Changeset 252239 in webkit

Timestamp:

Nov 8, 2019 8:58:49 AM (4 years ago)

Author:

mark.lam@apple.com

Message:

Add a stack overflow check in Yarr::ByteCompiler::emitDisjunction().
​https://bugs.webkit.org/show_bug.cgi?id=203936
<rdar://problem/56624724>

Reviewed by Saam Barati.

JSTests:

This issue originally manifested as incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js
failing on iOS devices due to its smaller stack. We adapted the original test
here using $vm.callWithStackSize() to reproduce the issue on x86_64 though it
has a much larger physical stack to work with. This new test will crash while
stepping on the guard page beyond the end of the stack if the fix is not applied.

• stress/stack-overflow-in-yarr-byteCompile.js: Added.

Source/JavaScriptCore:

Basically, any functions below Yarr::ByteCompiler::compile() that recurses need
to check if it's safe to recurse before doing so. This patch adds the stack
checks in Yarr::ByteCompiler::compile() because it is the entry point to this
sub-system, and Yarr::ByteCompiler::emitDisjunction() because it is the only
function that recurses. All other functions called below compile() are either
leaf functions or have shallow stack usage. Hence, their stack needs are covered
by the DefaultReservedZone, and they do not need stack checks.

This patch also does the following:

1. Added $vm.callWithStackSize() which can be used to call a test function near the end of the physical stack. This enables is to simulate the smaller stack size of more resource constrained devices.

$vm.callWithStackSize() uses inline asm to adjust the stack pointer and
does the callback via the JIT probe trampoline.

2. Added the --disableOptionsFreezingForTesting to the jsc shell to make it possible to disable freezing of JSC options. $vm.callWithStackSize() relies on this to modify the VM's stack limits.

3. Removed the inline modifier on VM::updateStackLimits() so that we can call it from $vm.callWithStackSize() as well. It is not a performance critical function and is rarely called.

4. Added a JSDollarVMHelper class that other parts of the system can declare as a friend. This gives $vm a backdoor into the private functions and fields of classes for its debugging work. In this patch, we're only using it to access VM::updateVMStackLimits().

• jsc.cpp:

(CommandLine::parseArguments):

• runtime/VM.cpp:

(JSC::VM::updateStackLimits):

• runtime/VM.h:
• tools/JSDollarVM.cpp:

(JSC::JSDollarVMHelper::JSDollarVMHelper):
(JSC::JSDollarVMHelper::vmStackStart):
(JSC::JSDollarVMHelper::vmStackLimit):
(JSC::JSDollarVMHelper::vmSoftStackLimit):
(JSC::JSDollarVMHelper::updateVMStackLimits):
(JSC::callWithStackSizeProbeFunction):
(JSC::functionCallWithStackSize):
(JSC::JSDollarVM::finishCreation):
(IGNORE_WARNINGS_BEGIN): Deleted.

• yarr/YarrInterpreter.cpp:

(JSC::Yarr::ByteCompiler::compile):
(JSC::Yarr::ByteCompiler::emitDisjunction):
(JSC::Yarr::ByteCompiler::isSafeToRecurse):

Source/WTF:

1. Add a StackCheck utility class so that we don't have to keep reinventing this every time we need to add stack checking somewhere.
2. Rename some arguments and constants in StackBounds to be more descriptive of what they actually are.

• WTF.xcodeproj/project.pbxproj:
• wtf/CMakeLists.txt:
• wtf/StackBounds.h:

(WTF::StackBounds::recursionLimit const):

• wtf/StackCheck.h: Added.

