Bug 184185
| Summary: | We should not store to stack locations which are not protected by the stack pointer. | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Mark Lam <mark.lam> |
| Component: | WebAssembly | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | fpizlo, jfbastien, keith_miller, msaboff, rmorisset, saam, ysuzuki |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Mark Lam
createJSToWasmWrapper() emits code that stores to "calleeFrame", but calleeFrame exists below the stack pointer. Similarly, wasmToJS() also does the same. The values stored at the locations below the stack pointer are susceptible to corruption by interrupts that may fire if the OS uses the user stack red zone as the interrupt stack frame.