Bug 159448

Summary: StackVisitor::unwindToMachineCodeBlockFrame() may unwind past a VM entry frame when catching an exception and the frame has inlined tail calls
Product: WebKit Reporter: Saam Barati <sbarati>
Component: JavaScriptCoreAssignee: Saam Barati <sbarati>
Severity: Normal CC: benjamin, commit-queue, fpizlo, ggaren, gskachkov, keith_miller, mark.lam, msaboff, oliver, sukolsak, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Description Flags
patch none

Description Saam Barati 2016-07-05 18:36:28 PDT
If we see that we have a sequence of tail calls that were inlined into a single machine frame, gotoNextFrame()
will step over the machine callee and go to its caller (because it made a tail call, we treat the callee
as logically not on the stack). This is a huge bug if we're unwinding from an exception where it's illegal
to skip over VM entry frames. The machine caller of this tail called machine frame might be the VM entry frame.
I think because unwindToMachineCodeBlockFrame() has sufficiently specific behavior, it should just do its own special unwinding.
Comment 1 Saam Barati 2016-07-05 18:37:37 PDT
Comment 2 Saam Barati 2016-07-05 19:16:26 PDT
Created attachment 282838 [details]

Pretty sure this fixes the bug. Need to write up a changelog.
Comment 3 Mark Lam 2016-07-05 19:36:57 PDT
Comment on attachment 282838 [details]

View in context: https://bugs.webkit.org/attachment.cgi?id=282838&action=review

> Source/JavaScriptCore/tests/stress/dont-unwind-past-vm-entry-frame.js:35
> +    for (i = 0; i < 10000; i++) {
> +        try {
> +            p();
> +        } catch(e) { }
> +    }

I presume the expectation here is that this test should not crash.  Can you add a comment indicating that at the top of the file?
Comment 4 Saam Barati 2016-07-05 19:45:52 PDT
Created attachment 282844 [details]
Comment 5 Mark Lam 2016-07-05 19:48:57 PDT
Comment on attachment 282844 [details]

Comment 6 WebKit Commit Bot 2016-07-05 22:25:41 PDT
Comment on attachment 282844 [details]

Clearing flags on attachment: 282844

Committed r202847: <http://trac.webkit.org/changeset/202847>
Comment 7 WebKit Commit Bot 2016-07-05 22:25:46 PDT
All reviewed patches have been landed.  Closing bug.