(WTF::StackCheck::StackCheck):
(WTF::StackCheck::isSafeToRecurse):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/stack-overflow-in-yarr-byteCompile.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/jsc.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/VM.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/VM.h (modified) (1 diff)
• Source/JavaScriptCore/tools/JSDollarVM.cpp (modified) (5 diffs)
• Source/JavaScriptCore/yarr/YarrInterpreter.cpp (modified) (4 diffs)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/WTF.xcodeproj/project.pbxproj (modified) (2 diffs)
• Source/WTF/wtf/CMakeLists.txt (modified) (1 diff)
• Source/WTF/wtf/StackBounds.h (modified) (3 diffs)
• Source/WTF/wtf/StackCheck.h (added)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-11-07  Mark Lam  <mark.lam@apple.com>
+
+        Add a stack overflow check in Yarr::ByteCompiler::emitDisjunction().
+        https://bugs.webkit.org/show_bug.cgi?id=203936
+        <rdar://problem/56624724>
+
+        Reviewed by Saam Barati.
+
+        This issue originally manifested as incorrect-exception-assertion-in-operationRegExpExecNonGlobalOrSticky.js
+        failing on iOS devices due to its smaller stack.  We adapted the original test
+        here using $vm.callWithStackSize() to reproduce the issue on x86_64 though it
+        has a much larger physical stack to work with.  This new test will crash while
+        stepping on the guard page beyond the end of the stack if the fix is not applied.
+
+        * stress/stack-overflow-in-yarr-byteCompile.js: Added.
+
 2019-11-07  Tuomas Karkkainen  <tuomas.webkit@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-11-07  Mark Lam  <mark.lam@apple.com>
+
+        Add a stack overflow check in Yarr::ByteCompiler::emitDisjunction().
+        https://bugs.webkit.org/show_bug.cgi?id=203936
+        <rdar://problem/56624724>
+
+        Reviewed by Saam Barati.
+
+        Basically, any functions below Yarr::ByteCompiler::compile() that recurses need
+        to check if it's safe to recurse before doing so.  This patch adds the stack
+        checks in Yarr::ByteCompiler::compile() because it is the entry point to this
+        sub-system, and Yarr::ByteCompiler::emitDisjunction() because it is the only
+        function that recurses.  All other functions called below compile() are either
+        leaf functions or have shallow stack usage.  Hence, their stack needs are covered
+        by the DefaultReservedZone, and they do not need stack checks.
+
+        This patch also does the following:
+        1. Added $vm.callWithStackSize() which can be used to call a test function near
+           the end of the physical stack.  This enables is to simulate the smaller stack
+           size of more resource constrained devices.
+
+           $vm.callWithStackSize() uses inline asm to adjust the stack pointer and
+           does the callback via the JIT probe trampoline.
+
+        2. Added the --disableOptionsFreezingForTesting to the jsc shell to make it
+           possible to disable freezing of JSC options.  $vm.callWithStackSize() relies
+           on this to modify the VM's stack limits.
+
+        3. Removed the inline modifier on VM::updateStackLimits() so that we can call it
+           from $vm.callWithStackSize() as well.  It is not a performance critical
+           function and is rarely called.
+
+        4. Added a JSDollarVMHelper class that other parts of the system can declare as
+           a friend.  This gives $vm a backdoor into the private functions and fields of
+           classes for its debugging work.  In this patch, we're only using it to access
+           VM::updateVMStackLimits().
+
+        * jsc.cpp:
+        (CommandLine::parseArguments):
+        * runtime/VM.cpp:
+        (JSC::VM::updateStackLimits):
+        * runtime/VM.h:
+        * tools/JSDollarVM.cpp:
+        (JSC::JSDollarVMHelper::JSDollarVMHelper):
+        (JSC::JSDollarVMHelper::vmStackStart):
+        (JSC::JSDollarVMHelper::vmStackLimit):
+        (JSC::JSDollarVMHelper::vmSoftStackLimit):
+        (JSC::JSDollarVMHelper::updateVMStackLimits):
+        (JSC::callWithStackSizeProbeFunction):
+        (JSC::functionCallWithStackSize):
+        (JSC::JSDollarVM::finishCreation):
+        (IGNORE_WARNINGS_BEGIN): Deleted.
+        * yarr/YarrInterpreter.cpp:
+        (JSC::Yarr::ByteCompiler::compile):
+        (JSC::Yarr::ByteCompiler::emitDisjunction):
+        (JSC::Yarr::ByteCompiler::isSafeToRecurse):
+
 2019-11-07  Tadeu Zagallo  <tzagallo@apple.com>
 

trunk/Source/JavaScriptCore/jsc.cpp

@@ -2892 +2892 @@
             continue;
         }
+        if (!strcmp(arg, "--disableOptionsFreezingForTesting")) {
+            Config::disableFreezingForTesting();
+            continue;
+        }
 
         static const char* timeoutMultiplierOptStr = "--timeoutMultiplier=";

