[Webkit-unassigned] [Bug 184185] New: We should not store to stack locations that are not protected by the stack pointer.
bugzilla-daemon at webkit.org
Fri Mar 30 10:55:38 PDT 2018
https://bugs.webkit.org/show_bug.cgi?id=184185
Bug ID: 184185
Summary: We should not store to stack locations that are not protected by the stack pointer.
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebAssembly
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
createJSToWasmWrapper() emits code that stores to "calleeFrame", but calleeFrame exists below the stack pointer. wasmToJS() does the same. The values stored at locations below the stack pointer are susceptible to corruption by interrupts that may fire if the OS uses the user stack red zone as the interrupt stack frame.
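The failure mode described above, as an added demonstration that is not WebKit code and not the reporter's: a value written below the current stack pointer has no reservation, so anything that runs on the same stack (here a POSIX signal handler standing in for an interrupt) may overwrite it, while a slot reserved in the frame, so that the stack pointer already sits below it, survives. The probe offset, the handler's scratch size, a downward-growing stack and same-stack signal delivery are assumptions chosen to make the handler's frame overlap the probe on common Linux and macOS layouts; the unprotected write is deliberately outside any object and is only there to observe the effect.

```c
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout constants for this constructed demonstration. */
#define BELOW_SP_OFFSET 8192          /* how far below the frame to probe */
#define HANDLER_SCRATCH 32768         /* bytes the handler dirties below SP */
#define SENTINEL 0x5A5A5A5A5A5A5A5AULL

/* Plays the role of the interrupt: its locals are placed below the
 * interrupted code's stack pointer, exactly where an unreserved store
 * would sit. */
static void clobbering_handler(int sig) {
    (void)sig;
    volatile uint64_t scratch[HANDLER_SCRATCH / sizeof(uint64_t)];
    for (size_t i = 0; i < HANDLER_SCRATCH / sizeof(uint64_t); i++)
        scratch[i] = 0xDEADBEEFull;
}

/* The bug pattern: store below the stack pointer, then get interrupted.
 * Returns 1 if the sentinel survived the signal, 0 if it was overwritten.
 * (Writing outside the frame is undefined behaviour; it is done here only
 * to show why the store is unsafe.) */
int unprotected_store_survives(void) {
    volatile uint64_t anchor = 0;               /* a real slot in this frame */
    volatile uint64_t *below =
        (volatile uint64_t *)((char *)&anchor - BELOW_SP_OFFSET);
    *below = SENTINEL;                          /* not covered by SP */
    signal(SIGUSR1, clobbering_handler);
    raise(SIGUSR1);                             /* the "interrupt" */
    return *below == SENTINEL;
}

/* The corrected pattern: reserve the slot first so the stack pointer is
 * below it; the handler's frame is built below SP and cannot reach it.
 * Returns 1 (the sentinel always survives). */
int protected_store_survives(void) {
    volatile uint64_t slot[1];                  /* reserved in the frame */
    slot[0] = SENTINEL;
    signal(SIGUSR1, clobbering_handler);
    raise(SIGUSR1);
    return slot[0] == SENTINEL;
}

int main(void) {
    printf("unprotected store survived the signal: %d\n",
           unprotected_store_survives());
    printf("protected store survived the signal:   %d\n",
           protected_store_survives());
    return 0;
}
```

The protected variant is deterministic on any platform; whether the unprotected probe is actually overwritten depends on the kernel's signal-frame size and the handler's frame placement, which is precisely the point: a store below the stack pointer is correct only until something else uses that memory.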