[IPInt] Add stack overflow checks

https://bugs.webkit.org/show_bug.cgi?id=269788 Reviewed by Justin Michaud. Right now IPInt doesn't do stack overflow checks. This patch adds them by tracking the stack height after decoding each opcode. This is done by calling `changeStackSize(delta)`. We will validate after each opcode that the stack height matches what the Parser sees on debug builds. Also, this patch removes some IPInt stress tests that take a long time to run. * JSTests/wasm/ipint-tests/ipint-stress-i32.js: Removed. * JSTests/wasm/ipint-tests/ipint-stress-i32.wasm: Removed. * JSTests/wasm/ipint-tests/ipint-stress-lol.js: Removed. * JSTests/wasm/ipint-tests/ipint-test-stress.js: Removed. * Source/JavaScriptCore/llint/InPlaceInterpreter.asm: * Source/JavaScriptCore/wasm/WasmCallee.cpp: (JSC::Wasm::IPIntCallee::IPIntCallee): * Source/JavaScriptCore/wasm/WasmCallee.h: * Source/JavaScriptCore/wasm/WasmFunctionIPIntMetadataGenerator.h: * Source/JavaScriptCore/wasm/WasmFunctionParser.h: (JSC::Wasm::FunctionParser::getStackHeightInValues const): (JSC::Wasm::FunctionParser::getControlEntryStackHeightInValues const): * Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp: (JSC::Wasm::IPIntControlType::IPIntControlType): (JSC::Wasm::IPIntControlType::stackSize const): (JSC::Wasm::IPIntGenerator::didParseOpcode): (JSC::Wasm::IPIntGenerator::changeStackSize): (JSC::Wasm::IPIntGenerator::addDrop): (JSC::Wasm::IPIntGenerator::addConstant): (JSC::Wasm::IPIntGenerator::addExtractLane): (JSC::Wasm::IPIntGenerator::addRefIsNull): (JSC::Wasm::IPIntGenerator::addRefFunc): (JSC::Wasm::IPIntGenerator::addRefAsNonNull): (JSC::Wasm::IPIntGenerator::addRefEq): (JSC::Wasm::IPIntGenerator::addTableGet): (JSC::Wasm::IPIntGenerator::addTableSet): (JSC::Wasm::IPIntGenerator::addTableInit): (JSC::Wasm::IPIntGenerator::addElemDrop): (JSC::Wasm::IPIntGenerator::addTableSize): (JSC::Wasm::IPIntGenerator::addTableGrow): (JSC::Wasm::IPIntGenerator::addTableFill): (JSC::Wasm::IPIntGenerator::addTableCopy): (JSC::Wasm::IPIntGenerator::addArguments): (JSC::Wasm::IPIntGenerator::addLocal): (JSC::Wasm::IPIntGenerator::getLocal): (JSC::Wasm::IPIntGenerator::setLocal): (JSC::Wasm::IPIntGenerator::getGlobal): (JSC::Wasm::IPIntGenerator::setGlobal): (JSC::Wasm::IPIntGenerator::load): (JSC::Wasm::IPIntGenerator::store): (JSC::Wasm::IPIntGenerator::addGrowMemory): (JSC::Wasm::IPIntGenerator::addCurrentMemory): (JSC::Wasm::IPIntGenerator::addMemoryFill): (JSC::Wasm::IPIntGenerator::addMemoryCopy): (JSC::Wasm::IPIntGenerator::addMemoryInit): (JSC::Wasm::IPIntGenerator::addDataDrop): (JSC::Wasm::IPIntGenerator::atomicLoad): (JSC::Wasm::IPIntGenerator::atomicStore): (JSC::Wasm::IPIntGenerator::atomicBinaryRMW): (JSC::Wasm::IPIntGenerator::atomicCompareExchange): (JSC::Wasm::IPIntGenerator::atomicWait): (JSC::Wasm::IPIntGenerator::atomicNotify): (JSC::Wasm::IPIntGenerator::atomicFence): (JSC::Wasm::IPIntGenerator::addArrayFill): (JSC::Wasm::IPIntGenerator::addArrayCopy): (JSC::Wasm::IPIntGenerator::addArrayInitElem): (JSC::Wasm::IPIntGenerator::addArrayInitData): (JSC::Wasm::IPIntGenerator::addI32Add): (JSC::Wasm::IPIntGenerator::addI64Add): (JSC::Wasm::IPIntGenerator::addI32Sub): (JSC::Wasm::IPIntGenerator::addI64Sub): (JSC::Wasm::IPIntGenerator::addI32Mul): (JSC::Wasm::IPIntGenerator::addI64Mul): (JSC::Wasm::IPIntGenerator::addI32DivS): (JSC::Wasm::IPIntGenerator::addI32DivU): (JSC::Wasm::IPIntGenerator::addI64DivS): (JSC::Wasm::IPIntGenerator::addI64DivU): (JSC::Wasm::IPIntGenerator::addI32RemS): (JSC::Wasm::IPIntGenerator::addI32RemU): (JSC::Wasm::IPIntGenerator::addI64RemS): (JSC::Wasm::IPIntGenerator::addI64RemU): (JSC::Wasm::IPIntGenerator::addI32And): (JSC::Wasm::IPIntGenerator::addI64And): (JSC::Wasm::IPIntGenerator::addI32Xor): (JSC::Wasm::IPIntGenerator::addI64Xor): (JSC::Wasm::IPIntGenerator::addI32Or): (JSC::Wasm::IPIntGenerator::addI64Or): (JSC::Wasm::IPIntGenerator::addI32Shl): (JSC::Wasm::IPIntGenerator::addI32ShrU): (JSC::Wasm::IPIntGenerator::addI32ShrS): (JSC::Wasm::IPIntGenerator::addI64Shl): (JSC::Wasm::IPIntGenerator::addI64ShrU): (JSC::Wasm::IPIntGenerator::addI64ShrS): (JSC::Wasm::IPIntGenerator::addI32Rotl): (JSC::Wasm::IPIntGenerator::addI64Rotl): (JSC::Wasm::IPIntGenerator::addI32Rotr): (JSC::Wasm::IPIntGenerator::addI64Rotr): (JSC::Wasm::IPIntGenerator::addI32Popcnt): (JSC::Wasm::IPIntGenerator::addI64Popcnt): (JSC::Wasm::IPIntGenerator::addI32Clz): (JSC::Wasm::IPIntGenerator::addI64Clz): (JSC::Wasm::IPIntGenerator::addI32Ctz): (JSC::Wasm::IPIntGenerator::addI64Ctz): (JSC::Wasm::IPIntGenerator::addF32Add): (JSC::Wasm::IPIntGenerator::addF64Add): (JSC::Wasm::IPIntGenerator::addF32Sub): (JSC::Wasm::IPIntGenerator::addF64Sub): (JSC::Wasm::IPIntGenerator::addF32Mul): (JSC::Wasm::IPIntGenerator::addF64Mul): (JSC::Wasm::IPIntGenerator::addF32Div): (JSC::Wasm::IPIntGenerator::addF64Div): (JSC::Wasm::IPIntGenerator::addF32Min): (JSC::Wasm::IPIntGenerator::addF32Max): (JSC::Wasm::IPIntGenerator::addF64Min): (JSC::Wasm::IPIntGenerator::addF64Max): (JSC::Wasm::IPIntGenerator::addF32Nearest): (JSC::Wasm::IPIntGenerator::addF64Nearest): (JSC::Wasm::IPIntGenerator::addF32Floor): (JSC::Wasm::IPIntGenerator::addF64Floor): (JSC::Wasm::IPIntGenerator::addF32Ceil): (JSC::Wasm::IPIntGenerator::addF64Ceil): (JSC::Wasm::IPIntGenerator::addF32Copysign): (JSC::Wasm::IPIntGenerator::addF64Copysign): (JSC::Wasm::IPIntGenerator::addF32Sqrt): (JSC::Wasm::IPIntGenerator::addF64Sqrt): (JSC::Wasm::IPIntGenerator::addF32Neg): (JSC::Wasm::IPIntGenerator::addF64Neg): (JSC::Wasm::IPIntGenerator::addF32Abs): (JSC::Wasm::IPIntGenerator::addF64Abs): (JSC::Wasm::IPIntGenerator::addI32Eq): (JSC::Wasm::IPIntGenerator::addI32Ne): (JSC::Wasm::IPIntGenerator::addI32LtS): (JSC::Wasm::IPIntGenerator::addI32LtU): (JSC::Wasm::IPIntGenerator::addI32LeS): (JSC::Wasm::IPIntGenerator::addI32LeU): (JSC::Wasm::IPIntGenerator::addI32GtS): (JSC::Wasm::IPIntGenerator::addI32GtU): (JSC::Wasm::IPIntGenerator::addI32GeU): (JSC::Wasm::IPIntGenerator::addI32GeS): (JSC::Wasm::IPIntGenerator::addI32Eqz): (JSC::Wasm::IPIntGenerator::addI64Eq): (JSC::Wasm::IPIntGenerator::addI64Ne): (JSC::Wasm::IPIntGenerator::addI64GtS): (JSC::Wasm::IPIntGenerator::addI64GtU): (JSC::Wasm::IPIntGenerator::addI64GeS): (JSC::Wasm::IPIntGenerator::addI64GeU): (JSC::Wasm::IPIntGenerator::addI64LtS): (JSC::Wasm::IPIntGenerator::addI64LtU): (JSC::Wasm::IPIntGenerator::addI64LeS): (JSC::Wasm::IPIntGenerator::addI64LeU): (JSC::Wasm::IPIntGenerator::addI64Eqz): (JSC::Wasm::IPIntGenerator::addF32Eq): (JSC::Wasm::IPIntGenerator::addF32Ne): (JSC::Wasm::IPIntGenerator::addF32Lt): (JSC::Wasm::IPIntGenerator::addF32Le): (JSC::Wasm::IPIntGenerator::addF32Gt): (JSC::Wasm::IPIntGenerator::addF32Ge): (JSC::Wasm::IPIntGenerator::addF64Eq): (JSC::Wasm::IPIntGenerator::addF64Ne): (JSC::Wasm::IPIntGenerator::addF64Lt): (JSC::Wasm::IPIntGenerator::addF64Le): (JSC::Wasm::IPIntGenerator::addF64Gt): (JSC::Wasm::IPIntGenerator::addF64Ge): (JSC::Wasm::IPIntGenerator::addI64ExtendSI32): (JSC::Wasm::IPIntGenerator::addI64ExtendUI32): (JSC::Wasm::IPIntGenerator::addI32Extend8S): (JSC::Wasm::IPIntGenerator::addI32Extend16S): (JSC::Wasm::IPIntGenerator::addI64Extend8S): (JSC::Wasm::IPIntGenerator::addI64Extend16S): (JSC::Wasm::IPIntGenerator::addI64Extend32S): (JSC::Wasm::IPIntGenerator::addF64Trunc): (JSC::Wasm::IPIntGenerator::addF32Trunc): (JSC::Wasm::IPIntGenerator::addI32TruncSF64): (JSC::Wasm::IPIntGenerator::addI32TruncSF32): (JSC::Wasm::IPIntGenerator::addI32TruncUF64): (JSC::Wasm::IPIntGenerator::addI32TruncUF32): (JSC::Wasm::IPIntGenerator::addI64TruncSF64): (JSC::Wasm::IPIntGenerator::addI64TruncSF32): (JSC::Wasm::IPIntGenerator::addI64TruncUF64): (JSC::Wasm::IPIntGenerator::addI64TruncUF32): (JSC::Wasm::IPIntGenerator::truncSaturated): (JSC::Wasm::IPIntGenerator::addI32WrapI64): (JSC::Wasm::IPIntGenerator::addF32DemoteF64): (JSC::Wasm::IPIntGenerator::addF64PromoteF32): (JSC::Wasm::IPIntGenerator::addF32ReinterpretI32): (JSC::Wasm::IPIntGenerator::addI32ReinterpretF32): (JSC::Wasm::IPIntGenerator::addF64ReinterpretI64): (JSC::Wasm::IPIntGenerator::addI64ReinterpretF64): (JSC::Wasm::IPIntGenerator::addF32ConvertSI32): (JSC::Wasm::IPIntGenerator::addF32ConvertUI32): (JSC::Wasm::IPIntGenerator::addF32ConvertSI64): (JSC::Wasm::IPIntGenerator::addF32ConvertUI64): (JSC::Wasm::IPIntGenerator::addF64ConvertSI32): (JSC::Wasm::IPIntGenerator::addF64ConvertUI32): (JSC::Wasm::IPIntGenerator::addF64ConvertSI64): (JSC::Wasm::IPIntGenerator::addF64ConvertUI64): (JSC::Wasm::IPIntGenerator::addTopLevel): (JSC::Wasm::IPIntGenerator::addSelect): (JSC::Wasm::IPIntGenerator::addBlock): (JSC::Wasm::IPIntGenerator::addLoop): (JSC::Wasm::IPIntGenerator::addIf): (JSC::Wasm::IPIntGenerator::addElseToUnreachable): (JSC::Wasm::IPIntGenerator::addTry): (JSC::Wasm::IPIntGenerator::convertTryToCatch): (JSC::Wasm::IPIntGenerator::addCatchToUnreachable): (JSC::Wasm::IPIntGenerator::addCatchAllToUnreachable): (JSC::Wasm::IPIntGenerator::addReturn): (JSC::Wasm::IPIntGenerator::addBranch): (JSC::Wasm::IPIntGenerator::addEndToUnreachable): (JSC::Wasm::IPIntGenerator::addCall): (JSC::Wasm::IPIntGenerator::addCallIndirect): (JSC::Wasm::IPIntGenerator::addCallRef): (JSC::Wasm::IPIntGenerator::addUnreachable): (JSC::Wasm::IPIntGenerator::addCrash): (JSC::Wasm::IPIntGenerator::finalize): (JSC::Wasm::IPIntGenerator::addSIMDLoad): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDStore): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDSplat): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDShuffle): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDShift): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDExtmul): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDLoadSplat): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDLoadLane): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDStoreLane): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDLoadExtend): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDLoadPad): Deleted. (JSC::Wasm::IPIntGenerator::addReplaceLane): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDI_V): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDV_V): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDBitwiseSelect): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDRelOp): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDV_VV): Deleted. (JSC::Wasm::IPIntGenerator::addSIMDRelaxedFMA): Deleted. (JSC::Wasm::IPIntGenerator::addRefI31): Deleted. (JSC::Wasm::IPIntGenerator::addI31GetS): Deleted. (JSC::Wasm::IPIntGenerator::addI31GetU): Deleted. (JSC::Wasm::IPIntGenerator::addArrayNew): Deleted. (JSC::Wasm::IPIntGenerator::addArrayNewData): Deleted. (JSC::Wasm::IPIntGenerator::addArrayNewElem): Deleted. (JSC::Wasm::IPIntGenerator::addArrayNewFixed): Deleted. (JSC::Wasm::IPIntGenerator::addArrayNewDefault): Deleted. (JSC::Wasm::IPIntGenerator::addArrayGet): Deleted. (JSC::Wasm::IPIntGenerator::addArraySet): Deleted. (JSC::Wasm::IPIntGenerator::addArrayLen): Deleted. (JSC::Wasm::IPIntGenerator::addStructNew): Deleted. (JSC::Wasm::IPIntGenerator::addStructNewDefault): Deleted. (JSC::Wasm::IPIntGenerator::addStructGet): Deleted. (JSC::Wasm::IPIntGenerator::addStructSet): Deleted. (JSC::Wasm::IPIntGenerator::addRefTest): Deleted. (JSC::Wasm::IPIntGenerator::addRefCast): Deleted. (JSC::Wasm::IPIntGenerator::addAnyConvertExtern): Deleted. (JSC::Wasm::IPIntGenerator::addExternConvertAny): Deleted. (JSC::Wasm::IPIntGenerator::addBranchNull): Deleted. (JSC::Wasm::IPIntGenerator::addBranchCast): Deleted. Canonical link: https://commits.webkit.org/275066@main
WebKit · Feb 20, 2024 · fb47415 · fb47415
1 parent fc6c4eb
commit fb47415
Show file tree

