Changeset 161180 in webkit

Timestamp:

Dec 31, 2013, 2:26:49 AM (11 years ago)

Author:

mark.lam@apple.com

Message:

CStack: Need a separate stack limit for the JS stack and the C stack.
​https://bugs.webkit.org/show_bug.cgi?id=126320.

Not yet reviewed.

With this patch, we now accurately track how much JS stack space the
VM has used, and cap that at the value specified by Options::maxStackSize().

The JS stack space is measured in chunks, one for each VMEntryScope. Each
VMEntryScope will also keep a running total of the sum of all the stack
usage of previous VMEntryScopes to simplify the calculation of the total
usage.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::execute):

• In Interpreter::execute() for programs, we were installing the VMEntryScope even if we end up only processing a JSON object. This poses a problem because the code that processes the JSON object will call functions that will re-enter the VM thereby installing another VMEntryScope. Each VMEntryScope expects VM.topCallFrame and VM.stackPointerAtVMEntry to be set up properly for the previous VMEntryScope. However, in this case, we've installed the VMEntryScope for a potential ProgramExecutable but never executed a program to initialize its values for VM.topCallFrame and VM.stackPointerAtVMEntry. This in turn causes a crash when the second VMEntryScope makes use of VM.topCallFrame.

The fix is simply to defer installation of the VMEntryScope for the

program till we are actually sure that we will attempt to execute a
program.

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL(stack_check)):

• In llint_stack_check(), we pop the frame that we failed to set up before throwing the StackOverflowError. Added an update of topCallFrame here to reflect this popping action.

• llint/LowLevelInterpreter64.asm:
• The VMEntryScope will have to calculate and set up a jsStackLimit value before we actually know what the stack pointer is at the point when we re-enter the VM. So, instead of using the real stackPointerAtVMEntry for the jsStackLimit calculation, we use an estimate.

doCallToJavaScript() here will set VM.stackPointerAtVMEntry to its

real value. But before it does that, it needs to adjust VM.jsStackLimit
by the delta between the estimate and the real stackPointerAtVMEntry.

• If doCallToJavaScript() fails its stack check for incoming args, it also needs to clear VM.stackPointerAtVMEntry so that C code can assert that the various pointers into the stack remain consistent.

By consistent, I mean that, given that the stack grows down, and that
VM.stackPointerAtVMEntry and VM.topCallFrame are properly initialized,
then the following should always be true:

let topOfStack = VM.topCallFrame->topOfFrame();
stackPointerAtVMEntry >= topOfStack >= stack pointer in a C helper function

and

JSStack.containsAddress(stackPointerAtVMEntry)

and

JSStack.containsAddress(topOfStack)

Clearing VM.stackPointerAtVMEntry, if the stack check in doCallToJavaScript()
fails, indicates we failed to enter the current VMEntryScope and that we
should be using the previous VMEntryScope's stackPointerAtVMEntry and
topCallFrame for the above assertions.

NOTE: These assertions are done in VMEntryScope::updateStackLimits().

• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:
• runtime/VMEntryScope.cpp:

(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::~VMEntryScope):
(JSC::VMEntryScope::stackUsageFor):
(JSC::VMEntryScope::updateStackLimits):
(JSC::VMEntryScope::currentStackPointer):
(JSC::VMEntryScope::requiredCapacity):

• requiredCapacity() now computes the excess amount C stack capacity that we have available, and discount it in the computation of the JS stack limit. By excess, I mean the amount of unused C stack space that exceeds the amount of unused JS stack space capacity.

• runtime/VMEntryScope.h:

Location:

branches/jsCStack/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• interpreter/Interpreter.cpp (modified) (2 diffs)
• llint/LLIntSlowPaths.cpp (modified) (2 diffs)
• llint/LowLevelInterpreter64.asm (modified) (2 diffs)
• runtime/VM.cpp (modified) (1 diff)
• runtime/VM.h (modified) (1 diff)
• runtime/VMEntryScope.cpp (modified) (7 diffs)
• runtime/VMEntryScope.h (modified) (3 diffs)

