[Webkit-unassigned] [Bug 217588] New: CallFrame.h:324:38: warning: calling ‘void* __builtin_frame_address(unsigned int)’ with a nonzero argument is unsafe [-Wframe-address]

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Oct 11 15:20:30 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=217588

            Bug ID: 217588
           Summary: CallFrame.h:324:38: warning: calling ‘void*
                    __builtin_frame_address(unsigned int)’ with a nonzero
                    argument is unsafe [-Wframe-address]
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: ysuzuki at apple.com

I've never seen -Wframe-address before. Anyway, we have this code in CallFrame.h:

#if USE(BUILTIN_FRAME_ADDRESS)
#define DECLARE_CALL_FRAME(vm) \
    ({ \
        ASSERT(JSC::isFromJSCode(removeCodePtrTag<void*>(__builtin_return_address(0)))); \
        bitwise_cast<JSC::CallFrame*>(__builtin_frame_address(1)); \
    })
#else
#define DECLARE_CALL_FRAME(vm) ((vm).topCallFrame)
#endif

This code was added in r251475, nearly a year ago. I'm not sure why it hasn't caused warnings for me before now. (I'm using GCC 10.2.1 20200826 currently. Maybe the warning was added in a GCC point release? I've been using GCC 10 all year.) Anyway, the manpage says:

       -Wframe-address
           Warn when the __builtin_frame_address or __builtin_return_address is called with an argument greater
           than 0.  Such calls may return indeterminate values or crash the program.  The warning is included in
           -Wall.

Documentation is here: https://gcc.gnu.org/onlinedocs/gcc/Return-Address.html. "Calling this function with a nonzero argument can have unpredictable effects, including crashing the calling program. As a result, calls that are considered unsafe are diagnosed when the -Wframe-address option is in effect. Such calls should only be made in debugging situations."

So... that seems bad. This seems like a question for compiler people, then: should we disable USE_BUILTIN_FRAME_ADDRESS, or suppress the warning and hope for the best...?

[570/3175] Building CXX object Source/WebCore/CMakeFiles/...es/WebCore/unified-sources/UnifiedSource-48793971-1.cpp.o
In file included from DerivedSources/ForwardingHeaders/JavaScriptCore/ArgList.h:24,
                 from DerivedSources/ForwardingHeaders/JavaScriptCore/JSArray.h:23,
                 from DerivedSources/ForwardingHeaders/JavaScriptCore/ArrayAllocationProfile.h:29,
                 from DerivedSources/ForwardingHeaders/JavaScriptCore/JSGlobalObject.h:24,
                 from DerivedSources/ForwardingHeaders/JavaScriptCore/InternalFunctionAllocationProfile.h:28,
                 from DerivedSources/ForwardingHeaders/JavaScriptCore/FunctionRareData.h:28,
                 from DerivedSources/ForwardingHeaders/JavaScriptCore/JSFunction.h:26,
                 from DerivedSources/WebCore/JSDOMBindingInternalsBuiltins.h:35,
                 from DerivedSources/WebCore/WebCoreJSBuiltinInternals.h:38,
                 from ../../Source/WebCore/bindings/js/JSDOMGlobalObject.h:29,
                 from ../../Source/WebCore/bindings/js/JSDOMWrapper.h:24,
                 from ../../Source/WebCore/domjit/DOMJITHelpers.h:29,
                 from ../../Source/WebCore/domjit/DOMJITHelpers.cpp:27,
                 from DerivedSources/WebCore/unified-sources/UnifiedSource-48793971-1.cpp:1:
../../Source/WebCore/domjit/JSDocumentDOMJIT.cpp: In function ‘JSC::EncodedJSValue WebCore::DOMJIT::operationToJSElement(JSC::JSGlobalObject*, void*)’:
DerivedSources/ForwardingHeaders/JavaScriptCore/CallFrame.h:324:38: warning: calling ‘void* __builtin_frame_address(unsigned int)’ with a nonzero argument is unsafe [-Wframe-address]
  324 |         bitwise_cast<JSC::CallFrame*>(__builtin_frame_address(1)); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../Source/WebCore/domjit/JSDocumentDOMJIT.cpp:152:33: note: in expansion of macro ‘DECLARE_CALL_FRAME’
  152 |     JSC::CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
      |                                 ^~~~~~~~~~~~~~~~~~
../../Source/WebCore/domjit/JSDocumentDOMJIT.cpp: In function ‘JSC::EncodedJSValue WebCore::DOMJIT::operationToJSHTMLElement(JSC::JSGlobalObject*, void*)’:
DerivedSources/ForwardingHeaders/JavaScriptCore/CallFrame.h:324:38: warning: calling ‘void* __builtin_frame_address(unsigned int)’ with a nonzero argument is unsafe [-Wframe-address]
  324 |         bitwise_cast<JSC::CallFrame*>(__builtin_frame_address(1)); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../Source/WebCore/domjit/JSDocumentDOMJIT.cpp:162:33: note: in expansion of macro ‘DECLARE_CALL_FRAME’
  162 |     JSC::CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
      |                                 ^~~~~~~~~~~~~~~~~~
../../Source/WebCore/domjit/JSDocumentDOMJIT.cpp: In function ‘JSC::EncodedJSValue WebCore::DOMJIT::operationToJSDocument(JSC::JSGlobalObject*, void*)’:
DerivedSources/ForwardingHeaders/JavaScriptCore/CallFrame.h:324:38: warning: calling ‘void* __builtin_frame_address(unsigned int)’ with a nonzero argument is unsafe [-Wframe-address]
  324 |         bitwise_cast<JSC::CallFrame*>(__builtin_frame_address(1)); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../Source/WebCore/domjit/JSDocumentDOMJIT.cpp:172:33: note: in expansion of macro ‘DECLARE_CALL_FRAME’
  172 |     JSC::CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
      |                                 ^~~~~~~~~~~~~~~~~~
../../Source/WebCore/domjit/JSDocumentDOMJIT.cpp: In function ‘JSC::EncodedJSValue WebCore::DOMJIT::operationToJSNode(JSC::JSGlobalObject*, void*)’:
DerivedSources/ForwardingHeaders/JavaScriptCore/CallFrame.h:324:38: warning: calling ‘void* __builtin_frame_address(unsigned int)’ with a nonzero argument is unsafe [-Wframe-address]
  324 |         bitwise_cast<JSC::CallFrame*>(__builtin_frame_address(1)); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../Source/WebCore/domjit/JSDocumentDOMJIT.cpp:182:33: note: in expansion of macro ‘DECLARE_CALL_FRAME’
  182 |     JSC::CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
      |                                 ^~~~~~~~~~~~~~~~~~
../../Source/WebCore/domjit/JSDocumentDOMJIT.cpp: In function ‘JSC::EncodedJSValue WebCore::DOMJIT::operationToJSContainerNode(JSC::JSGlobalObject*, void*)’:
DerivedSources/ForwardingHeaders/JavaScriptCore/CallFrame.h:324:38: warning: calling ‘void* __builtin_frame_address(unsigned int)’ with a nonzero argument is unsafe [-Wframe-address]
  324 |         bitwise_cast<JSC::CallFrame*>(__builtin_frame_address(1)); \
      |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../Source/WebCore/domjit/JSDocumentDOMJIT.cpp:192:33: note: in expansion of macro ‘DECLARE_CALL_FRAME’
  192 |     JSC::CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
      |                                 ^~~~~~~~~~~~~~~~~~

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20201011/ae1c632c/attachment-0001.htm>

More information about the webkit-unassigned mailing list