[Webkit-unassigned] [Bug 157537] New: We should have one calleeSaveRegistersBuffer per VMEntryFrame, not one per VM.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue May 10 14:56:31 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=157537

            Bug ID: 157537
           Summary: We should have one calleeSaveRegistersBuffer per
                    VMEntryFrame, not one per VM.
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

Consider this scenario:

1. Some C++ code enters the VM to call into JS code.
2. JS code throws an exception, and saves callee saved regs (from step 1) into the VM calleeSaveRegistersBuffer.

3. The Inspector wants to inspect that exception, and calls some C++ inspector code.  With ASAN, this C++ code alters %rbx on x86_64.
4. C++ inspector code calls a JS inspector function.  This re-enters the VM.
5. The JS inspector code runs hot enough that we do an enterOptimizationCheck on it.
    The enterOptimizationCheck first saves callee saved regs (from step 4) into the VM calleeSaveRegistersBuffer.
    Note: the VM calleeSaveRegistersBuffer now contains callee saved values from step 4.

6. The Inspector eventually returns to the caller JS code (from step 2).
7. The JS code does not have a handler for the exception and treats it as an uncaught exception.
8. The _handleUncaughtException exit point in the LLINT thunks does a restoreCalleeSavesFromVMCalleeSavesBuffer to restore the callee saved regs from step 1.
    Unfortunately, the VM calleeSaveRegistersBuffer now contains callee saved values from step 4, not the ones from step 1.

9. _handleUncaughtException returns to the outer C++ code.
10. The C++ code tries to use %rbx and crashes because it contains a bad value.

To fix this, we'll allocate space in the VMEntryFrame for the calleeSaveRegistersBuffer, and used that for each VM entry session instead of a singleton buffer in the VM.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160510/a3869c01/attachment.html>

More information about the webkit-unassigned mailing list