Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 71841d28721fc87b5acfbf3e3fa2a95be3e16877
      
https://github.com/WebKit/WebKit/commit/71841d28721fc87b5acfbf3e3fa2a95be3e16877
  Author: Mark Lam <mark....@apple.com>
  Date:   2025-08-25 (Mon, 25 Aug 2025)

  Changed paths:
    M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

  Log Message:
  -----------
CLoop stack overflow detection code in llint_check_stack_and_vm_traps is incorrect.
https://bugs.webkit.org/show_bug.cgi?id=297868
rdar://159129933

Reviewed by Dan Hecht.

llint_check_stack_and_vm_traps can be called either because a StackOverflow is imminent, or if VMTraps has requested a stop via overloading m_trapAwareSoftStackLimit. This function (previously named llint_stack_check) was previously only called when a StackOverflow is imminent. As a result, the CLoopStack code in there was making such an assumption, but the assumption can now be wrong.

Specifically, the fix entails:

1. Removing `ASSERT(!vm.cloopStack().containsAddress(newTopOfStackRegister));`, which is now wrong because we may enter this code due to a VMTraps-requested stop instead of a StackOverflow. Hence, newTopOfStackRegister is not guaranteed to be outside the bounds of the CLoop stack.

2. If the `(newTopOfStackRegister < reinterpret_cast<Register*>(callFrame))` check fails, we have an imminent stack underflow situation, which we should treat as a StackOverflow. Previously, this code would unconditionally flow into a throw of a StackOverflow error. This is no longer the case. So, we need to explicitly set the imminentOverflowDetected bool to have it handled as a StackOverflow.

This issue was found by the existing testapi test.

* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_check_stack_and_vm_traps):

Canonical link: https://commits.webkit.org/299133@main
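The following is an added example, not code from WebKit or JavaScriptCore, that models the two-entry-reason slow path described in the commit message above: a fast-path stack check that can fail either because the stack really is about to overflow (or underflow) or because VMTraps has raised the soft limit to force a stop. All names here (ModelVM, ModelStack, checkStackAndVMTraps, requestTrapStop and the constants) are assumptions chosen for the illustration; the real CLoop stack, VMTraps and register layout are more involved.

```cpp
// Added example: simplified model of a stack check slow path that can be
// entered for two different reasons. Not JavaScriptCore code; every name
// below is an assumption made for this illustration.
#include <cstddef>
#include <cstdint>

// What the slow path decides to do.
enum class StackCheckResult {
    Continue,           // soft limit tripped but nothing to do: resume execution
    HandleTrap,         // VMTraps asked the interpreter to stop
    ThrowStackOverflow  // genuine overflow, or an underflow treated as overflow
};

// Model of a downward-growing interpreter stack: [limit, base) is the usable range.
struct ModelStack {
    const uint64_t* base;   // highest address; the initial top of stack
    const uint64_t* limit;  // lowest usable address (hard limit)
    bool containsAddress(const uint64_t* p) const { return p >= limit && p < base; }
};

struct ModelVM {
    ModelStack stack;
    // The fast path compares the prospective top of stack against this soft
    // limit. VMTraps "overloads" it by raising it to the stack base, so the
    // very next check fails and drops into the slow path although there is
    // plenty of room left.
    const uint64_t* trapAwareSoftStackLimit;
    bool trapPending;
};

// Build a model VM over a caller-supplied buffer (assumed layout: 8 words of
// red zone below the hard limit, soft limit 8 words above the hard limit).
ModelVM makeModelVM(const uint64_t* buffer, size_t words) {
    ModelVM vm;
    vm.stack.limit = buffer + 8;
    vm.stack.base = buffer + words;
    vm.trapAwareSoftStackLimit = buffer + 16;
    vm.trapPending = false;
    return vm;
}

// Fast-path check an interpreter would perform before pushing a frame.
bool fastPathNeedsSlowPath(const ModelVM& vm, const uint64_t* newTopOfStack) {
    return newTopOfStack < vm.trapAwareSoftStackLimit;
}

// VMTraps requests a stop by raising the soft limit above any reachable top of stack.
void requestTrapStop(ModelVM& vm) {
    vm.trapAwareSoftStackLimit = vm.stack.base;
    vm.trapPending = true;
}

// Slow path written with the two entry reasons in mind:
//  - do NOT assert that newTopOfStack is outside the stack (it is inside when
//    we got here because of a trap request);
//  - a new top at or above the current call frame is an underflow and is
//    handled as a StackOverflow by setting imminentOverflowDetected explicitly.
StackCheckResult checkStackAndVMTraps(const ModelVM& vm,
                                      const uint64_t* callFrame,
                                      const uint64_t* newTopOfStack) {
    bool imminentOverflowDetected = false;

    if (!(newTopOfStack < callFrame)) {
        // Underflow: the prospective top of stack is not below the frame.
        imminentOverflowDetected = true;
    } else if (!vm.stack.containsAddress(newTopOfStack)) {
        // Genuine overflow: the prospective top of stack is below the hard limit.
        imminentOverflowDetected = true;
    }

    if (imminentOverflowDetected)
        return StackCheckResult::ThrowStackOverflow;

    // Otherwise the fast path only tripped because VMTraps raised the soft limit.
    if (vm.trapPending)
        return StackCheckResult::HandleTrap;
    return StackCheckResult::Continue;
}
```

The point the model makes is that an assertion of the form "we are outside the stack" was sound only while overflow was the sole way to reach the slow path; once a second caller reuses the same limit to request a stop, the check has to classify the reason itself rather than assume it.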



_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes