Cherry-pick 259548.25@safari-7615-branch (1a20160). rdar://104692168
    Locals should update max stack size
    rdar://104692168

    Reviewed by Yusuke Suzuki.

    We can forget to update the max stack size, causing an OOB stack read in
    OSR entry. This only happens if you create a bunch of locals and never
    push anything to the stack, so it should be very rare and difficult to
    abuse.

    * JSTests/wasm/stress/many-locals-small-wasm-stack.js: Added.
    (async let):
    * JSTests/wasm/stress/many-locals-small-wasm-stack.wasm: Added.
    * JSTests/wasm/stress/many-locals-small-wasm-stack.wat: Added.
    * Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
    (JSC::Wasm::LLIntGenerator::addLocal):

    Canonical link: https://commits.webkit.org/259548.25@safari-7615-branch
justinmichaud authored and aperezdc committed Apr 1, 2023
1 parent 5751d86 commit c159a14
Showing 4 changed files with 19 additions and 0 deletions.
8 changes: 8 additions & 0 deletions JSTests/wasm/stress/many-locals-small-wasm-stack.js
@@ -0,0 +1,8 @@
//@ skip
// This is an infinite loop, so untill watchdog works we have to skip it.
(async function () {
let bytes = readFile('many-locals-small-wasm-stack.wasm', 'binary');
let importObject = { };
let i = await WebAssembly.instantiate(bytes, importObject);
i.instance.exports.main(0n, 0);
})();
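Review bot: the `//@ skip` on the first line means this test never runs, so the regression it was added for gets no CI coverage; the comment gives the reason (the loop never terminates until the watchdog works), so either bound the loop in the .wat so `main` returns, or leave a FIXME carrying rdar://104692168 next to the skip so it is revisited once the watchdog is in place. Minor: `untill` in the comment should be `until`, and `readFile('many-locals-small-wasm-stack.wasm', 'binary')` is a cwd-relative path, so the test depends on the runner executing it from its own directory.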
Binary file not shown.
9 changes: 9 additions & 0 deletions JSTests/wasm/stress/many-locals-small-wasm-stack.wat
@@ -0,0 +1,9 @@
(module
(global $g (mut i32) (i32.const 0))
(func $fn16 (export "main") (param $p0 i64) (param $p1 f64)
(local $l2 i32) (local $l3 i64) (local $l4 funcref) (local $l5 funcref) (local $l6 funcref) (local $l7 i32) (local $l8 i32) (local $l9 i32) (local $l10 i32) (local $l11 f64) (local $l12 f64) (local $l13 f64) (local $l14 f64) (local $l15 f64) (local $l16 f64) (local $l17 f64) (local $l18 i64) (local $l19 i64) (local $l20 i64) (local $l21 f32) (local $l22 i32) (local $l23 i32) (local $l24 f32) (local $l25 f32) (local $l26 f64) (local $l27 f64) (local $l28 f64) (local $l29 f64) (local $l30 i64) (local $l31 i64) (local $l32 i64) (local $l33 i64) (local $l34 i64)
(loop $L0
br $L0
)
)
)
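Review bot: the .wat carries no comment explaining what makes it a reproducer, so a reader has to recover the intent from the commit message; add a `;;` comment above `$fn16` stating that the 33 locals of mixed types (`$l2` through `$l34`) are what grow the frame while the body `(loop $L0 br $L0)` never pushes an operand, and that the loop exists only to trigger OSR entry. The global `$g` is declared but never referenced, so either drop it or comment why it is there.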
2 changes: 2 additions & 0 deletions Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
@@ -900,6 +900,8 @@ auto LLIntGenerator::addLocal(Type type, uint32_t count) -> PartialResult
m_uninitializedLocals.append(push(NoConsistencyCheck));
} else
m_stackSize += count;
if (m_maxStackSize < m_stackSize)
m_maxStackSize = m_stackSize;
return { };
}

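Review bot: the new `if (m_maxStackSize < m_stackSize)` update is what the `else` path needs, since `m_stackSize += count` grows the stack without going through `push()`, but because the `else` body is a single unbraced statement a reader cannot tell at a glance whether the two added lines sit inside the `else` or after it (the rendered diff gives no indentation to go on); brace the `else` body, or the whole if/else, so the placement is unambiguous. A one-line comment saying that locals occupy slots of the same stack that `m_maxStackSize` sizes, which is why OSR entry could read out of bounds, would also make the update read as intentional rather than redundant with whatever `push()` already does on the other path.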
