Changeset 260692 in webkit

Timestamp:

Apr 25, 2020 12:24:07 AM (4 years ago)

Author:

mark.lam@apple.com

Message:

Suppress ASan on DFG::clobberize() to work around an ASan bug.
​https://bugs.webkit.org/show_bug.cgi?id=211012
<rdar://problem/62275430>

Reviewed by Yusuke Suzuki.

Source/JavaScriptCore:

ASan was incorrectly thinking that we're accessing invalid stack memory when we're not.

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

LayoutTests:

Test is courtesy of Fabien Duchene and Pinki Gyanchandani.

• js/suppress-asan-on-clobberize-to-workaround-asan-bug-expected.txt: Added.
• js/suppress-asan-on-clobberize-to-workaround-asan-bug.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/suppress-asan-on-clobberize-to-workaround-asan-bug-expected.txt (added)
• LayoutTests/js/suppress-asan-on-clobberize-to-workaround-asan-bug.html (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-04-24  Mark Lam  <mark.lam@apple.com>
+
+        Suppress ASan on DFG::clobberize() to work around an ASan bug.
+        https://bugs.webkit.org/show_bug.cgi?id=211012
+        <rdar://problem/62275430>
+
+        Reviewed by Yusuke Suzuki.
+
+        Test is courtesy of Fabien Duchene and Pinki Gyanchandani.
+
+        * js/suppress-asan-on-clobberize-to-workaround-asan-bug-expected.txt: Added.
+        * js/suppress-asan-on-clobberize-to-workaround-asan-bug.html: Added.
+
 2020-04-24  Kate Cheney  <katherine_cheney@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-04-24  Mark Lam  <mark.lam@apple.com>
+
+        Suppress ASan on DFG::clobberize() to work around an ASan bug.
+        https://bugs.webkit.org/show_bug.cgi?id=211012
+        <rdar://problem/62275430>
+
+        Reviewed by Yusuke Suzuki.
+
+        ASan was incorrectly thinking that we're accessing invalid stack memory when we're not.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2020-04-24  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -40 +40 @@
 namespace JSC { namespace DFG {
 
+// FIXME: SUPPRESS_ASAN is needed here because ASan can mistakenly think that
+// we're accesing out of invalid bounds stack memory when we're not. For example,
+// in the CheckIsConstant case below, we compute:
+//    AdjacencyList(AdjacencyList::Fixed, node->child1())
+//
+// 1. The AdjacencyList constructor takes an Edge value.
+// 2. node->child1() returns an Edge&.
+// 3. Clang generates a call to __asan_memcpy to copy the return value of
+//    node->child1() to a temp local on the stack used for passing the Edge
+//    argument to the AdjacencyList constructor.
+// 4. Inside __asan_memcpy, it attempts to write to the temp local Edge in
+//    clobberize's frame (not __asan_memcpy's frame), and ASan will wrongly
+//    flag this as an invalid out of stack bounds write.
+//
+// This manifested with a debug ASan build.
+// See <rdar://problem/62362403>.
+
 template<typename ReadFunctor, typename WriteFunctor, typename DefFunctor>
-void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFunctor& write, const DefFunctor& def)
+SUPPRESS_ASAN void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFunctor& write, const DefFunctor& def)
 {
     // Some notes: