptrSize]: probe handler function
+    //     esp[3 * ptrSize]: probe arg
     //     esp[4 * ptrSize]: saved eax
     //     esp[5 * ptrSize]: saved esp
@@ -241 +241 @@
     // There are 6 more registers left to restore:
     //     eax, ecx, ebp, esp, eip, and eflags.
-    // We need to handle these last few restores carefully because:
-    //
-    // 1. We need to push the return address on the stack for ret to use.
-    //    That means we need to write to the stack.
-    // 2. The user probe function may have altered the restore value of esp to
-    //    point to the vicinity of one of the restore values for the remaining
-    //    registers left to be restored.
-    //    That means, for requirement 1, we may end up writing over some of the
-    //    restore values. We can check for this, and first copy the restore
-    //    values to a "safe area" on the stack before commencing with the action
-    //    for requirement 1.
-    // 3. For requirement 2, we need to ensure that the "safe area" is
-    //    protected from interrupt handlers overwriting it. Hence, the esp needs
-    //    to be adjusted to include the "safe area" before we start copying the
-    //    the restore values.
-
+
+    // The restoration process at ctiMasmProbeTrampolineEnd below works by popping
+    // 5 words off the stack into eflags, eax, ecx, ebp, and eip. These 5 words need
+    // to be pushed on top of the final esp value so that just by popping the 5 words,
+    // we'll get the esp that the probe wants to set. Let's call this area (for storing
+    // these 5 words) the restore area.
+    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_ESP_OFFSET) "(%ebp), %ecx" "\n"
+    "subl $5 * " STRINGIZE_VALUE_OF(PTR_SIZE) ", %ecx" "\n"
+
+    // ecx now points to the restore area.
+
+    // Before we copy values from the ProbeContext to the restore area, we need to
+    // make sure that the restore area does not overlap any of the values that we'll
+    // be copying from in the ProbeContext. All the restore values to be copied from
+    // comes from offset <= PROBE_CPU_EFLAGS_OFFSET in the ProbeContext.
     "movl %ebp, %eax" "\n"
     "addl $" STRINGIZE_VALUE_OF(PROBE_CPU_EFLAGS_OFFSET) ", %eax" "\n"
-    "cmpl %eax, " STRINGIZE_VALUE_OF(PROBE_CPU_ESP_OFFSET) "(%ebp)" "\n"
+    "cmpl %eax, %ecx" "\n"
     "jg " SYMBOL_STRING(ctiMasmProbeTrampolineEnd) "\n"
 
-    // Locate the "safe area" at 2x sizeof(ProbeContext) below where the new
-    // rsp will be. This time we don't have to 32-byte align it because we're
-    // not using this area to store any xmm regs.
-    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_ESP_OFFSET) "(%ebp), %eax" "\n"
+    // Getting here means that the restore area will overlap the ProbeContext data
+    // that we will need to get the restoration values from. So, let's move that
+    // data to a safe place before we start writing into the restore area.
+    // Let's locate the "safe area" at 2x sizeof(ProbeContext) below where the
+    // restore area. This ensures that:
+    // 1. The safe area does not overlap the restore area.
+    // 2. The safe area does not overlap the ProbeContext.
+    //    This makes it so that we can use memcpy (does not require memmove) semantics
+    //    to copy the restore values to the safe area.
+    // Note: the safe area does not have to 32-byte align it because we're not using
+    // it to store any xmm regs.
+    "movl %ecx, %eax" "\n"
     "subl $2 * " STRINGIZE_VALUE_OF(PROBE_ALIGNED_SIZE) ", %eax" "\n"
+
+    // eax now points to the safe area.
+
+    // Make sure the stack pointer points to the safe area. This ensures that the
+    // safe area is protected from interrupt handlers overwriting it.
     "movl %eax, %esp" "\n"
 
-    "subl $" STRINGIZE_VALUE_OF(PROBE_CPU_EAX_OFFSET) ", %eax" "\n"
     "movl " STRINGIZE_VALUE_OF(PROBE_CPU_EAX_OFFSET) "(%ebp), %ecx" "\n"
     "movl %ecx, " STRINGIZE_VALUE_OF(PROBE_CPU_EAX_OFFSET) "(%eax)" "\n"
@@ -284 +295 @@
     "movl %eax, %ebp" "\n"
 
