181802 2018-01-18 10:16:15 -0800 REGRESSION (r226068): [X86] Crash in JavaScriptCore ShadowChicken when handling exceptions 2018-01-18 10:44:32 -0800 1 1 1 Unclassified WebKit JavaScriptCore Other Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 msaboff msaboff ews-watchlist fpizlo keith_miller mark.lam saam webkit-bug-importer oldest_to_newest 1390556 0 msaboff 2018-01-18 10:16:15 -0800 After change set r226068, X86 (32 bit builds) crash handling exceptions in ShadowChicken::update(). Here is a crash in testapi when run from the debugger: Process 55384 stopped * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT) frame #0: 0x004d0892 JavaScriptCore`JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*) [inlined] WTF::VectorBufferBase<JSC::ShadowChicken::Frame, WTF::FastMalloc>::VectorBufferBase() at Vector.h:337 [opt] 334 protected: 335 VectorBufferBase() 336 : m_buffer(0) -> 337 , m_capacity(0) 338 , m_size(0) 339 , m_mask(0) 340 { Target 0: (testapi) stopped. (lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT) * frame #0: 0x004d0892 JavaScriptCore`JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*) [inlined] WTF::VectorBufferBase<JSC::ShadowChicken::Frame, WTF::FastMalloc>::VectorBufferBase() at Vector.h:337 [opt] frame #1: 0x004d088e JavaScriptCore`JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*) [inlined] WTF::VectorBuffer<JSC::ShadowChicken::Frame, 0ul, WTF::FastMalloc>::VectorBuffer() at Vector.h:376 [opt] frame #2: 0x004d088e JavaScriptCore`JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*) [inlined] WTF::Vector<JSC::ShadowChicken::Frame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::Vector() at Vector.h:621 [opt] frame #3: 0x004d088e JavaScriptCore`JSC::ShadowChicken::update(JSC::VM&, JSC::ExecState*) [inlined] WTF::Vector<JSC::ShadowChicken::Frame, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::Vector() at Vector.h:622 [opt] frame #4: 0x004d088e JavaScriptCore`JSC::ShadowChicken::update(this=<unavailable>, vm=<unavailable>, exec=<unavailable>) at ShadowChicken.cpp:155 [opt] frame #5: 0x004cfd6a JavaScriptCore`JSC::ShadowChicken::log(this=0x07232c40, vm=0x05968000, exec=0xbfffedd8, packet=0xbfffed40) at ShadowChicken.cpp:85 [opt] frame #6: 0x004ff550 JavaScriptCore`JSC::genericUnwind(vm=0x05968000, callFrame=<unavailable>, unwindStart=<unavailable>) at JITExceptions.cpp:62 [opt] frame #7: 0x004ff6b6 JavaScriptCore`JSC::genericUnwind(vm=0x05968000, callFrame=0xbfffedd8) at