branches/jsCStack/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-12-31  Mark Lam  <mark.lam@apple.com>
+
+        CStack: Need a separate stack limit for the JS stack and the C stack.
+        https://bugs.webkit.org/show_bug.cgi?id=126320.
+
+        Not yet reviewed.
+
+        With this patch, we now accurately track how much JS stack space the
+        VM has used, and cap that at the value specified by Options::maxStackSize().
+
+        The JS stack space is measured in chunks, one for each VMEntryScope. Each
+        VMEntryScope will also keep a running total of the sum of all the stack
+        usage of previous VMEntryScopes to simplify the calculation of the total
+        usage.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::execute):
+        - In Interpreter::execute() for programs, we were installing the VMEntryScope
+          even if we end up only processing a JSON object. This poses a problem
+          because the code that processes the JSON object will call functions that
+          will re-enter the VM thereby installing another VMEntryScope. Each
+          VMEntryScope expects VM.topCallFrame and VM.stackPointerAtVMEntry to be
+          set up properly for the previous VMEntryScope. However, in this case,
+          we've installed the VMEntryScope for a potential ProgramExecutable but
+          never executed a program to initialize its values for VM.topCallFrame and
+          VM.stackPointerAtVMEntry. This in turn causes a crash when the second
+          VMEntryScope makes use of VM.topCallFrame.
+              The fix is simply to defer installation of the VMEntryScope for the
+          program till we are actually sure that we will attempt to execute a
+          program.
+
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL(stack_check)):
+        - In llint_stack_check(), we pop the frame that we failed to set up before
+          throwing the StackOverflowError. Added an update of topCallFrame here to
+          reflect this popping action.
+
+        * llint/LowLevelInterpreter64.asm:
+        - The VMEntryScope will have to calculate and set up a jsStackLimit value
+          before we actually know what the stack pointer is at the point when we
+          re-enter the VM. So, instead of using the real stackPointerAtVMEntry for
+          the jsStackLimit calculation, we use an estimate.
+              doCallToJavaScript() here will set VM.stackPointerAtVMEntry to its
+          real value. But before it does that, it needs to adjust VM.jsStackLimit
+          by the delta between the estimate and the real stackPointerAtVMEntry.
+
+        - If doCallToJavaScript() fails its stack check for incoming args, it also
+          needs to clear VM.stackPointerAtVMEntry so that C code can assert that
+          the various pointers into the stack remain consistent.
+
+          By consistent, I mean that, given that the stack grows down, and that
+          VM.stackPointerAtVMEntry and VM.topCallFrame are properly initialized,
+          then the following should always be true:
+
+              let topOfStack = VM.topCallFrame->topOfFrame();
+              stackPointerAtVMEntry >= topOfStack >= stack pointer in a C helper function
+          and
+              JSStack.containsAddress(stackPointerAtVMEntry)
+          and
+              JSStack.containsAddress(topOfStack)
+
+          Clearing VM.stackPointerAtVMEntry, if the stack check in doCallToJavaScript()
+          fails, indicates we failed to enter the current VMEntryScope and that we
+          should be using the previous VMEntryScope's stackPointerAtVMEntry and
+          topCallFrame for the above assertions.
+
+          NOTE: These assertions are done in VMEntryScope::updateStackLimits().
+
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+        * runtime/VMEntryScope.cpp:
+        (JSC::VMEntryScope::VMEntryScope):
+        (JSC::VMEntryScope::~VMEntryScope):
+        (JSC::VMEntryScope::stackUsageFor):
+        (JSC::VMEntryScope::updateStackLimits):
+        (JSC::VMEntryScope::currentStackPointer):
+        (JSC::VMEntryScope::requiredCapacity):
+        - requiredCapacity() now computes the excess amount C stack capacity that
+          we have available, and discount it in the computation of the JS stack
+          limit. By excess, I mean the amount of unused C stack space that
+          exceeds the amount of unused JS stack space capacity.
+
+        * runtime/VMEntryScope.h:
+
 2013-12-30  Mark Lam  <mark.lam@apple.com>
 

branches/jsCStack/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -771 +771 @@
         return jsNull();
 
-    VMEntryScope entryScope(vm, scope->globalObject());
     if (!vm.isSafeToRecurse())
         return checkedReturn(throwStackOverflowError(callFrame));
@@ -878 +877 @@
     // object.
 
+    VMEntryScope entryScope(vm, scope->globalObject());
+
     // Compile source to bytecode if necessary:
     if (JSObject* error = program->initializeGlobalProperties(vm, callFrame, scope))

branches/jsCStack/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -459 +459 @@
     // throw the StackOverflowError unconditionally.
 #if ENABLE(LLINT_C_LOOP)
-    ASSERT(!exec->vm().interpreter->stack().containsAddress(exec->topOfFrame()));
+    ASSERT(!vm.interpreter->stack().containsAddress(exec->topOfFrame()));
     if (LIKELY(vm.interpreter->stack().ensureCapacityFor(exec->topOfFrame())))
         LLINT_RETURN_TWO(pc, 0);
@@ -465 +465 @@
 
     exec = exec->callerFrame();
+    vm.topCallFrame = exec;
     Interpreter::ErrorHandlingMode mode(exec);
     CommonSlowPaths::interpreterThrowInCaller(exec, createStackOverflowError(exec));

branches/jsCStack/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -180 +180 @@
     checkStackPointerAlignment(temp2, 0xbad0dc01)
 
