Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e0954318753da3a4c14b63c1a20d36a16c1053b2
      
https://github.com/WebKit/WebKit/commit/e0954318753da3a4c14b63c1a20d36a16c1053b2
  Author: Justin Michaud <[email protected]>
  Date:   2024-03-20 (Wed, 20 Mar 2024)

  Changed paths:
    A JSTests/wasm/stress/repro_1289.js
    A JSTests/wasm/stress/repro_1289.wasm
    A JSTests/wasm/stress/repro_1289.wat
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.h
    M Source/JavaScriptCore/wasm/WasmCallee.h
    M Source/JavaScriptCore/wasm/WasmInstance.h
    M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmOperations.cpp
    M Source/JavaScriptCore/wasm/WasmOperations.h
    M Source/JavaScriptCore/wasm/WasmSlowPaths.cpp
    M Source/JavaScriptCore/wasm/WasmThunks.cpp
    M Source/JavaScriptCore/wasm/WasmThunks.h

  Log Message:
  -----------
  BBQJIT OSR Entry throws stack overflow from invalid frame
https://bugs.webkit.org/show_bug.cgi?id=268424
rdar://121251778

Reviewed by Yusuke Suzuki.

In this test case, we end up in a situation where the current LLInt frame is
above the soft stack limit. We then loop osr entry into BBQ, where we
perform a stack check and fail, but before we finish writing the OSR
entry buffer into our stack frame. The stack unwinder sees the BBQ callee
and we jump to that, but the frame is uninitialized.

The fix is twofold; we first make BBQ crash in this case to avoid a
security issue. We do the same for OMG, just in case this bug is
exploitable there too.

Second, we do a stack check before performing OSR entry, and fail early.

* JSTests/wasm/stress/repro_1289.js: Added.
(debuggingHelper):
(instantiateJsc):
(async let):
* JSTests/wasm/stress/repro_1289.wasm: Added.
* JSTests/wasm/stress/repro_1289.wat: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::stackCheckSize const):
(JSC::Wasm::BBQJIT::addLoopOSREntrypoint):
(JSC::Wasm::parseAndCompileBBQ):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmInstance.h:
(JSC::Wasm::Instance::softStackLimit const):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmOperations.h:
* Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:
(JSC::LLInt::WASM_SLOW_PATH_DECL):
* Source/JavaScriptCore/wasm/WasmThunks.cpp:
(JSC::Wasm::crashDueToBBQStackOverflow):
* Source/JavaScriptCore/wasm/WasmThunks.h:

Originally-landed-as: 272448.466@safari-7618-branch (a08ba6e8c208). 
rdar://124558656
Canonical link: https://commits.webkit.org/276403@main
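The ordering problem the commit describes (the frame is already tagged as BBQ-owned when the stack check fails, so the unwinder trusts slots the OSR entry buffer never wrote) can be shown with a small constructed model. This is an added example, not JavaScriptCore code: the Frame/Stack structs, the poison value, `osr_entry_buggy`, `osr_entry_fixed` and `unwind_reads_uninitialized` are hypothetical stand-ins for the LLInt frame, softStackLimit, BBQ's stackCheckSize and the unwinder. The sample stack positions are constructed.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of OSR entry from an interpreter frame into a JIT frame.
 * All names are hypothetical; none of this is JavaScriptCore's code. */
enum Tier { TIER_INTERP = 1, TIER_JIT = 2 };

#define FRAME_SLOTS 4
#define POISON 0xDEADBEEFu      /* marks slots the OSR entry buffer never wrote */

struct Frame {
    enum Tier callee;             /* what the unwinder believes owns this frame */
    uint32_t slots[FRAME_SLOTS];  /* locals the entry buffer must fill in */
};

struct Stack {
    uintptr_t sp;          /* current stack pointer; the stack grows downward */
    uintptr_t soft_limit;  /* model of softStackLimit: sp must stay above it */
};

/* Headroom the JIT frame needs (model of the target tier's stackCheckSize). */
static const uintptr_t JIT_FRAME_SIZE = 256;

static int stack_check(const struct Stack *s, uintptr_t needed) {
    return s->sp >= needed && s->sp - needed >= s->soft_limit;
}

/* Buggy ordering: the frame is claimed by the JIT before its stack check runs,
 * and the check fails before the entry buffer is copied. Returns 0 on overflow. */
static int osr_entry_buggy(struct Frame *f, const struct Stack *s,
                           const uint32_t *entry_buffer) {
    f->callee = TIER_JIT;                       /* unwinder now sees a JIT callee */
    if (!stack_check(s, JIT_FRAME_SIZE))
        return 0;                               /* slots still hold POISON */
    memcpy(f->slots, entry_buffer, sizeof f->slots);
    return 1;
}

/* Fixed ordering: check the JIT's stack requirement before touching the frame,
 * so a failed check leaves the frame owned by the interpreter. */
static int osr_entry_fixed(struct Frame *f, const struct Stack *s,
                           const uint32_t *entry_buffer) {
    if (!stack_check(s, JIT_FRAME_SIZE))
        return 0;                               /* fail early, frame untouched */
    f->callee = TIER_JIT;
    memcpy(f->slots, entry_buffer, sizeof f->slots);
    return 1;
}

/* Model of the unwinder: through a JIT-owned frame it reads the slots it
 * assumes the JIT wrote. Returns 1 if any of them is still POISON. */
static int unwind_reads_uninitialized(const struct Frame *f) {
    if (f->callee != TIER_JIT)
        return 0;                               /* interpreter frame: its own state */
    for (int i = 0; i < FRAME_SLOTS; i++)
        if (f->slots[i] == POISON)
            return 1;
    return 0;
}

typedef int (*entry_fn)(struct Frame *, const struct Stack *, const uint32_t *);

/* Returns 2 if OSR entry succeeded, 1 if it overflowed and left an unsafe
 * frame, 0 if it overflowed and the frame is still safe to unwind. */
static int run(entry_fn entry, uintptr_t headroom) {
    struct Frame f = { .callee = TIER_INTERP };
    for (int i = 0; i < FRAME_SLOTS; i++)
        f.slots[i] = POISON;
    /* Constructed: sp sits `headroom` bytes above the soft limit. */
    struct Stack s = { .sp = 0x10000, .soft_limit = 0x10000 - headroom };
    const uint32_t entry_buffer[FRAME_SLOTS] = { 1, 2, 3, 4 };
    if (entry(&f, &s, entry_buffer))
        return 2;
    return unwind_reads_uninitialized(&f);
}

/* 64 bytes of headroom is less than JIT_FRAME_SIZE: the check must fail. */
int demo_buggy(void)    { return run(osr_entry_buggy, 64); }
int demo_fixed(void)    { return run(osr_entry_fixed, 64); }
/* With 4096 bytes of headroom both orderings enter the JIT normally. */
int demo_headroom(void) { return run(osr_entry_fixed, 4096); }

int main(void) {
    printf("buggy ordering, unwinder reads uninitialized frame: %d\n", demo_buggy());
    printf("fixed ordering, unwinder reads uninitialized frame: %d\n", demo_fixed());
    printf("fixed ordering with headroom, entry succeeded: %d\n", demo_headroom());
    return 0;
}
```

The point of the model is that the stack check alone does not protect the frame; what matters is whether the frame is already marked as the new tier's when the check fails. That is what the second half of the fix (checking before OSR entry) addresses, and why the first half makes a failed check inside BBQ a crash rather than a throw that would hand the unwinder an uninitialized frame.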



_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