JITExceptions.cpp:98 [opt] frame #8: 0x0052c034 JavaScriptCore`::operationVMHandleException(exec=0xbfffedd8) at JITOperations.cpp:2354 [opt] frame #9: 0x038017a5 frame #10: 0x000b26fb JavaScriptCore`llint_entry at LowLevelInterpreter.asm:830 frame #11: 0x000ad51e JavaScriptCore`vmEntryToJavaScript at LowLevelInterpreter32_64.asm:279 frame #12: 0x004fd56d JavaScriptCore`JSC::JITCode::execute(this=<unavailable>, vm=0x05968000, protoCallFrame=0xbfffeee0) at JITCode.cpp:81 [opt] frame #13: 0x004ceed6 JavaScriptCore`JSC::Interpreter::executeProgram(this=0x01d50bb0, source=0xbffff4c0, callFrame=<unavailable>, thisObj=<unavailable>) at Interpreter.cpp:941 [opt] frame #14: 0x006d1ba9 JavaScriptCore`JSC::evaluate(exec=<unavailable>, source=<unavailable>, thisValue=JSValue @ 0xbffff488, returnedException=<unavailable>) at Completion.cpp:103 [opt] frame #15: 0x000d5ea9 JavaScriptCore`::JSScriptEvaluate(context=<unavailable>, script=0x072e0508, thisValueRef=<unavailable>, exception=<unavailable>) at JSScriptRef.cpp:156 [opt] frame #16: 0x0000a362 testapi`main(argc=2, argv=<unavailable>) at testapi.c:1981 [opt] frame #17: 0xa73b66e1 libdyld.dylib`start + 1 (lldb) It looks like our X86-32 exception handling from our native call thunks don’t properly align the stack before calling exception handling code. The exception handling code calls into ShadowChicken code to update the shadow stack. The Vector index masking change made in r226068 added a new field to Vector objects, going from three 4 byte fields to four. The compiler decided to initialize all fields using a zeroed xmm register. The crash happened here because ShadowChicken::update() has a local Vector object (alocated on the stack). Since the stack isn’t aligned on 16 byte boundaries like it’s suppose to, the store of the xmm register to the stack location caused a SEGV. 1390557 1 msaboff 2018-01-18 10:16:41 -0800 <rdar://problem/36348520> 1390569 2 331639 msaboff 2018-01-18 10:39:15 -0800 Created attachment 331639 Patch 1390570 3 msaboff 2018-01-18 10:44:32 -0800 Committed r227152: <https://trac.webkit.org/changeset/227152> 331639 2018-01-18 10:39:15 -0800 2018-01-18 10:39:40 -0800 Patch 181802.patch text/plain 5955 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMjI3MTQ5KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDI3IEBA CisyMDE4LTAxLTE4ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIFJFR1JFU1NJT04gKHIyMjYwNjgpOiBbWDg2XSBDcmFzaCBpbiBKYXZhU2NyaXB0Q29yZSBT