Changeset 211479 in webkit
- Timestamp:
- Feb 1, 2017 3:29:25 AM (6 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 5 edited
-
JSTests/ChangeLog (modified) (1 diff)
-
JSTests/stress/arity-fixup-should-not-touch-stack-area-below-sp.js (added)
-
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
-
Source/JavaScriptCore/jit/ThunkGenerators.cpp (modified) (2 diffs)
-
Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (2 diffs)
-
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (2 diffs)
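--- a/trunk/JSTests/ChangeLog
+++ b/trunk/JSTests/ChangeLog
@@ -1,2 +1,13 @@
+2017-02-01 Yusuke Suzuki <utatane.tea@gmail.com>
+
+ArityFixup should adjust SP first
+https://bugs.webkit.org/show_bug.cgi?id=167239
+
+Reviewed by Michael Saboff.
+
+Significantly large arity fixup reliably causes this crash.
+
+* stress/arity-fixup-should-not-touch-stack-area-below-sp.js: Added.
+
 2017-01-31 Filip Pizlo <fpizlo@apple.com>
 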
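--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,23 @@
+2017-02-01 Yusuke Suzuki <utatane.tea@gmail.com>
+
+ArityFixup should adjust SP first
+https://bugs.webkit.org/show_bug.cgi?id=167239
+
+Reviewed by Michael Saboff.
+
+Arity fixup extends the stack and copy/fill the stack with
+the values. At that time, we accidentally read/write stack
+space below the stack pointer. As a result, we touch the area
+of the stack space below the x64 red zone. These areas are unsafe.
+OS may corrupt this space when constructing a signal stack.
+The Linux kernel could not populate the pages for this space
+and causes segmentation fault. This patch changes the stack
+pointer before performing the arity fixup.
+
+* jit/ThunkGenerators.cpp:
+(JSC::arityFixupGenerator):
+* llint/LowLevelInterpreter32_64.asm:
+* llint/LowLevelInterpreter64.asm:
+
 2017-01-31 Filip Pizlo <fpizlo@apple.com>
 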
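--- a/trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp
+++ b/trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp
@@ -441,4 +441,13 @@
 jit.neg64(JSInterfaceJIT::argumentGPR0);
 
+// Adjust call frame register and stack pointer to account for missing args.
+// We need to change the stack pointer first before performing copy/fill loops.
+// This stack space below the stack pointer is considered unsed by OS. Therefore,
+// OS may corrupt this space when constructing a signal stack.
+jit.move(JSInterfaceJIT::argumentGPR0, extraTemp);
+jit.lshift64(JSInterfaceJIT::TrustedImm32(3), extraTemp);
+jit.addPtr(extraTemp, JSInterfaceJIT::callFrameRegister);
+jit.addPtr(extraTemp, JSInterfaceJIT::stackPointerRegister);
+
 // Move current frame down argumentGPR0 number of slots
 JSInterfaceJIT::Label copyLoop(jit.label());
@@ -456,10 +465,4 @@
 jit.branchAdd32(MacroAssembler::NonZero, JSInterfaceJIT::TrustedImm32(1), JSInterfaceJIT::argumentGPR2).linkTo(fillUndefinedLoop, &jit);
 
-// Adjust call frame register and stack pointer to account for missing args
-jit.move(JSInterfaceJIT::argumentGPR0, extraTemp);
-jit.lshift64(JSInterfaceJIT::TrustedImm32(3), extraTemp);
-jit.addPtr(extraTemp, JSInterfaceJIT::callFrameRegister);
-jit.addPtr(extraTemp, JSInterfaceJIT::stackPointerRegister);
-
 done.link(&jit);
 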
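Review bot: The new comment block misspells "unused" ("considered unsed by OS") and is vaguer than the ChangeLog about why writing below sp is a memory-corruption hazard; since this comment is the only in-code record of the invariant, I would tighten it to `// Move sp (and cfr) before the copy/fill loops: the ABI only guarantees the 128-byte red zone below sp, so a signal delivered mid-loop can clobber anything written further down.` The hoisted block also clobbers extraTemp before the copy loop, which is fine only if the loop reloads it before reading it; the loop body is outside the hunk, and arityFixupGenerator continues past both hunks. Unlike the LLInt hunks, which visibly snapshot cfr into t3 before adding the delta, nothing here shows what base register the copy loop addresses through, so if it uses callFrameRegister rather than a saved copy the hoist would change which frame is read and that is worth confirming. Moving sp first also means an undersized stack now faults on the guard page instead of silently corrupting memory, which presumes the stack-limit check ran before this thunk.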
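--- a/trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+++ b/trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
@@ -614,4 +614,8 @@
 negi t1
 move cfr, t3
+move t1, t0
+lshiftp 3, t0
+addp t0, cfr
+addp t0, sp
 .copyLoop:
 loadi PayloadOffset[t3], t0
@@ -632,7 +636,4 @@
 baddinz 1, t2, .fillLoop
 
-lshiftp 3, t1
-addp t1, cfr
-addp t1, sp
 .continue:
 # Reload CodeBlock and PC, since the slow_path clobbered it.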
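Review bot: The hoisted `move t1, t0 / lshiftp 3, t0 / addp t0, cfr / addp t0, sp` carries no comment, whereas the matching ThunkGenerators change explains why sp must move before the loops; a one-liner above `move t1, t0` such as `# Adjust cfr/sp before the copy/fill loops: writes below sp may be clobbered by signal delivery.` would keep the two implementations in sync. The ordering is correct only because the copy loop addresses through t3, which is snapshotted from cfr on the line just above the insertion, and because t0 is dead here — `loadi PayloadOffset[t3], t0` overwrites it on the first loop instruction; the fill loop is outside the hunk, so the same holds for it only if it also uses t3. Since t1 now keeps the negated slot count instead of being shifted into a byte delta, check that nothing after `.continue:` still expects t1 to hold the shifted value.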
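--- a/trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+++ b/trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
@@ -526,4 +526,8 @@
 subp CalleeSaveSpaceAsVirtualRegisters * 8, t3
 addi CalleeSaveSpaceAsVirtualRegisters, t2
+move t1, t0
+lshiftp 3, t0
+addp t0, cfr
+addp t0, sp
 .copyLoop:
 loadq [t3], t0
@@ -539,8 +543,4 @@
 addp 8, t3
 baddinz 1, t2, .fillLoop
-
-lshiftp 3, t1
-addp t1, cfr
-addp t1, sp
 
 .continue: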
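Review bot: Same missing rationale as in the 32_64 hunk: the block `move t1, t0 … addp t0, sp` is inserted silently, and a comment like `# Adjust cfr and sp first; the copy/fill loops must never touch memory below sp (signals may clobber it).` would tie the code to the invariant that arity-fixup-should-not-touch-stack-area-below-sp.js pins. The copy loop reads through t3, but this hunk only shows t3 being offset by `CalleeSaveSpaceAsVirtualRegisters * 8`; where t3 was derived from (presumably cfr, before the hunk begins) is not visible, so the snapshot-before-adjust ordering should be confirmed there. Clobbering t0 is harmless because `loadq [t3], t0` reloads it immediately; as in the 32_64 file, t1 now survives unshifted, which matters only if code after `.continue:` relied on the old byte delta.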