Modified: branches/safari-606-branch/Source/_javascript_Core/ChangeLog (234534 => 234535)
--- branches/safari-606-branch/Source/_javascript_Core/ChangeLog 2018-08-03 01:54:15 UTC (rev 234534)
+++ branches/safari-606-branch/Source/_javascript_Core/ChangeLog 2018-08-03 02:10:58 UTC (rev 234535)
@@ -1,3 +1,76 @@
+2018-08-02 Babak Shafiei <[email protected]>
+
+ Cherry-pick r234528. rdar://problem/42883788
+
+ Source/_javascript_Core:
+ Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
+ https://bugs.webkit.org/show_bug.cgi?id=188271
+ <rdar://problem/42850884>
+
+ Reviewed by Michael Saboff.
+
+ This patch defends against the instructionPointer containing garbage bits.
+ See radar for details.
+
+ * runtime/MachineContext.h:
+ (JSC::MachineContext::instructionPointer):
+ * runtime/SamplingProfiler.cpp:
+ (JSC::SamplingProfiler::takeSample):
+ * runtime/VMTraps.cpp:
+ (JSC::SignalContext::SignalContext):
+ (JSC::SignalContext::tryCreate):
+ * tools/CodeProfiling.cpp:
+ (JSC::profilingTimer):
+ * tools/SigillCrashAnalyzer.cpp:
+ (JSC::SignalContext::SignalContext):
+ (JSC::SignalContext::tryCreate):
+ (JSC::SignalContext::dump):
+ (JSC::installCrashHandler):
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::trapHandler):
+
+ Source/WTF:
+ Reading instructionPointer from PlatformRegisters may fail when using pointer tagging
+ https://bugs.webkit.org/show_bug.cgi?id=188271
+ <rdar://problem/42850884>
+
+ Reviewed by Michael Saboff.
+
+ * wtf/PtrTag.h:
+ (WTF::isTaggedWith):
+ (WTF::usesPointerTagging):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234528 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-08-02 Saam Barati <[email protected]>
+
+ Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
+ https://bugs.webkit.org/show_bug.cgi?id=188271
+ <rdar://problem/42850884>
+
+ Reviewed by Michael Saboff.
+
+ This patch defends against the instructionPointer containing garbage bits.
+ See radar for details.
+
+ * runtime/MachineContext.h:
+ (JSC::MachineContext::instructionPointer):
+ * runtime/SamplingProfiler.cpp:
+ (JSC::SamplingProfiler::takeSample):
+ * runtime/VMTraps.cpp:
+ (JSC::SignalContext::SignalContext):
+ (JSC::SignalContext::tryCreate):
+ * tools/CodeProfiling.cpp:
+ (JSC::profilingTimer):
+ * tools/SigillCrashAnalyzer.cpp:
+ (JSC::SignalContext::SignalContext):
+ (JSC::SignalContext::tryCreate):
+ (JSC::SignalContext::dump):
+ (JSC::installCrashHandler):
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::trapHandler):
+
2018-07-26 Babak Shafiei <[email protected]>
Cherry-pick r234269. rdar://problem/42650430
Modified: branches/safari-606-branch/Source/_javascript_Core/runtime/MachineContext.h (234534 => 234535)
--- branches/safari-606-branch/Source/_javascript_Core/runtime/MachineContext.h 2018-08-03 01:54:15 UTC (rev 234534)
+++ branches/safari-606-branch/Source/_javascript_Core/runtime/MachineContext.h 2018-08-03 02:10:58 UTC (rev 234535)
@@ -29,6 +29,7 @@
#include "GPRInfo.h"
#include "LLIntPCRanges.h"
#include "MacroAssemblerCodeRef.h"
+#include <wtf/Optional.h>
#include <wtf/PlatformRegisters.h>
#include <wtf/PointerPreparations.h>
#include <wtf/StdLibExtras.h>
@@ -44,7 +45,7 @@
template<typename T = void*> void setFramePointer(PlatformRegisters&, T);
inline MacroAssemblerCodePtr<CFunctionPtrTag> linkRegister(const PlatformRegisters&);
inline void setLinkRegister(PlatformRegisters&, MacroAssemblerCodePtr<CFunctionPtrTag>);
-inline MacroAssemblerCodePtr<CFunctionPtrTag> instructionPointer(const PlatformRegisters&);
+inline std::optional<MacroAssemblerCodePtr<CFunctionPtrTag>> instructionPointer(const PlatformRegisters&);
inline void setInstructionPointer(PlatformRegisters&, MacroAssemblerCodePtr<CFunctionPtrTag>);
template<size_t N> void*& argumentPointer(PlatformRegisters&);
@@ -431,7 +432,7 @@
}
#endif // !USE(PLATFORM_REGISTERS_WITH_PROFILE)
-inline MacroAssemblerCodePtr<CFunctionPtrTag> instructionPointer(const PlatformRegisters& regs)
+inline std::optional<MacroAssemblerCodePtr<CFunctionPtrTag>> instructionPointer(const PlatformRegisters& regs)
{
#if USE(PLATFORM_REGISTERS_WITH_PROFILE)
void* value = WTF_READ_PLATFORM_REGISTERS_PC_WITH_PROFILE(regs);
@@ -440,7 +441,11 @@
#endif
if (!value)
return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr);
- return MacroAssemblerCodePtr<CFunctionPtrTag>(value);
+ if (!usesPointerTagging())
+ return MacroAssemblerCodePtr<CFunctionPtrTag>(value);
+ if (isTaggedWith(value, CFunctionPtrTag))
+ return MacroAssemblerCodePtr<CFunctionPtrTag>(value);
+ return std::nullopt;
}
inline void setInstructionPointer(PlatformRegisters& regs, MacroAssemblerCodePtr<CFunctionPtrTag> value)
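Review bot: The new std::optional return carries no comment saying when it is empty, and the two outcomes `if (!value) return MacroAssemblerCodePtr<CFunctionPtrTag>(nullptr);` and `return std::nullopt;` are easy to confuse: a null PC register still yields an engaged optional holding a null code pointer, while only a PC that fails `isTaggedWith(value, CFunctionPtrTag)` while `usesPointerTagging()` is true yields nullopt. Suggest a comment above the definition, mirrored on the declaration: `// Returns std::nullopt when pointer tagging is enabled and the PC register does not carry CFunctionPtrTag (its bits cannot be trusted); a null PC is returned as an engaged null code pointer.` Callers therefore cannot use `!result` alone to detect a null PC. The body of instructionPointer begins before the last hunk, so the platform-specific reads of `value` are not visible here.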
Modified: branches/safari-606-branch/Source/_javascript_Core/runtime/SamplingProfiler.cpp (234534 => 234535)
--- branches/safari-606-branch/Source/_javascript_Core/runtime/SamplingProfiler.cpp 2018-08-03 01:54:15 UTC (rev 234534)
+++ branches/safari-606-branch/Source/_javascript_Core/runtime/SamplingProfiler.cpp 2018-08-03 02:10:58 UTC (rev 234535)
@@ -356,7 +356,11 @@
m_jscExecutionThread->getRegisters(registers);
machineFrame = MachineContext::framePointer(registers);
callFrame = static_cast<ExecState*>(machineFrame);
- machinePC = MachineContext::instructionPointer(registers).untaggedExecutableAddress();
+ auto instructionPointer = MachineContext::instructionPointer(registers);
+ if (instructionPointer)
+ machinePC = instructionPointer->untaggedExecutableAddress();
+ else
+ machinePC = nullptr;
llintPC = removeCodePtrTag(MachineContext::llintInstructionPointer(registers));
assertIsNotTagged(machinePC);
}
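Review bot: The else branch `machinePC = nullptr;` folds a PC that failed the tag check into the same value a genuinely null PC produces (MachineContext::instructionPointer returns an engaged null code pointer for a null register), so the rest of takeSample cannot tell a rejected sample from an empty one, while `callFrame` and `llintPC` are still taken from the same register set. If that is intended, a comment should say so: `// A PC that fails the pointer-tag check is treated like a null PC; the frame pointer and LLInt PC are still used.` As a point of style the four-line if/else could be `machinePC = instructionPointer ? instructionPointer->untaggedExecutableAddress() : nullptr;`. takeSample starts and ends outside this hunk.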
Modified: branches/safari-606-branch/Source/_javascript_Core/runtime/VMTraps.cpp (234534 => 234535)
--- branches/safari-606-branch/Source/_javascript_Core/runtime/VMTraps.cpp 2018-08-03 01:54:15 UTC (rev 234534)
+++ branches/safari-606-branch/Source/_javascript_Core/runtime/VMTraps.cpp 2018-08-03 02:10:58 UTC (rev 234535)
@@ -55,13 +55,23 @@
#if ENABLE(SIGNAL_BASED_VM_TRAPS)
struct SignalContext {
- SignalContext(PlatformRegisters& registers)
+private:
+ SignalContext(PlatformRegisters& registers, MacroAssemblerCodePtr<CFunctionPtrTag> trapPC)
: registers(registers)
- , trapPC(MachineContext::instructionPointer(registers))
+ , trapPC(trapPC)
, stackPointer(MachineContext::stackPointer(registers))
, framePointer(MachineContext::framePointer(registers))
{ }
+public:
+ static std::optional<SignalContext> tryCreate(PlatformRegisters& registers)
+ {
+ auto instructionPointer = MachineContext::instructionPointer(registers);
+ if (!instructionPointer)
+ return std::nullopt;
+ return SignalContext(registers, *instructionPointer);
+ }
+
PlatformRegisters& registers;
MacroAssemblerCodePtr<CFunctionPtrTag> trapPC;
void* stackPointer;
@@ -186,9 +196,11 @@
static std::once_flag once;
std::call_once(once, [] {
installSignalHandler(Signal::BadAccess, [] (Signal, SigInfo&, PlatformRegisters& registers) -> SignalAction {
- SignalContext context(registers);
+ auto signalContext = SignalContext::tryCreate(registers);
+ if (!signalContext)
+ return SignalAction::NotHandled;
- void* trapPC = context.trapPC.untaggedExecutableAddress();
+ void* trapPC = signalContext->trapPC.untaggedExecutableAddress();
if (!isJITPC(trapPC))
return SignalAction::NotHandled;
@@ -249,7 +261,9 @@
auto optionalOwnerThread = vm.ownerThread();
if (optionalOwnerThread) {
sendMessage(*optionalOwnerThread.value().get(), [&] (PlatformRegisters& registers) -> void {
- SignalContext context(registers);
+ auto signalContext = SignalContext::tryCreate(registers);
+ if (!signalContext)
+ return;
auto ownerThread = vm.apiLock().ownerThread();
// We can't mess with a thread unless it's the one we suspended.
@@ -257,7 +271,7 @@
return;
Thread& thread = *ownerThread->get();
- vm.traps().tryInstallTrapBreakpoints(context, thread.stack());
+ vm.traps().tryInstallTrapBreakpoints(*signalContext, thread.stack());
});
}
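Review bot: In the sendMessage lambda the new early `return;` after `SignalContext::tryCreate(registers)` fails means tryInstallTrapBreakpoints is silently skipped for that suspension; nothing visible here records the skip, and whether the caller retries is not visible in this hunk, so a trap could go undelivered with no trace. At minimum a comment at the return would make the choice explicit: `// PC register bits are not trusted; do not install trap breakpoints from them.` The BadAccess handler hunk above has the same shape, but returning `SignalAction::NotHandled` is the natural outcome there. The lambda and its enclosing function both extend beyond the hunk.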
Modified: branches/safari-606-branch/Source/_javascript_Core/tools/CodeProfiling.cpp (234534 => 234535)
--- branches/safari-606-branch/Source/_javascript_Core/tools/CodeProfiling.cpp 2018-08-03 01:54:15 UTC (rev 234534)
+++ branches/safari-606-branch/Source/_javascript_Core/tools/CodeProfiling.cpp 2018-08-03 02:10:58 UTC (rev 234535)
@@ -71,9 +71,11 @@
static void profilingTimer(int, siginfo_t*, void* uap)
{
PlatformRegisters& platformRegisters = WTF::registersFromUContext(static_cast<ucontext_t*>(uap));
- CodeProfiling::sample(
- MachineContext::instructionPointer(platformRegisters).untaggedExecutableAddress(),
- reinterpret_cast<void**>(MachineContext::framePointer(platformRegisters)));
+ if (auto instructionPointer = MachineContext::instructionPointer(platformRegisters)) {
+ CodeProfiling::sample(
+ instructionPointer->untaggedExecutableAddress(),
+ reinterpret_cast<void**>(MachineContext::framePointer(platformRegisters)));
+ }
}
#endif
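Review bot: When instructionPointer() returns nullopt, profilingTimer now drops the sample entirely rather than recording it with a null PC, which silently biases the profile toward samples whose PC register passed the tag check; the new `if (auto instructionPointer = ...)` block should say so. Suggested comment above it: `// Skip the sample rather than record an untrusted PC; this undercounts but never misattributes.` The whole function is within the hunk.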
Modified: branches/safari-606-branch/Source/_javascript_Core/tools/SigillCrashAnalyzer.cpp (234534 => 234535)
--- branches/safari-606-branch/Source/_javascript_Core/tools/SigillCrashAnalyzer.cpp 2018-08-03 01:54:15 UTC (rev 234534)
+++ branches/safari-606-branch/Source/_javascript_Core/tools/SigillCrashAnalyzer.cpp 2018-08-03 02:10:58 UTC (rev 234535)
@@ -78,13 +78,23 @@
#endif // USE(OS_LOG)
struct SignalContext {
- SignalContext(PlatformRegisters& registers)
+private:
+ SignalContext(PlatformRegisters& registers, MacroAssemblerCodePtr<CFunctionPtrTag> machinePC)
: registers(registers)
- , machinePC(MachineContext::instructionPointer(registers))
+ , machinePC(machinePC)
, stackPointer(MachineContext::stackPointer(registers))
, framePointer(MachineContext::framePointer(registers))
{ }
+public:
+ static std::optional<SignalContext> tryCreate(PlatformRegisters& registers)
+ {
+ auto instructionPointer = MachineContext::instructionPointer(registers);
+ if (!instructionPointer)
+ return std::nullopt;
+ return SignalContext(registers, *instructionPointer);
+ }
+
void dump()
{
#if CPU(X86_64)
@@ -132,7 +142,7 @@
MachineContext::linkRegister(registers).untaggedExecutableAddress<uint64_t>());
log("sp: %016llx pc: %016llx cpsr: %08x",
MachineContext::stackPointer<uint64_t>(registers),
- MachineContext::instructionPointer(registers).untaggedExecutableAddress<uint64_t>(),
+ machinePC.untaggedExecutableAddress<uint64_t>(),
registers.__cpsr);
#endif
}
@@ -147,14 +157,16 @@
{
#if CPU(X86_64) || CPU(ARM64)
installSignalHandler(Signal::Ill, [] (Signal, SigInfo&, PlatformRegisters& registers) {
- SignalContext context(registers);
-
- void* machinePC = context.machinePC.untaggedExecutableAddress();
+ auto signalContext = SignalContext::tryCreate(registers);
+ if (!signalContext)
+ return SignalAction::NotHandled;
+
+ void* machinePC = signalContext->machinePC.untaggedExecutableAddress();
if (!isJITPC(machinePC))
return SignalAction::NotHandled;
SigillCrashAnalyzer& analyzer = SigillCrashAnalyzer::instance();
- analyzer.analyze(context);
+ analyzer.analyze(*signalContext);
return SignalAction::NotHandled;
});
#endif
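Review bot: The new `return SignalAction::NotHandled;` after a failed `SignalContext::tryCreate(registers)` exits before anything is logged, so a SIGILL whose PC register fails the tag check — plausibly a case a crash analyzer most wants to see — leaves no diagnostic. dump() already emits through `log(...)`; if that facility is usable from the handler as well, a one-liner before the return would preserve the signal: `log("SIGILL: PC register failed pointer-tag check; skipping analysis");`. The dump() change to `machinePC.untaggedExecutableAddress<uint64_t>()` is a good consistency fix, since it prints the PC the context was built from instead of re-reading the register. installCrashHandler begins before this hunk.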
Modified: branches/safari-606-branch/Source/_javascript_Core/wasm/WasmFaultSignalHandler.cpp (234534 => 234535)
--- branches/safari-606-branch/Source/_javascript_Core/wasm/WasmFaultSignalHandler.cpp 2018-08-03 01:54:15 UTC (rev 234534)
+++ branches/safari-606-branch/Source/_javascript_Core/wasm/WasmFaultSignalHandler.cpp 2018-08-03 02:10:58 UTC (rev 234535)
@@ -56,7 +56,10 @@
static SignalAction trapHandler(Signal, SigInfo& sigInfo, PlatformRegisters& context)
{
- void* faultingInstruction = MachineContext::instructionPointer(context).untaggedExecutableAddress();
+ auto instructionPointer = MachineContext::instructionPointer(context);
+ if (!instructionPointer)
+ return SignalAction::NotHandled;
+ void* faultingInstruction = instructionPointer->untaggedExecutableAddress();
dataLogLnIf(WasmFaultSignalHandlerInternal::verbose, "starting handler for fault at: ", RawPointer(faultingInstruction));
dataLogLnIf(WasmFaultSignalHandlerInternal::verbose, "JIT memory start: ", RawPointer(startOfFixedExecutableMemoryPool()), " end: ", RawPointer(endOfFixedExecutableMemoryPool()));
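Review bot: The early `return SignalAction::NotHandled;` sits above the verbose `dataLogLnIf(...)` lines, so a fault whose PC register fails the tag check is dropped without a trace even with verbose logging enabled. Suggest adding, before the return, `dataLogLnIf(WasmFaultSignalHandlerInternal::verbose, "fault PC failed pointer-tag check; not handled");` so the two paths are equally observable. trapHandler continues beyond the hunk.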
Modified: branches/safari-606-branch/Source/WTF/ChangeLog (234534 => 234535)
--- branches/safari-606-branch/Source/WTF/ChangeLog 2018-08-03 01:54:15 UTC (rev 234534)
+++ branches/safari-606-branch/Source/WTF/ChangeLog 2018-08-03 02:10:58 UTC (rev 234535)
@@ -1,3 +1,60 @@
+2018-08-02 Babak Shafiei <[email protected]>
+
+ Cherry-pick r234528. rdar://problem/42883788
+
+ Source/_javascript_Core:
+ Reading instructionPointer from PlatformRegisters may fail when using pointer profiling
+ https://bugs.webkit.org/show_bug.cgi?id=188271
+ <rdar://problem/42850884>
+
+ Reviewed by Michael Saboff.
+
+ This patch defends against the instructionPointer containing garbage bits.
+ See radar for details.
+
+ * runtime/MachineContext.h:
+ (JSC::MachineContext::instructionPointer):
+ * runtime/SamplingProfiler.cpp:
+ (JSC::SamplingProfiler::takeSample):
+ * runtime/VMTraps.cpp:
+ (JSC::SignalContext::SignalContext):
+ (JSC::SignalContext::tryCreate):
+ * tools/CodeProfiling.cpp:
+ (JSC::profilingTimer):
+ * tools/SigillCrashAnalyzer.cpp:
+ (JSC::SignalContext::SignalContext):
+ (JSC::SignalContext::tryCreate):
+ (JSC::SignalContext::dump):
+ (JSC::installCrashHandler):
+ * wasm/WasmFaultSignalHandler.cpp:
+ (JSC::Wasm::trapHandler):
+
+ Source/WTF:
+ Reading instructionPointer from PlatformRegisters may fail when using pointer tagging
+ https://bugs.webkit.org/show_bug.cgi?id=188271
+ <rdar://problem/42850884>
+
+ Reviewed by Michael Saboff.
+
+ * wtf/PtrTag.h:
+ (WTF::isTaggedWith):
+ (WTF::usesPointerTagging):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234528 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-08-02 Saam Barati <[email protected]>
+
+ Reading instructionPointer from PlatformRegisters may fail when using pointer tagging
+ https://bugs.webkit.org/show_bug.cgi?id=188271
+ <rdar://problem/42850884>
+
+ Reviewed by Michael Saboff.
+
+ * wtf/PtrTag.h:
+ (WTF::isTaggedWith):
+ (WTF::usesPointerTagging):
+
2018-07-29 Babak Shafiei <[email protected]>
Cherry-pick r234330. rdar://problem/42721217
Modified: branches/safari-606-branch/Source/WTF/wtf/PtrTag.h (234534 => 234535)
--- branches/safari-606-branch/Source/WTF/wtf/PtrTag.h 2018-08-03 01:54:15 UTC (rev 234534)
+++ branches/safari-606-branch/Source/WTF/wtf/PtrTag.h 2018-08-03 02:10:58 UTC (rev 234535)
@@ -154,9 +154,13 @@
template<typename PtrType> void assertIsTagged(PtrType) { }
template<typename PtrType> void assertIsNullOrTagged(PtrType) { }
+template<typename PtrType> bool isTaggedWith(PtrType, PtrTag) { return false; }
+
template<typename PtrType> void assertIsTaggedWith(PtrType, PtrTag) { }
template<typename PtrType> void assertIsNullOrTaggedWith(PtrType, PtrTag) { }
+inline bool usesPointerTagging() { return false; }
+
#define CALL_WITH_PTRTAG(callInstructionString, targetRegisterString, tag) \
callInstructionString " " targetRegisterString "\n"
@@ -186,5 +190,7 @@
using WTF::assertIsNotTagged;
using WTF::assertIsTagged;
using WTF::assertIsNullOrTagged;
+using WTF::isTaggedWith;
using WTF::assertIsTaggedWith;
using WTF::assertIsNullOrTaggedWith;
+using WTF::usesPointerTagging;
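Review bot: The added `isTaggedWith` stub unconditionally returns false, which is only correct alongside the `usesPointerTagging()` stub also returning false; a caller that checks `isTaggedWith` without first consulting `usesPointerTagging()` would reject every pointer in this configuration (MachineContext::instructionPointer does check first). A comment on the stub would keep that contract visible: `// Pointer tagging is compiled out here; consult usesPointerTagging() before treating a false result as "untagged".` Judging by the neighbouring no-op assert stubs this appears to be the non-tagging branch of the header; the tagging-enabled definitions are outside the hunk.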