BBQJIT OSR Entry throws stack overflow from invalid frame
https://bugs.webkit.org/show_bug.cgi?id=268424
rdar://121251778

Reviewed by Yusuke Suzuki.

In this test case, we end up in a situation where the current LLInt frame is above the soft stack limit. We then loop OSR entry into BBQ, where we perform a stack check and fail, but before we finish writing the OSR entry buffer into our stack frame. The stack unwinder sees the BBQ callee and we jump to that, but the frame is uninitialized.

The fix is twofold; we first make BBQ crash in this case to avoid a security issue. We do the same for OMG, just in case this bug is exploitable there too. Second, we do a stack check before performing OSR entry, and fail early.

* JSTests/wasm/stress/repro_1289.js: Added.
(debuggingHelper):
(instantiateJsc):
(async let):
* JSTests/wasm/stress/repro_1289.wasm: Added.
* JSTests/wasm/stress/repro_1289.wat: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::stackCheckSize const):
(JSC::Wasm::BBQJIT::addLoopOSREntrypoint):
(JSC::Wasm::parseAndCompileBBQ):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmInstance.h:
(JSC::Wasm::Instance::softStackLimit const):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmOperations.h:
* Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:
(JSC::LLInt::WASM_SLOW_PATH_DECL):
* Source/JavaScriptCore/wasm/WasmThunks.cpp:
(JSC::Wasm::crashDueToBBQStackOverflow):
* Source/JavaScriptCore/wasm/WasmThunks.h:

Originally-landed-as: 272448.466@safari-7618-branch (a08ba6e). rdar://124558656
Canonical link: https://commits.webkit.org/276403@main