Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 84c4c7bf347e4984a6ab69abf2a384dbc6d25267
https://github.com/WebKit/WebKit/commit/84c4c7bf347e4984a6ab69abf2a384dbc6d25267
Author: Vassili Bykov <[email protected]>
Date: 2026-05-05 (Tue, 05 May 2026)
Changed paths:
M Source/JavaScriptCore/llint/InPlaceInterpreter.asm
M Source/JavaScriptCore/runtime/PinballCompletion.cpp
M Source/JavaScriptCore/runtime/PinballHandlerContext.h
Log Message:
-----------
[JSC][JSPI] Throw on stack overflow instead of crashing
https://bugs.webkit.org/show_bug.cgi?id=307563
rdar://170647866
Reviewed by Yusuke Suzuki.
If the fulfillment or the rejection handler of a suspending promise tries to implant an evacuated stack slice, and the slice is larger than the available room on the stack, the existing implementation crashes.

Currently such a crash is impossible in practice because the main event loop and microtasks use the same stack, and a microtask starts with a nearly empty stack. If a stack slice previously was able to fit the main event loop stack, it should be able to fit a microtask stack now. But it's still better to handle this gracefully, in case something changes in the future.

This patch adds logic to throw a stack overflow error instead of crashing.

Key changes:
- The code that allocates stack space for the slice about to be implanted checks for stack overflow as before, but if an overflow is detected, instead of crashing it sets a flag in the current PinballHandlerContext to indicate that a stack overflow was detected and then returns to the caller.
- Promise resolution handlers check that flag after trying to execute or unwind the evacuated slice. If the flag is set, they call to C++ code to throw the stack overflow error.
- Renamed top-level local labels in .asm code to avoid potential future name conflicts.

Testing:
- Regression-tested by existing tests.
- The actual stack-overflow-throwing logic can't directly be tested by a stress test. As explained above, we can't in plain .js code create a situation in which a suspended stack fits the stack before evacuation, but is too large to fit the stack later in the microtask which implants it. I tested the throwing logic manually by instrumenting the handler code to move SP way down before trying to implant the slice, and verifying that the stack overflow error is thrown as expected.
* Source/JavaScriptCore/llint/InPlaceInterpreter.asm:
* Source/JavaScriptCore/runtime/PinballCompletion.cpp:
(JSC::pinballHandlerRejectWithStackOverflow):
* Source/JavaScriptCore/runtime/PinballHandlerContext.h:
Canonical link: https://commits.webkit.org/312623@main
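The control flow the commit message describes (check the room before implanting, record the overflow in the handler context and return, let the handler consult the flag and throw) as a self-contained model. This is an added example, not JavaScriptCore's code: the HandlerContext struct, the SimStack byte-vector stack, the function names and the error message text are all assumptions made for the illustration, and the real PinballHandlerContext, InPlaceInterpreter.asm and pinballHandlerRejectWithStackOverflow are not reproduced here.

```cpp
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for the per-handler context named in the commit
// message; the real PinballHandlerContext layout is not shown on this page.
struct HandlerContext {
    bool stackOverflowDetected = false;
};

// Simulated downward-growing machine stack: `sp` is the byte offset of the
// stack pointer inside `storage`; offset 0 is the stack limit.
struct SimStack {
    std::vector<unsigned char> storage;
    std::size_t sp;
    SimStack(std::size_t size, std::size_t bytesInUse)
        : storage(size), sp(size - bytesInUse) {}
    std::size_t available() const { return sp; }
};

// Evacuate `bytes` bytes from the top of the stack into a heap-held slice
// (the suspended frames of a promise in the real engine).
std::vector<unsigned char> evacuateSlice(SimStack& stack, std::size_t bytes) {
    std::vector<unsigned char> slice(stack.storage.begin() + stack.sp,
                                     stack.storage.begin() + stack.sp + bytes);
    stack.sp += bytes;
    return slice;
}

// Implant a slice. Assumed behaviour matching the commit description: check
// the room as before, but on overflow set the context flag and return to the
// caller instead of crashing. Nothing is written to the stack on that path.
bool implantSlice(SimStack& stack, HandlerContext& ctx,
                  const std::vector<unsigned char>& slice) {
    if (slice.size() > stack.available()) {
        ctx.stackOverflowDetected = true;
        return false;
    }
    stack.sp -= slice.size();
    std::memcpy(stack.storage.data() + stack.sp, slice.data(), slice.size());
    return true;
}

struct StackOverflowError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// A resolution handler: attempt the implant, then consult the flag and throw.
// The error text is assumed for the example.
void runResolutionHandler(SimStack& stack, HandlerContext& ctx,
                          const std::vector<unsigned char>& slice) {
    implantSlice(stack, ctx, slice);
    if (ctx.stackOverflowDetected)
        throw StackOverflowError("RangeError: Maximum call stack size exceeded.");
}

// Scenario driver: a slice of `sliceBytes` is evacuated from a stack that had
// room for it, then a handler runs with `bytesInUseAtHandler` already on the
// stack and tries to implant it. Returns "implanted" or the thrown message.
std::string resolveOutcome(std::size_t stackSize, std::size_t sliceBytes,
                           std::size_t bytesInUseAtHandler) {
    SimStack stack(stackSize, sliceBytes); // slice currently lives on the stack
    std::vector<unsigned char> slice = evacuateSlice(stack, sliceBytes);
    SimStack handlerStack(stackSize, bytesInUseAtHandler);
    HandlerContext ctx;
    try {
        runResolutionHandler(handlerStack, ctx, slice);
    } catch (const StackOverflowError& e) {
        return e.what();
    }
    return "implanted";
}

int main() {
    // Microtask starts nearly empty: the slice fits.
    resolveOutcome(4096, 1024, 64);
    // Handler runs with most of the stack consumed (what the manual test
    // simulated by moving SP down): throws instead of crashing.
    resolveOutcome(4096, 1024, 3500);
    return 0;
}
```

The point worth checking in a model like this is the failure path: the overflow must be reported without any partial copy onto the stack, and the handler must read the flag only after the implant attempt, since that is where the real change moved the decision from a crash to a thrown error.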