Hide file tree

Showing 10 changed files with 1,121 additions and 513 deletions.
diff --git a/JSTests/wasm/ipint-tests/ipint-stress-i32.js b/JSTests/wasm/ipint-tests/ipint-stress-i32.js
diff --git a/JSTests/wasm/ipint-tests/ipint-stress-i32.wasm b/JSTests/wasm/ipint-tests/ipint-stress-i32.wasm
diff --git a/JSTests/wasm/ipint-tests/ipint-stress-lol.js b/JSTests/wasm/ipint-tests/ipint-stress-lol.js
diff --git a/JSTests/wasm/ipint-tests/ipint-test-stress.js b/JSTests/wasm/ipint-tests/ipint-test-stress.js
diff --git a/Source/JavaScriptCore/llint/InPlaceInterpreter.asm b/Source/JavaScriptCore/llint/InPlaceInterpreter.asm
@@ -438,11 +438,6 @@ end
 # Exception handling
 
 macro ipintException(exception)
-    # move PL, sp
-    # loadi Wasm::IPIntCallee::m_localSizeToAlloc[ws0], PM
-    # mulq SlotSize, PM
-    # addq PM, sp
-    # restoreCallerPCAndCFR()
     storei constexpr Wasm::ExceptionType::%exception%, ArgumentCountIncludingThis + PayloadOffset[cfr]
     jmp _wasm_throw_from_slow_path_trampoline
 end
@@ -624,6 +619,20 @@ elsif X86_64
 end
 end
 
