Changeset 252239 in webkit for trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

Timestamp:

Nov 8, 2019, 8:58:49 AM (6 years ago)

Author:

[email protected]

Message:

Add a stack overflow check in Yarr::ByteCompiler::emitDisjunction().
​https://bugs.webkit.org/show_bug.cgi?id=203936
<rdar://problem/56624724>

Reviewed by Saam Barati.

JSTests:

This issue originally manifested as incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js
failing on iOS devices due to its smaller stack. We adapted the original test
here using $vm.callWithStackSize() to reproduce the issue on x86_64 though it
has a much larger physical stack to work with. This new test will crash while
stepping on the guard page beyond the end of the stack if the fix is not applied.

• stress/stack-overflow-in-yarr-byteCompile.js: Added.

Source/JavaScriptCore:

Basically, any functions below Yarr::ByteCompiler::compile() that recurses need
to check if it's safe to recurse before doing so. This patch adds the stack
checks in Yarr::ByteCompiler::compile() because it is the entry point to this
sub-system, and Yarr::ByteCompiler::emitDisjunction() because it is the only
function that recurses. All other functions called below compile() are either
leaf functions or have shallow stack usage. Hence, their stack needs are covered
by the DefaultReservedZone, and they do not need stack checks.

This patch also does the following:

1. Added $vm.callWithStackSize() which can be used to call a test function near the end of the physical stack. This enables is to simulate the smaller stack size of more resource constrained devices.

$vm.callWithStackSize() uses inline asm to adjust the stack pointer and
does the callback via the JIT probe trampoline.

2. Added the --disableOptionsFreezingForTesting to the jsc shell to make it possible to disable freezing of JSC options. $vm.callWithStackSize() relies on this to modify the VM's stack limits.

3. Removed the inline modifier on VM::updateStackLimits() so that we can call it from $vm.callWithStackSize() as well. It is not a performance critical function and is rarely called.

4. Added a JSDollarVMHelper class that other parts of the system can declare as a friend. This gives $vm a backdoor into the private functions and fields of classes for its debugging work. In this patch, we're only using it to access VM::updateVMStackLimits().

• jsc.cpp:

(CommandLine::parseArguments):

• runtime/VM.cpp:

(JSC::VM::updateStackLimits):

• runtime/VM.h:
• tools/JSDollarVM.cpp:

(JSC::JSDollarVMHelper::JSDollarVMHelper):
(JSC::JSDollarVMHelper::vmStackStart):
(JSC::JSDollarVMHelper::vmStackLimit):
(JSC::JSDollarVMHelper::vmSoftStackLimit):
(JSC::JSDollarVMHelper::updateVMStackLimits):
(JSC::callWithStackSizeProbeFunction):
(JSC::functionCallWithStackSize):
(JSC::JSDollarVM::finishCreation):
(IGNORE_WARNINGS_BEGIN): Deleted.

• yarr/YarrInterpreter.cpp:

(JSC::Yarr::ByteCompiler::compile):
(JSC::Yarr::ByteCompiler::emitDisjunction):
(JSC::Yarr::ByteCompiler::isSafeToRecurse):

Source/WTF:

1. Add a StackCheck utility class so that we don't have to keep reinventing this every time we need to add stack checking somewhere.
2. Rename some arguments and constants in StackBounds to be more descriptive of what they actually are.

• WTF.xcodeproj/project.pbxproj:
• wtf/CMakeLists.txt:
• wtf/StackBounds.h:

(WTF::StackBounds::recursionLimit const):

• wtf/StackCheck.h: Added.

(WTF::StackCheck::StackCheck):
(WTF::StackCheck::isSafeToRecurse):

File:

• trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp (modified) (5 diffs)

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -32 +32 @@
 #include "DOMJITGetterSetter.h"
 #include "Debugger.h"
+#include "Error.h"
 #include "FrameTracers.h"
 #include "FunctionCodeBlock.h"
@@ -44 +45 @@
 #include "Options.h"
 #include "Parser.h"
+#include "ProbeContext.h"
 #include "ShadowChicken.h"
 #include "Snippet.h"
@@ -64 +66 @@
 
 IGNORE_WARNINGS_BEGIN("frame-address")
+
+extern "C" void ctiMasmProbeTrampoline();
+
+namespace JSC {
+
+// This class is only here as a simple way to grant JSDollarVM friend privileges
+// to all the classes that it needs special access to.
+class JSDollarVMHelper {
+public:
+    JSDollarVMHelper(VM& vm)
+        : m_vm(vm)
+    { }
+
+    void updateVMStackLimits() { return m_vm.updateStackLimits(); };
+
+private:
+    VM& m_vm;
+};
+
+} // namespace JSC
 
