[webkit-changes] [WebKit/WebKit] e09543: BBQJIT OSR Entry throws stack overflow from invali...

Justin Michaud noreply at github.com
Wed Mar 20 06:45:43 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e0954318753da3a4c14b63c1a20d36a16c1053b2
      https://github.com/WebKit/WebKit/commit/e0954318753da3a4c14b63c1a20d36a16c1053b2
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2024-03-20 (Wed, 20 Mar 2024)

  Changed paths:
    A JSTests/wasm/stress/repro_1289.js
    A JSTests/wasm/stress/repro_1289.wasm
    A JSTests/wasm/stress/repro_1289.wat
    M Source/JavaScriptCore/wasm/WasmBBQJIT.cpp
    M Source/JavaScriptCore/wasm/WasmBBQJIT.h
    M Source/JavaScriptCore/wasm/WasmCallee.h
    M Source/JavaScriptCore/wasm/WasmInstance.h
    M Source/JavaScriptCore/wasm/WasmOMGIRGenerator.cpp
    M Source/JavaScriptCore/wasm/WasmOperations.cpp
    M Source/JavaScriptCore/wasm/WasmOperations.h
    M Source/JavaScriptCore/wasm/WasmSlowPaths.cpp
    M Source/JavaScriptCore/wasm/WasmThunks.cpp
    M Source/JavaScriptCore/wasm/WasmThunks.h

  Log Message:
  -----------
  BBQJIT OSR Entry throws stack overflow from invalid frame
https://bugs.webkit.org/show_bug.cgi?id=268424
rdar://121251778

Reviewed by Yusuke Suzuki.

In this test case, we end up in a situation where the current LLInt frame is
above the soft stack limit. We then loop osr entry into BBQ, where we
perform a stack check and fail, but before we finish writing the OSR
entry buffer into our stack frame. The stack unwinder sees the BBQ callee
and we jump to that, but the frame is uninitialized.

The fix is two fold; we first make BBQ crash in this case to avoid a
security issue. We do the same for OMG, just in case this bug is
exploitable there too.

Second, we do a stack check before performing OSR entry, and fail early.

* JSTests/wasm/stress/repro_1289.js: Added.
(debuggingHelper):
(instantiateJsc):
(async let):
* JSTests/wasm/stress/repro_1289.wasm: Added.
* JSTests/wasm/stress/repro_1289.wat: Added.
* Source/JavaScriptCore/wasm/WasmBBQJIT.cpp:
(JSC::Wasm::BBQJIT::stackCheckSize const):
(JSC::Wasm::BBQJIT::addLoopOSREntrypoint):
(JSC::Wasm::parseAndCompileBBQ):
* Source/JavaScriptCore/wasm/WasmCallee.h:
* Source/JavaScriptCore/wasm/WasmInstance.h:
(JSC::Wasm::Instance::softStackLimit const):
* Source/JavaScriptCore/wasm/WasmOperations.cpp:
(JSC::Wasm::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/wasm/WasmOperations.h:
* Source/JavaScriptCore/wasm/WasmSlowPaths.cpp:
(JSC::LLInt::WASM_SLOW_PATH_DECL):
* Source/JavaScriptCore/wasm/WasmThunks.cpp:
(JSC::Wasm::crashDueToBBQStackOverflow):
* Source/JavaScriptCore/wasm/WasmThunks.h:

Originally-landed-as: 272448.466 at safari-7618-branch (a08ba6e8c208). rdar://124558656
Canonical link: https://commits.webkit.org/276403@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list