From c159a1464000d8e05bf826fd50af0ef25a3bc6cb Mon Sep 17 00:00:00 2001
From: Justin Michaud <justin_michaud@apple.com>
Date: Wed, 1 Feb 2023 13:49:14 -0800
Subject: [PATCH] Cherry-pick 259548.25@safari-7615-branch (1a20160f826c).
 rdar://104692168

    Locals should update max stack size
    rdar://104692168

    Reviewed by Yusuke Suzuki.

    We can forget to update the max stack size, causing an OOB stack read in
    OSR entry. This only happens if you create a bunch of locals and never
    push anything to the stack, so it should be very rare and difficult to
    abuse.

    * JSTests/wasm/stress/many-locals-small-wasm-stack.js: Added.
    (async let):
    * JSTests/wasm/stress/many-locals-small-wasm-stack.wasm: Added.
    * JSTests/wasm/stress/many-locals-small-wasm-stack.wat: Added.
    * Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp:
    (JSC::Wasm::LLIntGenerator::addLocal):

    Canonical link: https://commits.webkit.org/259548.25@safari-7615-branch
---
 .../wasm/stress/many-locals-small-wasm-stack.js    |   8 ++++++++
 .../wasm/stress/many-locals-small-wasm-stack.wasm  | Bin 0 -> 71 bytes
 .../wasm/stress/many-locals-small-wasm-stack.wat   |   9 +++++++++
 Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp  |   2 ++
 4 files changed, 19 insertions(+)
 create mode 100644 JSTests/wasm/stress/many-locals-small-wasm-stack.js
 create mode 100644 JSTests/wasm/stress/many-locals-small-wasm-stack.wasm
 create mode 100644 JSTests/wasm/stress/many-locals-small-wasm-stack.wat

diff --git a/JSTests/wasm/stress/many-locals-small-wasm-stack.js b/JSTests/wasm/stress/many-locals-small-wasm-stack.js
new file mode 100644
index 000000000000..c294d712fc24
--- /dev/null
+++ b/JSTests/wasm/stress/many-locals-small-wasm-stack.js
@@ -0,0 +1,8 @@
+//@ skip
+// This is an infinite loop, so untill watchdog works we have to skip it.
+(async function () {
+  let bytes = readFile('many-locals-small-wasm-stack.wasm', 'binary');
+  let importObject = { };
+  let i = await WebAssembly.instantiate(bytes, importObject);
+  i.instance.exports.main(0n, 0);
+})();
diff --git a/JSTests/wasm/stress/many-locals-small-wasm-stack.wasm b/JSTests/wasm/stress/many-locals-small-wasm-stack.wasm
new file mode 100644
index 0000000000000000000000000000000000000000..7287e941884cea78dc26b2fa15c0c59dd0475b5f
GIT binary patch
literal 71
zcmWN_K@NZ*3<SX47QtA*VEl^wM2;RXCSIX@UFSF`ZzTXmp5hHEM2sBFurxE&a^1kP
WbF)8PpD<EWXO|&8w8`~YVfF!f;tOy9

literal 0
HcmV?d00001

diff --git a/JSTests/wasm/stress/many-locals-small-wasm-stack.wat b/JSTests/wasm/stress/many-locals-small-wasm-stack.wat
new file mode 100644
index 000000000000..2b6b1749ce70
--- /dev/null
+++ b/JSTests/wasm/stress/many-locals-small-wasm-stack.wat
@@ -0,0 +1,9 @@
+(module
+  (global $g (mut i32) (i32.const 0))
+  (func $fn16 (export "main") (param $p0 i64) (param $p1 f64)
+    (local $l2 i32) (local $l3 i64) (local $l4 funcref) (local $l5 funcref) (local $l6 funcref) (local $l7 i32) (local $l8 i32) (local $l9 i32) (local $l10 i32) (local $l11 f64) (local $l12 f64) (local $l13 f64) (local $l14 f64) (local $l15 f64) (local $l16 f64) (local $l17 f64) (local $l18 i64) (local $l19 i64) (local $l20 i64) (local $l21 f32) (local $l22 i32) (local $l23 i32) (local $l24 f32) (local $l25 f32) (local $l26 f64) (local $l27 f64) (local $l28 f64) (local $l29 f64) (local $l30 i64) (local $l31 i64) (local $l32 i64) (local $l33 i64) (local $l34 i64)
+    (loop $L0
+      br $L0
+    )
+  )
+)
diff --git a/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp b/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
index ec53a8a8829e..03fefb7a554d 100644
--- a/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
+++ b/Source/JavaScriptCore/wasm/WasmLLIntGenerator.cpp
@@ -900,6 +900,8 @@ auto LLIntGenerator::addLocal(Type type, uint32_t count) -> PartialResult
             m_uninitializedLocals.append(push(NoConsistencyCheck));
     } else
         m_stackSize += count;
+    if (m_maxStackSize < m_stackSize)
+        m_maxStackSize = m_stackSize;
     return { };
 }