Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 75aed5e343cdfbd4713ff3267d7476a9b884648c
      
https://github.com/WebKit/WebKit/commit/75aed5e343cdfbd4713ff3267d7476a9b884648c
  Author: Mark Lam <mark....@apple.com>
  Date:   2025-10-08 (Wed, 08 Oct 2025)

  Changed paths:
    M Source/JavaScriptCore/bytecode/RepatchInlines.h
    M Source/JavaScriptCore/interpreter/CallFrame.cpp
    M Source/JavaScriptCore/interpreter/CallFrame.h
    M Source/JavaScriptCore/interpreter/CallFrameInlines.h
    M Source/JavaScriptCore/interpreter/StackVisitor.cpp
    M Source/JavaScriptCore/jit/JITOperations.cpp
    M Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
    M Source/JavaScriptCore/runtime/Error.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.h
    M Source/JavaScriptCore/runtime/VMInlines.h

  Log Message:
  -----------
Throwing TerminationException from a function prologue should zombify the top frame.
https://bugs.webkit.org/show_bug.cgi?id=298402
rdar://159864802

Reviewed by Keith Miller and Dan Hecht.

298805@main added the ability to check VMTraps via the stack check mechanism in function prologues. As a result, it is now possible to throw a TerminationException from there.

However, the top CallFrame isn't fully initialized yet at the point of the stack check. During the exception unwinding process and when WebInspector is engaged, ShadowChicken is invoked to track the stack frame changes due to the unwinding. ShadowChicken assumes that the top CallFrame is fully initialized, but it is not (as explained above). As a result, ShadowChicken is sad, and some crashes may ensue.

This same problem already existed with StackOverflowError, which is also thrown from the stack check point in function prologues. However, the issue has already been solved for StackOverflowErrors because stack overflow code will convert the top CallFrame into a "PartiallyInitializedFrame" (with a partiallyInitializedFrameCallee) by calling convertToStackOverflowFrame() on it. StackVisitor already knows to ignore PartiallyInitializedFrames, and that keeps ShadowChicken happy. We just need to make the relevant code that throws the TerminationException there do the same, i.e. convert the top CallFrame to a PartiallyInitializedFrame, and everything will just work.

This patch makes a few additional changes to improve the code:

1. Renamed PartiallyInitializedFrame to ZombieFrame. PartiallyInitializedFrame doesn't really describe the purpose of the frame, i.e. that StackVisitor should ignore this frame. Calling it a ZombieFrame communicates better that the frame is effectively dead, and should not be visited.

   Additionally, the whole reason for needing the conversion is because the top CallFrame is a partially initialized frame to begin with. Calling it a PartiallyInitializedFrame doesn't really communicate that we're converting anything here. ZombieFrame is just a better name as it's clearly distinct from the "partially initialized" state that the frame already is in to begin with.

   Similarly, partiallyInitializedFrameCallee() is renamed to zombieFrameCallee(). isPartiallyInitializedFrame() is renamed to isZombieFrame().

2. Renamed convertToStackOverflowFrame() to convertToZombieFrame(). As a name, convertToStackOverflowFrame() used to make some sense back when the only reason a ZombieFrame can be produced was due to a StackOverflow. That is now no longer the case. So, calling it convertToZombieFrame() communicates better its intent, and does not inaccurately tie it to StackOverflows.

3. Fixed an ASSERT in operationLookupExceptionHandlerFromCallerFrame() that was assuming that it will only be called for StackOverflowErrors. While this is still currently true (because JIT stack checks still don't check VMTraps yet), eventually this ASSERT will be inaccurate. So, we're preemptively updating it to allow the TerminationException as well.

This issue was found by random failures in pre-existing tests under LayoutTests/inspector/worker due to workers being terminated. Hence, existing tests already cover this issue.

* Source/JavaScriptCore/bytecode/RepatchInlines.h:
(JSC::handleHostCall):
(JSC::linkFor):
(JSC::virtualForWithFunction):
* Source/JavaScriptCore/interpreter/CallFrame.cpp:
(JSC::CallFrame::convertToZombieFrame):
(JSC::CallFrame::convertToStackOverflowFrame): Deleted.
* Source/JavaScriptCore/interpreter/CallFrame.h:
* Source/JavaScriptCore/interpreter/CallFrameInlines.h:
(JSC::CallFrame::isZombieFrame const):
(JSC::CallFrame::isPartiallyInitializedFrame const): Deleted.
* Source/JavaScriptCore/interpreter/StackVisitor.cpp:
(JSC::StackVisitor::StackVisitor):
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::ICSlowPathCallFrameTracer::ICSlowPathCallFrameTracer):
(JSC::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
* Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_check_stack_and_vm_traps):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* Source/JavaScriptCore/runtime/Error.cpp:
(JSC::getBytecodeIndex):
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildrenImpl):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::zombieFrameCallee const):
(JSC::JSGlobalObject::partiallyInitializedFrameCallee const): Deleted.
* Source/JavaScriptCore/runtime/VMInlines.h:
(JSC::VM::topJSCallFrame const):

Canonical link: https://commits.webkit.org/301218@main