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -882 +882 @@
 #endif
 
-inline void VM::updateStackLimits()
+void VM::updateStackLimits()
 {
 #if OS(WINDOWS)

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -1094 +1094 @@
     friend class CatchScope;
     friend class ExceptionScope;
+    friend class JSDollarVMHelper;
     friend class ThrowScope;
     friend class VMTraps;

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -32 +32 @@
 #include "DOMJITGetterSetter.h"
 #include "Debugger.h"
+#include "Error.h"
 #include "FrameTracers.h"
 #include "FunctionCodeBlock.h"
@@ -44 +45 @@
 #include "Options.h"
 #include "Parser.h"
+#include "ProbeContext.h"
 #include "ShadowChicken.h"
 #include "Snippet.h"
@@ -64 +66 @@
 
 IGNORE_WARNINGS_BEGIN("frame-address")
+
+extern "C" void ctiMasmProbeTrampoline();
+
+namespace JSC {
+
+// This class is only here as a simple way to grant JSDollarVM friend privileges
+// to all the classes that it needs special access to.
+class JSDollarVMHelper {
+public:
+    JSDollarVMHelper(VM& vm)
+        : m_vm(vm)
+    { }
+
+    void updateVMStackLimits() { return m_vm.updateStackLimits(); };
+
+private:
+    VM& m_vm;
+};
+
+} // namespace JSC
 
