Bug 159448

Summary: StackVisitor::unwindToMachineCodeBlockFrame() may unwind past a VM entry frame when catching an exception and the frame has inlined tail calls
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, commit-queue, fpizlo, ggaren, gskachkov, keith_miller, mark.lam, msaboff, oliver, sukolsak, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
WIP
none
patch none

Saam Barati
Reported 2016-07-05 18:36:28 PDT
If we see that we have a sequence of tail calls that were inlined into a single machine frame, gotoNextFrame() will step over the machine callee and go to its caller (because it made a tail call, we treat the callee as logically not on the stack). This is a huge bug if we're unwinding from an exception where it's illegal to skip over VM entry frames. The machine caller of this tail called machine frame might be the VM entry frame. I think because unwindToMachineCodeBlockFrame() has sufficiently specific behavior, it should just do its own special unwinding.
Attachments
WIP (1.78 KB, patch)
2016-07-05 19:16 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch (4.41 KB, patch)
2016-07-05 19:45 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2016-07-05 18:37:37 PDT
<rdar://problem/27084459>
Saam Barati
Comment 2 2016-07-05 19:16:26 PDT
Created attachment 282838 [details] WIP Pretty sure this fixes the bug. Need to write up a changelog.
Mark Lam
Comment 3 2016-07-05 19:36:57 PDT
Comment on attachment 282838 [details] WIP View in context: https://bugs.webkit.org/attachment.cgi?id=282838&action=review > Source/JavaScriptCore/tests/stress/dont-unwind-past-vm-entry-frame.js:35 > + for (i = 0; i < 10000; i++) { > + try { > + p(); > + } catch(e) { } > + } I presume the expectation here is that this test should not crash. Can you add a comment indicating that at the top of the file?
Saam Barati
Comment 4 2016-07-05 19:45:52 PDT
Created attachment 282844 [details] patch
Mark Lam
Comment 5 2016-07-05 19:48:57 PDT
Comment on attachment 282844 [details] patch r=me
WebKit Commit Bot
Comment 6 2016-07-05 22:25:41 PDT
Comment on attachment 282844 [details] patch Clearing flags on attachment: 282844 Committed r202847: <http://trac.webkit.org/changeset/202847>
WebKit Commit Bot
Comment 7 2016-07-05 22:25:46 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.