aGFkb3dDaGlja2VuIHdoZW4gaGFuZGxpbmcgZXhjZXB0aW9ucworICAgICAgICBodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTgxODAyCisKKyAgICAgICAgUmV2aWV3ZWQg YnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgVGhlcmUgd2hlcmUgYSBmZXcgcGxhY2VzIHdo ZXJlIHRoZSBzdGFjayBpc24ndCBwcm9wZXJseSBhbGlnbmVkIGZvciBYODYgd2hlbiB3ZSBjYWxs IGludG8gQysrIGNvZGUuCisgICAgICAgIFR3byBwbGFjZXMgYXJlIHdoZXJlIHdlIGNhbGwgaW50 byBleGNlcHRpb24gaGFuZGxpbmcgY29kZSwgdGhlIExMSW50IGFuZCBmcm9tIG5hdGl2ZUZvckdl bmVyYXRvci4KKyAgICAgICAgVGhlIG90aGVyIHBsYWNlIHdhcyB3aGVuIHdlIGNhbGwgaW50byB0 aGUgb3BlcmF0aW9uT1NSV3JpdGVCYXJyaWVyKCkuCisKKyAgICAgICAgQWRkZWQgYW4gYXNzZXJ0 IGNoZWNrIHRoYXQgdGhlIHN0YWNrIGlzIGFsaWduZWQgb24gWDg2IHBsYXRmb3JtcyBpbiB0aGUg bmF0aXZlIGNhbGwgdHJhY2luZyBjb2RlLgorICAgICAgICBUaGlzIGhlbHBlZCBmaW5kIHRoZSBv dGhlciBjYXNlcyBiZXlvbmQgdGhlIG9yaWdpbmFsIHByb2JsZW0uCisKKyAgICAgICAgKiBkZmcv REZHT1NSRXhpdENvbXBpbGVyQ29tbW9uLmNwcDoKKyAgICAgICAgKEpTQzo6REZHOjpvc3JXcml0 ZUJhcnJpZXIpOgorICAgICAgICAqIGludGVycHJldGVyL0ZyYW1lVHJhY2Vycy5oOgorICAgICAg ICAoSlNDOjphc3NlcnRTdGFja1BvaW50ZXJJc0FsaWduZWQpOgorICAgICAgICAoSlNDOjpOYXRp dmVDYWxsRnJhbWVUcmFjZXI6Ok5hdGl2ZUNhbGxGcmFtZVRyYWNlcik6CisgICAgICAgIChKU0M6 Ok5hdGl2ZUNhbGxGcmFtZVRyYWNlcldpdGhSZXN0b3JlOjpOYXRpdmVDYWxsRnJhbWVUcmFjZXJX aXRoUmVzdG9yZSk6CisgICAgICAgICogaml0L1RodW5rR2VuZXJhdG9ycy5jcHA6CisgICAgICAg IChKU0M6Om5hdGl2ZUZvckdlbmVyYXRvcik6CisgICAgICAgICogbGxpbnQvTG93TGV2ZWxJbnRl cnByZXRlcjMyXzY0LmFzbToKKwogMjAxOC0wMS0xOCAgQ29tbWl0IFF1ZXVlICA8Y29tbWl0LXF1 ZXVlQHdlYmtpdC5vcmc+CiAKICAgICAgICAgVW5yZXZpZXdlZCwgcm9sbGluZyBvdXQgcjIyNzA5 Ni4KSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHT1NSRXhpdENvbXBpbGVyQ29t bW9uLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR09TUkV4 aXRDb21waWxlckNvbW1vbi5jcHAJKHJldmlzaW9uIDIyNzE0MykKKysrIFNvdXJjZS9KYXZhU2Ny aXB0Q29yZS9kZmcvREZHT1NSRXhpdENvbXBpbGVyQ29tbW9uLmNwcAkod29ya2luZyBjb3B5KQpA QCAtMjU4LDcgKzI1OCw3IEBAIHN0YXRpYyB2b2lkIG9zcldyaXRlQmFycmllcihDQ2FsbEhlbHBl cnMKIAogICAgIC8vIFdlIG5lZWQgdGhlc2UgZXh0cmEgc2xvdHMgYmVjYXVzZSBzZXR1cEFyZ3Vt ZW50c1dpdGhFeGVjU3RhdGUgd2lsbCB1c2UgcG9rZSBvbiB4ODYuCiAjaWYgQ1BVKFg4NikKLSAg ICBqaXQuc3ViUHRyKE1hY3JvQXNzZW1ibGVyOjpUcnVzdGVkSW1tMzIoc2l6ZW9mKHZvaWQqKSAq IDMpLCBNYWNyb0Fzc2VtYmxlcjo6c3RhY2tQb2ludGVyUmVnaXN0ZXIpOworICAgIGppdC5zdWJQ dHIoTWFjcm9Bc3NlbWJsZXI6OlRydXN0ZWRJbW0zMihzaXplb2Yodm9pZCopICogNCksIE1hY3Jv QXNzZW1ibGVyOjpzdGFja1BvaW50ZXJSZWdpc3Rlcik7CiAjZW5kaWYKIAogICAgIGppdC5zZXR1 cEFyZ3VtZW50c1dpdGhFeGVjU3RhdGUob3duZXIpOwpAQCAtMjY2LDcgKzI2Niw3IEBAIHN0YXRp