 namespace {
@@ -1969 +1991 @@
 }
 
+// Calls the specified test function after adjusting the stack to have the specified
+// remaining size from the end of the physical stack.
+// Usage: $vm.callWithStackSize(funcToCall, desiredStackSize)
+//
+// This function will only work in test configurations, specifically, only if JSC
+// options are not frozen. For the jsc shell, the --disableOptionsFreezingForTesting
+// argument needs to be passed in on the command line.
+
+#if ENABLE(MASM_PROBE)
+static void callWithStackSizeProbeFunction(Probe::State* state)
+{
+    JSGlobalObject* globalObject = bitwise_cast<JSGlobalObject*>(state->arg);
+    JSFunction* function = bitwise_cast<JSFunction*>(state->probeFunction);
+    state->initializeStackFunction = nullptr;
+    state->initializeStackArg = nullptr;
+
+    DollarVMAssertScope assertScope;
+    VM& vm = globalObject->vm();
+
+    CallData callData;
+    CallType callType = getCallData(vm, function, callData);
+    MarkedArgumentBuffer args;
+    call(globalObject, function, callType, callData, jsUndefined(), args);
+}
+#endif // ENABLE(MASM_PROBE)
+
+static EncodedJSValue JSC_HOST_CALL functionCallWithStackSize(JSGlobalObject* globalObject, CallFrame* callFrame)
+{
+    DollarVMAssertScope assertScope;
+    VM& vm = globalObject->vm();
+    JSLockHolder lock(vm);
+    auto throwScope = DECLARE_THROW_SCOPE(vm);
+
+#if OS(DARWIN) && CPU(X86_64)
+    constexpr bool isSupportedByPlatform = true;
+#else
+    constexpr bool isSupportedByPlatform = false;
+#endif
+
+    if (!isSupportedByPlatform)
+        return throwVMError(globalObject, throwScope, "Not supported for this platform");
+
+#if ENABLE(MASM_PROBE)
+    if (g_jscConfig.isPermanentlyFrozen || !g_jscConfig.disabledFreezingForTesting)
+        return throwVMError(globalObject, throwScope, "Options are frozen");
+
+    if (callFrame->argumentCount() < 2)
+        return throwVMError(globalObject, throwScope, "Invalid number of arguments");
+    JSValue arg0 = callFrame->argument(0);
+    JSValue arg1 = callFrame->argument(1);
+    if (!arg0.isFunction(vm))
+        return throwVMError(globalObject, throwScope, "arg0 should be a function");
+    if (!arg1.isNumber())
+        return throwVMError(globalObject, throwScope, "arg1 should be a number");
+
+    JSFunction* function = jsCast<JSFunction*>(arg0.toObject(globalObject));
+    size_t desiredStackSize = arg1.asNumber();
+
+    const StackBounds& bounds = Thread::current().stack();
+    uint8_t* currentStackPosition = bitwise_cast<uint8_t*>(currentStackPointer());
+    uint8_t* end = bitwise_cast<uint8_t*>(bounds.end());
+    uint8_t* desiredStart = end + desiredStackSize;
+    if (desiredStart >= currentStackPosition)
+        return throwVMError(globalObject, throwScope, "Unable to setup desired stack size");
+
+    JSDollarVMHelper helper(vm);
+
+    unsigned originalMaxPerThreadStackUsage = Options::maxPerThreadStackUsage();
+    void* originalVMSoftStackLimit = vm.softStackLimit();
+    void* originalVMStackLimit = vm.stackLimit();
+
+    // This is a hack to make the VM think it's stack limits are near the end
+    // of the physical stack.
+    uint8_t* vmStackStart = bitwise_cast<uint8_t*>(vm.stackPointerAtVMEntry());
+    uint8_t* vmStackEnd = vmStackStart - originalMaxPerThreadStackUsage;
+    ptrdiff_t sizeDiff = vmStackEnd - end;
+    RELEASE_ASSERT(sizeDiff >= 0);
+    RELEASE_ASSERT(sizeDiff < UINT_MAX);
+
+    Options::maxPerThreadStackUsage() = originalMaxPerThreadStackUsage + sizeDiff;
+    helper.updateVMStackLimits();
+
+#if OS(DARWIN) && CPU(X86_64)
+    __asm__ volatile (
+        "subq %[sizeDiff], %%rsp" "\n"
+        "pushq %%rax" "\n"
+        "pushq %%rcx" "\n"
+        "pushq %%rdx" "\n"
+        "pushq %%rbx" "\n"
+        "callq *%%rax" "\n"
+        "addq %[sizeDiff], %%rsp" "\n"
+        :
+        : "a" (ctiMasmProbeTrampoline)
+        , "c" (callWithStackSizeProbeFunction)
+        , "d" (function)
+        , "b" (globalObject)
+        , [sizeDiff] "rm" (sizeDiff)
+        : "memory"
+    );
+#else
+    UNUSED_PARAM(function);
+    UNUSED_PARAM(callWithStackSizeProbeFunction);
+#endif // OS(DARWIN) && CPU(X86_64)
+
+    Options::maxPerThreadStackUsage() = originalMaxPerThreadStackUsage;
+    helper.updateVMStackLimits();
+    RELEASE_ASSERT(vm.softStackLimit() == originalVMSoftStackLimit);
+    RELEASE_ASSERT(vm.stackLimit() == originalVMStackLimit);
+
+    return encodedJSUndefined();
+
+#else // not ENABLE(MASM_PROBE)
+    UNUSED_PARAM(callFrame);
+    return throwVMError(globalObject, throwScope, "Not supported for this platform");
+#endif // ENABLE(MASM_PROBE)
+}
+
 // Creates a new global object.
 // Usage: $vm.createGlobalObject()
@@ -2630 +2769 @@
     addFunction(vm, "haveABadTime", functionHaveABadTime, 1);
     addFunction(vm, "isHavingABadTime", functionIsHavingABadTime, 1);
+
+    addFunction(vm, "callWithStackSize", functionCallWithStackSize, 2);
 
     addFunction(vm, "createGlobalObject", functionCreateGlobalObject, 0);

trunk/Source/JavaScriptCore/yarr/YarrInterpreter.cpp

@@ -35 +35 @@
 #include <wtf/CheckedArithmetic.h>
 #include <wtf/DataLog.h>
+#include <wtf/StackCheck.h>
 #include <wtf/text/CString.h>
 #include <wtf/text/WTFString.h>
@@ -1695 +1696 @@
     std::unique_ptr<BytecodePattern> compile(BumpPointerAllocator* allocator, ConcurrentJSLock* lock, ErrorCode& errorCode)
     {
+        if (UNLIKELY(!isSafeToRecurse())) {
+            errorCode = ErrorCode::TooManyDisjunctions;
+            return nullptr;
+        }
+
         regexBegin(m_pattern.m_numSubpatterns, m_pattern.m_body->m_callFrameSize, m_pattern.m_body->m_alternatives[0]->onceThrough());
         if (auto error = emitDisjunction(m_pattern.m_body, 0, 0)) {
@@ -2029 +2035 @@
     Optional<ErrorCode> WARN_UNUSED_RETURN emitDisjunction(PatternDisjunction* disjunction, Checked<unsigned, RecordOverflow> inputCountAlreadyChecked, unsigned parenthesesInputCountAlreadyChecked)
     {
+        if (UNLIKELY(!isSafeToRecurse()))
+            return ErrorCode::TooManyDisjunctions;
+
         for (unsigned alt = 0; alt < disjunction->m_alternatives.size(); ++alt) {
             auto currentCountAlreadyChecked = inputCountAlreadyChecked;
@@ -2406 +2415 @@
 
