[webkit-changes] [WebKit/WebKit] fb4741: [IPInt] Add stack overflow checks

Keith Miller noreply at github.com
Tue Feb 20 13:19:33 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: fb47415c1ad4bfc008367fffe637384f93757531
      https://github.com/WebKit/WebKit/commit/fb47415c1ad4bfc008367fffe637384f93757531
  Author: Keith Miller <keith_miller at apple.com>
  Date:   2024-02-20 (Tue, 20 Feb 2024)

  Changed paths:
    R JSTests/wasm/ipint-tests/ipint-stress-i32.js
    R JSTests/wasm/ipint-tests/ipint-stress-i32.wasm
    R JSTests/wasm/ipint-tests/ipint-stress-lol.js
    R JSTests/wasm/ipint-tests/ipint-test-stress.js
    M Source/JavaScriptCore/llint/InPlaceInterpreter.asm
    M Source/JavaScriptCore/wasm/WasmCallee.cpp
    M Source/JavaScriptCore/wasm/WasmCallee.h
    M Source/JavaScriptCore/wasm/WasmFunctionIPIntMetadataGenerator.h
    M Source/JavaScriptCore/wasm/WasmFunctionParser.h
    M Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp

  Log Message:
  -----------
  [IPInt] Add stack overflow checks
https://bugs.webkit.org/show_bug.cgi?id=269788

Reviewed by Justin Michaud.

Right now IPInt doesn't do stack overflow checks. This patch adds them by tracking the
stack height after decoding each opcode. This is done by calling `changeStackSize(delta)`.
We will validate after each opcode that the stack height matches what the Parser sees on
debug builds.

Also, this patch removes some IPInt stress tests that take a long time to run.

* JSTests/wasm/ipint-tests/ipint-stress-i32.js: Removed.
* JSTests/wasm/ipint-tests/ipint-stress-i32.wasm: Removed.
* JSTests/wasm/ipint-tests/ipint-stress-lol.js: Removed.
* JSTests/wasm/ipint-tests/ipint-test-stress.js: Removed.
* Source/JavaScriptCore/llint/InPlaceInterpreter.asm:
* Source/JavaScriptCore/wasm/WasmCallee.cpp:
(JSC::Wasm::IPIntCallee::IPIntCallee):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmFunctionIPIntMetadataGenerator.h:
* Source/JavaScriptCore/wasm/WasmFunctionParser.h:
(JSC::Wasm::FunctionParser::getStackHeightInValues const):
(JSC::Wasm::FunctionParser::getControlEntryStackHeightInValues const):
* Source/JavaScriptCore/wasm/WasmIPIntGenerator.cpp:
(JSC::Wasm::IPIntControlType::IPIntControlType):
(JSC::Wasm::IPIntControlType::stackSize const):
(JSC::Wasm::IPIntGenerator::didParseOpcode):
(JSC::Wasm::IPIntGenerator::changeStackSize):
(JSC::Wasm::IPIntGenerator::addDrop):
(JSC::Wasm::IPIntGenerator::addConstant):
(JSC::Wasm::IPIntGenerator::addExtractLane):
(JSC::Wasm::IPIntGenerator::addRefIsNull):
(JSC::Wasm::IPIntGenerator::addRefFunc):
(JSC::Wasm::IPIntGenerator::addRefAsNonNull):
(JSC::Wasm::IPIntGenerator::addRefEq):
(JSC::Wasm::IPIntGenerator::addTableGet):
(JSC::Wasm::IPIntGenerator::addTableSet):
(JSC::Wasm::IPIntGenerator::addTableInit):
(JSC::Wasm::IPIntGenerator::addElemDrop):
(JSC::Wasm::IPIntGenerator::addTableSize):
(JSC::Wasm::IPIntGenerator::addTableGrow):
(JSC::Wasm::IPIntGenerator::addTableFill):
(JSC::Wasm::IPIntGenerator::addTableCopy):
(JSC::Wasm::IPIntGenerator::addArguments):
(JSC::Wasm::IPIntGenerator::addLocal):
(JSC::Wasm::IPIntGenerator::getLocal):
(JSC::Wasm::IPIntGenerator::setLocal):
(JSC::Wasm::IPIntGenerator::getGlobal):
(JSC::Wasm::IPIntGenerator::setGlobal):
(JSC::Wasm::IPIntGenerator::load):
(JSC::Wasm::IPIntGenerator::store):
(JSC::Wasm::IPIntGenerator::addGrowMemory):
(JSC::Wasm::IPIntGenerator::addCurrentMemory):
(JSC::Wasm::IPIntGenerator::addMemoryFill):
(JSC::Wasm::IPIntGenerator::addMemoryCopy):
(JSC::Wasm::IPIntGenerator::addMemoryInit):
(JSC::Wasm::IPIntGenerator::addDataDrop):
(JSC::Wasm::IPIntGenerator::atomicLoad):
(JSC::Wasm::IPIntGenerator::atomicStore):
(JSC::Wasm::IPIntGenerator::atomicBinaryRMW):
(JSC::Wasm::IPIntGenerator::atomicCompareExchange):
(JSC::Wasm::IPIntGenerator::atomicWait):
(JSC::Wasm::IPIntGenerator::atomicNotify):
(JSC::Wasm::IPIntGenerator::atomicFence):
(JSC::Wasm::IPIntGenerator::addArrayFill):
(JSC::Wasm::IPIntGenerator::addArrayCopy):
(JSC::Wasm::IPIntGenerator::addArrayInitElem):
(JSC::Wasm::IPIntGenerator::addArrayInitData):
(JSC::Wasm::IPIntGenerator::addI32Add):
(JSC::Wasm::IPIntGenerator::addI64Add):
(JSC::Wasm::IPIntGenerator::addI32Sub):
(JSC::Wasm::IPIntGenerator::addI64Sub):
(JSC::Wasm::IPIntGenerator::addI32Mul):
(JSC::Wasm::IPIntGenerator::addI64Mul):
(JSC::Wasm::IPIntGenerator::addI32DivS):
(JSC::Wasm::IPIntGenerator::addI32DivU):
(JSC::Wasm::IPIntGenerator::addI64DivS):
(JSC::Wasm::IPIntGenerator::addI64DivU):
(JSC::Wasm::IPIntGenerator::addI32RemS):
(JSC::Wasm::IPIntGenerator::addI32RemU):
(JSC::Wasm::IPIntGenerator::addI64RemS):
(JSC::Wasm::IPIntGenerator::addI64RemU):
(JSC::Wasm::IPIntGenerator::addI32And):
(JSC::Wasm::IPIntGenerator::addI64And):
(JSC::Wasm::IPIntGenerator::addI32Xor):
(JSC::Wasm::IPIntGenerator::addI64Xor):
(JSC::Wasm::IPIntGenerator::addI32Or):
(JSC::Wasm::IPIntGenerator::addI64Or):
(JSC::Wasm::IPIntGenerator::addI32Shl):
(JSC::Wasm::IPIntGenerator::addI32ShrU):
(JSC::Wasm::IPIntGenerator::addI32ShrS):
(JSC::Wasm::IPIntGenerator::addI64Shl):
(JSC::Wasm::IPIntGenerator::addI64ShrU):
(JSC::Wasm::IPIntGenerator::addI64ShrS):
(JSC::Wasm::IPIntGenerator::addI32Rotl):
(JSC::Wasm::IPIntGenerator::addI64Rotl):
(JSC::Wasm::IPIntGenerator::addI32Rotr):
(JSC::Wasm::IPIntGenerator::addI64Rotr):
(JSC::Wasm::IPIntGenerator::addI32Popcnt):
(JSC::Wasm::IPIntGenerator::addI64Popcnt):
(JSC::Wasm::IPIntGenerator::addI32Clz):
(JSC::Wasm::IPIntGenerator::addI64Clz):
(JSC::Wasm::IPIntGenerator::addI32Ctz):
(JSC::Wasm::IPIntGenerator::addI64Ctz):
(JSC::Wasm::IPIntGenerator::addF32Add):
(JSC::Wasm::IPIntGenerator::addF64Add):
(JSC::Wasm::IPIntGenerator::addF32Sub):
(JSC::Wasm::IPIntGenerator::addF64Sub):
(JSC::Wasm::IPIntGenerator::addF32Mul):
(JSC::Wasm::IPIntGenerator::addF64Mul):
(JSC::Wasm::IPIntGenerator::addF32Div):
(JSC::Wasm::IPIntGenerator::addF64Div):
(JSC::Wasm::IPIntGenerator::addF32Min):
(JSC::Wasm::IPIntGenerator::addF32Max):
(JSC::Wasm::IPIntGenerator::addF64Min):
(JSC::Wasm::IPIntGenerator::addF64Max):
(JSC::Wasm::IPIntGenerator::addF32Nearest):
(JSC::Wasm::IPIntGenerator::addF64Nearest):
(JSC::Wasm::IPIntGenerator::addF32Floor):
(JSC::Wasm::IPIntGenerator::addF64Floor):
(JSC::Wasm::IPIntGenerator::addF32Ceil):
(JSC::Wasm::IPIntGenerator::addF64Ceil):
(JSC::Wasm::IPIntGenerator::addF32Copysign):
(JSC::Wasm::IPIntGenerator::addF64Copysign):
(JSC::Wasm::IPIntGenerator::addF32Sqrt):
(JSC::Wasm::IPIntGenerator::addF64Sqrt):
(JSC::Wasm::IPIntGenerator::addF32Neg):
(JSC::Wasm::IPIntGenerator::addF64Neg):
(JSC::Wasm::IPIntGenerator::addF32Abs):
(JSC::Wasm::IPIntGenerator::addF64Abs):
(JSC::Wasm::IPIntGenerator::addI32Eq):
(JSC::Wasm::IPIntGenerator::addI32Ne):
(JSC::Wasm::IPIntGenerator::addI32LtS):
(JSC::Wasm::IPIntGenerator::addI32LtU):
(JSC::Wasm::IPIntGenerator::addI32LeS):
(JSC::Wasm::IPIntGenerator::addI32LeU):
(JSC::Wasm::IPIntGenerator::addI32GtS):
(JSC::Wasm::IPIntGenerator::addI32GtU):
(JSC::Wasm::IPIntGenerator::addI32GeU):
(JSC::Wasm::IPIntGenerator::addI32GeS):
(JSC::Wasm::IPIntGenerator::addI32Eqz):
(JSC::Wasm::IPIntGenerator::addI64Eq):
(JSC::Wasm::IPIntGenerator::addI64Ne):
(JSC::Wasm::IPIntGenerator::addI64GtS):
(JSC::Wasm::IPIntGenerator::addI64GtU):
(JSC::Wasm::IPIntGenerator::addI64GeS):
(JSC::Wasm::IPIntGenerator::addI64GeU):
(JSC::Wasm::IPIntGenerator::addI64LtS):
(JSC::Wasm::IPIntGenerator::addI64LtU):
(JSC::Wasm::IPIntGenerator::addI64LeS):
(JSC::Wasm::IPIntGenerator::addI64LeU):
(JSC::Wasm::IPIntGenerator::addI64Eqz):
(JSC::Wasm::IPIntGenerator::addF32Eq):
(JSC::Wasm::IPIntGenerator::addF32Ne):
(JSC::Wasm::IPIntGenerator::addF32Lt):
(JSC::Wasm::IPIntGenerator::addF32Le):
(JSC::Wasm::IPIntGenerator::addF32Gt):
(JSC::Wasm::IPIntGenerator::addF32Ge):
(JSC::Wasm::IPIntGenerator::addF64Eq):
(JSC::Wasm::IPIntGenerator::addF64Ne):
(JSC::Wasm::IPIntGenerator::addF64Lt):
(JSC::Wasm::IPIntGenerator::addF64Le):
(JSC::Wasm::IPIntGenerator::addF64Gt):
(JSC::Wasm::IPIntGenerator::addF64Ge):
(JSC::Wasm::IPIntGenerator::addI64ExtendSI32):
(JSC::Wasm::IPIntGenerator::addI64ExtendUI32):
(JSC::Wasm::IPIntGenerator::addI32Extend8S):
(JSC::Wasm::IPIntGenerator::addI32Extend16S):
(JSC::Wasm::IPIntGenerator::addI64Extend8S):
(JSC::Wasm::IPIntGenerator::addI64Extend16S):
(JSC::Wasm::IPIntGenerator::addI64Extend32S):
(JSC::Wasm::IPIntGenerator::addF64Trunc):
(JSC::Wasm::IPIntGenerator::addF32Trunc):
(JSC::Wasm::IPIntGenerator::addI32TruncSF64):
(JSC::Wasm::IPIntGenerator::addI32TruncSF32):
(JSC::Wasm::IPIntGenerator::addI32TruncUF64):
(JSC::Wasm::IPIntGenerator::addI32TruncUF32):
(JSC::Wasm::IPIntGenerator::addI64TruncSF64):
(JSC::Wasm::IPIntGenerator::addI64TruncSF32):
(JSC::Wasm::IPIntGenerator::addI64TruncUF64):
(JSC::Wasm::IPIntGenerator::addI64TruncUF32):
(JSC::Wasm::IPIntGenerator::truncSaturated):
(JSC::Wasm::IPIntGenerator::addI32WrapI64):
(JSC::Wasm::IPIntGenerator::addF32DemoteF64):
(JSC::Wasm::IPIntGenerator::addF64PromoteF32):
(JSC::Wasm::IPIntGenerator::addF32ReinterpretI32):
(JSC::Wasm::IPIntGenerator::addI32ReinterpretF32):
(JSC::Wasm::IPIntGenerator::addF64ReinterpretI64):
(JSC::Wasm::IPIntGenerator::addI64ReinterpretF64):
(JSC::Wasm::IPIntGenerator::addF32ConvertSI32):
(JSC::Wasm::IPIntGenerator::addF32ConvertUI32):
(JSC::Wasm::IPIntGenerator::addF32ConvertSI64):
(JSC::Wasm::IPIntGenerator::addF32ConvertUI64):
(JSC::Wasm::IPIntGenerator::addF64ConvertSI32):
(JSC::Wasm::IPIntGenerator::addF64ConvertUI32):
(JSC::Wasm::IPIntGenerator::addF64ConvertSI64):
(JSC::Wasm::IPIntGenerator::addF64ConvertUI64):
(JSC::Wasm::IPIntGenerator::addTopLevel):
(JSC::Wasm::IPIntGenerator::addSelect):
(JSC::Wasm::IPIntGenerator::addBlock):
(JSC::Wasm::IPIntGenerator::addLoop):
(JSC::Wasm::IPIntGenerator::addIf):
(JSC::Wasm::IPIntGenerator::addElseToUnreachable):
(JSC::Wasm::IPIntGenerator::addTry):
(JSC::Wasm::IPIntGenerator::convertTryToCatch):
(JSC::Wasm::IPIntGenerator::addCatchToUnreachable):
(JSC::Wasm::IPIntGenerator::addCatchAllToUnreachable):
(JSC::Wasm::IPIntGenerator::addReturn):
(JSC::Wasm::IPIntGenerator::addBranch):
(JSC::Wasm::IPIntGenerator::addEndToUnreachable):
(JSC::Wasm::IPIntGenerator::addCall):
(JSC::Wasm::IPIntGenerator::addCallIndirect):
(JSC::Wasm::IPIntGenerator::addCallRef):
(JSC::Wasm::IPIntGenerator::addUnreachable):
(JSC::Wasm::IPIntGenerator::addCrash):
(JSC::Wasm::IPIntGenerator::finalize):
(JSC::Wasm::IPIntGenerator::addSIMDLoad): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDStore): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDSplat): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDShuffle): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDShift): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDExtmul): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDLoadSplat): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDLoadLane): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDStoreLane): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDLoadExtend): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDLoadPad): Deleted.
(JSC::Wasm::IPIntGenerator::addReplaceLane): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDI_V): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDV_V): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDBitwiseSelect): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDRelOp): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDV_VV): Deleted.
(JSC::Wasm::IPIntGenerator::addSIMDRelaxedFMA): Deleted.
(JSC::Wasm::IPIntGenerator::addRefI31): Deleted.
(JSC::Wasm::IPIntGenerator::addI31GetS): Deleted.
(JSC::Wasm::IPIntGenerator::addI31GetU): Deleted.
(JSC::Wasm::IPIntGenerator::addArrayNew): Deleted.
(JSC::Wasm::IPIntGenerator::addArrayNewData): Deleted.
(JSC::Wasm::IPIntGenerator::addArrayNewElem): Deleted.
(JSC::Wasm::IPIntGenerator::addArrayNewFixed): Deleted.
(JSC::Wasm::IPIntGenerator::addArrayNewDefault): Deleted.
(JSC::Wasm::IPIntGenerator::addArrayGet): Deleted.
(JSC::Wasm::IPIntGenerator::addArraySet): Deleted.
(JSC::Wasm::IPIntGenerator::addArrayLen): Deleted.
(JSC::Wasm::IPIntGenerator::addStructNew): Deleted.
(JSC::Wasm::IPIntGenerator::addStructNewDefault): Deleted.
(JSC::Wasm::IPIntGenerator::addStructGet): Deleted.
(JSC::Wasm::IPIntGenerator::addStructSet): Deleted.
(JSC::Wasm::IPIntGenerator::addRefTest): Deleted.
(JSC::Wasm::IPIntGenerator::addRefCast): Deleted.
(JSC::Wasm::IPIntGenerator::addAnyConvertExtern): Deleted.
(JSC::Wasm::IPIntGenerator::addExternConvertAny): Deleted.
(JSC::Wasm::IPIntGenerator::addBranchNull): Deleted.
(JSC::Wasm::IPIntGenerator::addBranchCast): Deleted.

Canonical link: https://commits.webkit.org/275066@main
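The commit message above describes the mechanism only in one sentence: the generator reports a net stack delta after each opcode via `changeStackSize(delta)`, the running height is cross-checked against the parser's view on debug builds, and the resulting maximum feeds the stack overflow check. The following is an added C++ illustration of that bookkeeping; it is not WebKit's code, and every name in it (`Op`, `HeightTracker`, `analyzeStack`, `frameFitsStack`, the opcode effect table, the 64-byte frame header and 16-byte value slot) is a constructed stand-in, not the IPInt layout. The cross-check is debug-only in the real patch; here it runs unconditionally so the example can fail loudly when the two views diverge.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Toy opcode set for the illustration. Call2To1 stands in for a call that
// pops two arguments and pushes one result.
enum class Op : uint8_t { LocalGet, I32Const, I32Add, Drop, Call2To1, Block, End };

// Constructed per-opcode stack effect (values popped, values pushed). The real
// generator knows this inside each handler; here it is a lookup table.
struct StackEffect { int pops; int pushes; };

static StackEffect stackEffect(Op op)
{
    switch (op) {
    case Op::LocalGet: return { 0, 1 };
    case Op::I32Const: return { 0, 1 };
    case Op::I32Add:   return { 2, 1 };
    case Op::Drop:     return { 1, 0 };
    case Op::Call2To1: return { 2, 1 };
    case Op::Block:    return { 0, 0 }; // block with no params and no results
    case Op::End:      return { 0, 0 };
    }
    throw std::logic_error("unknown opcode");
}

// Delta-based bookkeeping in the style of changeStackSize(delta): the caller
// reports only the net change, and the tracker keeps current and maximum height.
class HeightTracker {
public:
    void changeStackSize(int delta)
    {
        long next = static_cast<long>(m_current) + delta;
        if (next < 0)
            throw std::runtime_error("stack underflow: module should have failed validation");
        m_current = static_cast<size_t>(next);
        if (m_current > m_max)
            m_max = m_current;
    }
    size_t current() const { return m_current; }
    size_t max() const { return m_max; }
private:
    size_t m_current = 0;
    size_t m_max = 0;
};

struct StackAnalysis {
    size_t maxHeightInValues = 0;
    size_t finalHeightInValues = 0;
};

// Walk a function body once, tracking height per opcode, recording the height at
// each control entry (like a control-type stackSize) and cross-checking against an
// independent push/pop simulation that plays the role of the parser's view.
StackAnalysis analyzeStack(const std::vector<Op>& code)
{
    HeightTracker tracker;
    std::vector<size_t> controlEntryHeights;
    size_t referenceHeight = 0;

    for (Op op : code) {
        StackEffect effect = stackEffect(op);
        if (op == Op::Block)
            controlEntryHeights.push_back(tracker.current());

        tracker.changeStackSize(effect.pushes - effect.pops); // generator side: net delta only

        if (referenceHeight < static_cast<size_t>(effect.pops))
            throw std::runtime_error("reference underflow");
        referenceHeight = referenceHeight - effect.pops + effect.pushes; // parser side: explicit pops/pushes

        if (tracker.current() != referenceHeight)
            throw std::logic_error("generator and parser disagree on stack height");

        if (op == Op::End) {
            if (controlEntryHeights.empty())
                throw std::runtime_error("End without matching Block");
            size_t entryHeight = controlEntryHeights.back();
            controlEntryHeights.pop_back();
            if (tracker.current() != entryHeight) // result-less block must restore entry height
                throw std::runtime_error("block ends at wrong stack height");
        }
    }
    if (!controlEntryHeights.empty())
        throw std::runtime_error("unclosed Block");
    return { tracker.max(), tracker.current() };
}

// Constructed frame model: fixed header plus one 16-byte slot per value (wide
// enough for v128). Only the shape matters: the entry check is a function of
// the maximum height computed above, so a wrong delta table means a wrong check.
constexpr size_t kFixedFrameBytes = 64;
constexpr size_t kBytesPerValueSlot = 16;

size_t requiredFrameBytes(size_t maxHeightInValues)
{
    return kFixedFrameBytes + maxHeightInValues * kBytesPerValueSlot;
}

// The check performed once on function entry: refuse to run if the frame cannot fit.
bool frameFitsStack(size_t maxHeightInValues, size_t stackBytesAvailable)
{
    return requiredFrameBytes(maxHeightInValues) <= stackBytesAvailable;
}

bool validates(const std::vector<Op>& code)
{
    try { analyzeStack(code); return true; } catch (const std::exception&) { return false; }
}

// Constructed sample body: local.get, i32.const, i32.add, block { two consts, call, drop } end, drop.
const std::vector<Op> kSampleBody = {
    Op::LocalGet, Op::I32Const, Op::I32Add,
    Op::Block, Op::I32Const, Op::I32Const, Op::Call2To1, Op::Drop, Op::End,
    Op::Drop
};
```

For `kSampleBody` the height peaks at 3 (two constants pushed inside the block on top of the outer value) and returns to 0, so the entry check needs 64 + 3 * 16 = 112 bytes under this constructed layout. The two failure paths worth exercising are an underflowing body (`i32.add` on an empty stack) and a block that ends at the wrong height; both are rejected by `analyzeStack` rather than silently producing an undersized frame.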