+    # The jsStackLimit was previously computed in VMEntryScope using an
+    # estimated stackPointerAtVMEntry value. Adjust the jsStackLimit by
+    # the delta between the actual stackPointerAtVMEntry and the estimate
+    # that we used previously.
+    subp VM::stackPointerAtVMEntry[vm], sp, temp2
+    subp VM::m_jsStackLimit[vm], temp2, temp2
+    storep temp2, VM::m_jsStackLimit[vm]
+    storep sp, VM::stackPointerAtVMEntry[vm]
+
     # The stack host zone ensures that we have adequate space for the
     # VMEntrySentinelFrame. Proceed with allocating and initializing the
@@ -211 +220 @@
     end
 
+    storep 0, VM::stackPointerAtVMEntry[vm]
     cCall2(_llint_throw_stack_overflow_error, vm, protoCallFrame)
     callToJavaScriptEpilogue()

branches/jsCStack/Source/JavaScriptCore/runtime/VM.cpp

@@ -168 +168 @@
     , clientData(0)
     , topCallFrame(CallFrame::noCaller())
+    , stackPointerAtVMEntry(0)
     , arrayConstructorTable(adoptPtr(new HashTable(JSC::arrayConstructorTable)))
     , arrayPrototypeTable(adoptPtr(new HashTable(JSC::arrayPrototypeTable)))

branches/jsCStack/Source/JavaScriptCore/runtime/VM.h

@@ -228 +228 @@
         ClientData* clientData;
         ExecState* topCallFrame;
+        void* stackPointerAtVMEntry;
         Watchdog watchdog;
 

branches/jsCStack/Source/JavaScriptCore/runtime/VMEntryScope.cpp

@@ -27 +27 @@
 #include "VMEntryScope.h"
 
+#include "Options.h"
 #include "VM.h"
 #include <wtf/StackBounds.h>
@@ -36 +37 @@
     , m_stack(wtfThreadData().stack())
     , m_globalObject(globalObject)
+    , m_prevStackUsage(0)
     , m_prevFirstEntryScope(vm.firstEntryScope)
     , m_prevTopEntryScope(vm.topEntryScope)
@@ -43 +45 @@
 #endif
     , m_prevLastStackTop(vm.lastStackTop())
+    , m_prevStackPointerAtVMEntry(vm.stackPointerAtVMEntry)
+    , m_prevTopCallFrame(vm.topCallFrame)
 {
+    ASSERT(wtfThreadData().stack().isGrowingDownward());
+    ASSERT(!vm.topCallFrame || currentStackPointer() <= reinterpret_cast<char*>(vm.topCallFrame->topOfFrame()));
+
+    // Step 1: Compute the stack usage of the last VM entry before we install
+    // the current entry scope below.
+    if (vm.topEntryScope) {
+        char* topOfStack = reinterpret_cast<char*>(vm.topCallFrame->topOfFrame());
+        m_prevStackUsage = vm.topEntryScope->stackUsageFor(topOfStack);
+    }
+
+    // Step 2: Install the current entry scope.
     if (!vm.firstEntryScope) {
 #if ENABLE(ASSEMBLER)
@@ -55 +70 @@
         vm.resetDateCache();
     }
+    vm.stackPointerAtVMEntry = 0;
     vm.topEntryScope = this;
 
@@ -60 +76 @@
     vm.clearExceptionStack();
 
+    vm.setLastStackTop(m_stack.origin());
+
+    // Step 3: Compute the stack limit using the installed entry scope.
     updateStackLimits();
-    vm.setLastStackTop(m_stack.origin());
 }
 
@@ -73 +91 @@
 #endif
     m_vm.setLastStackTop(m_prevLastStackTop);
+    m_vm.stackPointerAtVMEntry = m_prevStackPointerAtVMEntry;
+    m_vm.topCallFrame = m_prevTopCallFrame;
+}
+
+size_t VMEntryScope::stackUsageFor(char* topOfStack) const
+{
+    size_t currentStackUsage = 0;
+    ASSERT(m_vm.stackPointerAtVMEntry);
+    char* startOfStack = reinterpret_cast<char*>(m_vm.stackPointerAtVMEntry);
+    ASSERT(topOfStack <= startOfStack);
+    currentStackUsage = startOfStack - topOfStack;
+
+    ASSERT(Options::maxStackSize() >= m_prevStackUsage + currentStackUsage);
+    return m_prevStackUsage + currentStackUsage;
 }
 