+    // We used ecx above as scratch register. Let's restore it to points to the
+    // restore area.
+    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_ESP_OFFSET) "(%ebp), %ecx" "\n"
+    "subl $5 * " STRINGIZE_VALUE_OF(PTR_SIZE) ", %ecx" "\n"
+
+    // ecx now points to the restore area.
+
     SYMBOL_STRING(ctiMasmProbeTrampolineEnd) ":" "\n"
-    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_ESP_OFFSET) "(%ebp), %eax" "\n"
-    "subl $5 * " STRINGIZE_VALUE_OF(PTR_SIZE) ", %eax" "\n"
-    // At this point, %esp should be < %eax.
-
-    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_EFLAGS_OFFSET) "(%ebp), %ecx" "\n"
-    "movl %ecx, 0 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%eax)" "\n"
-    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_EAX_OFFSET) "(%ebp), %ecx" "\n"
-    "movl %ecx, 1 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%eax)" "\n"
-    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_ECX_OFFSET) "(%ebp), %ecx" "\n"
-    "movl %ecx, 2 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%eax)" "\n"
-    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_EBP_OFFSET) "(%ebp), %ecx" "\n"
-    "movl %ecx, 3 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%eax)" "\n"
-    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_EIP_OFFSET) "(%ebp), %ecx" "\n"
-    "movl %ecx, 4 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%eax)" "\n"
-    "movl %eax, %esp" "\n"
-
+
+    // Copy remaining restore values from the ProbeContext to the restore area.
+    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_EFLAGS_OFFSET) "(%ebp), %eax" "\n"
+    "movl %eax, 0 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%ecx)" "\n"
+    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_EAX_OFFSET) "(%ebp), %eax" "\n"
+    "movl %eax, 1 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%ecx)" "\n"
+    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_ECX_OFFSET) "(%ebp), %eax" "\n"
+    "movl %eax, 2 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%ecx)" "\n"
+    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_EBP_OFFSET) "(%ebp), %eax" "\n"
+    "movl %eax, 3 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%ecx)" "\n"
+    "movl " STRINGIZE_VALUE_OF(PROBE_CPU_EIP_OFFSET) "(%ebp), %eax" "\n"
+    "movl %eax, 4 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%ecx)" "\n"
+    "movl %ecx, %esp" "\n"
+
+    // Do the remaining restoration by popping off the restore area.
     "popfd" "\n"
     "popl %eax" "\n"
@@ -322 +339 @@
     //     esp[0 * ptrSize]: rflags
     //     esp[1 * ptrSize]: return address / saved rip
-    //     esp[2 * ptrSize]: probeFunction
-    //     esp[3 * ptrSize]: arg1
+    //     esp[2 * ptrSize]: probe handler function
+    //     esp[3 * ptrSize]: probe arg
     //     esp[4 * ptrSize]: saved rax
     //     esp[5 * ptrSize]: saved rsp
@@ -421 +438 @@
     // There are 6 more registers left to restore:
     //     rax, rcx, rbp, rsp, rip, and rflags.
-    // We need to handle these last few restores carefully because:
-    //
-    // 1. We need to push the return address on the stack for ret to use
-    //    That means we need to write to the stack.
-    // 2. The user probe function may have altered the restore value of esp to
-    //    point to the vicinity of one of the restore values for the remaining
-    //    registers left to be restored.
-    //    That means, for requirement 1, we may end up writing over some of the
-    //    restore values. We can check for this, and first copy the restore
-    //    values to a "safe area" on the stack before commencing with the action
-    //    for requirement 1.
-    // 3. For both requirement 2, we need to ensure that the "safe area" is
-    //    protected from interrupt handlers overwriting it. Hence, the esp needs
-    //    to be adjusted to include the "safe area" before we start copying the
-    //    the restore values.
-
+
+    // The restoration process at ctiMasmProbeTrampolineEnd below works by popping
+    // 5 words off the stack into rflags, rax, rcx, rbp, and rip. These 5 words need
+    // to be pushed on top of the final esp value so that just by popping the 5 words,
+    // we'll get the esp that the probe wants to set. Let's call this area (for storing
+    // these 5 words) the restore area.
+    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_ESP_OFFSET) "(%rbp), %rcx" "\n"
+    "subq $5 * " STRINGIZE_VALUE_OF(PTR_SIZE) ", %rcx" "\n"
+
+    // rcx now points to the restore area.
+
+    // Before we copy values from the ProbeContext to the restore area, we need to
+    // make sure that the restore area does not overlap any of the values that we'll
+    // be copying from in the ProbeContext. All the restore values to be copied from
+    // comes from offset <= PROBE_CPU_EFLAGS_OFFSET in the ProbeContext.
     "movq %rbp, %rax" "\n"
     "addq $" STRINGIZE_VALUE_OF(PROBE_CPU_EFLAGS_OFFSET) ", %rax" "\n"
-    "cmpq %rax, " STRINGIZE_VALUE_OF(PROBE_CPU_ESP_OFFSET) "(%rbp)" "\n"
+    "cmpq %rax, %rcx" "\n"
     "jg " SYMBOL_STRING(ctiMasmProbeTrampolineEnd) "\n"
 
