Changeset 261325 in webkit

Timestamp:

May 7, 2020, 12:25:32 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

Add stack checks to the DFG and FTL bytecode parser.
​https://bugs.webkit.org/show_bug.cgi?id=211547
<rdar://problem/62958880>

Reviewed by Yusuke Suzuki.

Source/JavaScriptCore:

Inlining can cause some level of recursion of the DFG bytecode parser. We should
do a stack check at each inlining check before recursing. If a stack overflow
appears to be imminent, then just refuse to inline, and therefore, don't recurse
deeper into the parser.

This issue is more noticeable on ASan debug builds where stack frames can be
humongous.

Removed the SUPPRESS_ASAN on cloberrize() and the associated comment from r260692.
It was a mis-diagnosis. The stack checks are what we need.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleVarargsInlining):
(JSC::DFG::ByteCodeParser::handleInlining):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGGraph.h:

Source/WTF:

Added a StackCheck::Scope RAII object to help verify that the default reserved
zone size is at least adequate for known work loads. If this the StackCheck::Scope
assertions fail, then we either need more stack checks, or the reserved zone size
needs to be increased.

Note that the assertions are usually only on in Debug builds. Ideally, we would
want to measure the reserved zone size with a Release build. To do that, we
can just set VERIFY_STACK_CHECK_RESERVED_ZONE_SIZE to 1 unconditionally in
StackCheck.h and rebuild.

• wtf/StackCheck.h:

(WTF::StackCheck::Scope::Scope):
(WTF::StackCheck::Scope::~Scope):
(WTF::StackCheck::Scope::isSafeToRecurse):
(WTF::StackCheck::StackCheck):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (2 diffs)
• JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• JavaScriptCore/dfg/DFGGraph.h (modified) (3 diffs)
• WTF/ChangeLog (modified) (1 diff)
• WTF/wtf/StackCheck.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-05-07  Mark Lam  <mark.lam@apple.com>
+
+        Add stack checks to the DFG and FTL bytecode parser.
+        https://bugs.webkit.org/show_bug.cgi?id=211547
+        <rdar://problem/62958880>
+
+        Reviewed by Yusuke Suzuki.
+
+        Inlining can cause some level of recursion of the DFG bytecode parser.  We should
+        do a stack check at each inlining check before recursing.  If a stack overflow
+        appears to be imminent, then just refuse to inline, and therefore, don't recurse
+        deeper into the parser.
+
+        This issue is more noticeable on ASan debug builds where stack frames can be
+        humongous.
+
+        Removed the SUPPRESS_ASAN on cloberrize() and the associated comment from r260692.
+        It was a mis-diagnosis.  The stack checks are what we need.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
+        (JSC::DFG::ByteCodeParser::handleInlining):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGGraph.h:
+
 2020-05-07  Darin Adler  <darin@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1927 +1927 @@
 {
     VERBOSE_LOG("Handling inlining (Varargs)...\nStack: ", currentCodeOrigin(), "\n");
+
+    StackCheck::Scope stackChecker(m_graph.m_stackChecker);
+    if (!stackChecker.isSafeToRecurse()) {
+        VERBOSE_LOG("Bailing inlining (compiler thread stack overflow eminent).\nStack: ", currentCodeOrigin(), "\n");
+        return false;
+    }
     if (callLinkStatus.maxArgumentCountIncludingThis() > Options::maximumVarargsForInlining()) {
         VERBOSE_LOG("Bailing inlining: too many arguments for varargs inlining.\n");
@@ -2071 +2077 @@
 {
     VERBOSE_LOG("Handling inlining...\nStack: ", currentCodeOrigin(), "\n");
+
+    StackCheck::Scope stackChecker(m_graph.m_stackChecker);
+    if (!stackChecker.isSafeToRecurse()) {
+        VERBOSE_LOG("Bailing inlining (compiler thread stack overflow eminent).\nStack: ", currentCodeOrigin(), "\n");
+        return CallOptimizationResult::DidNothing;
+    }
     
     CodeSpecializationKind specializationKind = InlineCallFrame::specializationKindFor(kind);

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -40 +40 @@
 namespace JSC { namespace DFG {
 
-// FIXME: SUPPRESS_ASAN is needed here because ASan can mistakenly think that
-// we're accesing out of invalid bounds stack memory when we're not. For example,
-// in the CheckIsConstant case below, we compute:
-//    AdjacencyList(AdjacencyList::Fixed, node->child1())
-//
-// 1. The AdjacencyList constructor takes an Edge value.
-// 2. node->child1() returns an Edge&.
-// 3. Clang generates a call to __asan_memcpy to copy the return value of
-//    node->child1() to a temp local on the stack used for passing the Edge
-//    argument to the AdjacencyList constructor.
-// 4. Inside __asan_memcpy, it attempts to write to the temp local Edge in
-//    clobberize's frame (not __asan_memcpy's frame), and ASan will wrongly
-//    flag this as an invalid out of stack bounds write.
-//
-// This manifested with a debug ASan build.
-// See <rdar://problem/62362403>.
-
 template<typename ReadFunctor, typename WriteFunctor, typename DefFunctor>
-SUPPRESS_ASAN void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFunctor& write, const DefFunctor& def)
+void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFunctor& write, const DefFunctor& def)
 {
     clobberize(graph, node, read, write, def, [] { });

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -42 +42 @@
 #include <wtf/BitVector.h>
 #include <wtf/HashMap.h>
-#include <wtf/Vector.h>
+#include <wtf/StackCheck.h>
 #include <wtf/StdLibExtras.h>
 #include <wtf/StdUnorderedMap.h>
+#include <wtf/Vector.h>
 
 namespace WTF {
@@ -1066 +1067 @@
     void nextPhase() { m_prefix.phaseNumber++; }
 