YyB2b2lkIG9zcldyaXRlQmFycmllcihDQ2FsbEhlbHBlcnMKICAgICBqaXQuY2FsbChzY3JhdGNo KTsKIAogI2lmIENQVShYODYpCi0gICAgaml0LmFkZFB0cihNYWNyb0Fzc2VtYmxlcjo6VHJ1c3Rl ZEltbTMyKHNpemVvZih2b2lkKikgKiAzKSwgTWFjcm9Bc3NlbWJsZXI6OnN0YWNrUG9pbnRlclJl Z2lzdGVyKTsKKyAgICBqaXQuYWRkUHRyKE1hY3JvQXNzZW1ibGVyOjpUcnVzdGVkSW1tMzIoc2l6 ZW9mKHZvaWQqKSAqIDQpLCBNYWNyb0Fzc2VtYmxlcjo6c3RhY2tQb2ludGVyUmVnaXN0ZXIpOwog I2VuZGlmCiAKICAgICBvd25lcklzUmVtZW1iZXJlZE9ySW5FZGVuLmxpbmsoJmppdCk7CkluZGV4 OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvaW50ZXJwcmV0ZXIvRnJhbWVUcmFjZXJzLmgKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2ludGVycHJldGVyL0ZyYW1lVHJhY2Vycy5o CShyZXZpc2lvbiAyMjcxNDMpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvaW50ZXJwcmV0ZXIv RnJhbWVUcmFjZXJzLmgJKHdvcmtpbmcgY29weSkKQEAgLTI2LDYgKzI2LDcgQEAKICNwcmFnbWEg b25jZQogCiAjaW5jbHVkZSAiQ2F0Y2hTY29wZS5oIgorI2luY2x1ZGUgIlN0YWNrQWxpZ25tZW50 LmgiCiAjaW5jbHVkZSAiVk0uaCIKIAogbmFtZXNwYWNlIEpTQyB7CkBAIC02OCw2ICs2OSwxOCBA QCBwcml2YXRlOgogICAgIENhbGxGcmFtZSogb2xkQ2FsbEZyYW1lOwogfTsKIAorQUxXQVlTX0lO TElORSBzdGF0aWMgdm9pZCBhc3NlcnRTdGFja1BvaW50ZXJJc0FsaWduZWQoKQoreworI2lmbmRl ZiBOREVCVUcKKyNpZiBDUFUoWDg2KQorICAgIHVpbnRwdHJfdCBzdGFja1BvaW50ZXI7CisKKyAg ICBhc20oIm1vdmwgJSVlc3AsJTAiIDogIj1yIihzdGFja1BvaW50ZXIpKTsKKyAgICBBU1NFUlQo IShzdGFja1BvaW50ZXIgJSBzdGFja0FsaWdubWVudEJ5dGVzKCkpKTsKKyNlbmRpZgorI2VuZGlm Cit9CisKIGNsYXNzIE5hdGl2ZUNhbGxGcmFtZVRyYWNlciB7CiBwdWJsaWM6CiAgICAgQUxXQVlT X0lOTElORSBOYXRpdmVDYWxsRnJhbWVUcmFjZXIoVk0qIHZtLCBDYWxsRnJhbWUqIGNhbGxGcmFt ZSkKQEAgLTc1LDYgKzg4LDcgQEAgcHVibGljOgogICAgICAgICBBU1NFUlQodm0pOwogICAgICAg ICBBU1NFUlQoY2FsbEZyYW1lKTsKICAgICAgICAgQVNTRVJUKHJlaW50ZXJwcmV0X2Nhc3Q8dm9p ZCo+KGNhbGxGcmFtZSkgPCByZWludGVycHJldF9jYXN0PHZvaWQqPih2bS0+dG9wRW50cnlGcmFt ZSkpOworICAgICAgICBhc3NlcnRTdGFja1BvaW50ZXJJc0FsaWduZWQoKTsKICAgICAgICAgdm0t PnRvcENhbGxGcmFtZSA9IGNhbGxGcmFtZTsKICAgICB9CiB9OwpAQCAtODYsNiArMTAwLDcgQEAg cHVibGljOgogICAgIHsKICAgICAgICAgQVNTRVJUKHZtKTsKICAgICAgICAgQVNTRVJUKGNhbGxG cmFtZSk7CisgICAgICAgIGFzc2VydFN0YWNrUG9pbnRlcklzQWxpZ25lZCgpOwogICAgICAgICBt X3NhdmVkVG9wRW50cnlGcmFtZSA9IHZtLT50b3BFbnRyeUZyYW1lOwogICAgICAgICBtX3NhdmVk VG9wQ2FsbEZyYW1lID0gdm0tPnRvcENhbGxGcmFtZTsKICAgICAgICAgdm0tPnRvcEVudHJ5RnJh bWUgPSBFbnRyeUZyYW1lOwpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2ppdC9UaHVua0dl bmVyYXRvcnMuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9qaXQvVGh1 bmtHZW5lcmF0b3JzLmNwcAkocmV2aXNpb24gMjI3MTQzKQorKysgU291cmNlL0phdmFTY3JpcHRD b3JlL2ppdC9UaHVua0dlbmVyYXRvcnMuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC00MDAsNyArNDAw LDcgQEAgc3RhdGljIE1hY3JvQXNzZW1ibGVyQ29kZVJlZiBuYXRpdmVGb3JHZQogICAgIGppdC5z dG9yZVB0cihKU0ludGVyZmFjZUpJVDo6Y2FsbEZyYW1lUmVnaXN0ZXIsICZ2bS0+dG9wQ2FsbEZy YW1lKTsKIAogI2lmIENQVShYODYpICYmIFVTRShKU1ZBTFVFMzJfNjQpCi0gICAgaml0LmFkZFB0 cihKU0ludGVyZmFjZUpJVDo6VHJ1c3RlZEltbTMyKC0xMiksIEpTSW50ZXJmYWNlSklUOjpzdGFj a1BvaW50ZXJSZWdpc3Rlcik7CisgICAgaml0LnN1YlB0cihKU0ludGVyZmFjZUpJVDo6VHJ1c3Rl ZEltbTMyKDQpLCBKU0ludGVyZmFjZUpJVDo6c3RhY2tQb2ludGVyUmVnaXN0ZXIpOwogICAgIGpp dC5tb3ZlKEpTSW50ZXJmYWNlSklUOjpjYWxsRnJhbWVSZWdpc3RlciwgSlNJbnRlcmZhY2VKSVQ6 OnJlZ1QwKTsKICAgICBqaXQucHVzaChKU0ludGVyZmFjZUpJVDo6cmVnVDApOwogI2Vsc2UKQEAg LTQxMyw3ICs0MTMsNyBAQCBzdGF0aWMgTWFjcm9Bc3NlbWJsZXJDb2RlUmVmIG5hdGl2ZUZvckdl CiAgICAgaml0Lm1vdmUoSlNJbnRlcmZhY2VKSVQ6OlRydXN0ZWRJbW1QdHIoRnVuY3Rpb25QdHIo b3BlcmF0aW9uVk1IYW5kbGVFeGNlcHRpb24pLnZhbHVlKCkpLCBKU0ludGVyZmFjZUpJVDo6cmVn VDMpOwogICAgIGppdC5jYWxsKEpTSW50ZXJmYWNlSklUOjpyZWdUMyk7CiAjaWYgQ1BVKFg4Nikg JiYgVVNFKEpTVkFMVUUzMl82NCkKLSAgICBqaXQuYWRkUHRyKEpTSW50ZXJmYWNlSklUOjpUcnVz dGVkSW1tMzIoMTYpLCBKU0ludGVyZmFjZUpJVDo6c3RhY2tQb2ludGVyUmVnaXN0ZXIpOworICAg IGppdC5hZGRQdHIoSlNJbnRlcmZhY2VKSVQ6OlRydXN0ZWRJbW0zMig4KSwgSlNJbnRlcmZhY2VK SVQ6OnN0YWNrUG9pbnRlclJlZ2lzdGVyKTsKICNlbGlmIE9TKFdJTkRPV1MpCiAgICAgaml0LmFk ZFB0cihKU0ludGVyZmFjZUpJVDo6VHJ1c3RlZEltbTMyKDQgKiBzaXplb2YoaW50NjRfdCkpLCBK U0ludGVyZmFjZUpJVDo6c3RhY2tQb2ludGVyUmVnaXN0ZXIpOwogI2VuZGlmCkluZGV4OiBTb3Vy Y2UvSmF2YVNjcmlwdENvcmUvbGxpbnQvTG93TGV2ZWxJbnRlcnByZXRlcjMyXzY0LmFzbQo9PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvbGxpbnQvTG93TGV2ZWxJbnRlcnByZXRl cjMyXzY0LmFzbQkocmV2aXNpb24gMjI3MTQzKQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2xs aW50L0xvd0xldmVsSW50ZXJwcmV0ZXIzMl82NC5hc20JKHdvcmtpbmcgY29weSkKQEAgLTIxMjQs NiArMjEyNCw5IEBAIG1hY3JvIG5hdGl2ZUNhbGxUcmFtcG9saW5lKGV4ZWN1dGFibGVPZmYKICAg ICByZXQKIAogLmhhbmRsZUV4Y2VwdGlvbjoKK2lmIFg4NiBvciBYODZfV0lOCisgICAgc3VicCA4 LCBzcCAjIGFsaWduIHN0YWNrIHBvaW50ZXIKK2VuZAogICAgIHN0b3JlcCBjZnIsIFZNOjp0b3BD YWxsRnJhbWVbdDNdCiAgICAgam1wIF9sbGludF90aHJvd19mcm9tX3Nsb3dfcGF0aF90cmFtcG9s aW5lCiBlbmQKQEAgLTIxNzYsNiArMjE3OSw5IEBAIG1hY3JvIGludGVybmFsRnVuY3Rpb25DYWxs VHJhbXBvbGluZShvZmYKICAgICByZXQKIAogLmhhbmRsZUV4Y2VwdGlvbjoKK2lmIFg4NiBvciBY ODZfV0lOCisgICAgc3VicCA4LCBzcCAjIGFsaWduIHN0YWNrIHBvaW50ZXIKK2VuZAogICAgIHN0 b3JlcCBjZnIsIFZNOjp0b3BDYWxsRnJhbWVbdDNdCiAgICAgam1wIF9sbGludF90aHJvd19mcm9t X3Nsb3dfcGF0aF90cmFtcG9saW5lCiBlbmQK