 void VMEntryScope::updateStackLimits()
 {
+    ASSERT(wtfThreadData().stack().isGrowingDownward());
+    char* topOfStack = currentStackPointer();
+
 #if !ENABLE(LLINT_C_LOOP)
-    void* jsStackLimit = m_stack.recursionLimit(requiredCapacity(JSStackCapacity));
+    char* topOfJSStack = m_vm.topCallFrame ? reinterpret_cast<char*>(m_vm.topCallFrame->topOfFrame()) : topOfStack;
+
+    // If we have not re-entered the VM yet via callToJavaScript / callToNativeFunction,
+    // then stackPointerAtVMEntry will not have been set up yet. Instead, we'll
+    // compute the stack limit relative to the current topOfJSStack (as an estimate
+    // of stackPointerAtVMEntry). When we enter callToJavaScript later, we'll adjust
+    // the stack limit with the delta between the actual stackPointerAtVMEntry and
+    // the estimate value that we use here.
+    if (!m_vm.stackPointerAtVMEntry)
+        m_vm.stackPointerAtVMEntry = topOfJSStack;
+
+    void* jsStackLimit = m_stack.recursionLimit(requiredCapacity(topOfJSStack, JSStackCapacity));
+#ifndef NDEBUG
+    char* startOfStack = reinterpret_cast<char*>(m_vm.stackPointerAtVMEntry);
+    char* stackLimit = reinterpret_cast<char*>(jsStackLimit);
+    ASSERT(m_prevStackUsage + (startOfStack - stackLimit) <= Options::maxStackSize());
+#endif
     m_vm.setJSStackLimit(jsStackLimit);
-#endif
-    void* nativeStackLimit = m_stack.recursionLimit(requiredCapacity(NativeStackCapacity));
+
+    // Some sanity checks for our pointers into the stack:
+    ASSERT(m_vm.interpreter->stack().containsAddress(reinterpret_cast<Register*>(m_vm.stackPointerAtVMEntry)));
+    ASSERT(m_vm.interpreter->stack().containsAddress(reinterpret_cast<Register*>(topOfJSStack)));
+    ASSERT(currentStackPointer() <= topOfJSStack);
+    ASSERT(topOfJSStack <= m_vm.stackPointerAtVMEntry);
+#endif // !ENABLE(LLINT_C_LOOP)
+
+    void* nativeStackLimit = m_stack.recursionLimit(requiredCapacity(topOfStack, NativeStackCapacity));
     m_vm.setStackLimit(nativeStackLimit);
 }
 
-size_t VMEntryScope::requiredCapacity(CapacityType type) const
+char* VMEntryScope::currentStackPointer() const
 {
+    char* p;
+#if ENABLE(LLINT_C_LOOP)
+    p = reinterpret_cast<char*>(m_vm.topCallFrame->topOfFrame());
+#else
+    p = reinterpret_cast<char*>(&p);
+#endif
+    return p;
+}
+
+size_t VMEntryScope::requiredCapacity(char* topOfStack, CapacityType type) const
+{
+    ASSERT(m_stack.isGrowingDownward());
+
+    size_t excessCStackSize = 0;
+#if !ENABLE(LLINT_C_LOOP)
+    if (type == JSStackCapacity) {
+        ASSERT(Options::maxStackSize() >= stackUsageFor(topOfStack));
+        size_t availableJSStack = Options::maxStackSize() - stackUsageFor(topOfStack);
+
+        char* bottomOfStack = reinterpret_cast<char*>(m_stack.origin());
+        size_t availableCStack = m_stack.size() - (bottomOfStack - topOfStack);
+        if (availableCStack > availableJSStack)
+            excessCStackSize = availableCStack - availableJSStack;
+    }
+#else
     UNUSED_PARAM(type);
+    ASSERT(type == NativeStackCapacity);
+#endif
 
     // We require a smaller stack budget for the error stack. This is to allow
@@ -101 +186 @@
     Interpreter* interpreter = m_vm.interpreter;
     size_t requiredCapacity = interpreter->isInErrorHandlingMode() ? errorModeRequiredStack : requiredStack;
+    requiredCapacity += excessCStackSize;
+
     RELEASE_ASSERT(m_stack.size() >= requiredCapacity);
     return requiredCapacity; 

branches/jsCStack/Source/JavaScriptCore/runtime/VMEntryScope.h

@@ -49 +49 @@
         NativeStackCapacity,
     };
-    size_t requiredCapacity(CapacityType) const;
+    size_t requiredCapacity(char* topOfStack, CapacityType) const;
+    char* currentStackPointer() const;
+    size_t stackUsageFor(char* topOfStack) const;
 
     VM& m_vm;
@@ -55 +57 @@
     StackBounds m_stack;
     JSGlobalObject* m_globalObject;
+    size_t m_prevStackUsage;
 
     // The following pointers may point to a different thread's stack.
@@ -64 +67 @@
 #endif
     void* m_prevLastStackTop;
+    void* m_prevStackPointerAtVMEntry;
+    ExecState* m_prevTopCallFrame;
 };