+    StackCheck m_stackChecker;
     VM& m_vm;
     Plan& m_plan;
     CodeBlock* m_codeBlock;
     CodeBlock* m_profiledBlock;
-    
+
     Vector<RefPtr<BasicBlock>, 8> m_blocks;
     Vector<BasicBlock*, 1> m_roots;

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2020-05-07  Mark Lam  <mark.lam@apple.com>
+
+        Add stack checks to the DFG and FTL bytecode parser.
+        https://bugs.webkit.org/show_bug.cgi?id=211547
+        <rdar://problem/62958880>
+
+        Reviewed by Yusuke Suzuki.
+
+        Added a StackCheck::Scope RAII object to help verify that the default reserved
+        zone size is at least adequate for known work loads.  If this the StackCheck::Scope
+        assertions fail, then we either need more stack checks, or the reserved zone size
+        needs to be increased.
+
+        Note that the assertions are usually only on in Debug builds.  Ideally, we would
+        want to measure the reserved zone size with a Release build.  To do that, we
+        can just set VERIFY_STACK_CHECK_RESERVED_ZONE_SIZE to 1 unconditionally in
+        StackCheck.h and rebuild.
+
+        * wtf/StackCheck.h:
+        (WTF::StackCheck::Scope::Scope):
+        (WTF::StackCheck::Scope::~Scope):
+        (WTF::StackCheck::Scope::isSafeToRecurse):
+        (WTF::StackCheck::StackCheck):
+
 2020-05-06  Yoshiaki Jitsukawa  <yoshiaki.jitsukawa@sony.com> and Fujii Hironori  <Hironori.Fujii@sony.com>
 

trunk/Source/WTF/wtf/StackCheck.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2019-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -31 +31 @@
 namespace WTF {
 
+// We only enable the reserved zone size check by default on ASSERT_ENABLED
+// builds (which usually mean Debug builds). However, it is more valuable to
+// run this test on Release builds. That said, we don't want to do pay this
+// cost always because we may need to do stack checks on hot paths too.
+// Note also that we're deliberately using RELEASE_ASSERTs if the verification
+// is turned on. This makes it easier for us to turn this on for Release builds
+// for a reserved zone size calibration test runs.
+
+#define VERIFY_STACK_CHECK_RESERVED_ZONE_SIZE ASSERT_ENABLED
+
 class StackCheck {
     WTF_MAKE_FAST_ALLOCATED;
 public:
-    StackCheck(const StackBounds& bounds = Thread::current().stack(), size_t minReservedZone = StackBounds::DefaultReservedZone)
+    class Scope {
+    public:
+        Scope(StackCheck& checker)
+            : m_checker(checker)
+        {
+            m_checker.isSafeToRecurse();
+#if VERIFY_STACK_CHECK_RESERVED_ZONE_SIZE
+            RELEASE_ASSERT(checker.m_ownerThread == &Thread::current());
+
+            // Make sure that the stack interval between checks never exceed the
+            // reservedZone size. If the interval exceeds the reservedZone size,
+            // then we either need to:
+            // 1. break the interval into smaller pieces (i.e. insert more checks), or
+            // 2. use a larger reservedZone size.
+            uint8_t* currentStackCheckpoint = reinterpret_cast<uint8_t*>(currentStackPointer());
+            uint8_t* previousStackCheckpoint = m_checker.m_lastStackCheckpoint;
+            RELEASE_ASSERT(previousStackCheckpoint - currentStackCheckpoint > 0);
+            RELEASE_ASSERT(previousStackCheckpoint - currentStackCheckpoint < static_cast<ptrdiff_t>(m_checker.m_reservedZone));
+
+            m_savedLastStackCheckpoint = m_checker.m_lastStackCheckpoint;
+            m_checker.m_lastStackCheckpoint = currentStackCheckpoint;
+#endif
+        }
+
+#if VERIFY_STACK_CHECK_RESERVED_ZONE_SIZE
+        ~Scope()
+        {
+            m_checker.m_lastStackCheckpoint = m_savedLastStackCheckpoint;
+        }
+#endif
+
+        bool isSafeToRecurse() { return m_checker.isSafeToRecurse(); }
+
+    private:
+        StackCheck& m_checker;
+#if VERIFY_STACK_CHECK_RESERVED_ZONE_SIZE
+        uint8_t* m_savedLastStackCheckpoint;
+#endif
+    };
+
+    StackCheck(const StackBounds& bounds = Thread::current().stack(), size_t minReservedZone = defaultReservedZoneSize)
         : m_stackLimit(bounds.recursionLimit(minReservedZone))
+#if VERIFY_STACK_CHECK_RESERVED_ZONE_SIZE
+        , m_ownerThread(&Thread::current())
+        , m_lastStackCheckpoint(reinterpret_cast<uint8_t*>(currentStackPointer()))
+        , m_reservedZone(minReservedZone)
+#endif
     { }
 
@@ -41 +96 @@
 
 private:
+#if ASAN_ENABLED
+    static constexpr size_t defaultReservedZoneSize = StackBounds::DefaultReservedZone * 2;
+#else
+    static constexpr size_t defaultReservedZoneSize = StackBounds::DefaultReservedZone;
+#endif
+
     void* m_stackLimit;
+#if VERIFY_STACK_CHECK_RESERVED_ZONE_SIZE
+    Thread* m_ownerThread;
+    uint8_t* m_lastStackCheckpoint;
+    size_t m_reservedZone;
+#endif
+
+    friend class Scope;
 };