+macro checkStackOverflow(callee, scratch)
+    loadi Wasm::IPIntCallee::m_maxFrameSizeInV128[callee], scratch
+    lshiftp 4, scratch
+    subp cfr, scratch, scratch
+
+    bpa scratch, cfr, .stackOverflow
+    bpbeq Wasm::Instance::m_softStackLimit[wasmInstance], scratch, .stackHeightOK
+
+.stackOverflow:
+    ipintException(StackOverflow)
+
+.stackHeightOK:
+end
+
 global _ipint_entry
 _ipint_entry:
 if WEBASSEMBLY and (ARM64 or ARM64E or X86_64)
@@ -632,6 +641,8 @@ if WEBASSEMBLY and (ARM64 or ARM64E or X86_64)
     storep wasmInstance, CodeBlock[cfr]
     getIPIntCallee()
 
+    checkStackOverflow(ws0, csr3)
+
     # Allocate space for locals and rethrow values
     if ARM64 or ARM64E
         loadpairi Wasm::IPIntCallee::m_localSizeToAlloc[ws0], csr0, csr3
@@ -715,6 +726,8 @@ if WEBASSEMBLY and (ARM64 or ARM64E or X86_64)
     storep wasmInstance, CodeBlock[cfr]
     getIPIntCallee()
 
+    checkStackOverflow(ws0, csr3)
+
     # Allocate space for locals and rethrow values
     if ARM64 or ARM64E
         loadpairi Wasm::IPIntCallee::m_localSizeToAlloc[ws0], csr0, csr3

diff --git a/Source/JavaScriptCore/wasm/WasmCallee.cpp b/Source/JavaScriptCore/wasm/WasmCallee.cpp
@@ -201,6 +201,7 @@ IPIntCallee::IPIntCallee(FunctionIPIntMetadataGenerator& generator, size_t index
     , m_numRethrowSlotsToAlloc(generator.m_numAlignedRethrowSlots)
     , m_numLocals(generator.m_numLocals)
     , m_numArgumentsOnStack(generator.m_numArgumentsOnStack)
+    , m_maxFrameSizeInV128(generator.m_maxFrameSizeInV128)
     , m_tierUpCounter(WTFMove(generator.m_tierUpCounter))
 {
     if (size_t count = generator.m_exceptionHandlers.size()) {

diff --git a/Source/JavaScriptCore/wasm/WasmCallee.h b/Source/JavaScriptCore/wasm/WasmCallee.h
@@ -441,6 +441,7 @@ class IPIntCallee final : public Callee {
     unsigned m_numRethrowSlotsToAlloc;
     unsigned m_numLocals;
     unsigned m_numArgumentsOnStack;
+    unsigned m_maxFrameSizeInV128;
 
     IPIntTierUpCounter m_tierUpCounter;
 };

diff --git a/Source/JavaScriptCore/wasm/WasmFunctionIPIntMetadataGenerator.h b/Source/JavaScriptCore/wasm/WasmFunctionIPIntMetadataGenerator.h
@@ -107,6 +107,7 @@ class FunctionIPIntMetadataGenerator {
     uint32_t m_returnMetadata { 0 };
 
     uint32_t m_bytecodeOffset { 0 };
+    unsigned m_maxFrameSizeInV128 { 0 };
     unsigned m_numLocals { 0 };
     unsigned m_numAlignedRethrowSlots { 0 };
     unsigned m_numArguments { 0 };

diff --git a/Source/JavaScriptCore/wasm/WasmFunctionParser.h b/Source/JavaScriptCore/wasm/WasmFunctionParser.h
@@ -160,7 +160,12 @@ class FunctionParser : public Parser<void>, public FunctionParserTypes<typename
 
     uint32_t getStackHeightInValues() const
     {
-        uint32_t result = m_expressionStack.size();
+        return m_expressionStack.size() + getControlEntryStackHeightInValues();
+    }
+
+    uint32_t getControlEntryStackHeightInValues() const
+    {
+        uint32_t result = 0;
         for (const ControlEntry& entry : m_controlStack)
             result += entry.enclosedExpressionStack.size();
         return result;