-    // Locate the "safe area" at 2x sizeof(ProbeContext) below where the new
-    // rsp will be. This time we don't have to 32-byte align it because we're
-    // not using to store any xmm regs.
-    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_ESP_OFFSET) "(%rbp), %rax" "\n"
+    // Getting here means that the restore area will overlap the ProbeContext data
+    // that we will need to get the restoration values from. So, let's move that
+    // data to a safe place before we start writing into the restore area.
+    // Let's locate the "safe area" at 2x sizeof(ProbeContext) below where the
+    // restore area. This ensures that:
+    // 1. The safe area does not overlap the restore area.
+    // 2. The safe area does not overlap the ProbeContext.
+    //    This makes it so that we can use memcpy (does not require memmove) semantics
+    //    to copy the restore values to the safe area.
+    // Note: the safe area does not have to 32-byte align it because we're not using
+    // it to store any xmm regs.
+    "movq %rcx, %rax" "\n"
     "subq $2 * " STRINGIZE_VALUE_OF(PROBE_ALIGNED_SIZE) ", %rax" "\n"
+
+    // rax now points to the safe area.
+
+    // Make sure the stack pointer points to the safe area. This ensures that the
+    // safe area is protected from interrupt handlers overwriting it.
     "movq %rax, %rsp" "\n"
 
@@ -463 +492 @@
     "movq %rax, %rbp" "\n"
 
+    // We used rcx above as scratch register. Let's restore it to points to the
+    // restore area.
+    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_ESP_OFFSET) "(%rbp), %rcx" "\n"
+    "subq $5 * " STRINGIZE_VALUE_OF(PTR_SIZE) ", %rcx" "\n"
+
+    // rcx now points to the restore area.
+
     SYMBOL_STRING(ctiMasmProbeTrampolineEnd) ":" "\n"
-    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_ESP_OFFSET) "(%rbp), %rax" "\n"
-    "subq $5 * " STRINGIZE_VALUE_OF(PTR_SIZE) ", %rax" "\n"
-    // At this point, %rsp should be < %rax.
-
-    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_EFLAGS_OFFSET) "(%rbp), %rcx" "\n"
-    "movq %rcx, 0 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%rax)" "\n"
-    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_EAX_OFFSET) "(%rbp), %rcx" "\n"
-    "movq %rcx, 1 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%rax)" "\n"
-    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_ECX_OFFSET) "(%rbp), %rcx" "\n"
-    "movq %rcx, 2 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%rax)" "\n"
-    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_EBP_OFFSET) "(%rbp), %rcx" "\n"
-    "movq %rcx, 3 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%rax)" "\n"
-    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_EIP_OFFSET) "(%rbp), %rcx" "\n"
-    "movq %rcx, 4 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%rax)" "\n"
-    "movq %rax, %rsp" "\n"
-
+
+    // Copy remaining restore values from the ProbeContext to the restore area.
+    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_EFLAGS_OFFSET) "(%rbp), %rax" "\n"
+    "movq %rax, 0 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%rcx)" "\n"
+    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_EAX_OFFSET) "(%rbp), %rax" "\n"
+    "movq %rax, 1 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%rcx)" "\n"
+    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_ECX_OFFSET) "(%rbp), %rax" "\n"
+    "movq %rax, 2 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%rcx)" "\n"
+    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_EBP_OFFSET) "(%rbp), %rax" "\n"
+    "movq %rax, 3 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%rcx)" "\n"
+    "movq " STRINGIZE_VALUE_OF(PROBE_CPU_EIP_OFFSET) "(%rbp), %rax" "\n"
+    "movq %rax, 4 * " STRINGIZE_VALUE_OF(PTR_SIZE) "(%rcx)" "\n"
+    "movq %rcx, %rsp" "\n"
+
+    // Do the remaining restoration by popping off the restore area.
     "popfq" "\n"
     "popq %rax" "\n"