 private:
+    inline bool isSafeToRecurse() { return m_stackCheck.isSafeToRecurse(); }
+
     YarrPattern& m_pattern;
     std::unique_ptr<ByteDisjunction> m_bodyDisjunction;
+    StackCheck m_stackCheck;
     unsigned m_currentAlternativeIndex { 0 };
     Vector<ParenthesesStackEntry> m_parenthesesStack;

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2019-11-07  Mark Lam  <mark.lam@apple.com>
+
+        Add a stack overflow check in Yarr::ByteCompiler::emitDisjunction().
+        https://bugs.webkit.org/show_bug.cgi?id=203936
+        <rdar://problem/56624724>
+
+        Reviewed by Saam Barati.
+
+        1. Add a StackCheck utility class so that we don't have to keep reinventing this
+           every time we need to add stack checking somewhere.
+        2. Rename some arguments and constants in StackBounds to be more descriptive of
+           what they actually are.
+
+        * WTF.xcodeproj/project.pbxproj:
+        * wtf/CMakeLists.txt:
+        * wtf/StackBounds.h:
+        (WTF::StackBounds::recursionLimit const):
+        * wtf/StackCheck.h: Added.
+        (WTF::StackCheck::StackCheck):
+        (WTF::StackCheck::isSafeToRecurse):
+
 2019-11-06  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/WTF/WTF.xcodeproj/project.pbxproj

@@ -695 +695 @@
                 FE05FAE61FDB214300093230 /* DumbPtrTraits.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DumbPtrTraits.h; sourceTree = "<group>"; };
                 FE05FAFE1FE5007500093230 /* WTFAssertions.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WTFAssertions.cpp; sourceTree = "<group>"; };
+                FE1D6D87237401CD007A5C26 /* StackCheck.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StackCheck.h; sourceTree = "<group>"; };
                 FE1E2C392240C05400F6B729 /* PtrTag.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PtrTag.cpp; sourceTree = "<group>"; };
                 FE1E2C41224187C600F6B729 /* PlatformRegisters.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PlatformRegisters.cpp; sourceTree = "<group>"; };
@@ -1153 +1154 @@
                                 A8A4730E151A825B004123FF /* StackBounds.cpp */,
                                 A8A4730F151A825B004123FF /* StackBounds.h */,
+                                FE1D6D87237401CD007A5C26 /* StackCheck.h */,
                                 FEEA4DF8216D7BE400AC0602 /* StackPointer.cpp */,
                                 FEEA4DF7216D608C00AC0602 /* StackPointer.h */,

trunk/Source/WTF/wtf/CMakeLists.txt

@@ -216 +216 @@
     Spectrum.h
     StackBounds.h
+    StackCheck.h
     StackPointer.h
     StackShot.h

trunk/Source/WTF/wtf/StackBounds.h

@@ -35 +35 @@
 class StackBounds {
     WTF_MAKE_FAST_ALLOCATED;
+public:
 
     // This 64k number was picked because a sampling of stack usage differences
@@ -41 +42 @@
     // conservative availability value that is not too large but comfortably
     // exceeds 27k with some buffer for error.
-    static constexpr size_t s_defaultAvailabilityDelta = 64 * 1024;
+    static constexpr size_t DefaultReservedZone = 64 * 1024;
 
-public:
     static constexpr StackBounds emptyBounds() { return StackBounds(); }
 
@@ -83 +83 @@
     }
 
-    void* recursionLimit(size_t minAvailableDelta = s_defaultAvailabilityDelta) const
+    void* recursionLimit(size_t minReservedZone = DefaultReservedZone) const
     {
         checkConsistency();
-        return static_cast<char*>(m_bound) + minAvailableDelta;
+        return static_cast<char*>(m_bound) + minReservedZone;
     }