 namespace {
@@ -1969 +1991 @@
 }
 
+// Calls the specified test function after adjusting the stack to have the specified
+// remaining size from the end of the physical stack.
+// Usage: $vm.callWithStackSize(funcToCall, desiredStackSize)
+//
+// This function will only work in test configurations, specifically, only if JSC
+// options are not frozen. For the jsc shell, the --disableOptionsFreezingForTesting
+// argument needs to be passed in on the command line.
+
+#if ENABLE(MASM_PROBE)
+static void callWithStackSizeProbeFunction(Probe::State* state)
+{
+    JSGlobalObject* globalObject = bitwise_cast<JSGlobalObject*>(state->arg);
+    JSFunction* function = bitwise_cast<JSFunction*>(state->probeFunction);
+    state->initializeStackFunction = nullptr;
+    state->initializeStackArg = nullptr;
+
+    DollarVMAssertScope assertScope;
+    VM& vm = globalObject->vm();
+
+    CallData callData;
+    CallType callType = getCallData(vm, function, callData);
+    MarkedArgumentBuffer args;
+    call(globalObject, function, callType, callData, jsUndefined(), args);
+}
+#endif // ENABLE(MASM_PROBE)
+
+static EncodedJSValue JSC_HOST_CALL functionCallWithStackSize(JSGlobalObject* globalObject, CallFrame* callFrame)
+{
+    DollarVMAssertScope assertScope;
+    VM& vm = globalObject->vm();
+    JSLockHolder lock(vm);
+    auto throwScope = DECLARE_THROW_SCOPE(vm);
+
+#if OS(DARWIN) && CPU(X86_64)
+    constexpr bool isSupportedByPlatform = true;
+#else
+    constexpr bool isSupportedByPlatform = false;
+#endif
+
+    if (!isSupportedByPlatform)
+        return throwVMError(globalObject, throwScope, "Not supported for this platform");
+
+#if ENABLE(MASM_PROBE)
+    if (g_jscConfig.isPermanentlyFrozen || !g_jscConfig.disabledFreezingForTesting)
+        return throwVMError(globalObject, throwScope, "Options are frozen");
+
+    if (callFrame->argumentCount() < 2)
+        return throwVMError(globalObject, throwScope, "Invalid number of arguments");
+    JSValue arg0 = callFrame->argument(0);
+    JSValue arg1 = callFrame->argument(1);
+    if (!arg0.isFunction(vm))
+        return throwVMError(globalObject, throwScope, "arg0 should be a function");
+    if (!arg1.isNumber())
+        return throwVMError(globalObject, throwScope, "arg1 should be a number");
+
+    JSFunction* function = jsCast<JSFunction*>(arg0.toObject(globalObject));
+    size_t desiredStackSize = arg1.asNumber();
+
+    const StackBounds& bounds = Thread::current().stack();
+    uint8_t* currentStackPosition = bitwise_cast<uint8_t*>(currentStackPointer());
+    uint8_t* end = bitwise_cast<uint8_t*>(bounds.end());
+    uint8_t* desiredStart = end + desiredStackSize;
+    if (desiredStart >= currentStackPosition)
+        return throwVMError(globalObject, throwScope, "Unable to setup desired stack size");
+
+    JSDollarVMHelper helper(vm);
+
+    unsigned originalMaxPerThreadStackUsage = Options::maxPerThreadStackUsage();
+    void* originalVMSoftStackLimit = vm.softStackLimit();
+    void* originalVMStackLimit = vm.stackLimit();
+
+    // This is a hack to make the VM think it's stack limits are near the end
+    // of the physical stack.
+    uint8_t* vmStackStart = bitwise_cast<uint8_t*>(vm.stackPointerAtVMEntry());
+    uint8_t* vmStackEnd = vmStackStart - originalMaxPerThreadStackUsage;
+    ptrdiff_t sizeDiff = vmStackEnd - end;
+    RELEASE_ASSERT(sizeDiff >= 0);
+    RELEASE_ASSERT(sizeDiff < UINT_MAX);
+
+    Options::maxPerThreadStackUsage() = originalMaxPerThreadStackUsage + sizeDiff;
+    helper.updateVMStackLimits();
+
+#if OS(DARWIN) && CPU(X86_64)
+    __asm__ volatile (
+        "subq %[sizeDiff], %%rsp" "\n"
+        "pushq %%rax" "\n"
+        "pushq %%rcx" "\n"
+        "pushq %%rdx" "\n"
+        "pushq %%rbx" "\n"
+        "callq *%%rax" "\n"
+        "addq %[sizeDiff], %%rsp" "\n"
+        :
+        : "a" (ctiMasmProbeTrampoline)
+        , "c" (callWithStackSizeProbeFunction)
+        , "d" (function)
+        , "b" (globalObject)
+        , [sizeDiff] "rm" (sizeDiff)
+        : "memory"
+    );
+#else
+    UNUSED_PARAM(function);
+    UNUSED_PARAM(callWithStackSizeProbeFunction);
+#endif // OS(DARWIN) && CPU(X86_64)
+
+    Options::maxPerThreadStackUsage() = originalMaxPerThreadStackUsage;
+    helper.updateVMStackLimits();
+    RELEASE_ASSERT(vm.softStackLimit() == originalVMSoftStackLimit);
+    RELEASE_ASSERT(vm.stackLimit() == originalVMStackLimit);
+
+    return encodedJSUndefined();
+
+#else // not ENABLE(MASM_PROBE)
+    UNUSED_PARAM(callFrame);
+    return throwVMError(globalObject, throwScope, "Not supported for this platform");
+#endif // ENABLE(MASM_PROBE)
+}
+
 // Creates a new global object.
 // Usage: $vm.createGlobalObject()
@@ -2630 +2769 @@
     addFunction(vm, "haveABadTime", functionHaveABadTime, 1);
     addFunction(vm, "isHavingABadTime", functionIsHavingABadTime, 1);
+
+    addFunction(vm, "callWithStackSize", functionCallWithStackSize, 2);
 
     addFunction(vm, "createGlobalObject", functionCreateGlobalObject, 0);